Many health care organizations and other companies affected by HIPAA have taken steps to comply with the federal law's security component that became effective last month, but some say more clarity and enforcement of the requirements are needed.
Health care entities faced an April 20 deadline to meet the security standards of HIPAA – the Health Insurance Portability and Accountability Act – except small organizations, which have another year to comply. The deadline for the privacy rules was two years ago.
At Baptist Health Care (BHC), a Pensacola, FL-based health care provider, staffers have worked to comply with the security rules, but are looking for more specific guidance on the requirements – which enforcement would provide, says Jim Donaldson, BHC corporate privacy and security officer.
"There are certainly some generally accepted things that have to be done – changing your passwords and securing your network infrastructure," he says. "But how far do you carry training? Do you give everyone eight hours a year or will 30 minutes do? We're kind of waiting on some guidance on this and some precedent to be set. When you're trying to maximize your nursing staff, you don't want to have them tied up in too much training unless you really have to."
A lot of organizations, frustrated by the lack of enforcement of the privacy rules, are taking a wait-and-see attitude, he says.
"If Health and Human Services comes right out after the deadline and starts making random inspections on facilities, and writes people up for doing or not doing things, then it will help set a baseline," says Donaldson.
He adds that it is hard to justify to senior management spending some half a million dollars on a project "when we may or may not get a visit [from HHS], or it may or may not be the standard" that winds up being required.
Eric Conrad, HIPAA security officer and manager of network and security engineering at Caritas Christi Health Care Systems in Boston, says he has heard concerns about a lack of HIPAA enforcement as well.
"I fight that at my own organization. People say privacy wasn't enforced that much, but privacy in some ways was simpler. It came down more to procedural issues, making sure someone signed the form, that you have the proper consent," he says. "Security is a lot deeper and it touches a lot more places. We're taking it very seriously and addressing it."
While many organizations have felt a sense of urgency about the April deadline, many others have been ducking the issue, says Mike Rothman, vice-president of marketing at messaging security provider CipherTrust.
There are still a lot of unknowns around HIPAA's security rules, including how they will be enforced, he says. "A lot of these things just make it an uncertain situation for a lot of people."
Andres Kohn, director of products at messaging security supplier Proofpoint, says companies have been faced with the challenge of figuring out exactly what they need to do to comply. "In part, it's like every other policy that companies implement – they're trying to measure risk versus cost," he says.
He has seen organizations fall into two camps – ones that were adamant about being compliant by the April deadline and others that are playing it by ear.
"We've certainly talked to companies that are saying 'If we have a plan in place by April and don't deploy anything until later, that's probably fine because it shows that we're moving in the right direction'," he says.
Paul Kurtz, executive director of Cyber Security Industry Alliance, says that his organization hopes to serve as a bridge between its security vendor members and HHS in order to bring more clarity to the security rules.
"This is complex and resources are tight. We want to know what the enforcement regime will be," he says.
Since April 2003, HHS has received 11,280 complaints of HIPAA privacy violations and closed 63 percent of them, according to an agency spokesperson who requested anonymity. Some were closed because they were either filed against entities not covered by HIPAA or did not in fact allege violations of the law. Others were investigated and closed after the alleged offender agreed to comply. No case has resulted in penalties.
To Conrad, HIPAA's security rule amounts to best practices: "A lot of it is nuts-and-bolts information security – backups, firewalls, environmental controls. All the things you should have anyway."
Among the tools his organization uses is Fortinet's FortiGate system, which provides anti-virus and firewall protection plus other security functions.
But the HIPAA security rule is more than IT. It includes facilities and human resources, so compliance is complex, he stresses. "We're the second-largest health care provider in New England, so we have a very large challenge, but I feel confident we're addressing it."
For its part, BHC has taken a variety of steps to address the security requirements, including beefing up its backup and recovery capabilities. Those capabilities were put to the test when Hurricane Ivan tore through the area last year, recalls Donaldson: "Our IT infrastructure came back up fairly quickly."
BHC is also ensuring that systems are continually patched and that assets are tracked. In addition, the organization has implemented technology to prevent viruses and worms from entering its network, especially after a virus disrupted the network last year.
"If you have a virus that's impacting response times in computers, then it's also impacting response times in digital film scanners, MRI machines and lab equipment," says Donaldson.
BHC uses CipherTrust's IronMail appliance for scrubbing viruses and spam out of its email, and fine-tuned its policies to bar employees from checking their personal webmail at work.
But an issue BHC is grappling with is generic logins to workstations and applications, adds Donaldson. Giving a unique identifier to each of the 30 nurses, doctors and other employees who might access the same workstation over a 24-hour period is difficult. It places an enormous burden on the employees, and a single sign-on or biometric solution is cost-prohibitive for a nonprofit such as BHC, he says.
Blue Cross Blue Shield of North Dakota, also known as Noridian Mutual Insurance Company, has worked extensively on a number of fronts to ensure compliance by the April deadline, reports Troy Aswege, the firm's assistant vice-president of information services.
For two years, a task force at Noridian has worked to update policies and communicate the need for secure procedures. "One of the biggest things we've realized is to keep common sense in mind and look at your risks," says Aswege, adding that a million dollars should not be spent on an asset of small value.
Meanwhile, Jeff Slotnick, director of network operations at Oklahoma Health Care Authority – Oklahoma's Medicaid agency – says the key to HIPAA's security rule is to document everything.
"Everyone had security in place, but the documentation to support what they were doing at a security level wasn't there," he says.
Ultimately, HIPAA has been effective, believes Slotnick: "It should give the citizens whose data we're trying to protect a real good feeling that their information is going to be protected."