Health-care organizations, including state agencies, are wrestling with how to meet data security requirements in the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996. Although the deadline for complying is at least two years off, the health-care industry has much work to accomplish by then. HIPAA sets mandatory goals for protecting the integrity, confidentiality and availability of patient data, but it leaves health-care organizations to decide how to meet those goals on their own.
However, doing it on their own could complicate matters. Every time a doctor's office submits a Medicaid claim, a managed-care firm approves a referral or a laboratory sends information to a state health department, if the information moves electronically, two or more organizations must agree on standards for safeguarding the data. "Collaboration is really the only way the HIPAA regulations will be effectively implemented," noted Laura Ripp, program director at HealthKey, a Seattle-based organization working on data security standards and practices for the health-care industry.
With a $2.5 million grant from the Robert Wood Johnson Foundation, HealthKey has spent two years exploring practical, affordable ways to protect medical data transmitted over the Internet. As part of that initiative, five not-for-profit regional organizations composed of private and government entities have developed and tested security technologies and practices. Completed in June, the pilot programs were conducted in Massachusetts, Minnesota, North Carolina, Utah and Washington.
Privacy and Security
A broad-ranging effort to improve health-care administration, HIPAA calls for rules to govern how organizations handle information linked to individual patients. The law has separate provisions for privacy and security. The privacy rules protect the rights of patients to control how their medical information is used, whether it's stored on paper or in electronic format. The security regulations aim to protect electronic data about patients both when it's stored and when it's transmitted across a network.
The U.S. Department of Health and Human Services (HHS) issued the final version of the privacy rules on April 14 of this year. The health-care industry has until April 14, 2003, to comply. At press time, HHS had not yet released a final version of the security rules but was expected to do so by year's end. Health-care organizations will have two years from the issue date to comply with those.
A third set of regulations mandating standards for electronic data transactions was issued last year with a deadline of October 2002. A fourth set, still under development, concerns unique identifiers for health-care providers, health plans, employers and patients.
Although HIPAA adds urgency to the quest for standards, HealthKey was not born solely to deal with HIPAA compliance, said Ripp. Rather, it emerged from a long-standing effort in the health-care industry to cut costs by increasing efficiency. "The real driver for all of this gets back to the same thing the government is trying to do, and that's administrative simplification," Ripp said.
Electronic transactions will make business more efficient, but only if the industry can agree on standards for moving the data.
In Minnesota, one HealthKey project looked at how to make security systems installed in different organizations work together. One of the most promising approaches to security is public key infrastructure (PKI), said Walter Suarez, executive director at the Minnesota Health Data Institute (MHDI), which conducted the project. Each user on a system protected with PKI has two software "keys" for encrypting and decrypting messages: a private key known only to its owner, and a public key shared with the people who exchange data with that owner. Each user must also register with an administrator, who certifies the electronic signatures of the people using the keys.
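As an added illustration of the registration and key exchange described above (example code written for this page, not software from HealthKey or MHDI): a registrar certifies a laboratory's public key, a sender checks that certificate against the registrar before encrypting a record to the key, and a certificate whose name was altered after issue is refused. The Certificate type, its digest layout and the participant names are assumptions made for the example; real deployments use X.509 certificates rather than this minimal stand-in.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Identity is one participant (a lab, a clinic, or the registrar itself).
// The private key never leaves the struct; only the public half is shared.
type Identity struct {
	Name string
	priv *rsa.PrivateKey
}

// Certificate is a hypothetical, minimal stand-in for what the registering
// administrator issues: a name, the public key bound to it, and the
// registrar's signature over both.
type Certificate struct {
	Name      string
	PubKeyDER []byte
	Signature []byte
}

// NewIdentity generates a fresh RSA key pair for a named participant.
func NewIdentity(name string) (*Identity, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, priv: priv}, nil
}

// PublicKey returns the shareable half of the key pair.
func (id *Identity) PublicKey() *rsa.PublicKey { return &id.priv.PublicKey }

// PublicKeyDER serialises the public key for embedding in a certificate.
func (id *Identity) PublicKeyDER() []byte {
	return x509.MarshalPKCS1PublicKey(id.PublicKey())
}

// certDigest hashes name and key together with a separator, so a signature
// over one pair cannot be reused for a different name or key.
func certDigest(name string, pubDER []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0})
	h.Write(pubDER)
	return h.Sum(nil)
}

// Register is the registrar's step: it certifies that pubDER belongs to name.
func (registrar *Identity) Register(name string, pubDER []byte) (*Certificate, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, registrar.priv, crypto.SHA256, certDigest(name, pubDER))
	if err != nil {
		return nil, err
	}
	return &Certificate{Name: name, PubKeyDER: pubDER, Signature: sig}, nil
}

// VerifyCertificate is the relying party's check: the key in cert is trusted
// only if the registrar's signature over name and key verifies.
func VerifyCertificate(registrarPub *rsa.PublicKey, cert *Certificate) (*rsa.PublicKey, error) {
	digest := certDigest(cert.Name, cert.PubKeyDER)
	if err := rsa.VerifyPKCS1v15(registrarPub, crypto.SHA256, digest, cert.Signature); err != nil {
		return nil, fmt.Errorf("certificate for %q not trusted: %w", cert.Name, err)
	}
	return x509.ParsePKCS1PublicKey(cert.PubKeyDER)
}

// Encrypt seals msg for the holder of pub using RSA-OAEP.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Decrypt opens a message sealed for this identity with its private key.
func (id *Identity) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, id.priv, ciphertext, nil)
}

// SendRecord is the sender's whole procedure: verify the recipient's
// certificate against the registrar, then encrypt to the certified key.
func SendRecord(registrarPub *rsa.PublicKey, recipientCert *Certificate, record []byte) ([]byte, error) {
	recipientPub, err := VerifyCertificate(registrarPub, recipientCert)
	if err != nil {
		return nil, err
	}
	return Encrypt(recipientPub, record)
}

func main() {
	registrar, _ := NewIdentity("state health department registrar")
	lab, _ := NewIdentity("regional laboratory")
	labCert, _ := registrar.Register(lab.Name, lab.PublicKeyDER())

	record := []byte("lab result for patient id PLACEHOLDER-0001") // constructed sample, no real data
	sealed, err := SendRecord(registrar.PublicKey(), labCert, record)
	if err != nil {
		fmt.Println("send refused:", err)
		return
	}
	opened, _ := lab.Decrypt(sealed)
	fmt.Printf("lab decrypted: %s\n", opened)

	forged := *labCert // certificate re-labelled with another name after issue
	forged.Name = "someone else"
	if _, err := SendRecord(registrar.PublicKey(), &forged, record); err != nil {
		fmt.Println("forged certificate rejected:", err)
	}
}
```

The point the Minnesota project turned on is visible in VerifyCertificate: a sender only needs the registrar's public key to decide whether a recipient's key can be trusted, which is what lets organizations running different products interoperate once they agree on the certificate format and the registrar.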
"The problem is that each company producing these software packages is using a proprietary system to find those keys," Suarez said. Lacking national technical standards for security products, two users can