April 16, 2002 By Merrill Douglas
However, doing it on their own could complicate matters. Every time a doctor's office submits a Medicaid claim, a managed-care firm approves a referral or a laboratory sends information to a state health department, if the information moves electronically, two or more organizations must agree on standards for safeguarding the data. "Collaboration is really the only way the HIPAA regulations will be effectively implemented," noted Laura Ripp, program director at HealthKey, a Seattle-based organization working on data security standards and practices for the health-care industry.
With a $2.5 million grant from the Robert Wood Johnson Foundation, HealthKey has spent two years exploring practical, affordable ways to protect medical data transmitted over the Internet. As part of that initiative, five not-for-profit regional organizations composed of private and government entities have developed and tested security technologies and practices. Completed in June, the pilot programs were conducted in Massachusetts, Minnesota, North Carolina, Utah and Washington.
Privacy and Security
The U.S. Department of Health and Human Services (HHS) issued the final version of the privacy rules on April 14 of this year. The health-care industry has until April 14, 2003, to comply. At press time, HHS had not yet released a final version of the security rules but was expected to do so by year's end. Health-care organizations will have two years from the issue date to comply with those.
A third set of regulations mandating standards for electronic data transactions was issued last year with a deadline of October 2002. A fourth set, still under development, concerns unique identifiers for health-care providers, health plans, employers and patients.
Although HIPAA adds urgency to the quest for standards, HealthKey was not born solely to deal with HIPAA compliance, said Ripp. Rather, it emerged from a long-standing effort in the health-care industry to cut costs by increasing efficiency. "The real driver for all of this gets back to the same thing the government is trying to do, and that's administrative simplification," Ripp said.
Electronic transactions will make business more efficient, but only if the industry can agree on standards for moving the data.
In Minnesota, one HealthKey project looked at how to make security systems installed in different organizations work together. One of the most promising approaches to security is public key infrastructure (PKI), said Walter Suarez, executive director at the Minnesota Health Data Institute (MHDI), which conducted the project. Each user on a system protected with PKI has a pair of software "keys": a private key, known only to that user, and a public key, which is shared with the people who exchange data with the user. What one key of the pair encrypts, only the other can decrypt, so a sender can encrypt a message to the recipient's public key and can sign a message with his or her own private key, which recipients check against the sender's public key. Each user must register with an administrator, in PKI terms a certificate authority, which certifies that a given public key belongs to that user; it is this certification that lets a recipient trust a signature.
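The key pair and registration step described above, as an added example that is not part of the original article and not code from HealthKey, MHDI or any vendor mentioned: Go's standard library plays the roles of user, administrator (certificate authority) and recipient. The organization names, serial numbers, certificate lifetimes and the lab-result payload are all made up for illustration. It also shows why two organizations' PKIs do not interoperate by themselves: a certificate issued by a CA the receiver has not chosen to trust is rejected until that CA's root is added to the receiver's trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity pairs a certificate (public key plus CA certification) with the
// private key that only its owner holds.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// template builds the fields shared by CA and user certificates. Names, serials
// and lifetimes here are illustrative, not taken from any real deployment.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	return t
}

// issue generates a key pair for name and has parent certify the public half;
// the private half never leaves the identity. With parent == nil the
// certificate is self-signed, i.e. a CA root: the "administrator" users register with.
func issue(name string, serial int64, parent *identity) (identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return identity{}, err
	}
	tmpl := template(name, serial, parent == nil)
	parentCert, parentKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return identity{}, err
	}
	cert, err := x509.ParseCertificate(der)
	return identity{cert, key}, err
}

// sign produces an ECDSA signature over the SHA-256 digest of msg with the sender's private key.
func sign(key *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	d := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, key, d[:])
}

// verify is what the receiving organization runs. It fails unless (1) the sender's
// certificate chains to a CA in the receiver's trust store and (2) the signature
// checks out under the public key carried in that certificate.
func verify(trusted *x509.CertPool, sender *x509.Certificate, msg, sig []byte) error {
	opts := x509.VerifyOptions{Roots: trusted, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := sender.Verify(opts); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := sender.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return fmt.Errorf("unexpected key type %T", sender.PublicKey)
	}
	d := sha256.Sum256(msg)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Outcome holds the result of each check in RunScenario (nil means it passed).
type Outcome struct {
	SameCA     error // sender registered with the receiver's own CA
	ForeignCA  error // sender registered with another organization's CA, not yet trusted
	AfterTrust error // same message once that CA is added to the receiver's trust store
	Tampered   error // signed message altered after signing
}

// RunScenario plays out a hypothetical exchange: a clinic checks a lab result signed
// under its own CA, then one signed under a second, independently run CA.
func RunScenario() Outcome {
	clinicCA := must(issue("Clinic CA (hypothetical)", 1, nil))
	labCA := must(issue("Lab CA (hypothetical)", 1, nil))
	lab1 := must(issue("lab-one", 2, &clinicCA))
	lab2 := must(issue("lab-two", 2, &labCA))
	msg := []byte("patient=0001 test=HbA1c result=6.8%") // constructed sample payload
	sig1 := must(sign(lab1.key, msg))
	sig2 := must(sign(lab2.key, msg))
	trust := x509.NewCertPool()
	trust.AddCert(clinicCA.cert) // the clinic starts out trusting only its own CA
	var out Outcome
	out.SameCA = verify(trust, lab1.cert, msg, sig1)
	out.ForeignCA = verify(trust, lab2.cert, msg, sig2)
	trust.AddCert(labCA.cert) // the two organizations agree to trust each other's CA
	out.AfterTrust = verify(trust, lab2.cert, msg, sig2)
	out.Tampered = verify(trust, lab2.cert, []byte("patient=0001 test=HbA1c result=5.8%"), sig2)
	return out
}

func main() {
	out := RunScenario()
	fmt.Printf("same CA: %v\nforeign CA: %v\nafter trust: %v\ntampered: %v\n",
		out.SameCA, out.ForeignCA, out.AfterTrust, out.Tampered)
}
```

Run it with `go run`: the first and third checks succeed, the second fails with an unknown-authority error, and the fourth fails on the signature. Signing rather than encryption is shown because the registration step the article describes is about certifying who a public key belongs to, and that certification is exactly what `verify` consults before it believes a signature.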
"The problem is that each company producing these software packages is using a proprietary system to find those keys," Suarez said. Lacking national technical standards for security products, two users can