How to Meet Tomorrow’s Privacy Rules Today

In late June 2000, Tom Martin made the bone-chilling discovery that no CIO ever wants to make: His network had been hacked. As CIO of the University of Washington Academic Medical Center in Seattle, Martin had good reason to be concerned; his hospital, like most, was moving toward electronic records and communication with patients. An anxious Martin investigated the breach immediately, and to his relief he concluded that for the past month the hacker had been using sniffer software to gain access to a computer in the pathology department?not the core medical systems. Thankfully, no data was lost. Martin chalked it up to a learning experience and wisely upgraded the hospital’s firewall.

Then on Dec. 6, a third party published a handful of the university’s medical data on the Web?including patient names, addresses and Social Security numbers?as a way to point out security flaws at the center. It also reported that the hacker, a 25-year-old Dutchman named Kane, had 5,000 such records. In a matter of days, the story, complete with sensationalized interviews with bewildered patients, was all over the news.

A shocked Martin renewed his search, eventually tracing the stolen information’s origin to an Access spreadsheet used by quality assurance personnel. For the first time the CIO understood the scope of the security challenge he was facing. “The hacking made us rethink our approach and realize that [the IT department] doesn’t have control over all the medical data.”

Fittingly, the hack occurred while Martin was in the process of tightening access to the hospital’s core medical systems in response to impending security regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA). The original intent of HIPAA, which Congress passed in 1996, was to create EDI transaction standards in the health-care field?a move that would save the federal government, the nation’s largest health-care payer, $32 billion a year. Turning a good idea into effective legislation is not a simple process, however, particularly when it involves technology policy.

“Before the computer era, there was an established ethic,” says Jim Klein, a Washington, D.C.-based vice president and research director for Gartner. “No one would think about walking into the pharmacy and asking for your medical records, just like the hardware store wouldn’t tell your neighbor what you are buying.” The Internet-fueled proliferation of data?and data availability?has created a paradox: Businesses demand the benefits of a technology-enabled world along with the relative anonymity, or privacy, that the pretechnology world provided. The government’s response to that paradox is regulation that balances business’s need for increasingly detailed data with the public’s demand for privacy. The Graham-Leach-Bliley Act of 1999 set rules for the financial services industry, and two yet-to-be-passed bills, the Cyberterrorism Preparedness Act of 2002 and the Consumer Privacy Act of 2002, will set security standards for the public sector and govern the use of online information, respectively (see “Be Prepared,” this page). HIPAA will do the same for health care.

HIPAA’s final bill gave Congress three years to come up with a comprehensive set of privacy and security regulations. When the deadline came and went without any progress, Congress had to turn the task over to the U.S. Department of Health and Human Services (HHS), which kicked it around for another three years. As of press time, HHS was expected to publish completed regulations on Oct. 16?less than six months before the April 14, 2003, go-live date. As many health-care CIOs recognized, six months is not enough time to prepare. So for the past couple of years, they put themselves in the awkward position of implementing systems and policies in order to meet an unknown set of requirements.

It’s a challenge that CIOs in all industries will face as the give-and-take between technology advances and public wariness continues. Luckily, their health-care counterparts have developed a process that could serve as “the blueprint you would follow to comply with any regulation,” says Claudia Allen, CIO of St. John Health, a $1.6 billion Detroit-area health-care network. Here’s a look at that blueprint.

Do the Obvious Things Now

Health-care CIOs have a simple yet effective approach to impending regulation: Don’t wait for final legislation to make obvious enhancements. “For instance, we know that we are not going to be able to put protected health information on the Web without encryption and authentication,” says Rick Skinner, CIO for the Oregon region of Seattle-based Providence Health System. “And we know that we will need to add role-based access to our systems.”

Acting well in advance not only saves time in the long run, it also gives CIOs a chance to make changes that will improve the quality of the business operations. “If you [view these changes] simply as federal regulation, then they have little intrinsic business value,” says Skinner.

Sam Miller, CIO of the University of Arizona Medical Center in Tucson, notes that one of the most pervasive security problems in health care is that doctors don’t take the time to log in and out when entering patient information into hospital computers. And when they do, “passwords often wind up written [on the side of the computer], held on with sticky tape,” he says. “It is essentially unsecure.”

In addition, Miller anticipates that password protection alone won’t cut it under HIPAA?and even if it does, it’s a sloppy practice. So two years ago he piloted a biometric-based sign-on system, in which doctors scan their fingerprints and immediately see a list of applications they can access. The system improved security and eliminated a half-dozen keystrokes, saving doctors’ time and encouraging more secure behavior. “[With biometrics] they get logged in automatically; when they walk away, they are clocked out,” says Miller. “That is a tremendous improvement in workflow for the staff.” (The vendor that supplied the biometric system has since ceased operations, and Miller has closed the program. He is, however, now evaluating alternatives to restart it.)

Use Common Sense

Process improvements don’t have to be as flashy as biometrics, however. The rule of thumb is common sense. For example, when St. John Health’s Allen upgraded the hospital’s desktops in order to ensure that no patient data could be stored on C drives, she standardized on one desktop configuration, simultaneously meeting a probable HIPAA requirement and making her support staff’s job much easier. “We’re always looking to make things better and lower the cost,” she says.

Health-care CIOs advise locking yourself in a room and coming up with 10 actions you can take immediately to improve information security. That’s basically what the policy-makers are doing, says Catherine Schulten, a Bethesda, Md.-based Sybase health-care business development manager who has testified before committees working on HIPAA. Furthermore, the privacy and security workgroups are staffed by knowledgeable people who are trying not to overwhelm health-care organizations, adds Schulten, who has also written reviews of HHS policies for her company and its customers. CIOs agree and add that about 70 percent of the draft legislation is common sense. “In the absence of HIPAA, I would probably do most of these things anyway to ensure a reasonable amount of security,” says Schulten.

Look to the Past

David Marckel, an IT manager with BlueCross BlueShield of Tennessee, headquartered in Chattanooga, advocates checking draft legislation against previously passed legislation as another way to reassure yourself. Marckel notes that many of the security and privacy proposals in HIPAA, such as electronic signature guidelines, are similar to those that have evolved through recent Medicare legislation, which dictates rules for health-care organizations that expect to be reimbursed by the government. HHS is in charge of setting both HIPAA rules and Centers for Medicare & Medicaid Services (CMS) standards. It follows, Marckel believes, that HHS wouldn’t contradict itself. “We used CMS privacy and security audit guidelines as a basis,” he says. “We figure if it passed a CMS audit, it should pass HIPAA regulations.”

Teach Your Organization Well

At first glance, HIPAA may look like a textbook IT project. But just as controlling the flow of data isn’t as easy as tightening a few core systems, CIOs have learned that meeting HIPAA requirements is not just an IT project. “As we learned more about HIPAA we realized that it was weighted more toward health-care operations,” says St. John’s Allen. CIOs must make sure everyone?from the CEO down to the individual contributor?knows that protecting information is a companywide initiative that will require new behavior.

A CIO can build the world’s most impenetrable firewall, but if a resident who works in an HIV clinic loses his PDA, for example, then all bets are off. Likewise, there is no point in restricting access to a patient’s record if doctors discuss the case within earshot of nonauthorized personnel (or reporters). Although educating the organization at large is not the CIO’s job?”You can’t just tell someone to rearrange the furniture in a clinic office to make sure the printers aren’t accessible,” says Providence’s Skinner?it is the CIO’s responsibility to make sure the CEO understands the impact of the regulations.

Fortunately, it’s easy to make a compelling argument: If a health-care organization violates HIPAA and doesn’t have a clear, written policy to prove that it was an honest mistake, top executives can go to jail. The end result of the privacy clause, says Skinner, is that “tens of thousands of people have to receive some amount of training.”

But before behavior can be modified, organizations must first conduct a gap analysis to assess how much training is necessary. That job is best done by a consultant, says Bradley Harslem, CIO of Addison, Texas-based health-care management services provider Concentra. Despite the stigma that consultants are opportunistic profiteers, Harslem says that their objectivity is more important than any stereotype. “Consultants gave us a framework for not reinventing the wheel,” he says. “They helped us jump-start the brain work.” With help from consultants, Concentra has devised more than one type of training program to see which works best. Harslem hopes taking those steps will help Concentra avoid the bad publicity that could stem from an honest mistake.

Plan, Don’t Do

Regardless of how well-crafted draft legislation is, there are inevitably parts that could have debilitating consequences. In these cases, it is important to plan as if they will make the final bill. But instead of making changes now, “you wait for [the regulations] to get decided and hope you will not be thrown into a crisis,” says Dutch Dobish, vice president for regulatory law and privacy officer for Rite Aid in Camp Hill, Pa. One hot-button issue with HIPAA, for instance, has been consent requirements, which Dobish says “defied common sense.” The consent requirement was intended to protect patients whose information falls into the wrong hands by forbidding the recipient of the information from using it without expressed written permission. For instance, an optometrist who has access to an eye exam study from a nearby university hospital would be restricted from using the information as a way to target potential customers.

However, the regulation as originally written also made it illegal for pharmacists to fill prescriptions that a doctor phones in. In other words, the pharmacist couldn’t fill the prescription until the patient gives written consent that the information can be used?a giant inconvenience for a sick person. Dobish had planned to set up a national consent tracking database within his organization so that he would have been prepared for that requirement. Fortunately, Health and Human Services announced in late August that it would drop the requirement. However, Dobish’s work in that area was not lost; Rite Aid now intends to use that framework to comply with an acknowledgement tracking form that is expected to be included in the final regulation.

Lobby for Change

Those who strongly believe a piece of legislation is blatantly wrong have another alternative: lobbying. Professional groups such as the American Medical Association, the American Hospital Association and the national BlueCross and BlueShield Association all lobby on behalf of their members. But that isn’t always enough. Most CIOs interviewed for this story have talked or written to their congressional representatives. Mary Henderson, executive director of the national HIPAA program for Oakland, Calif.-based Kaiser Permanente, testified before an HHS committee against the consent requirement, which she adds “was of no value and cost a lot of money.” She also worked with Kaiser Permanente’s lobbying group in Washington to make her case.

Health care will continue to evolve as new technologies go mainstream. And it’s the same for any industry. “When it comes to privacy,” says Martin, “it is everyone’s responsibility, and as service providers we need to be more conscious of it. Whether I am dealing with financial information or health information, it has become part of our culture to respect privacy.” Besides, he adds, “it is generally the right thing to do.”