Medical groups that are moving towards electronic transactions need to start thinking now about their security precautions.
Federal regulations to oversee the security and confidentiality of those electronic transactions are on the horizon.
"Providers shouldn't be waiting for the final rule to get busy," says William Braithwaite, M.D., senior advisor on health information for HHS. "There's significant planning and work to be done on security for organizations, and they need to start assessing what their risk vulnerabilities are so they can plan for doing the right thing."
The federal standards requiring providers to implement specific technical and administrative procedures to ensure the security of electronic health data were expected last month (see December, page 20), but HHS recently announced it was delaying the release of those rules until later this month or next month.
In 1996, Congress passed the Health Insurance Portability and Accountability Act to much fanfare. The act allows workers to change jobs without losing their insurance, but buried within the act were seven provisions that establish standards for electronic healthcare transactions and exchanges. The provisions are intended to improve the flow of information between healthcare organizations while protecting individual privacy and preventing fraud.
HHS estimates the provisions could save health plans, healthcare clearinghouses and providers anywhere from $5 billion to $10 billion a year and estimates the five-year cost of compliance to be about $3.8 billion. Many healthcare providers, however, claim that the cost of complying with the new regulations will far exceed the cost of their Y2K preparations.
"HHS has just missed the target entirely as to what the impact these regulations are going to have on healthcare delivery," says Ed Shay, an attorney specializing in healthcare administrative and regulatory issues at Saul, Ewing, Remick and Saul in Philadelphia. "That's not to say there's not a very legitimate policy argument, and you've got to have security (and privacy) . . . but they've underestimated the cost."
The standard providers consider most troublesome concerns protecting the security and confidentiality of individual health information. In August 1998, HHS released its proposed security standards. The proposed guidelines require health organizations to secure communications on both private and public networks so that the data exchanged remains accurate, confidential and available when needed.
Such communications include all types of patient-identifiable information, including health claims, eligibility inquiries and payments.
The standards require all health plans, healthcare clearinghouses and providers--regardless of size--to establish and maintain reasonable and appropriate safeguards by such means as appointing an information security officer, developing a security plan, providing training for employees and controlling physical access to records.
The security standards affect health providers subject to HIPAA and any e-health companies considered a business partner of those organizations.
Criminal penalties for wrongful disclosure of individually identifiable health information range up to $250,000 in fines and ten years in prison, with the maximum depending on intent (the heaviest penalties apply to disclosure for commercial advantage or malicious harm), but it is unclear which agency will be responsible for enforcement.
While the security regulations will govern the safeguards that protect the integrity and confidentiality of the data, the privacy rules will dictate how identifiable healthcare data may be used and disclosed. Some analysts believe the proposed privacy regulations have caused the delay in the security rules, as HHS makes sure the two are compatible.