HIPAA’s barking — and it may just bite

Although it differs markedly from Sarbanes-Oxley, HIPAA demands as much serious interpretative and operational gymnastics on the part of IT managers, requiring them to navigate a similar sea of guidelines, some mandatory, others seemingly less so.

One of HIPAA’s looming deadlines is case in point. By April 21, midsize and large health care organizations must meet the regulation’s security compliance standards. The law stipulates that patient records must be protected not only for confidentiality but also against “reasonably anticipated threats or hazards to the security or integrity of such information.”

But you’ll be hard-pressed to find anyone who can tell you exactly what that means. “In fact, the law can’t be too specific here,” says Phebe Waterfield, an analyst at Yankee Group. “We would like to be able to say, ‘Follow best practices to ensure security of patient health records,’ but in fact, systems are still too immature to specify what those are.”

Catholic Health Systems left little to chance and built a separate datacenter. “We are doing data mirroring between our production site and the new one,” says Doug Torre, IT director at Catholic Health. “This was a big investment; we acquired additional storage and bolstered our WAN with fiber optics.”

Although Torre makes it clear that HIPAA does not in fact require this kind of effort, he maintains that the lengths Catholic Health went to made sense from a purely operational standpoint. Yankee’s Waterfield agrees: “Do you have to build out a separate DR [disaster-recovery system] to meet the upcoming HIPAA security deadline? No, you do not. But think about the information: patient health records. If I am allergic to penicillin, for example, and the record of that gets lost, I could die in the hospital. Lives are at stake, not to mention the financial liabilities involved.”

There are some things that get closer to absolutes when it comes to meeting requirements for the upcoming deadline. “Strong authentication is essential,” Torre says. “We use RSA Secure ID together with a Juniper SSL VPN. This ensures role-based access and session time-outs.”

William Gillespie, vice president and CIO of WellSpan Health, turned to a buzzword of the late ’90s for security help, the “network computer.”

“We deployed about 1,000 thin clients from Wyse,” Gillespie says, noting that the Wyse Technology machines are powered by MetaFrame software from Citrix. According to Gillespie, the network-centric model makes it easier to secure patient records, and it reduces TCO because thin clients are far cheaper to maintain than a distributed network of PCs.

Gillespie thinks most HIPAA requirements reflect best practices. If you have a reasonably secure infrastructure in place, it shouldn’t be that difficult to pass muster, he maintains. “To some extent, HIPAA just formalizes things you probably should be doing anyway,” he says.

Although this may make it tempting to say the April deadline’s bark is worse than its bite, Gillespie cautions IT to not let its guard down: “These are very real concerns that affect all of us as health care consumers and providers. This is real.”