HIPAA compliance: Time’s up

news
Jun 10, 2005

Following health privacy rules encompasses partners, employees, disaster recovery, security executive says

The deadline for compliance with the Health Insurance Portability and Accountability Act’s Final Security Rule was April 20, 2005. Health-care CSOs across the country scrambled to make sure their organizations were in line with the federal law, which covers a broad range of security aspects, including health-records access, network data transmission and physical security.

CSO sat down with Partners Healthcare CISO Bob Pappagianopoulos to talk about the mandate and its challenges.

CSO: The compliance deadline for HIPAA security has arrived. Is Partners ready, or are you still trying to tie up loose ends?

Bob Pappagianopoulos: We put a phony date (for HIPAA security compliance) of Dec. 31, 2004, and focused on that. A lot of work involves just documenting outstanding issues and looking at gaps.

CSO: So what happened April 20?

Pappagianopoulos: By April 20, you had to make sure that, if you look at every (HIPAA security) regulation, you’re in 100 percent compliance or have a valid, well-documented reason why you’re not. We’ve done everything that’s reasonable: employee training, updated and centrally located our policies. Everything we can do that makes good common sense, we’ll do.

As I talk to other hospital organizations, they feel the same way. There are certain things that have to get done. We’ve identified those and will get them done. There are others where, from our perspective, you can’t turn a ship quickly.

CSO: For example?

Pappagianopoulos: We’ve documented why we’re not 100 percent in compliance with the regulation regarding disaster-recovery planning. The reason is that we have approximately 1,200 applications at Partners. Having a true disaster-recovery plan for all of those is cost-prohibitive. We have a plan to meet a reasonable standard. For example, all of our departments have business-continuity plans so that, in the event that they can’t get to patient records, they can provide quality of care. We’re also moving to a new data center and taking one of two existing data centers and replacing it with a larger data center for the top 42 applications and about 200 feeder systems initially. Things like our longitudinal medical-record clinical repository, which is where all our lab results go.

Encryption of data is considered “addressable” also, which means that you don’t have to be in compliance by April 20, but you have taken steps to be as compliant as you can. We have a project for encrypted file transfer and hope to have it in place in the next three months so that all files are encrypted.

CSO: Chain-of-trust issues have been a key component of HIPAA compliance at every stage. How has Partners handled these issues? How do they affect your compliance for HIPAA security?

Pappagianopoulos: Some of that work has already been done. We need to modify our business associates’ agreements so that they include security. The task at hand now is to go back to our business associates and get the new version in place, which we’ve already started. Most people just agree with (the modified agreement), but there’s some push-back, especially with the way the regulations are written.

CSO: Employee training is part of HIPAA compliance. How did you break down the IT security concepts of HIPAA for the advanced IT personnel and the rest of the staff?

Pappagianopoulos: Well, what we were going to do was to look at our staff and determine who needs training and who doesn’t. But we figured out that we couldn’t do it that way. If you had 25 slides covering all of security, 15 might make sense for one department and 20 for another. What we ended up saying was, “Any employee with the possibility of touching patient health information has to have training.”

CSO: What is your position on wireless and mobile device security?

Pappagianopoulos: We have wireless security here, and it’s pretty secure for the devices we control. Rogue access points are the main anxiety for all hospitals, and we try to control and stop those. If people need wireless access, they have to go through our standard secure environment.

CSO: Any reflections on HIPAA security compliance?

Pappagianopoulos: It’s been a long process but also a good process. What we’re trying to do is eliminate the word HIPAA, and just talk about good practices. Good information security. We want to get the culture to change because it’s the right thing to do — so (HIPAA’s) not perceived as a government mandate but as a best practice. HIPAA isn’t anything we shouldn’t have been doing anyway.