07:24 AM
Will HIPAA Efforts Fall Short?
With the April 14 compliance deadline just around the corner for HIPAA's (Health Insurance Portability and Accountability Act) privacy provisions, health insurance companies are making final touches in their processes. However, from a technology perspective, a more daunting task lies in meeting HIPAA's October 16 transaction and code sets deadline, especially since, the final security rule (released just as this story went to press), mentioned no specific technology requirements.
Last-Minute Touches
"There is a lot of work being done toward both the privacy deadline in April and the October transactions deadline, because those who filed the extension from last October 16 must be in testing by April," says Rosemary Abell, director of consulting firm Keane's (Boston) HIPAA practice.
In anticipation of the April deadline, Empire Blue Cross Blue Shield (New York, $2.8 billion in total assets) is concluding a broad range of measures, including revising policies and procedures, undertaking training initiatives, and issuing notices to members and business associates. The systems supporting those activities are already in place, says Linda Tiano, senior vice president and general counsel. "When the draft regulations were issued in 1999, we put member privacy policies in place, as well as systems protection," according to Tiano. "We expect to be fully in compliance."
However, not all carriers have approached HIPAA with such foresight, according to David MacLeod, director of information systems security, The Regence Group (Portland, OR, $6 billion in annual premium revenue). MacLeod sees "renewed frenetic activity around privacy, and a lower level of activity on transaction code sets and identifiers."
One of the chief worries for insurers is their responsibility for technology-based breaches of the privacy rule, MacLeod suggests. "The level of security evoked by privacy is very ambiguous," he says. "HIPAA was codified in US Code 42, where it says we have to reasonably anticipate against anythreat to confidentiality, integrity and availability of information assets, and take every step to ensure against the compromise of that information. That's a very broad statement." As a sign of where this will likely lead, MacLeod notes that legal experts have begun to cite as precedent the T. J. Hooper case, adjudicated by the Supreme Court in the 1930s. In Hooper, a firm that lost cargo in a storm was held liable for failing to adopt available technology-radio-that could have prevented the loss.
Unfortunately, many health insurers have not adequately prepared, according to MacLeod. "They have relied on procedure and policy statements," he argues. Regarding technology, "they have put in at a very high level monitoring tools to detect break-ins to systems, but they have not fundamentally changed the business model or the systems that support it."
The single greatest mistake carriers are making is relying on traditional perimeter security measures, according to Scott Nevins, president and CEO of Protegrity, a Stamford, CT-based database security solutions provider. "Security must be accomplished at the lowest layer in the structurethe data itself."
Limited Resources
Delta Dental of New Jersey (Parsippany, NJ, $372 million in premium income) "depends on multiple layers of security to protect both applications and data," says Steve Stoll, vice president, information services. Despite limited resources, Stoll's organization was able to work toward transaction compliance by leveraging a relationship with Concurrent Technologies (Liberty Corner, NJ). "They were able to pick up implementing the translator package for transformation of HIPAA standards into the local system's version and do the data mapping for us between the HIPAA transactions and our legacy systems," Stoll says. While the compliance challenge is more a matter of getting moving for larger carriers, "smaller companies are going to have a harder time because they don't have the wherewithal to spend on multiple layers of security," he adds.
Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ... View Full Bio