Nearly a year remains before the April 21, 2005, deadline for the HIPAA security rule, which sets standards for the security of protected health information (PHI), but compliance readiness is in doubt for many healthcare industry companies. Insurers are likely to be in better shape than other industry parties, such as clearinghouses and small healthcare providers, but approaches to the security rule vary widely, and verifying compliance isn't necessarily a straightforward matter.
Medical Mutual validated its security model against the HIPAA security notice of proposed rule making (NPRM) in 2002 and made appropriate changes, Frolich relates. "Once the security rule was finalized in February 2003, we did another gap analysis," he adds.
Frolich believes that coupling privacy and security made security compliance easier, but his experience working with other companies on HIPAA compliance suggests that Medical Mutual's approach is not standard. "I believe there are insurance companies that are hustling, trying to get their arms around this regulation," he comments.
A study conducted by Washington, D.C.-based accrediting organization URAC draws similar conclusions. The study, "An Assessment of HIPAA Security Preparedness: Most Health Care Organizations Remain Noncompliant," is based on formal and informal interviews with more than 300 healthcare industry companies, nearly 70 of which were payer companies. "We're concerned that some of the fundamentals of security compliance are not readily apparent to a lot of stakeholders within the companies charged with meeting the deadline," says Garry Carneal, URAC's CEO.
URAC's study identifies four major barriers to HIPAA security rule compliance: incomplete or inappropriately scoped risk analysis efforts; inconsistent and poorly executed risk management strategies; limited or faulty information system activity review; and ineffective security incident reporting and response. While these shortcomings may be more characteristic of other industry participants, "a majority of health insurance carriers are not in compliance with the security rule," Carneal asserts.
URAC is offering a new accreditation for HIPAA security compliance, for which American Specialty Health Networks (ASHN, San Diego, $107 million in revenue) was one of the first takers. "The main driver was to obtain independent, third-party evaluation of our security practices," says Kevin Kujawa, ASHN's vice president of IS. "Also, we were already aligned with URAC and saw this as another type of accreditation we could pursue."
Marne Gordan, director of regulatory rules at IT security consultancy TruSecure (Herndon, Va.), expresses skepticism about the value of the URAC security rule accreditation - while admitting TruSecure is in some respects a competitor - but says that URAC is stepping up where the Department of Health and Human Services (HHS) has not. "Someone has to give an opinion as to, 'You've done the right thing,' and HHS hasn't," she says. "The enforcement rules contain a laundry list of penalties, but there's no positive reinforcement. URAC is a natural fit because they run so many other accreditation programs," she continues, "but they need to refine their accreditation."
Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...