www.rfgonline.com Wednesday, April 18, 2001

HIPAA Privacy – First Step Down A Long Path

RFG believes that the privacy regulations associated with the Health Insurance Portability and Accountability Act (HIPAA) are only the beginning of a host of practices that will ultimately be considered prudent information management and control. Failure to safeguard sensitive data may result in legal liability whether or not HIPAA or similar regulations exist in the United States. IT executives with systems that collect, process, or store sensitive personal information must take common sense steps to protect this information and respect the privacy of their customers and employees.

Business Imperatives:

The U.S. HIPAA rules consist of three sections: privacy, security, and confidentiality. The privacy section is the only one that has been published; its regulations became final on April 14, 2001, with compliance due by 2003. The Bush administration announced the decision following a 60-day delay during which it considered many comments from industry, interest groups, and individuals. However, the administration left open the possibility of modifying the HIPAA ruling as it deems appropriate.

The American Hospital Association estimates that the cost to satisfy the privacy rules alone is $22 billion. Other organizations project the ongoing cost per organization for HIPAA compliance in the millions of dollars annually and that the overwhelming majority of organizations will require some type of consulting or systems integration assistance.

For the most part, the U.S. tends to follow a self-regulation model, while other nations, such as those within the European Union, tend to regulate through national laws. ISO 17799, for example, goes beyond any proposed U.S. law and addresses 10 compliance areas. These include Information Security Policy, Information Security Responsibility Allocation, Information Security Education and Training, Security Incident Reporting, Business Continuity (formerly Disaster Recovery) Planning, Software Reproduction Controls, Organizational Record Keeping and Safeguards, Data Protection and Security Policy Compliance. IT executives should take reasonable and prudent steps to comply with international standards, which are generally stricter than U.S. regulations.

International standards and practice among military and government organizations have combined protection of information with policies and practices concerning physical security of facilities and equipment, as well as personnel vetting and training. Over time, organizations dealing with sensitive personal data will be forced to take these measures as well.

The ISO and to some extent HIPAA recognize the need to integrate all forms of protection under a policy and procedure umbrella. There is an implicit need to inform employees, contractors, and others of these policies and procedures, monitor compliance, and deal appropriately with violations.

The need for training and cultural changes as well as potential physical movement of equipment will come as a shock to many organizations. Multi-use environments are particularly vulnerable. For example, a myriad of people may use and view a nurse’s station. Physicians, nurse practitioners, aides, and clerks may all end up using much of the same equipment. Yet, each has different roles and responsibilities with correspondingly different data access rights. User functionality that limits access transparently based on role and process will have to be implemented across all platforms. IT executives have the responsibility to ensure that data access functionality maps closely to company policies and procedures.
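The shared nurse's station described above is the classic case for role-based access control with deny-by-default and a complete decision log. The following is an added example, not code from the RFG note or from any HIPAA guidance: the roles, record categories, permission table, user names and patient identifier are all constructed for illustration. It shows one terminal serving a physician, a nurse practitioner, an aide and a clerk, with the logged-in role (not the machine) deciding what each request may touch, and every decision, allowed or denied, recorded so an auditor can later reconstruct who saw what.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

Action = str  # "read" or "write"

# Constructed policy table (an assumption for this example, not a HIPAA
# requirement): for each role, the record categories it may act on and how.
# Anything not listed here is denied by default.
POLICY: Dict[str, Dict[str, FrozenSet[Action]]] = {
    "physician": {
        "demographics":   frozenset({"read", "write"}),
        "clinical_notes": frozenset({"read", "write"}),
        "lab_results":    frozenset({"read", "write"}),
    },
    "nurse_practitioner": {
        "demographics":   frozenset({"read"}),
        "clinical_notes": frozenset({"read", "write"}),
        "lab_results":    frozenset({"read"}),
    },
    "aide": {
        "demographics":   frozenset({"read"}),
    },
    "clerk": {
        "demographics":   frozenset({"read", "write"}),
        "billing":        frozenset({"read", "write"}),
    },
}


@dataclass(frozen=True)
class AuditEvent:
    """One access decision, kept whether or not the request was allowed."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    category: str
    action: Action
    allowed: bool


@dataclass
class SharedWorkstation:
    """A single terminal used by many people. The active session's role,
    not the machine, determines which data is reachable."""
    audit_log: List[AuditEvent] = field(default_factory=list)

    def is_permitted(self, role: str, category: str, action: Action) -> bool:
        # Deny-by-default: unknown roles, categories or actions all fail closed.
        return action in POLICY.get(role, {}).get(category, frozenset())

    def request(self, user: str, role: str, patient_id: str,
                category: str, action: Action) -> bool:
        """Evaluate a request and append the decision to the audit trail."""
        allowed = self.is_permitted(role, category, action)
        self.audit_log.append(AuditEvent(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, patient_id=patient_id,
            category=category, action=action, allowed=allowed))
        return allowed


def denied_events(log: List[AuditEvent]) -> List[AuditEvent]:
    """Auditor's view: every refused request, for follow-up."""
    return [e for e in log if not e.allowed]


def accesses_for_patient(log: List[AuditEvent], patient_id: str) -> List[AuditEvent]:
    """Disclosure accounting: every successful access to one patient's records."""
    return [e for e in log if e.patient_id == patient_id and e.allowed]


def run_shift() -> SharedWorkstation:
    """Constructed sequence of requests at one nurse's station during a shift."""
    ws = SharedWorkstation()
    ws.request("dr_lee", "physician", "P-1001", "clinical_notes", "write")        # allowed
    ws.request("np_kim", "nurse_practitioner", "P-1001", "lab_results", "read")   # allowed
    ws.request("aide_ortiz", "aide", "P-1001", "clinical_notes", "read")          # denied
    ws.request("clerk_dawes", "clerk", "P-1001", "billing", "write")              # allowed
    ws.request("clerk_dawes", "clerk", "P-1001", "clinical_notes", "read")        # denied
    ws.request("visitor", "unknown_role", "P-1001", "demographics", "read")       # denied
    return ws


if __name__ == "__main__":
    station = run_shift()
    for e in station.audit_log:
        verdict = "ALLOW" if e.allowed else "DENY"
        print(f"{e.timestamp} {e.user:<12} {e.role:<18} {e.category:<15} {e.action:<5} {verdict}")
    print(f"{len(denied_events(station.audit_log))} denied of {len(station.audit_log)} requests")
```

The policy table is the piece that must map to the organization's written procedures: if the procedure says aides may not see clinical notes, that is a missing entry in the table, not a training issue. Logging denials as well as grants is what makes the trail useful to an auditor, since a pattern of refused requests from one account is often the first sign that a shared terminal is being used outside its intended role.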

In parallel with these cultural and procedural changes is the increased pace of technological innovation. The principle of safeguarding information based on its value rather than its location takes on new meaning as health professionals and others rely on personal digital assistants (PDAs) and other wireless devices to conduct their business.

There are certain fundamentals that are very likely to be embodied in any data privacy or data protection legislation. They are best summarized by the UK Data Protection Act of 1998 which states:

  1. Personal data shall be processed fairly and lawfully.
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

IT executives, even those not affected by HIPAA, should keep these guidelines in mind. Those affected by HIPAA should remember that the goal of HIPAA was to provide a sort of cookbook approach to information security.

A particularly interesting aspect of HIPAA is the responsibility to vouch for business associates. As stated in CFR Part 164, Security and Privacy, all organizations in the chain of processing must comply with the law. Data creators are responsible for ensuring the compliance of those with whom they do business. Key areas of concern for IT managers include validation of patient consent (and an audit trail for it), confirmation of disclosure policy, and confirmation that each business associate in turn recognizes its obligations toward those with whom it does business.

Consent is especially important because a flawed consent is among the best grounds for a lawsuit. Key ingredients of a solid consent policy include notice that is clear, complete, and understandable by the data subject, such as a consumer or patient. Where necessary, the burden is on the data processor to translate into a language the data subject can understand, or into that of the country hosting the data processor. Clear statements of the patient's right to ask for restrictions on the use and disclosure of the information they provide are important. In addition, solid evidence of voluntary disclosure, perhaps a good old-fashioned signature, is also needed.

There are four areas of checklists: Administrative Procedures, Physical Safeguards, Technical Security Service, and Technical Security Mechanisms. The major topics addressed by each are:

Administrative Procedures
  • Certification/Accreditation
  • Chain of trust partner agreement
  • Contingency plan
  • Formal mechanism for processing records
  • Information access control
  • Internal audit
  • Personnel security
  • Security configuration and management
  • Security incident procedures
  • Security management procedures
  • Termination process
  • Training

Physical Safeguards
  • Assigned security responsibility
  • Media controls
  • Physical access controls
  • Policy/guidelines on workstation use
  • Secure workstation location
  • Security awareness training

Technical Security Service
  • Access control
  • Audit controls
  • Authorization control
  • Data authentication
  • Entity authentication

Technical Security Mechanisms
  • Communications/network controls
  • Controlled intrusion test
  • Internet vulnerability assessment
  • Recommended remediation
  • Information security roadmap

RFG believes that organizations today are living in a world of legal uncertainty. Laws are incomplete and unclear with organizational liability likely to be determined by future litigation judging today’s facts by tomorrow’s standards. The best way to minimize liability is likely to be a combination of acting in good faith, employing best efforts and technology, and performing in line with the duty of care and standard of care. Organizations will need to be diligent with their logging, reporting and auditing capabilities. IT executives should be able to demonstrate they took affirmative and logical steps to protect data entrusted to them, were responsible, and took reasonable steps under the circumstances.


Copyright © 2001 Robert Frances Group, Inc. All rights reserved. Agenda products are published by Robert Frances Group, Inc., 22 Crescent Road, Westport, CT 06880. Telephone (203) 291-6900. Facsimile (203) 291-6906. http://www.rfgonline.com. This publication and all Agenda publications may not be reproduced in any form or by any electronic or mechanical means without prior written permission. The information and materials presented herein represent to the best of our knowledge true and accurate information as of date of publication. It nevertheless is being provided on an "as is" basis. Reprints are available.


RFG Research Notes provide concise, high-level analysis and recommendations on specific topics of interest to enterprise IT executives. The Notes also provide a framework for further detailed Inquiries by RFG clients.
