Medical Industry Addresses Security in Technology Age

Prying eyes in the office find their way to sensitive health care information.

Prying eyes on the Internet do the same.

While idealists dream of a streamlined medical records system, with easily portable electronic files taking the place of cardboard folders, a vision of hackers, looky-loos and opportunists easily spoils the dream.

It’s behavior the federal government is working to discourage.

To that end, the government is threatening prison terms as long as 10 years and fines as large as $250,000 for people who might make a business of selling other people’s electronic medical information. Even the accidental disclosure of information could bring a fine of $100.

The penalties are spelled out in the Health Insurance Portability and Accountability Act.

The act, abbreviated HIPAA, made headlines in 1996 because it allows people to more easily transfer health benefits from one job to another.

In recent years though, medical officials have been sizing up the privacy and security demands of HIPAA, along with its mandate to put medical and insurance records in a common, electronic format.

Remaking the records system will cost time and money, said Glenda Owens, a spokeswoman for Prescription Solutions, a unit of Santa Ana-based PacifiCare Health Systems Inc., which employs 300 people at its mail-order pharmacy in Carlsbad.

– Industry Begins To Accept Change

Denial that change is at hand is giving way to acceptance, said Dixie Baker, who noted the industry is approaching HIPAA as if it were going through the classic stages of grief.

Baker, a vice president with San Diego-based Science Applications International Corp., works with companies on HIPAA compliance. Part of her job is keeping a “white paper” analysis of the HIPAA regulations, which is posted on the SAIC Web site, up to date with the latest developments.

HIPAA is still a work in progress. Only certain parts are finalized. Specifications for uniform electronic records, for example, are finished and set to take effect in 2002.

Standards related to privacy and security are not done yet. The Bush administration could signal its direction on records privacy by the middle of this month.

Generally, the government will require people to comply with the regulations two years after they are finalized.

Health care companies may easily pay more to comply with HIPAA than they did to avoid the millennium bug, said Jana Aagaard, legal counsel for San Diego-based Sharp HealthCare, which runs several local hospitals and medical groups.

– Complying Is A Strategic Move

Baker, though, said the comparison may not work in all respects. The millennium bug scare was “diversionary,” she said. The changes brought by HIPAA, on the other hand, can be part of a health care company’s strategic direction.

Part of HIPAA deals with records security. The federal government has yet to publish its final rule on the matter.

“The biggest impact on a health care organization, whether it be a provider or a payer, is not really the technology,” Baker said. “It’s really that HIPAA changes the way they do business.”

With the new security regulations, companies will have to make sure only the proper people get access to data.

Even if a customer service representative is called away from her work station, the technology and the procedures must prevent a colleague from seeing a customer profile, said Prescription Solutions’ Owens.

Security is more than just confidentiality. By Baker’s account, it means making sure the medical file is available when needed. And it means maintaining the integrity of medical data, making sure it is not corrupted.

On the technical side, the rule will likely contain provisions on data audits, authentication, system integration and digital signatures.

– Systems Set Up As Paper Trails

Computer systems will likely track who gets into a record and when, leaving a kind of electronic paper trail.

Some systems are not configured to do that, Baker said. A health worker may be using a personal computer to tap into a separate database and may be able to do it anonymously.

That will have to change. What’s more, the system will have to authenticate that the proper person is gaining access to information.
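The two requirements just described, a trail of who touched which record and when, and a system that first establishes who is asking, can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from the article, SAIC or any company named in it: a hypothetical records store in Go that refuses anonymous reads, writes every attempt (granted or denied) to an audit log, and links each log entry to the previous one with a SHA-256 hash so that a later edit to history is detectable. The user name, password, salt and patient record are constructed sample data.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

const sampleUser, samplePassword = "jdoe", "correct horse battery" // constructed sample credential

// user keeps a salted password hash; salted SHA-256 keeps the example dependency-free,
// production code would use bcrypt/scrypt/Argon2 behind an enterprise identity provider.
type user struct {
	salt    string
	pwdHash [32]byte
}

// AuditEntry is one line of the electronic paper trail; Hash covers all other fields, PrevHash included.
type AuditEntry struct {
	Seq                      int
	When                     time.Time
	UserID, RecordID, Action string
	PrevHash, Hash           string
}

// RecordStore is a hypothetical records system: no anonymous reads, every attempt appended to Log.
type RecordStore struct {
	users   map[string]user
	records map[string]string
	Log     []AuditEntry
}

func hashPassword(salt, pwd string) [32]byte {
	return sha256.Sum256([]byte(salt + ":" + pwd))
}

// NewRecordStore seeds one constructed user and one constructed patient record.
func NewRecordStore() *RecordStore {
	return &RecordStore{
		users:   map[string]user{sampleUser: {salt: "s0d1um", pwdHash: hashPassword("s0d1um", samplePassword)}},
		records: map[string]string{"P-1001": "patient 1001: lisinopril 10 mg daily"},
	}
}

// Authenticate compares in constant time and answers the same for an unknown user as for a wrong password.
func (s *RecordStore) Authenticate(userID, pwd string) bool {
	u, ok := s.users[userID]
	h := hashPassword(u.salt, pwd) // computed even for unknown users, so timing does not reveal valid names
	return ok && subtle.ConstantTimeCompare(h[:], u.pwdHash[:]) == 1
}

func entryHash(e AuditEntry) string {
	line := fmt.Sprintf("%d|%s|%s|%s|%s|%s", e.Seq, e.When.UTC().Format(time.RFC3339Nano),
		e.UserID, e.RecordID, e.Action, e.PrevHash)
	return fmt.Sprintf("%x", sha256.Sum256([]byte(line)))
}

func (s *RecordStore) appendEntry(userID, recordID, action string) {
	e := AuditEntry{Seq: len(s.Log), When: time.Now(), UserID: userID, RecordID: recordID, Action: action}
	if n := len(s.Log); n > 0 {
		e.PrevHash = s.Log[n-1].Hash // back-link to the previous entry
	}
	e.Hash = entryHash(e)
	s.Log = append(s.Log, e)
}

// Read hands a record only to an authenticated user; denied attempts are logged too.
func (s *RecordStore) Read(userID, pwd, recordID string) (string, error) {
	if !s.Authenticate(userID, pwd) {
		s.appendEntry(userID, recordID, "DENIED")
		return "", errors.New("authentication failed")
	}
	s.appendEntry(userID, recordID, "READ")
	return s.records[recordID], nil // unknown IDs yield ""; a real system would log and reject them
}

// VerifyLog walks the chain and returns the index of the first entry whose sequence,
// back-link or hash is wrong; (len(log), true) means the trail is intact.
func VerifyLog(log []AuditEntry) (int, bool) {
	prev := ""
	for i, e := range log {
		if e.Seq != i || e.PrevHash != prev || entryHash(e) != e.Hash {
			return i, false
		}
		prev = e.Hash
	}
	return len(log), true
}

func main() {
	s := NewRecordStore()
	s.Read(sampleUser, "guess", "P-1001") // wrong password: denied, but still on the trail
	s.Read(sampleUser, samplePassword, "P-1001")
	s.Log[0].UserID = "mallory" // someone rewrites history after the fact
	i, ok := VerifyLog(s.Log)
	fmt.Println("trail intact:", ok, "first bad entry:", i)
}
```

The chain only makes tampering visible; an insider who can rewrite the whole log file can recompute every hash after the edit point. In practice the newest hash is anchored somewhere the editor cannot reach, such as append-only storage or a periodically signed checkpoint, which is where the digital signatures the security rule may also require come in.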

The security standard may require a digital signature: a short value computed from the document with the signer’s private key and sent along with the document itself, which lets the recipient confirm that the document is unaltered and came from the holder of that key.

It may also require a digital certificate, a kind of electronic identification card. One company that would like a share of that work is Entrust HealthCentric LLC of Nashville, Tenn.
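The signature-and-certificate mechanism the two paragraphs above describe, shown as an added example written for this page and not taken from the article, Entrust or any other named vendor: a hypothetical prescription record is signed with an Ed25519 key pair from Go’s standard library, and verification fails both when a field is altered after signing and when someone else’s key is presented. The Record fields, the prescriber and the patient ID are assumed sample data. The binding of a public key to a real person’s identity, which is the certificate’s job, is not modelled beyond the comment.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Record is a hypothetical prescription record. Field order is the canonical
// encoding: signer and verifier must serialize it byte-for-byte identically.
type Record struct {
	PatientID  string `json:"patient_id"`
	Prescriber string `json:"prescriber"`
	Drug       string `json:"drug"`
	Dose       string `json:"dose"`
}

func canonical(r Record) []byte {
	b, err := json.Marshal(r) // deterministic for a struct: fields in declared order
	if err != nil {
		panic(err) // cannot fail for plain string fields
	}
	return b
}

// Signer holds a prescriber's key pair. In deployment the public half would be
// carried in a certificate that ties it to the prescriber's identity.
type Signer struct {
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{pub: pub, priv: priv}, nil
}

func (s *Signer) PublicKey() []byte { return []byte(s.pub) }

// Sign returns the signature that travels alongside the record; it is computed
// over the record, not an encrypted copy of it.
func (s *Signer) Sign(r Record) []byte { return ed25519.Sign(s.priv, canonical(r)) }

// Verify reports whether sig was produced over exactly this record by the holder
// of the private key matching pub. Any edit, or a different key, makes it false.
func Verify(pub []byte, r Record, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false // ed25519.Verify panics on a malformed key, so reject it here
	}
	return ed25519.Verify(ed25519.PublicKey(pub), canonical(r), sig)
}

func main() {
	dr, _ := NewSigner()
	rx := Record{PatientID: "P-1001", Prescriber: "dr-garcia", Drug: "lisinopril", Dose: "10 mg"}
	sig := dr.Sign(rx)
	fmt.Println("original verifies:", Verify(dr.PublicKey(), rx, sig))
	rx.Dose = "100 mg" // altered in transit
	fmt.Println("altered verifies: ", Verify(dr.PublicKey(), rx, sig))
}
```

Note that the verifier needs the public key from somewhere it trusts; a signature that checks out against a key nobody has vouched for proves only that some key holder signed it, which is the gap a certificate from an identity-vetting issuer is meant to close.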

– Security Addressed At Health Care Summit

Entrust officials were in San Diego last week, promoting their services during an “e-healthcare summit” sponsored by Gartner Group, a Stamford, Conn.-based technology consulting firm.

A digital certificate provides “a high level of assurance” a person is who he says he is, said Dan Nutkis, general manager of Entrust HealthCentric. Entrust stands behind that identification with a warranty, he said. He acknowledged the warranty comes with monetary compensation if things go wrong.

Strong encryption will be important when medical records go online, said Beth Givens, director of the San Diego-based Privacy Rights Clearinghouse.

Also important will be electronic audit trails and employee training.

“Creating a culture of confidentiality is so important,” she said.

Givens said she could not speak about a specific company’s product. Yet she did say computer security isn’t foolproof.

Consider that a person will need to know a secret “key” to get access to his medical records. An outsider could get that key using a private investigator’s technique called the “pretext interview.”

It’s similar to someone calling up a bank and saying, “Hi, this is John Doe. I’m out in the middle of the desert and need to get some account information. Could you give that to me?”

Often the weak link in the security chain is not technology but a dishonest insider, Givens added. Employee background checks may be a good safeguard, she said.

At first glance, security may seem to be the same thing as privacy. It is not, especially when speaking the specific language of HIPAA.

Privacy, the subject the Bush administration will soon weigh in on, relates to who may view medical records and how they may be used.

SAIC’s Baker calls it a human rights issue, not to mention a shift in power, from the provider to the patient.

By her account, HIPAA says, “Look, patient, here are your rights with respect to your health information.”

HIPAA will require a culture change in the medical community, she said, and that will be difficult.

Many members of the medical community are not exactly welcoming this change. A recent Privacy Rights Clearinghouse newsletter notes “the Bush administration is being bombarded by the health care and health insurance industries to reject the regulations as being too costly to implement.”

Yet a key dilemma with HIPAA, said Sharp’s Aagaard, is the tension between privacy regulations and a medical professional’s need to know all he can about a patient and his condition.

At Prescription Solutions, Owens said, a pharmacist may need a patient’s permission to consult with doctors about the kind of medication a patient is taking. What if a new medication comes out, she asked, and the pharmacy wants to speak to doctors who prescribe the old one?

For all of its dilemmas and controversies, several observers said HIPAA promises many good things.

It will speed data processing, said Owens.

Think of receiving insurance benefits explanations via e-mail, said Entrust’s Nutkis.

What’s more, people covered by two insurance carriers will quickly be able to see how both handle the claim, Baker said.

“HIPAA is the best thing that’s happened to health care in a long, long time,” she said.

