Just when healthcare administrators and information technology (IT) experts thought they could return to the routine duties of daily facility operation, the U.S. Congress and the Department of Health and Human Services have plopped the Health Insurance Portability and Accountability Act of 1996 (HIPAA) into healthcare’s collective lap.

Although final requirements are not complete, the industry nonetheless is becoming increasingly familiar with the spirit of Section 45, CFR Part 142. What HIPAA really means is stricter security of patient information. The document encourages the development of an electronic data interchange (EDI) and/or healthcare information system (HIS); the security and confidentiality of all identifiable patient information on an EDI or HIS; and the authentication of anyone sending, receiving or viewing those records.

HIPAA covers all healthcare providers — from large delivery networks to clinics and single physician offices — payers, such as insurance companies and health plans, and clearinghouses that perform intermediary services for providers and payers.

Currently, the scheduled date for final HIPAA regulations is May. Healthcare institutions and related entities, as proposed now, would then have until May 2002 to comply with HIPAA rules.

While the finer details of HIPAA still must be finalized, healthcare providers are well aware that they must have security measures completed on time.

“I think that a large percentage of facilities will need work,” opines Robert Neil, healthcare purchasing analyst at Medical Data International Inc. (MDI of Santa Ana, Calif.). “There is no one who will be able to put a few chips into a system and be compliant with the new regulations.”

Y2K déjà vu
Reaction to the coming HIPAA regulations has been mixed. Some healthcare providers, still hung over from spending considerable amounts of money to exterminate the Y2K bug, are not sure two years is enough time to implement more stringent security safeguards in HIS infrastructure.

“They want to be prepared, but a large portion of hospitals want longer to deal with this issue,” says Neil. “They feel it is just too soon after Y2K to put them through something else that potentially can be as expensive.”

As one would suspect, large hospital networks with greater financial and human resources have begun to work on securing internal and remote HIS networks. Smaller facilities, such as clinics and physician offices, generally are taking a wait-and-see approach, opting to evaluate final HIPAA rules before taking any action.

“Some providers are taking Y2K task forces and turning them into HIPAA task forces — not because of the IT expertise, but because of the project management expertise,” says Frederick Rickabaugh, manager of e-Security for Ernst & Young’s National Healthcare Practice (Greenville, S.C.). “Healthcare providers are more concerned about the security and privacy. They have traditionally taken that as a serious attribute they want to maintain, while payers look much more to the EDI standards, because it very much affects their workflow.”

Certainly, some security safeguards are in place already as part of a healthcare provider’s or payer’s standard practice. However, if the Internet is used as the conduit for transmitting patient information, concerns escalate.

“That’s where the public is questioning the effect of security and confidentiality,” adds MDI’s Neil. “You don’t want hackers getting in or having information accidentally sent someplace it isn’t supposed to be sent.”

Security for all
Security and authentication measures essentially are based on three criteria:

• Information that the user knows, such as his or her name and password;
• An item one has, such as a device which provides information to a user, who, in turn, supplies that information with a password as a second authentication factor;
• A unique personal characteristic, such as a fingerprint image, iris scan or voice or handwriting sample.

“It is two-factor authentication that gives the additional degree of security by assuring the authentication,” says Ernst & Young’s Rickabaugh. “You would have to lose control of more than one factor in order for someone to masquerade as someone else.”

Perhaps the most important component of HIPAA’s security mandates is the requirement that a healthcare-related entity audit and record which individuals access which records and when. Those identities must be tracked to an individual for accountability.

“If you can’t hold individuals accountable,” Rickabaugh adds, “then you can’t enforce the standards.”

In addition, if a patient were to ask a healthcare-related entity for a record of who accessed his or her records and when, the entity must be able to comply with the patient’s request.
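The audit requirement just described, as an added example that is not code from the article or from any vendor it names: an append-only access log that refuses entries it cannot attribute to one individual, and the per-patient accounting a patient may request. The log lines, user names and record ids are constructed for illustration.

```python
# Added example: HIPAA-style access audit trail (not from the article or any vendor).
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple

# Generic or role accounts cannot be held accountable, so entries under them are refused.
SHARED_ACCOUNTS = {"nurse", "admin", "shared", "guest", "system"}


@dataclass(frozen=True)
class AccessEvent:
    at: datetime
    user_id: str       # must identify exactly one person
    patient_id: str
    action: str        # view / update / print ...


class AccessAuditLog:
    def __init__(self) -> None:
        self._events: List[AccessEvent] = []   # append-only; deliberately no delete method

    def record(self, user_id: str, patient_id: str, action: str, at: datetime) -> AccessEvent:
        # Accountability needs an individual: an entry that names no one cannot be enforced.
        if not user_id or user_id.lower() in SHARED_ACCOUNTS:
            raise ValueError(f"access must be attributed to an individual, got {user_id!r}")
        ev = AccessEvent(at, user_id, patient_id, action)
        self._events.append(ev)
        return ev

    def ingest_line(self, line: str) -> AccessEvent:
        """Parse one HIS log line in the constructed form 'ISO-time user patient action'."""
        ts, user_id, patient_id, action = line.split()
        return self.record(user_id, patient_id, action, datetime.fromisoformat(ts))

    def accounting_for_patient(self, patient_id: str) -> List[AccessEvent]:
        """What a patient is entitled to ask for: who accessed the record and when, oldest first."""
        return sorted((e for e in self._events if e.patient_id == patient_id), key=lambda e: e.at)


def load_constructed_log() -> Tuple[AccessAuditLog, int]:
    """Three attributable lines plus one under a shared account; returns the log and the reject count."""
    lines = [  # constructed sample log lines
        "2000-03-01T08:15:00+00:00 rn.jones P1001 view",
        "2000-03-01T08:20:00+00:00 dr.patel P1002 update",
        "2000-03-02T14:05:00+00:00 dr.patel P1001 print",
        "2000-03-02T14:10:00+00:00 nurse P1001 view",
    ]
    log, rejected = AccessAuditLog(), 0
    for line in lines:
        try:
            log.ingest_line(line)
        except ValueError:
            rejected += 1
    return log, rejected
```

A rejected line should itself be alerted on, since a workstation logged in under a shared account is exactly the gap the accountability rule is meant to close.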

The Internet
The most stringent HIPAA security and confidentiality requirements likely will cover patient information and transactions that are transmitted over the Internet. Because the information is crossing a public network, HIPAA likely will require virtually irrefutable evidence that only the appropriate person gains access to the information through two-factor authentication.

The most prevalent technology available on the Internet is public key infrastructure (PKI). PKI technology currently is incorporated into major Web servers and Internet browsers and has become the primary authentication technology on the Internet.

PKI is based on software and encryption technology. The encryption method uses a two-part key, or code, that consists of a public and private component. The message is sent encrypted with the public key and then is read by the recipient who has his or her own private key.

A public key is an encoded value that is made available to an established group, such as a company and its partners. A private key also is an encoded number set, but this key is accessible to only one person. When the correct private key is used with the corresponding public key, the message is unscrambled, allowing the appropriate person access to the transmission.

HIPAA Facts
What is HIPAA?
Health Insurance Portability and Accountability Act of 1996
    • Signed into law by President Clinton in August 1996
    • Addresses requirements for portability of health insurance

Section 45 CFR Part 142 was introduced in August 1998
    • Proposed rule
    • Addresses requirements for securing electronic health information
    • Rule focuses on Security and Electronic Signature Standards

What is Section 45, CFR Part 142?
Its purpose is to improve the efficiency and effectiveness of the healthcare system by encouraging the development of a health information system.

Healthcare organizations can achieve this objective through the establishment of standards for use with electronic data interchange, transaction sets, data codes, and identification numbers, as well as by ensuring the security of electronic health information.

“Essentially, every single browser in the world — as long as it’s reasonably current — is capable of providing strong authentication services,” says Jeremy Wyant, senior technology analyst at CyberTrust Solutions Inc. (Needham Heights, Mass.). “That is the ability to identify who you are and the ability to provide digital signature capability.”

(Note: Wyant will present “An Introduction to Public Key Infrastructure” at HealthTech 2000 at the end of this month in Dallas. See “HealthTech 2000 Preview: Exploring New Frontiers” on page 72 for more information.)

Wyant describes a digital signature as a shortened version of a digital message. During a transaction, a digital signature acts as an electronic seal, providing evidence that a message has been illegally opened.

CyberTrust is a certificate authority, a third party that vouches for the identity and authenticity of entities or individuals involved in a transaction. A certificate authority creates or issues digital certificates.

A digital certificate is an electronic document that identifies and binds an individual or group to a public key. A digital certificate is the public key — comparable to an identification card — which has been digitally signed by the certificate authority.

The real world
Quorum Health Group Inc. (Brentwood, Tenn.) began evaluating its HIS infrastructure about two years ago in the 21 hospitals it owns. Quorum also manages 200 other facilities, which handle their own technology and funding.

In 1998, Quorum signed a contract with then-HBO & Co. (now McKessonHBOC Inc. of San Francisco) to enhance the sanctity of information transmissions. As of early March, Quorum had stricter protocols implemented in eight of its hospitals.

Quorum started its security campaign at individual workstations with relatively simple solutions. When employees accessed confidential information and left their desks unattended for a short period of time, the records were “wiped off” the screen. When the user returned, he or she had to sign on again.

Quorum also instituted a procedure to change everyone’s password periodically to prevent colleagues from learning others’ passwords. “It sounds mundane,” says David Joiner, Quorum’s vice president of technology and CIO, “but that is a big cultural thing you have to be careful with.”

Quorum and McKessonHBOC currently are collaborating on key satellite technology. McKessonHBOC’s device looks like an electronic car lock that fits on a key chain. It has a liquid crystal display (LCD) window with six digits displayed on the screen.

“Every 60 seconds, this number is changing,” says Robert Connely, vice president of Web technology for McKessonHBOC. “When someone signs into the system, he or she enters the six numbers displayed, plus a four-digit personal identification number, or PIN. That’s how one gains two-factor authentication.”

When the user signs on, the system determines what the six-digit number on the device should be, adds the PIN and verifies whether the user entered the correct numbers.

“We are controlling who comes in and what they gain access to,” Connely says. “This does not say what data they saw, just that they went to the system in this timeframe. We’ll have to work on our applications to modify who saw what, where, when and why. That will be a much more complex function and [we’re] working on that.”

Connely says that the company has been live with key satellite technology for approximately nine months and that it is operational in approximately a dozen hospitals across the country.

Biometric authentication
Troy Stillwagon, chief security officer at Scott & White Hospital and Clinic (Temple, Texas), has the task of coordinating HIPAA compliance among Scott & White’s 600-bed main hospital and clinic, as well as 19 remote facilities. Scott & White has approximately 500 physicians in its network and offers a health insurance plan that covers some 160,000 lives.

Scott & White is developing several telemedicine initiatives using the Internet as the information conduit.

“The way we’re moving is affected very strongly by HIPAA, because we’re giving the ability to the patients to get their patient information, to make appointments and to fill prescriptions more easily,” says Stillwagon. “A lot of that information will use Internet-based and browser-based technology to provide more information to the patient and have more remote access users on our systems, so we can grow our business beyond central Texas.”

Scott & White uses biometric authentication technology from Integrated Visions Inc. (IVI of Sebastian, Fla.). IVI’s technique plots ridges throughout a person’s fingerprint and uses an algorithm to convert those points into a digital, numeric representation. Every time a fingerprint is presented, the technology checks the points to confirm the user’s identity.

“Authentication is the cornerstone to security infrastructure. Being able to irrefutably authenticate a user accessing this confidential information builds accountability into the security process and ensures that only those individuals with the right and need to know are given access,” says Mariann Yeager, IVI’s director of industry relations. “That’s why the requirements around authentication and access controls are so important.”

IVI also provides a single sign-on feature, which allows a user to authenticate his or her identity once and have access to the suite of applications that person is authorized to use.

As of mid-February, Scott & White had IVI’s technology installed on approximately 100 workstations for some 200 users at the main hospital. The plan was to have implementation for the main hospital and clinic finished by the end of March.

“We do not believe passwords — which is what we use now — are a strong enough authentication method,” Stillwagon says.

With the biometric fingerprint scan, Stillwagon says he feels “99 percent sure” it is that person using that machine.

Scott & White employees have adapted to the biometric fingerprint technology very well, once it is explained that the scan is producing a digital numeric representation and not re-creating the fingerprint itself.

“If the government came down and wanted us to produce a fingerprint image of a person, there is no way we could do that,” says Steve Raynes, Scott & White’s manager of testing, auditing and compliance. “There is no image; it’s just data.”

“The digital representation can’t be changed back into a fingerprint and the finger has to be live for authentication,” adds IVI CEO Sheila Schweitzer.

The eyes have it
Another form of biometric authentication technology is iris scan.

IriScan Inc. (Marlton, N.J.) is the exclusive owner and developer of iris recognition technology and holds patents in the U.S. and abroad on iris recognition.

As with fingerprints, no two irises are alike in their mathematical detail. IriScan describes the random patterns of an iris as a “human barcode.” The iris recognition process begins with video-based image acquisition that locates the eye and iris. IriScan takes a picture of the eye as far as three feet away using a standard camera.

Thomas DeWiner, IriScan’s manager of business development, says the company has several healthcare sites in beta testing for its iris scan technology, which has been used primarily in the financial industry and other high-security environments.

IriScan has a strategic alliance with CitX Corp. (Quakertown, Pa.) and CitX’s healthcare affiliate, IntraMedX Corp. (Quakertown). CitX, which specializes in secure Internet e-commerce and e-business solutions, will integrate IriScan products and technologies into new security-enabled products. The first product will be developed for and marketed to the healthcare industry by IntraMedX, which provides secure subscription-based Web-hosted e-healthcare services and solutions to the healthcare industry over the Internet.

IntraMedX also operates HCSIN (Health Care Services Information Network), a secure, distributed, Internet-based private healthcare network that connects physicians, healthcare providers, hospitals, payers, laboratories and other healthcare entities. HCSIN currently serves more than 50,000 healthcare providers.

HCSIN uses PKI technology to package and transmit confidential information. Baltimore Technologies plc (Basingstoke, Hampshire, United Kingdom) supplies the PKI technology to CitX, as well as CyberTrust.

CitX also adds a second layer of security with its own software called PTXP. PTXP removes all personal information on a patient record and encrypts the entire package.

The software then “reconstructs the individual’s identity at the destination, once it is established that the destination is a trusted receiver,” explains Bernie Roemmele, founder, chairman and CEO of CitX and IntraMedX. “If a hacker were to break through the PKI encryption, all he or she would get is the medical record minus the personal information.”

Legal issues
Behind the technological aspects of HIPAA are the legal ramifications. As with virtually all government-sanctioned regulations, facilities need to have a clear understanding of how the rules will apply to them.

“There is always the ever-ready excuse of reliance on advice of counsel when trying to interpret vague laws,” says Robyn Meinhardt, partner in the law firm of Foley & Lardner (Denver). “So far, the proposed rules, especially the privacy and confidentiality regulations, are very complex and ambiguous in their application and length.”

To complicate matters, federal laws differ from state laws in many cases regarding access to patient records. One example is the release of patient information for a criminal investigation or to a state or federal agency.

“Many states require a warrant or a subpoena before such information is supplied,” says John Eggertsen, partner in the law firm of Honigman Miller Schwartz and Cohn (Detroit). “If you’re a healthcare provider responding to a New York request, there may be a different answer than if you were responding to a Michigan or Louisiana request.”

Another unresolved issue, Eggertsen says, is payment for services. As the proposed regulations stand, an insurance company or third-party administrator for a healthcare plan may only receive a bill from a healthcare provider with whom the payer has a contract that ensures confidentiality obligations.

“Does that mean I would have to have a contract with every healthcare provider that I might ever write a check to on behalf of a medical plan?” Eggertsen asks.

HIPAA proposes both civil and criminal penalties for non-compliance. Civil monetary penalties range from $100 per day per violation to a maximum of $25,000 per year per violation. Criminal penalties start at $10,000 and one year in jail per violation and can reach a fine of $250,000 and 10 years in jail.

The penalties are linked to “a very ambiguous rule that can be very easy to break, if it is not clarified well,” warns Meinhardt.

For example, HIPAA proposes a penalty for using patients’ health information for marketing purposes, if done without a patient’s authorization. That proposed rule begs the question: What constitutes marketing?

Much of what hospitals do is focus on improving the health of their communities. Say, a hospital sees a rise in a particular health problem in the area it services. The facility very well may wish to look at individual patient records to determine the extent of the problem and devise an awareness campaign. The strategy may include offering classes, thus drawing potential patients to that hospital, rather than a competing facility.

“Will these activities be considered marketing? If so,” Meinhardt says, “failure to get authorization of each patient whose record is examined at the outset would be a violation with a very severe penalty attached to it.”

The bottom line
The biggest question is: How much will HIPAA cost healthcare institutions when all is said and done?

There are two schools of thought. Some industry observers believe healthcare providers will have to allocate more money on HIPAA compliance than they spent on Y2K safeguards.

Other analysts would not be surprised if HIPAA spending is less than Y2K. They say HIPAA deals primarily with the more narrow realm of healthcare information systems, whereas Y2K issues addressed all facets of an institution from computer systems to power sources to emergency lighting.

Scott & White has a capital budget of $1.2 million for HIPAA projects in this fiscal year, which ends in August. Most of those funds have been allocated for single sign-on and biometric technology.

Stillwagon estimates that Scott & White will spend between $5 million and $8 million to become HIPAA-compliant, given its various telemedicine and e-commerce projects. By comparison, Scott & White spent between $7 million and $8 million on its Y2K initiative.

Quorum’s Joiner declined to estimate what the company may allocate to have its systems ship-shape for the HIPAA deadline.

“We are confident that our normal plans and process — and the fact that we’ve been working on it for a couple of years — will be able to sustain what we’re doing on an expenditure level,” he adds. “I don’t think anybody can say [HIPAA] is going to cost this [amount].”

As for the proposed two-year timetable to implement HIPAA regulations, Joiner is confident Quorum will fall into compliance.

“Traditionally, when the government sets that date, it takes longer to coordinate between the government and the healthcare industry,” he says.

Ernst & Young’s Rickabaugh has wide estimates on HIPAA costs. “In general, it will be one half of Y2K costs up to two or three times Y2K costs,” he says. “A lot of these costs will be organizational and administrative in nature. They’ll be internal dollars and how [facilities] account for people’s time and internal time.”