Fred Rickabaugh's take on the HIPAA security rules is shared by every IT professional and compliance expert interviewed...
for this series: It may be a pain in the neck, but it's a necessary response to the threats of the information age.
"When I got here in 2000, my goal from the beginning was comprehensive security," said Rickabaugh, CISO for Premier Inc., a San Diego-based alliance of non-profit hospitals and healthcare systems across the United States. "Before HIPAA's privacy and security rules came along, we had been demanding these standards."
Getting there is hard. With a growing mobile workforce armed with laptops and ever-advancing, ever-more-integrated technology, it's going to get harder, he said. It's especially challenging for an organization like Premier, which helps members find ways to improve their quality of care and do it in a more cost-effective way.
"One of the big challenges is making sure IT staff is on top of who is using the network, who has what access and getting people to fall in line with the rules of usage," Rickabaugh said. "But it gets better with time. People see the value in the long run. Encryption for laptops is an example: If the data is encrypted and the laptop is lost, the integrity of the information is still there."
In the end, his point is the same as others interviewed. "We are the stewards of customer data," he said. "We have a responsibility to them so they can protect those who matter the most -- their patients."
Harry Reynolds, vice president of HIPAA and information compliance officer for BCBS of North Carolina, said the key to meeting the HIPAA challenge is understanding the threats that come with doing business online.
"With personal information so critical, with healthcare information so important and with threats like identity theft, organizations can't afford to ignore security," he said. "HIPAA offers a structure to help protect people's rights and information. There are different obstacles and the solutions are imprecise across the board. But despite the shakeout period ahead, it's all for the good."
And whether the organization is a small office, a large insurance company or a nonprofit hospital chain, it's important to remember HIPAA doesn't demand a one-size-fits-all approach.
"I try to tell the average practice that there's a lot of flexibility in the security aspect of HIPAA," said Jennifer Daniels, a lawyer specializing in health issues for Blank Rome, a firm with offices up and down the East Coast. "They need to understand that the requirement is for them to meet the requirements to the best of their ability, based on their size and budget."
Another point organizations must remember is that as technology advances and new threats emerge, existing laws may change and new laws will likely appear, said Lisa Gallagher, a consultant with Maryland-based Javelin Technology Group.
"This doesn't end with the April deadline," she said. "There will probably be some tweaking to HIPAA and we might see new regulations. Ultimately, in the information age you need to make security and compliance a part of the daily business practice."