Reading between the HIPAA guidelines

By Karen Guglielmo, Site Editor
13 Dec 2003 | SearchCIO.com


Many of the questions companies initially had about complying with the Health Insurance Portability and Accountability Act (HIPAA) have been answered. But there are still some sticking points. One key issue is how HIPAA affects companies that outsource work overseas.

"HIPAA guidelines tell you what to do, but they just don't tell you how," said Kevin Beaver, principal consultant with Principle Logic LLC. "[HIPAA is] really less of a technical issue than a business one."

This lack of technical detail leaves room for much interpretation among companies struggling to meet the various HIPAA deadlines.

Two areas that the guidelines do not clearly address are causing confusion among IT executives: offshore outsourcing and security.

Does HIPAA translate overseas?

Health care organizations are among the many types of companies trying to reap the benefits of offshore outsourcing. With this type of outsourcing, companies ship work overseas for cheaper labor. The most popular destination for offshore work today is India, with software development being the most common IT work sent over.

Many health care organizations, including Kaiser Permanente, Aetna Inc. and Cigna Corp., are utilizing offshore outsourcing for some of their IT services. Still, while offshore outsourcing can save money, it can also attract more problems than it's worth.

For instance, offshore providers are not required to comply with HIPAA. This means that they do not have to have HIPAA-mandated security and privacy mechanisms in place to safeguard protected health information (PHI). Knowing this, how can a U.S.-based health care organization safely send confidential data overseas?

But offshore outsourcing can be done, according to Kaiser -- if you proceed with care. Kaiser has, since 2002, been sending a portion of its programming work to India. The company overcame the obstacle of working with non-compliant overseas companies by performing a fair amount of due diligence. Kaiser interviewed clients of all the providers and had its partners sign formal business associate agreements. HIPAA makes these agreements mandatory: any partner you work with must sign a document like this.

Kaiser takes one additional precaution when working with these offshore providers. The company doesn't send any of its data overseas. Instead, the Indian vendors log on to Kaiser's U.S. database to do their work. This allows Kaiser to have complete control of the information.

Beware of smaller offshore companies

But not all health care companies have found a successful formula for working with offshore companies.

In addition to IT services, some health care organizations are sending their business process outsourcing (BPO) work offshore. Some of the BPO services include medical transcription and claims processing.

"The real concern is when U.S. health care organizations (mostly clinics and group practices) deal with 'mom and pop type' transcription shops," said Saji Salam, chairman of Health Level Seven India, a standards organization for the health care arena. "These small transcription companies may not have the resources to be compliant with HIPAA regulations."

The HIPAA loophole here is that these U.S. organizations are dealing with much smaller shops overseas. The vendors providing these BPO services employ only 50 to 100 people each. Although these vendors are signing business partner agreements with U.S. organizations, they really don't have the bandwidth to implement the proper security systems to safeguard confidential patient data.

"The loophole is in terms of the technology," Salam said. "These companies don't have the technology in place to encrypt or decrypt files sent over from U.S. companies."

So the lesson here is to perform due diligence. If you are sending any of your medical work overseas, spend the time and money necessary to find a stable vendor that can ensure the protection of your confidential data.

Defining 'security mechanisms'

As companies hurry to meet the April 21, 2005, security deadline for HIPAA, they struggle with defining the "how" in this particular standard.

"HIPAA guidelines state that you must develop administrative, physical and technical safeguards to protect PHI," said Jon Bogen, founder and CEO of HealthCIO.com. "But it does not say 'how' or spell out the mechanisms -- therefore leaving a lot up to interpretation."

Without realizing it, many companies are already well along the way to meeting the security deadline using what they have in-house, Beaver said. Some of the large hospitals and health care companies already have security policies and disaster recovery plans in place. Companies can build on these plans to create the proper HIPAA security policies.

"The security rule [in HIPAA] is scalable, and the technology is neutral," Beaver said. He suggests that companies learn from what others are doing and look at what they already have in place.

Beaver recommends utilizing the free and low-cost resources on the Web for advice and best practices on forming your security policies.

Some resources include SearchSecurity.com, SANS.org and NIHP.org, as well as ISO 17799.

HIPAA best practices

Many organizations are going through the same processes as they attempt to adhere to HIPAA guidelines. Bogen suggests looking at what other companies, like Partners HealthCare, Harvard Pilgrim Health Care and Tufts Health Plan, are doing. "It will save you lots of money and heartache."
