In the end, is it worth it?

From the tech guy to the compliance consultant, everyone seems to agree HIPAA's security rule is necessary -- pain and all.

Fred Rickabaugh's take on the HIPAA security rules is shared by every IT professional and compliance expert interviewed for this series: It may be a pain in the neck, but it's a necessary response to the threats of the information age.

"When I got here in 2000, my goal from the beginning was comprehensive security," said Rickabaugh, CISO for Premier Inc., a San Diego-based alliance of non-profit hospitals and healthcare systems across the United States. "Before HIPAA's privacy and security rules came along, we had been demanding these standards."

Getting there is hard. With a growing mobile workforce armed with laptops and ever-advancing, ever-more-integrated technology, it's going to get harder, he said. It's especially challenging for an organization like Premier, which helps members find ways to improve their quality of care and do it in a more cost-effective way.

"One of the big challenges is making sure IT staff is on top of who is using the network, who has what access and getting people to fall in line with the rules of usage," Rickabaugh said. "But it gets better with time. People see the value in the long run. Encryption for laptops is an example: If the data is encrypted and the laptop is lost, the integrity of the information is still there."

In the end, his point is the same as others interviewed. "We are the stewards of customer data," he said. "We have a responsibility to them so they can protect those who matter the most -- their patients."

Harry Reynolds, vice president of HIPAA and information compliance officer for BCBS of North Carolina, said the key to meeting the HIPAA challenge is understanding the threats that come with doing business online.

"With personal information so critical, with healthcare information so important and with threats like identity theft, organizations can't afford to ignore security," he said. "HIPAA offers a structure to help protect people's rights and information. There are different obstacles and the solutions are imprecise across the board. But despite the shakeout period ahead, it's all for the good."

And whether the organization is a small office, a large insurance company or a nonprofit hospital chain, it's important to remember HIPAA doesn't demand a one-size-fits-all approach.

"I try to tell the average practice that there's a lot of flexibility in the security aspect of HIPAA," said Jennifer Daniels, a lawyer specializing in health issues for Blank Rome, a firm with offices up and down the East Coast. "They need to understand that the requirement is for them to meet the requirements to the best of their ability, based on their size and budget."

Another point organizations must remember is that as technology advances and new threats emerge, existing laws may change and new laws will likely appear, said Lisa Gallagher, a consultant with Maryland-based Javelin Technology Group.

"This doesn't end with the April deadline," she said. "There will probably be some tweaking to HIPAA and we might see new regulations. Ultimately, in the information age you need to make security and compliance a part of the daily business practice."
