March 6, 2000
A key ingredient in moving the health-care industry online is the ability to access medical records. To automate a supply chain that includes hospitals, doctors' offices, insurance companies, pharmacies, clinics, drug and medical suppliers, and consumers, there must be access to medical records. They are the nucleus of online health care.
However, as the race speeds up to move the health-care industry online, federal lawmakers are setting up rules in two key areas--security and privacy--that raise some roadblocks. The new regulations will help to make an already complicated challenge even more difficult.
Congress is focusing on the issue of authentication--how to ensure that only properly authorized persons can access medical records and conduct transactions, while ensuring security and privacy. To address those and other issues, in 1997 Congress enacted the Health Insurance Portability and Accountability Act. Rules and regulations implementing the act are being developed.
This spring, HIPAA rules will contain new security and privacy regulations and give the health-care industry two years to implement changes to comply with the new laws. The new regulations were supposed to be finalized before Jan. 1, 2000, but the deadline was postponed, indicating the complexity of this issue.

"I have no idea yet what I'm supposed to do," says Sagiv Oren, director of information systems at City of Hope Medical Center in Los Angeles. "I've just downloaded some 72 pages of the document in progress, so I have my reading cut out for me."
The regulations mean delays. "There are many Internet projects we'd like to start, but first we have to find out what HIPAA compliance is going to mean before we can begin adding new functionality," Oren says. "I don't want to budget new projects and then have to redo them to comply with HIPAA."
Oren's caution says a lot about how much time it will take before there are pervasive health-care services online. Companies and health-care providers who have anything to do with private medical records must see what's involved in HIPAA compliance before starting to implement security products from technology vendors such as Datakey, Entrust, Intel, Microsoft, and VeriSign.
Oren is not alone in his confusion. John Fraser, information-systems director at the Minnesota Health Data Institute, is heading up a $4 million pilot program designed to enable secure and private health-care communications over the Internet. "We don't know what we'll have to do yet for HIPAA, but essentially the security and privacy rules will be much stronger," Fraser says. "It will mean that the security component and privacy component of communication will have to work together, incorporating encryption, authentication, and an audit trail."
The institute, in St. Paul, Minn., is a nonprofit organization developing an integrated, statewide health-care data system to support providers, consumers, health plans, researchers, and policy makers. "Our grant is for accomplishing secure and private communication anyway," Fraser says. "We are developing a system to enable medical records to be safe online."
Fraser says the institute will meet the HIPAA rules by building a system that uses military-level encryption, hardware-based smart cards, and key security mechanisms for computers. The institute is using hardware security keys from Datakey for the project. Datakey Inc. has partnerships with Entrust Technology Inc. and VeriSign Inc. to include authentication systems and standard encryption in their security mechanisms.
But still, this new law will be a key guideline for Fraser and others interested in an online medical-records system--and that means just about everyone in the health-care industry.
Photo of Oren by Tom Keller











