
The Push For Privacy


Health-care companies rush to build new processes to comply with HIPAA



The April deadline for compliance with the Health Insurance Portability and Accountability Act's privacy regulations is only five months away. While the privacy regulations are less technology-oriented than HIPAA's requirements for electronic transactions and security, those rules will require doctors, hospitals, and other providers to build new processes as part of their technology infrastructures that will let them continue sharing patients' medical information with other caregivers while protecting their privacy.

In brief, HIPAA's privacy rules mandate that health-care providers give patients notice of their privacy policies and have patients confirm that they've been notified of these policies. Under HIPAA, patients also have increased rights to have immediate access to their medical records. Health-care companies must also protect individuals' medical information, which could mean limiting worker access to patient records on a need-to-know basis and providing an audit of who accessed patients' records.

"Privacy is difficult. There's a lot of education, culture, workflow, and process issues involved," says John Halamka, CIO at CareGroup Healthcare System, which operates five Boston-area hospitals and expects to meet HIPAA's deadline.

Collaboration is at the core of health care, and with HIPAA it extends to improved patient access to information. So CareGroup has implemented a Web site called PatientSite, from which all patients can access their records electronically, amend their records, run their own security and privacy audits to see who has looked up their records, and communicate with doctors.

After deploying the site, one thing CareGroup quickly learned was that the process for registering patients was inefficient and taking up practice administrators' time, so it created a self-registration process to automate part of the task. On the plus side, the processes for how physicians handle electronic messages improved right away. For instance, physicians can have prescription renewals automatically routed to the clinical nurse who handles that, rather than having to manually renew the prescriptions themselves.

Many organizations aren't as far along as they'd like in terms of developing the processes and infrastructure to meet the April HIPAA privacy deadline, though. A survey of 655 health-care providers and 167 insurance companies conducted in October by Phoenix Health Systems, an IT consulting firm for the health industry, indicates that more than 80% of them expect to meet the deadlines. Those expectations might be just wishful thinking, says D'Arcy Guerin Gue, co-founder and executive VP at Phoenix Health Systems. That's because the survey also indicated that more than half of companies are still conducting "gap analysis"--evaluating their processes for compliance with HIPAA standards to see what needs to be fixed. That analysis must be done before changes in procedures, systems, and policies can be implemented and employees educated on the changes.

"Implementing the changes--and providing the training to accompany those changes--is time consuming," Gue says. "There will be a lot of companies panicking, going into crash-mode come January," she predicts.

Complicating the matter is that protecting patient privacy and securing patient data are intertwined issues, yet the U.S. Department of Human Health and Services, which oversees HIPAA, has delayed issuing its final regulations for security.

"Companies are reluctant to make privacy changes and then have to do them again once the security regulations come out," Gue says. Still, companies expect that much of the final security rules will include commonsense requirements that companies should do as a matter of protecting their data regardless of legislation, such as having tighter controls on data access.

Memorial Healthcare, an independent 131-bed nonprofit community hospital in Owosso, Mich., is enhancing security, privacy, and business processes in one fell swoop. Memorial has PCs running Citrix Systems Inc. software at the side of 86 beds. Only authorized individuals, such as nurses, gain access to patient records through wireless Xyloc keycards from Ensure Technologies Inc., which they wear along with their hospital security badges, and then they can update the records. For extra security, nurses must type in their passwords, too. Before this system was deployed, nurses would go from room to room with paper files and later enter everything they wrote down into PCs at the nursing station.

