
Health-Care Providers Race To Meet Privacy Deadline


Tools help health-care companies comply with HIPAA rules



Health-care organizations are stepping up their efforts to put business practices and information technology in place to comply with the data-privacy and security requirements of the Health Insurance Portability and Accountability Act. April 14, 2003, is the deadline for compliance with HIPAA's privacy rules, even as the U.S. Health and Human Services Department continues to draft HIPAA's data-security regulations.

The good news is that a wide variety of tools and services are available to help health-care companies prepare for HIPAA. Blue Cross Blue Shield of Minnesota uses software that helps get around the problem of how to employ patient data when testing new applications. Lehigh Valley Hospital and Health Network in Pennsylvania has an application that documents who in the organization knows specific details about security policies. And health information service provider WellMed Inc. leverages the services of a nonprofit certification organization to overcome consumer mistrust of the Internet.

Forty-one percent of consumers are so concerned with data privacy that they won't submit health-care data to a commercial Web site, according to the results of a Jupiter Media Metrix survey released last year. For WellMed, gaining and maintaining the trust of its clients is paramount. "We didn't feel our business model would work unless we had that trust," says Michael Rozen, WellMed's chief privacy officer.

The Portland, Ore., health-information service provider stores self-reported health information from consumers and delivers health-care advice and health-risk assessments. It offers the service to employees of self-insured companies and government agencies, as well as through health-insurance companies and national retailers. WellMed also sends aggregated data back to the sponsoring company or organization, which can use it to manage health-care costs. WellMed's clients include Ford, General Electric, and Microsoft.

Although HIPAA doesn't cover health-care Web sites, WellMed owns two clinics that must abide by the regulations. So WellMed has adopted patient data-privacy policies across the company, including an opt-in requirement for the company to include patient information in the data it sends to business clients.

To assure users that it complies with those policies, WellMed turned to Trust-e, a nonprofit organization that provides a range of privacy-related services, including education, dispute resolution, and certification of compliance with privacy policies. Online businesses that pass Trust-e's audits can post the Trust-e seal on their Web sites. "That's been very helpful in building trust and credibility with our clients," Rozen says.

Trust-e evaluates the online and offline privacy practices, policies, and procedures of applicants seeking its seal of approval. The organization considers such criteria as how well a company communicates its privacy policies to customers, how well practices follow privacy policies, the kinds of feedback mechanisms the company has in place, and how well a company such as WellMed complies with its own opt-in and opt-out policies. Certifications are renewed each year.

Trust-e's services have also helped WellMed comply with other privacy regulations, including the U.S. Department of Commerce's so-called "safe harbor" rules for complying with European Union privacy regulations. While Trust-e doesn't certify compliance with those standards per se, Rozen says, going through the Trust-e certification process effectively puts a company in compliance with the European standards.

Properly testing newly developed applications often requires using real data. But that raises troubling privacy concerns in the health-care industry, where pending HIPAA regulations will strictly control who has access to patient information: The rules only allow employees (or contract employees) to see patient data if it's necessary for them to do their jobs. So developers can see patient data when it's absolutely necessary to test new applications, such as at the end of a project when they conduct live tests, but not when simulated data will do.

No health-care company wants to run the risk of a contract programmer gaining unauthorized access to a patient's medical records. Blue Cross Blue Shield of Minnesota often has to manage such situations, such as when it developed applications that link its claims-processing systems to several thousand business partners, from individual doctors to the Mayo Clinic, and when it developed its new Web site, which went live Jan. 1 and lets subscribers review their medical information online.

[Photo: John Stevens, testing environment and testing support manager. Caption: "Protecting privacy is good business," says Stevens at Blue Cross Blue Shield.]

"Privacy is about making sure that people who are supposed to see some data see that data and nothing more," says John Stevens, testing environment and testing support manager at the Eagan, Minn., health-care insurer.

Simply creating dummy data often isn't an option. Applications designed to read names won't work with scrambled letters. And software designed to recognize five-digit subscriber numbers must be tested with five-digit numbers, Stevens says. Also, Blue Cross Blue Shield of Minnesota works with 89 databases--including claims histories, employer data, worker's comp information--running on multiple mainframes, all of which use variants of the same data. Creating fake data across all those databases would be a complex, time-consuming chore, Stevens says.

The insurer uses Compuware Corp.'s File-Aid/Data Solutions software, which hides patient data from unauthorized eyes by translating and aging sensitive data fields. The tool can randomly substitute fake names for real names, such as "Johnson" for "Smith" in name fields, and scrambles subscriber ID numbers when developers use production data to build and test applications. The software also ages dates by adding, say, five years to a patient's birth date or three months to the date a medical procedure was performed.

The software does this for developers and testers according to their level of authorization to view the data. An internal developer who has signed nondisclosure forms might be given access to real information, while File-Aid/Data Solutions might be used to hide patient data from contract employees.
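The masking behaviour described above (format-preserving name substitution, scrambled five-digit subscriber numbers, aged dates, and a real-versus-masked view chosen by the viewer's authorization level) as an added Python example. This is not Compuware's File-Aid/Data Solutions and not code from the article; the surname pool, the sample records, the role names `internal_nda` and `contractor`, and the masking key are all constructed assumptions. It goes one step beyond the text by making the mapping deterministic and keyed, so the same real subscriber masks to the same fake value in every one of the databases that share that data, which keeps test joins working.

```python
"""Format-preserving test-data masking (added example; constructed data)."""
import hashlib
import hmac
import random
from calendar import monthrange
from datetime import date

# Placeholder secret. In a real deployment this is a managed key, never a literal.
MASKING_KEY = b"placeholder-masking-key"

# Constructed substitute surnames standing in for the tool's name dictionary.
SURNAME_POOL = ["Johnson", "Williams", "Brown", "Davis", "Miller",
                "Wilson", "Anderson", "Taylor", "Thomas", "Moore"]


def mask_name(real_name: str) -> str:
    """Replace a real surname with a pool surname.

    A keyed HMAC picks the substitute, so 'Smith' becomes the same fake name
    in every database while the key stays secret from the test users."""
    digest = hmac.new(MASKING_KEY, real_name.strip().lower().encode(),
                      hashlib.sha256).digest()
    return SURNAME_POOL[int.from_bytes(digest[:4], "big") % len(SURNAME_POOL)]


def _id_permutation() -> list:
    """Keyed shuffle of 00000..99999: a bijection, so masked IDs stay unique
    and remain five digits, which the applications under test require."""
    seed_bytes = hmac.new(MASKING_KEY, b"subscriber-id", hashlib.sha256).digest()
    perm = list(range(100_000))
    random.Random(int.from_bytes(seed_bytes[:8], "big")).shuffle(perm)
    return perm


_ID_PERM = _id_permutation()


def mask_subscriber_id(sub_id: str) -> str:
    """Scramble a five-digit subscriber number into another five-digit number."""
    if not (sub_id.isdigit() and len(sub_id) == 5):
        raise ValueError("subscriber id must be exactly five digits")
    return f"{_ID_PERM[int(sub_id)]:05d}"


def age_date(d: date, years: int = 0, months: int = 0) -> date:
    """Shift a date forward by whole years/months, clamping the day of month
    so that e.g. Nov 30 + 3 months gives Feb 28 rather than an invalid date."""
    total_months = d.year * 12 + (d.month - 1) + years * 12 + months
    year, month_index = divmod(total_months, 12)
    month = month_index + 1
    last_day = monthrange(year, month)[1]
    return date(year, month, min(d.day, last_day))


def mask_record(rec: dict, viewer_role: str) -> dict:
    """Return the record as the viewer is allowed to see it.

    Internal staff under NDA get production data; contractors get the
    translated and aged copy. Unknown roles are refused rather than defaulted."""
    if viewer_role == "internal_nda":
        return dict(rec)
    if viewer_role != "contractor":
        raise PermissionError(f"unknown viewer role {viewer_role!r}")
    return {
        "name": mask_name(rec["name"]),
        "subscriber_id": mask_subscriber_id(rec["subscriber_id"]),
        "birth_date": age_date(rec["birth_date"], years=5),
        "procedure_date": age_date(rec["procedure_date"], months=3),
    }


def masked_view(db: list, viewer_role: str) -> list:
    """Apply mask_record to every row of one (constructed) database extract."""
    return [mask_record(r, viewer_role) for r in db]


# Constructed sample rows from two databases that share the same subscriber.
CLAIMS_DB = [{"name": "Smith", "subscriber_id": "12345",
              "birth_date": date(1960, 1, 31), "procedure_date": date(2002, 11, 30)}]
EMPLOYER_DB = [{"name": "Smith", "subscriber_id": "12345",
                "birth_date": date(1960, 1, 31), "procedure_date": date(2002, 8, 31)}]

if __name__ == "__main__":
    for row in masked_view(CLAIMS_DB, "contractor") + masked_view(EMPLOYER_DB, "contractor"):
        print(row)
```

The permutation table is built once per process from the key; because both extracts are masked with the same key, the contractor's view of the claims and employer databases still joins on the masked subscriber number, which is the property that makes masked production data usable for integration testing at all.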

Blue Cross Blue Shield of Minnesota isn't taking these steps to protect patient data privacy solely because of HIPAA, Stevens says. Minnesota already has strict patient-confidentiality laws, he says. "We do it just because it's good business practice. As a medical insurance company, we've been sensitive to this for a long time."

Blue Cross Blue Shield of Minnesota has been using the Compuware tools to scrub data and protect patient confidentiality as part of a project to migrate from legacy databases to Oracle database systems. The health-care insurer also used the Compuware tools to transform identifiable information before sending 29 months of claims data to American Healthways Inc., a Nashville, Tenn., provider of disease and health-care management services. American Healthways analyzed the data and sent back the names--still scrambled--of patients whom it believed could make use of its services. The health-care provider unscrambled the names and provided American Healthways with information to contact the subscribers who were given the option of opting in or out of the program.

HIPAA data-security regulations are still being written by the Health and Human Services Department. But maintaining a health-care company's data-security policies and tracking who has access to those policies are sure to be critical elements of any new rules, says Brian Martin, information systems security manager at Lehigh Valley Hospital and Health Network in Allentown, Pa.

Last fall, the hospital installed software from PentaSafe Security Technologies Inc. to manage its security policies. It stores written policies in a document repository that records when policies are updated and by whom, Martin says. Policies, for example, spell out who has access to certain data, to whom health workers should report data-security incidents, and what to do if a computer virus is discovered. The policies also define the health-care company's IT system configuration and its security provisions.

Before using PentaSafe, the hospital's security policies were stored in paper manuals. That made it almost impossible to track just how familiar employees were with the policies.

The system also logs who accesses the documents and when, and who has been tested on the policies--critical points given that HIPAA is expected to mandate varying levels of security policy training and awareness for different employees. "Everyone who touches a computer here has to have some kind of training," Martin says. Such an audit trail can be important if a security-related incident results in litigation, and determining whether an employee was properly trained or aware of a relevant policy becomes critical to the case, Martin says. "It's not so much that we're controlling access as logging access," he says.

The deadlines for complying with HIPAA's security regulations are at least two years away, Martin estimates. But other IT infrastructure security legislation is pending in Congress as a result of the Sept. 11 terrorist attacks, and those laws, if enacted, could include provisions similar to HIPAA. Says Martin: "If HIPAA went away tomorrow, we'd still be doing everything we're doing."

Illustration by James Kaczman


