The Push For Privacy

Health-care companies rush to build new processes to comply with HIPAA
The new Xyloc MD system keeps patient information more secure, prevents paper files from getting lost, and "brings the nurses back to the bedside of the patient, reducing time spent with documentation and giving patients better quality of care," says Memorial VP and CIO Tom Ogg.

Texas Health Resources Inc. is also making progress on the security front. The operator of more than a dozen hospitals in Texas is deploying a "security proxy" device from Array Networks Inc. that acts as a "Web wall" to protect data on the company's clinical servers as physicians access patient records via the Web.

Before the security proxy device was installed, doctors had to travel to Texas Health Resources' hospitals to access patients' data electronically, or call the hospitals and ask nurses or others to look up the information. Now, they can securely access this information via the Web from anywhere. "Doctors now have more accurate information accessible to them as they see patients," says Andy Sutton, Texas Health Resources' manager of network services.

Some organizations say the deployments they're making to meet the April deadline are helping to improve business overall--and that will give them a competitive edge.

Kindred Healthcare Inc. is pursuing its HIPAA privacy-compliance work with the same attitude with which it tackled the Y2K problem, says Kathy Markham, VP of IS planning and architecture at the operator of 300 nursing homes, 65 long-term-care hospitals, and 35 hospital pharmacies. "The work we needed to do for Y2K was a booster to convince the company that we also needed new financial systems," she says. "While solving Y2K, we also improved our financial systems."

Similarly, HIPAA privacy rules have spurred the company to upgrade its PC and server operating environment from Windows 95 to Windows 2000. Doing so let Kindred put in place a better process to ensure that "only the right eyes see the right data," Markham says. Windows 2000 provides role-based security through Active Directory. Nurses can be assigned roles that give them access to certain patient data that other health workers with different roles won't have access to, she says. Kindred can also provide an audit of who looked at the data.

The upgrade helps the organization in other ways, too. "Had we not upgraded, we would've been left behind" competitively in application support and functionality, Markham says. Also, because Kindred needed to test each of its applications running on the Windows 2000 platform, the company saw what software modifications needed to be done for HIPAA compliance. "We feel very confident that we'll make the privacy deadline," she says.

Nevertheless, there's some resentment among health-care providers who see HIPAA as an irritant that's distracting them from their struggles with nursing shortages and financial pressures. "Many hospitals feel that they already protect their patients' privacy," Phoenix Health executive VP Gue says. "They see HIPAA as a real problem because they have to muster resources that they don't have."

Everyone recognizes that HIPAA is here to stay, though. It's just a matter of time before every health organization must comply.
