Tech Guide: Privacy: Keeping Regulators Happy - InformationWeek



Tech Guide: Privacy: Keeping Regulators Happy

As tough new privacy protections are put in place, lessons are emerging about savvy ways to keep regulators at bay

But Security 101 is a demanding course. While the technology has become mainstream, successful implementation usually requires companies to change the way they work. HIPAA's focus on protecting the patient means that health-care providers need to consider every interaction from the moment a patient walks into a doctor's office or a hospital emergency room. In other words, HIPAA forces organizations to try to address a universal security Achilles' heel: people. That's where extensive business-process change is often needed.

In general, organizations need to concentrate on three areas: changing training to deal with evolving processes, physical layouts, and budget practices.

Training: Hospital workers, from the most senior doctors to new volunteers, must be trained. Because the HIPAA regulations are still evolving, there must be a means of repeated training. Part of that training is to help explain to customers why health-care workers must take certain steps, so that customers come to see those steps as a benefit rather than a burden. Right now, customers may find they can't get information as easily as they could before HIPAA, which is annoying for, say, a parent applying for insurance for a child over 18. "We don't know who's really calling. It might not be a parent, or they might not have legal custody. Prior to HIPAA, we didn't have to deal with that," says Nick Patel, VP of regulatory compliance at eHealthinsurance Services Inc., an insurance brokerage. Training salespeople and customer-service representatives not to give out information has been a major focus of HIPAA compliance at eHealthinsurance.

Physical layout: Some spaces may need to be reorganized to keep information protected; for example, workstations and monitors should be positioned so that only authorized staffers can see a patient's file when it is open on screen.

Carol Diamond, managing director of a health-care technology project at the Markle Foundation, a nonprofit organization that works to boost technology use in society and health care, encourages companies to see the advantages of electronic protections. Yes, even the best system might still be hacked. "But the same is true for paper," Diamond says. "We can no better protect that, and there are lots of anecdotes about how people got at paper records they weren't supposed to see." Unlike paper, electronic records can log every access, producing an audit trail that makes inappropriate access easier to detect, provided the logging is switched on and someone actually reviews it. It's also easier to restrict access to certain parts of an electronic record, so that each role sees only what its legitimate use requires.
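The two advantages Diamond describes, field-level restriction and an audit trail that can be searched for inappropriate access, are easy to show in code. The following is an added illustration written for this article, not code from any product or organization it mentions. The roles, the fields each role may see, the care-team table and the sample accesses are all constructed for the example; the three detection rules (fields requested beyond the role, a clinician reading a patient they are not treating, and one user looking up many distinct patients in a short window) are assumed policy, not anything the article prescribes.

```python
"""Minimum-necessary access to patient records plus an audit log and a
detector that runs over that log. Constructed example; the roles, fields,
care team and sample accesses are invented for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Assumed policy: which parts of a record each role may see.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "physician": {"name", "dob", "diagnoses", "medications", "notes"},
    "nurse": {"name", "dob", "medications", "notes"},
    "billing": {"name", "dob", "insurance_id"},
    "volunteer": {"name"},
}
# Roles expected to have a treatment relationship with the patient they read.
CLINICAL_ROLES = {"physician", "nurse"}


@dataclass
class AuditEvent:
    when: datetime
    user: str
    role: str
    patient_id: str
    requested: Set[str]
    granted: Set[str]


@dataclass
class RecordStore:
    records: Dict[str, Dict[str, str]]
    care_team: Dict[str, Set[str]]  # patient_id -> users treating that patient
    audit_log: List[AuditEvent] = field(default_factory=list)

    def read(self, user: str, role: str, patient_id: str,
             fields: Set[str], now: datetime) -> Dict[str, str]:
        """Return only the fields the role is allowed to see; log every request,
        including the fields that were refused."""
        granted = fields & ROLE_FIELDS.get(role, set())
        self.audit_log.append(AuditEvent(now, user, role, patient_id, set(fields), granted))
        record = self.records[patient_id]
        return {f: record[f] for f in granted}


def find_inappropriate_access(log: List[AuditEvent], care_team: Dict[str, Set[str]],
                              window: timedelta = timedelta(hours=1),
                              lookup_threshold: int = 5) -> List[Tuple[str, str, str]]:
    """Scan the audit trail and return (reason, user, patient_ids) findings."""
    findings: List[Tuple[str, str, str]] = []
    for ev in log:
        if ev.requested - ev.granted:
            findings.append(("requested fields outside role", ev.user, ev.patient_id))
        if ev.role in CLINICAL_ROLES and ev.user not in care_team.get(ev.patient_id, set()):
            findings.append(("no treatment relationship", ev.user, ev.patient_id))
    # Snooping heuristic: many distinct patients by one user inside a sliding window.
    by_user: Dict[str, List[AuditEvent]] = {}
    for ev in sorted(log, key=lambda e: e.when):
        by_user.setdefault(ev.user, []).append(ev)
    for user, events in by_user.items():
        for i, first in enumerate(events):
            patients = {e.patient_id for e in events[i:] if e.when - first.when <= window}
            if len(patients) > lookup_threshold:
                findings.append(("%d patients looked up within %s" % (len(patients), window),
                                 user, ",".join(sorted(patients))))
                break
    return findings


def run_sample() -> List[Tuple[str, str, str]]:
    """Build a constructed store, replay some accesses, return the findings."""
    records = {pid: {"name": "Patient %s" % pid, "dob": "1970-01-01", "diagnoses": "dx",
                     "medications": "rx", "notes": "n", "insurance_id": "ins-%s" % pid}
               for pid in ("P1", "P2", "P3", "P4", "P5", "P6")}
    store = RecordStore(records, {"P1": {"dr_smith", "nurse_lee"}, "P2": {"dr_smith"}})
    t0 = datetime(2003, 8, 4, 9, 0)
    store.read("dr_smith", "physician", "P1", {"name", "diagnoses"}, t0)           # legitimate
    store.read("nurse_lee", "nurse", "P1", {"diagnoses", "medications"}, t0 + timedelta(minutes=5))  # diagnoses refused
    store.read("dr_jones", "physician", "P1", {"notes"}, t0 + timedelta(minutes=10))  # not treating P1
    store.read("ann", "billing", "P2", {"name", "insurance_id"}, t0 + timedelta(minutes=15))  # legitimate
    for i, pid in enumerate(records):  # a volunteer browsing six patients in six minutes
        store.read("bob", "volunteer", pid, {"name"}, t0 + timedelta(minutes=20 + i))
    return find_inappropriate_access(store.audit_log, store.care_team)


if __name__ == "__main__":
    for reason, user, patients in run_sample():
        print("%-40s %-10s %s" % (reason, user, patients))
```

The refused fields are logged as well as the granted ones, because a request for data outside one's role is itself a signal worth reviewing; that is the kind of evidence a paper chart never leaves behind.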

Plan for ongoing spending: There's no question that the cost of HIPAA-related changes is a burden for cash-strapped health-care organizations, and the changes are sure to continue. The U.S. Department of Health and Human Services last year estimated that health-related organizations will spend $17 billion over 10 years to comply with HIPAA's privacy regulations. The department contends that organizations will save $29 billion over the same period, for a net gain of $12 billion in efficiencies.


But the bond-rating firm Fitch Ratings noted in a May report that cost estimates range from $5.8 billion over 10 years put forth by the Centers for Medicare and Medicaid Services to Blue Cross Blue Shield's estimate of $43 billion. A Cap Gemini Ernst & Young study released this year found that managed-care organizations spent 92% more on IT in 2001 than they did in 1999, largely because of HIPAA-compliance efforts. A critical consideration is that compliance will remain an ongoing expense, particularly for training. That's been the lesson from the financial-services industry. Behrman of Financial Insights says spending on Gramm-Leach-Bliley compliance will be $50 million this year and will continue to rise (see story, "Quick Take: Mistakes Banks Make About Privacy").

HIPAA's privacy regulations create a sweeping framework for information security. For at least the next several years, as pieces of HIPAA roll out, health-care providers and their business partners will need to continually test systems, train workers, and maintain business processes to ensure compliance. This focus on continual development presents a model for how any business facing privacy regulations should function. Companies and organizations shouldn't expect vendors to develop compliance-in-a-box, since much of the work involves changing business processes and people's behavior. But adopting such a focused, ongoing approach just might make all businesses--and their customers--more secure.

Continue on to the sidebars: Quick Take: Mistakes Banks Make About Privacy
and Tips For Safeguarding Customer Information

Illustration by Doug Ross
