There's more to managing privacy than simply minding your own business. You have to swallow a whole dose of alphabet soup, from HIPAA to FMA to the latest one: DNC for Do Not Call, which isn't the same as "don't ask, don't tell," but may soon become equally well known.
The privacy rules of the Health Insurance Portability and Accountability Act, whose compliance deadline arrived in April, are just the latest in a string of regulations affecting the way companies handle customer information, and they won't be the last. The federal Financial Modernization Act (commonly known as Gramm-Leach-Bliley, after its sponsors) took full effect in July 2001; it regulates what financial-services firms can do with customer data and how customers can opt out of having it shared. And this year U.S. lawmakers created the national Do Not Call list, which restricts telemarketing activity.
State lawmakers have jumped in, too. Most notable is California's Security Breach Notice Law, which mandates that, as of this month, companies, state agencies, and nonprofit organizations must notify Californians if their personal information is in a database that's been breached. That law will likely have national impact, too. "Are you going to tell your customers in California and nowhere else?" asks Alex Fowler, a privacy-practice leader at auditor PricewaterhouseCoopers.
What's the best way to manage privacy in this era of fast-changing regulations and increasingly invasive security threats? Understanding the immediate regulatory conditions is the first step, followed by translating those into broad action areas.
The first of several HIPAA compliance deadlines--ensuring privacy--came in April, so many organizations are still dealing with the impact of becoming compliant, and their experiences offer lessons for any company that keeps information about individuals. HIPAA legislation covers four main areas, all of which have parallels in business processes outside health care:
Electronic transactions and code sets: Health-care transactions ranging from patient records to insurance claims must move to a unified format (the ANSI-accredited ASC X12 standards). In addition, uniform codes must be adopted for referring to health problems, treatments, and related information. These systems are in testing, with a compliance deadline of Oct. 16, though smaller organizations have a later compliance date.
Security: Patient records must be stored, maintained, transmitted, and accessed in a secure fashion. The rules also outline provisions for electronic signatures.
Unique identifiers: Patients, care providers, employers, and health-care plans will be assigned their own identification numbers.
Privacy: Patient information can't be disclosed unnecessarily, and patients have the right to access their records and know who else has had access.
Businesses can think of these in terms of three critical elements: customer needs, data issues, and business processes.
The first step is to put the customer at the center of regulatory discussions. "Don't focus on compliance. Focus on what the customer needs," says Dennis Behrman, an analyst at Financial Insights, which advises financial-services companies on technology issues. He says companies such as American Express Co. have managed to go through such regulatory efforts looking first at what's important to the customer and implementing that. Often, that effort will put a company ahead of regulations and thus allow it to spend less time on compliance.
As far as data issues and technology go, protecting data relies on familiar security technologies such as authorization, access control, data monitoring, encryption, and intrusion detection. Mark Loveless, a senior security analyst at Bindview Corp., a maker of security and policy-enforcement tools, calls much of the technology needed to achieve HIPAA compliance "Security 101."
But Security 101 is a demanding course. While the technology has become mainstream, successful implementation usually requires companies to change the way they work. HIPAA's focus on protecting the patient means that health-care providers need to consider every interaction from the moment a patient walks into a doctor's office or a hospital emergency room. In other words, HIPAA forces organizations to try to address a universal security Achilles' heel: people. That's where extensive business-process change is often needed.
In general, organizations need to concentrate on three areas: training that keeps pace with evolving processes, physical layout, and budget planning.
Training: Hospital workers, from the most senior doctors to new volunteers, must be trained. Because the HIPAA regulations are still evolving, there must be a means of repeated training. Part of that training is to help explain to customers why health-care workers must take certain steps, so that customers come to see those steps as a benefit rather than a burden. Right now, customers may find they can't get information as easily as they could before HIPAA, which is annoying for, say, a parent applying for insurance for a child over 18. "We don't know who's really calling. It might not be a parent, or they might not have legal custody. Prior to HIPAA, we didn't have to deal with that," says Nick Patel, VP of regulatory compliance at eHealthinsurance Services Inc., an insurance brokerage. Training salespeople and customer-service representatives not to give out information has been a major focus of HIPAA compliance at eHealthinsurance.
Physical layout: Some spaces may need to be reorganized to keep information protected. For example, workstations may have to be positioned or shielded so that only authorized staffers can see a patient's file on the screen.
Carol Diamond, managing director of a health-care technology project at the Markle Foundation, a nonprofit organization that works to boost technology use in society and health care, encourages companies to see the advantages to electronic protections. Yes, even the best system might still be hacked. "But the same is true for paper," Diamond says. "We can no better protect that, and there are lots of anecdotes about how people got at paper records they weren't supposed to see." Unlike paper, electronic records create an audit trail that makes it easier to tell if there was inappropriate access. It's also easier to restrict access to certain parts of an electronic record for legitimate use.
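The two advantages Diamond describes, an audit trail and access restricted to parts of a record, are worth seeing in code. The following is an added example, not code from the article or from any vendor or hospital system: a small record store that enforces a field-level, role-based read policy, appends every access attempt (granted, partial, or denied) to an audit log, answers the patient's question "who has seen my record?", and flags reads by staff who are not on the patient's care team. The roles, the field policy, the patient records, and the care-team assignments are all constructed for illustration.

```python
"""Field-level access control with an audit trail for patient records.

Added example, not code from the article. The policy, records, and
care-team data below are constructed and hypothetical.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which fields of a record each role may read; anything not listed is denied.
# Hypothetical policy: a real one comes from the organization's
# minimum-necessary analysis, not from a dictionary in the code.
FIELD_POLICY = {
    "physician": {"name", "dob", "diagnosis", "medications", "notes"},
    "nurse": {"name", "dob", "medications"},
    "billing": {"name", "dob", "insurance_id"},
    "volunteer": set(),
}


@dataclass(frozen=True)
class AuditEntry:
    when: str
    actor: str
    role: str
    patient_id: str
    fields_requested: tuple
    fields_granted: tuple
    outcome: str  # "granted", "partial", or "denied"


@dataclass
class RecordStore:
    records: dict       # patient_id -> {field: value}
    care_team: dict     # patient_id -> set of actor ids legitimately treating them
    audit_log: list = field(default_factory=list)  # append-only

    def read(self, actor, role, patient_id, fields):
        """Return only the requested fields the role may see; log the attempt."""
        record = self.records.get(patient_id)
        allowed = FIELD_POLICY.get(role, set()) if record is not None else set()
        requested = tuple(fields)
        granted = tuple(f for f in requested if f in allowed)
        if not granted:
            outcome = "denied"
        elif len(granted) < len(requested):
            outcome = "partial"
        else:
            outcome = "granted"
        # Every attempt is recorded, successful or not: this is the audit
        # trail that paper records cannot provide.
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), actor, role,
            patient_id, requested, granted, outcome))
        return {f: record[f] for f in granted if f in record}

    def disclosures_for(self, patient_id):
        """Who has seen this patient's data: the patient's right to know who had access."""
        return [e for e in self.audit_log
                if e.patient_id == patient_id and e.outcome != "denied"]

    def suspicious_access(self):
        """Flag denied attempts and successful reads by staff not on the care team."""
        flagged = []
        for e in self.audit_log:
            if e.outcome == "denied":
                flagged.append(e)
            elif e.actor not in self.care_team.get(e.patient_id, set()):
                flagged.append(e)
        return flagged


def build_demo_store():
    """Constructed sample data (no real patients or staff)."""
    records = {
        "P100": {"name": "A. Patient", "dob": "1970-01-01", "diagnosis": "dx-1",
                 "medications": "med-1", "notes": "note-1", "insurance_id": "INS-1"},
        "P200": {"name": "B. Patient", "dob": "1982-05-05", "diagnosis": "dx-2",
                 "medications": "med-2", "notes": "note-2", "insurance_id": "INS-2"},
    }
    care_team = {"P100": {"dr_lee", "rn_kim"}, "P200": {"dr_lee"}}
    return RecordStore(records, care_team)


if __name__ == "__main__":
    store = build_demo_store()
    print(store.read("dr_lee", "physician", "P100", ["diagnosis", "notes"]))
    print(store.read("rn_kim", "nurse", "P100", ["medications", "diagnosis"]))
    print(store.read("vol_x", "volunteer", "P100", ["name"]))
    print(store.read("rn_kim", "nurse", "P200", ["name"]))  # not on P200's care team
    for e in store.suspicious_access():
        print("FLAG", e.actor, e.patient_id, e.outcome)
```

The detection rule in `suspicious_access` is deliberately simple: it catches the two cases Diamond's argument turns on, a read that policy should never have allowed and a read that policy allowed but that a care-team assignment does not justify. The second case is invisible without an audit log, which is the point.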
Plan for ongoing spending: There's no question that the costs of HIPAA-related changes are a burden for cash-strapped health-care organizations, and the changes are sure to continue. The U.S. Department of Health and Human Services last year estimated that health-related organizations will spend $17 billion over 10 years to comply with HIPAA's privacy regulations. The department contends that organizations will save $29 billion over the same period, for a net gain of $12 billion in efficiencies.
HIPAA's privacy regulations create a sweeping framework for information security. For at least the next several years, as pieces of HIPAA roll out, health-care providers and their business partners will need to continually test systems, train workers, and maintain business processes to ensure compliance. This focus on continual development presents a model for how any business facing privacy regulations should function. Companies and organizations shouldn't expect vendors to develop compliance-in-a-box, since much of the work involves changing business processes and people's behavior. But adopting such a focused, ongoing approach just might make all businesses--and their customers--more secure.
Illustration by Doug Ross