My name is David Sweigert, and on behalf of OpenNetwork Technologies in Clearwater, Florida I would like to thank the committee for this opportunity to present lessons we have learned from assisting our customers in preparing for the implementation of the final HIPAA rule regarding security.
Within the last six months our firm has enabled nearly twelve organizations within the Blue Cross, Blue Shield Association of plans to implement a myriad of security services that we anticipate will accommodate many of the security requirements in the future release of the HIPAA Final Rule on Security.
We have found that IT managers at most Blue Cross, Blue Shield plans have ranked Internet Applications and Internet Security as the two technology issues that are most important to them. These issues have pushed IT managers to implement incremental roll-out of Internet-based services to their constituency [providers, insurers, administrators, etc]. While these IT managers want to provide relevant access to information for their constituency, they are also very concerned about meeting HIPAA security regulations.
As a footnote: to the credit of the Blue Cross, Blue Shield Association an association-wide HIPAA Implementation Team Conference will be held in Denver, Colorado July 25th-27th to address many HIPAA implementation issues; including security. Such acts of leadership by the Association have been welcomed by the customers we have dealt with.
The organizations that are envisioning the use of the Internet to register new insurers, verify eligibility of claimants, and even for the submission of claims don't necessarily want to put their projects on hold while waiting to see the impact of the final HIPAA Security rules. Rather, they believe, and we institutionally agree, that it is better to move ahead with an incremental roll-out of their new applications while monitoring HIPAA-related security news and developments.
In this sense, the industry is becoming weary of the on again, off again nature of the release of rules. As an example, a current rumor is circulating that the digital signature guidelines will be dropped altogether from the HIPAA implementing rules. However, another rumor is circulating that the digital signature guidelines will be released in November, 2000 attached to another rule; but, not the Security Rule, etc., etc.
Industry associations and workgroups help with building awareness of the new rule releases. To their credit the Workgroup for Electronic Data Interchange [WEDI] has commenced a Strategic National Implementation Process [SNIP] initiative for members and will host a meeting related to Security issues in Chicago, Ill on August 22, 2000.
These efforts are great steps toward helping the vendor community; however, as with Y2K issues, a recently designated privacy officer or HIPAA Compliance Officer should plan to spend a lot of time and effort to get up to speed on HIPAA's complexities. An organization's HIPAA guru has many tasks, including 1) seeking senior management buy-in, 2) building organizational awareness, 3) setting up an organizational education program, and 4) putting system vendors on alert that HIPAA compliance will require vendor initiatives.
A key business driver of many of our customers is to take advantage of the cost-savings that Internet technology brings to a constituency of users. The cost-effectiveness of Internet technology is significant, and technologies like the Web can increase interaction between a health insurance payor and the insured or providers. Increasing the frequency of relevant communications between the insurance payor and the insured/provider is the goal, the business driver. Doing this in a manner that complies with HIPAA is a secondary, and achievable, goal.
However, this is not to say that these organizations have lost sight of the interests of confidentiality and privacy when implementing an Internet application that may be covered by HIPAA. These organizations desire to satisfy consumer concerns that information that is sensitive and confidential will be protected; regardless of the future HIPAA standards. This is a consumer driven demand.
Some industry surveys have reported that each time an individual handles a paper-based insurance claim the insurance provider incurs an expense of $7.00. One can see that handling of one insurance claim could cost an insurance provider $50 - $60 per claim transaction. This expensive approach is contrasted sharply to some statistics that report the average Internet-based Web transaction may cost the insurance company a few cents; an order of magnitude in savings.
However, the Internet is a public network and a playground for hackers and malicious Web site attackers, etc. Consumers are mindful of news reports of hacked Internet sites and want prudent security of such sites that provide convenient access to their medical-related data.
Achieving these goals is confounded by the fact that many information technology [IT] organizations within the health benefit administration, or claims processing, sector lack a sophisticated talent pool of individuals familiar with proposed security standards and emerging Internet technologies. The HIPAA proposed security regulation is voluminous and complex, and it is difficult for many organizational staffs to understand its full impact on their operations. Additionally, many of these organizations have considerable mainframe computer assets and database systems that are not compatible with emerging Internet networking technology, and they lack some of the skills needed to bridge the two.
These organizations seem to have a common problem, which can be stated in this manner: "how can confidential information be moved to the Web and remain within HIPAA compliance?"
As stated above, organizational HIPAA gurus need to put their vendors on notice that HIPAA compliance will be mandated upon their software solutions providers. Vendors should begin to map, as we have done, their software solution set to the HIPAA regulations; especially in the case of security.
By assembling individuals familiar with both (1) HIPAA regulatory requirements, and (2) emerging Internet technologies, OpenNetwork Technologies has engineered solutions that provide many Blue Cross and Blue Shield plans with tools that drive business and cut costs using Internet technologies.
OpenNetwork Technologies has experienced much success in addressing the needs of Blue Cross and Blue Shield plans by mapping our product features and benefits to the proposed HIPAA Security regulation. In this manner, customers understand the requirements under HIPAA and what regulatory relief a vendor's product may provide while proceeding ahead with their business-needs-driven applications.
With this approach, management, operational and technical personnel can all be provided a standardized baseline of information: (1) HIPAA security requirements, and (2) technology that meets present business requirements. In this manner representatives from these communities can all understand HIPAA impacts on planned application roll-outs, i.e. making decisions regarding the costs of identification and authentication of users, privilege management of users, access control, etc.
These organizations have all stated to us their concern to be fully HIPAA compliant, and most have appointed specific HIPAA compliance officers. Legal departments of these organizations have also been active in reviewing planned IT applications for HIPAA compliance issues. We work closely with these dedicated professionals; however, it is not entirely clear what the final HIPAA regulations will look like, so in a sense we are operating with an idea of what we think HIPAA might eventually look like. But, the general consensus is that HIPAA covered information must be protected.
To this end we have selected several major categories of the proposed security regulation to be addressed. They are:
I. Access Control
Enterprises are faced with the problem of providing governed access control services. The solution to this problem needs to encompass:
We have developed such solutions within a unified directory management tool.
II. Role-based access control
Initial issues to be addressed by an organization supporting RBAC:
We have engineered an RBAC solution that helps organizations accomplish these requirements.
III. Authentication
We have engineered product features that allow selective access to different portions of the record, so that, for example, administrative personnel get access to only certain fields, and medical personnel get access to other fields. This is an area of study commonly known as Privilege Management Infrastructure [PMI]. This is addressed at 64 FR 59918, *59944.
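As an added illustration of the field-level privilege management described above (example code written for this page, not OpenNetwork's product; the record fields, role names and privilege table are constructed assumptions), the following shows a deny-by-default filter that gives each role only its permitted fields and rejects updates to fields a role may not write:

```python
# Added example: deny-by-default, field-level privilege management over a
# claim record. Constructed sample data; not a real product or real patient.
CLAIM_RECORD = {
    "claim_id": "C-1001",
    "member_id": "M-42",
    "billing_amount": 125.00,
    "diagnosis_code": "J06.9",
    "clinical_notes": "Patient presents with acute URI symptoms.",
}

# Role -> fields that role may read / write (assumed table).
# Any field not listed for a role is withheld from that role.
ROLE_PRIVILEGES = {
    "administrative": {
        "read": {"claim_id", "member_id", "billing_amount"},
        "write": {"billing_amount"},
    },
    "medical": {
        "read": {"claim_id", "member_id", "diagnosis_code", "clinical_notes"},
        "write": {"diagnosis_code", "clinical_notes"},
    },
}


def granted(roles, action):
    """Union of fields the given roles may perform `action` on.
    Unknown roles and unknown actions grant nothing (deny by default)."""
    fields = set()
    for role in roles:
        fields |= ROLE_PRIVILEGES.get(role, {}).get(action, set())
    return fields


def read_view(record, roles):
    """Return (visible_fields, withheld_field_names); the withheld list
    is what an access log would record for later review."""
    allowed = granted(roles, "read")
    visible = {k: v for k, v in record.items() if k in allowed}
    withheld = sorted(k for k in record if k not in allowed)
    return visible, withheld


def apply_update(record, roles, changes):
    """Apply `changes` only if every touched field is writable by `roles`.
    Otherwise reject the whole update and report the offending fields.
    The original record is never mutated."""
    denied = sorted(k for k in changes if k not in granted(roles, "write"))
    if denied:
        return False, denied
    updated = dict(record)
    updated.update(changes)
    return True, updated
```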
IV. Comprehensive Security
A unified enterprise-wide directory service can be provided by interconnecting cooperating databases that interact with clients and among themselves to provide a unified privilege management infrastructure [PMI]. Motivation for a centralized PMI is the cost-savings obtained by having a centralized privilege manager to control access to various resources. This concept promotes a unified security approach that can control access to many different databases and repositories.
V. Chain of Trust Agreements
The management difficulty faced by chief information officers is how to effectively manage potentially hundreds of trust relationships with business-to-business [B2B] partners. Not only must chain of trust agreements be in writing, but these agreements must be maintained and enforced by covered entities. We are exploring methods and procedures by which such agreements could be managed and enforced by these software technologies.
Most organizations that we work with see HIPAA as an overdue necessity to upgrade existing infrastructure and resources. We have attempted to meld software engineering expertise in state-of-the-art Internet-based technologies, software and protocols with familiarity with the regulatory constraints mandated by HIPAA.