December 27, 2000, 2:35 PM — The recent hacking of 5,000 administrative patient files from one of the country's top hospitals underscores the lack of firm, clear, universal standards to ensure the security of online medical records. But although officials are crafting regulations governing electronic patient records for the health care industry, some analysts and industry players are skeptical about how effective these specifications will be.
In an attempt to remedy the situation, the U.S. government is finalizing and releasing the security and privacy portions of the Health Insurance Portability and Accountability Act (HIPAA), which will define interface and security standards and policies. Unless it is derailed by the new administration, the HIPAA privacy regulations will be enforced by both the regulatory commissions that accredit hospitals and the federal agencies that receive complaints.
Bumpy Road Ahead
But the industry has a long way to go.
"The privacy provisions are a quagmire," said Peter Tippett, chief technology officer at TruSecure Corp., an Internet security consultancy in Reston, Va. "A lot of it is onerous and expensive, and a lot of it hard to interpret."
One of the problems is that the HIPAA is supposed to offer specifications to cover all privacy implementations, from one-doctor offices to giant health care organizations. It's too strict in many respects and too loose in others to offer adequate regulations across the board, Tippett said.
Originally signed into law by President Clinton to protect health insurance coverage for people who change or lose their jobs, HIPAA legislation contains provisions governing how health care institutions must protect patients' health records online.
It remains uncertain when the final privacy specifications will be issued, but they're expected to be released by year's end.
After they're issued, there will be a 60-day comment period.
Once the HIPAA rules are finalized, health care organizations will have up to two years to comply with the HIPAA; otherwise, they will face penalties.
Nevertheless, some health organizations are already prepared for the HIPAA. One such organization is CareGroup Healthcare System, a Boston-based health provider network that includes Beth Israel Deaconess Medical Center.