In Depth

Managing HIPAA's Pain

Halfway between the deadlines for HIPAA's privacy and security rules, health-care CISOs share compliance lessons for the rest of us.

By Sarah D. Scalet

Page 5

"There are a lot of little quirks that weren't addressed in the past, but now you have to deal with it. It's that kind of process change that's going to be the largest work," Moroses says. "An oil tanker needs about five miles to turn left. Health-care institutions are like that."

Spread the Word

Once the policies are in place, the education challenge begins. In this instance, at least, health-care institutions have experience with the HIPAA privacy rule to guide them. At Carilion Health System in Roanoke, Va., Tom Newton, information security officer, remembers that it took four months to educate 10,000 staff members about the changes, both in terms of what the rule entailed, why it was important and how it should be applied correctly in an everyday environment.

The questions were far-ranging: What information can be left on an answering machine? When can a receptionist tell a caller whether an individual has a doctor's appointment that afternoon? How does a nurse identify a patient calling in for lab results? Where can patient names and room numbers be posted? All of these questions needed to be answered with policy and then passed on to employees.

If it sounds like employees get fire-hosed with rules, then you're right. "Oh, it's awful," Newton says. "It just inundates them with things."

In September, Carilion will begin the training process for the security rule. It will be easier this time around. The privacy rule applies to all kinds of protected health information, electronic and otherwise, but the security rule covers only electronic PHI.

Newton decided to rework existing policies to include new sections resulting from the security rule, as he did for the privacy compliance.

One thing he does know for sure: It was a waste of money last time to offer Web-based training because less than 15 percent of employees used the Web modules, and it was, Newton believes, less effective than in-person training. For the security rule, employees will be able to attend a live session or read the handbook on their own.

A Matter of Interpretation

Even as organizations chip away at HIPAA compliance employee by employee, a bigger question remains: How will HHS interpret and enforce the HIPAA security rule once next April's deadline passes? This, perhaps most of all, is something for other CISOs to watch because it could have a tremendous impact on how future information security regulations are crafted and enforced.

The security rule, by design, leaves plenty of room for interpretation. In particular, it was written to be technology-neutral, to allow diverse entities to comply and also to keep it from going out-of-date. "Any kind of federal regulation, I think by definition, is going to be fairly high-level," explains Borten of The Marblehead Group. "If you get too specific, you'll shoot yourself in the foot."
