Q&A
HIPAA Compliance: Time's Up
CSO sat down with Partners Healthcare CISO Bob Pappagianopoulos to talk about the HIPAA mandate and its challenges.
By Paul Roberts
June 01, 2005 — CSO — The deadline for compliance with the Health Insurance Portability and Accountability Act's Final Security Rule was April 20, 2005. Health-care CSOs across the country scrambled to make sure their organizations were in line with the federal law, which covers a broad range of security aspects, including health-records access, network data transmission and physical security.
CSO: The compliance deadline for HIPAA security has arrived. Is Partners ready, or are you still trying to tie up loose ends?
Bob Pappagianopoulos: We put a phony date [for HIPAA security compliance] of Dec. 31, 2004, and focused on that. A lot of work involves just documenting outstanding issues and looking at gaps.
So what happened April 20?
By April 20, you had to make sure that, if you look at every [HIPAA security] regulation, you're in 100 percent compliance or have a valid, well-documented reason why you're not. We've done everything that's reasonable: employee training, updated and centrally located our policies. Everything we can do that makes good common sense, we'll do.
As I talk to other hospital organizations, they feel the same way. There are certain things that have to get done. We've identified those and will get them done. There are others where, from our perspective, you can't turn a ship quickly.
For example?
We've documented why we're not 100 percent in compliance with the regulation regarding disaster-recovery planning. The reason is that we have approximately 1,200 applications at Partners. Having a true disaster-recovery plan for all of those is cost-prohibitive. We have a plan to meet a reasonable standard. For example, all of our departments have business-continuity plans so that, in the event that they can't get to patient records, they can provide quality of care. We're also moving to a new data center and taking one of two existing data centers and replacing it with a larger data center for the top 42 applications and about 200 feeder systems initially. Things like our longitudinal medical-record clinical repository, which is where all our lab results go.
Encryption of data is considered "addressable" also, which means that you don't have to be in compliance by April 20, but you have taken steps to be as compliant as you can. We have a project for encrypted file transfer and hope to have it in place in the next three months so that all files are encrypted.