Decoding HIPAA: Are You Ready?
Section: Archive
Author: Kristen Bole
Contributor: Bio-IT World
Publication date: 2002-03-07
Description: The Health Insurance Portability and Accountability Act's privacy and security provisions will force many bioscience companies to rebuild information systems.
Source URL: http://www.bio-itworld.com/archive/030702/hippa.html
Copyright 2002
By Kristen Bole
March 7, 2002 | Ken Schwartz, lead software developer for Genzyme Genetics, has an enormous task ahead of him. Over the next two years, he and his team will rewrite roughly 80 percent of the software used by their division. What started as a planned technology upgrade has expanded in scope and urgency in order to comply with the new health care privacy rules taking effect this spring under the security provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. It's a rush job that is also a classic hurry-up-and-wait scenario: Despite more than a year of anticipation, no one at Genzyme knew until this spring what the new systems had to include.
"It's all based on projections," Schwartz says. "It's like trying to eat the bull while it's still running around the field. To eat it, you've got to catch it and you've got to cook it, and you can't do that yet."
Known to the industry as HIPAA, the new law was originally intended to simplify billing and administration for hospitals and doctors' offices, in part by establishing standards for electronic record keeping. The law developed tentacles as it moved through Congress, however, adding new provisions that stretch far beyond the average doctor's office.
Only in the last year did HIPAA reach the bioscience industry, where it has created an electronic nightmare expected to surpass many firms' Y2K preparations in both the scope and cost of required systems changes. Although the exact changes will vary according to the amount of access each company has to patients' medical records, HIPAA is expected to become standard protocol for hospitals, forcing virtually any health technology company that runs clinical trials, provides software, or uses genetic samples to overhaul its computer systems.
Michelle Dougherty, practice manager at the American Health Information Management Association (AHIMA), says, "What I hear from the industry is that Y2K efforts helped prepare [companies] for these changes, but this is a very big undertaking, particularly on the security side. Many of the systems they have in place do not meet the requirements of HIPAA and it means a major upgrade." AHIMA has been helping health-care organizations nationwide come up to speed on the new rules.
The Scope of the Problem
At its core, HIPAA has almost nothing to do with biotechnology, which is why it caught the industry by surprise. Until now, most of the attention given the new law has focused on how hospitals and other health-care providers would set up systems and procedures to protect patients' privacy. Those provisions went into effect last April with a two-year deadline for compliance, but were hotly contested and changed numerous times along the way. "We didn't know the details of the requirements until it was passed," Dougherty says, adding that the authors of the bill never considered how bioscience companies might be affected.
HIPAA at a Glance
What it is: New federal law creating security standards to ensure the privacy of patients' medical records
When it takes effect: Spring 2002
Deadline for full compliance: Spring 2004
Who it affects: Primarily hospitals, health-care providers, insurance companies, and anyone who has access to a patient's medical data. Secondarily, vendors and "business associates" of health-care providers, including those who run clinical trials.
What it requires:
- A cross-functional senior management team dedicated to ensuring compliance
- Upgrades of computer systems to track who has accessed patient information and on what date
- Staff training on privacy and security
- Changes in contracts with health-care providers to guarantee that patient information is safeguarded
- Ability to document internal practices and records for DHHS upon request
- Destruction of all protected information upon termination of contract with health-care provider
The concept of the security provision is fairly straightforward: Any company that has access to medical information must be able to document who accessed that information, when, and to what purpose. Because medical information is now being kept in computers rather than filing cabinets, software systems need to have a log attached that shows who entered a patient's record and when, even if it was during a system upgrade. That type of log is already available on software programs in many privacy-conscious fields such as insurance and human resources, as well as in many word-processing applications, in a modified form.
Privacy, of course, is nothing new to a company like Genzyme, which performs molecular tests to determine whether patients are predisposed to genetic diseases. "Like hospitals, we've been dealing with privacy forever, so it was easy for us in some ways to put on the HIPAA mantle," says Trace Custer, Genzyme's vice president of compliance in its Santa Fe, N.M., facility. "When it comes to IT though, where they haven't had the regulations around them, it's much harder."
Part of the problem is that the bioscience industry has developed much of its software in-house, in an environment where a high level of documented security wasn't an issue. In fact, the goal for software engineers was to develop systems open enough for scientists to collaborate on projects, improve communication, and further developments.
"There was nothing out there [that could] do what we wanted," Schwartz says, which is why Genzyme built its own systems in the early 1990s. "At the time, there was nothing available and no need to track [access to patient records]." Another issue: Anyone revising a system last year had only a vague idea of what those HIPAA revisions should entail, says Schwartz.
Scott Clarke, CEO of BioSpace Inc. and former chief information officer at Incyte Genomics, says the main problem was the complexity of the proposal as it was first written. "The question of how it's going to affect the biotech community is anybody's guess right now," he said just a few months ago. Clarke says that although the intent of the proposal was to protect confidentiality of genetic information, the original text was so broad that it was unclear whether the bill would stymie research into protein therapeutics. "It was so complicated that it wasn't consistent or even clear on what you could or couldn't do."
Worse, it was also unclear who would be affected by the regulations.
So Who Is Affected?
Unlike many bioscience companies, Genzyme knew it would be affected by HIPAA because it has direct access to patients' medical records—the key qualification for status as a covered entity. Thus required to assemble a team that would ensure the company complied with HIPAA's privacy provisions, Genzyme was also primed to respond to HIPAA security legislation as it made its way into the Congressional Record.
Other companies, though, are still in the dark. "This is the part that keeps lawyers in business in health care," says Dougherty. "It's hard for you and me to sit here and determine who's covered and who's not."
Technically, the law applies only to companies or professionals who have access to a patient's medical case file. That means doctors and nurses, hospital billing staff, insurance companies, and any information systems engineers who might need to enter a patient file in order to update the technology. Therefore, Dougherty says, most bioscience companies are not directly covered under the new regulations. But BioSpace's Clarke says there are specific types of life science companies to whom the rules will likely apply: protein therapeutics companies and those doing research into next-generation phenotype-specific drugs.
Most bioscience companies will end up being classified as "business associates" or vendors to a covered entity (such as a hospital or doctor's office). "As a vendor, there are many elements that [bioscience companies] have to be aware of and will have to follow," Dougherty says. Among these are the rules covering contract language, staff training, and the ability to verify compliance for the Department of Health and Human Services (DHHS). Verifying compliance means ensuring that computer systems can track every person who has touched a file.
A typical vendor, for example, would be a cardiovascular device company that sells its catheters to a hospital system. The company needs to evaluate the effectiveness of its catheters as they are used in individual patients, so it must have access to patient records. Thus, the company will be required to maintain a log of the people who accessed those records and on what dates, either electronically or in hard copy. Similarly, any company working on clinical trials or conducting follow-up research will be required to meet the same standards.
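One way to implement the access log described above (every touch of a patient record, including during a system upgrade, recorded with who, when and why) and the per-record report a vendor must be able to produce, as an added example that is not Genzyme's or any vendor's code. The store class, record ids, actor names and the fixed one-day-per-event clock are hypothetical, constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AccessEvent:
    record_id: str
    actor: str
    purpose: str
    when: datetime


class AuditedRecordStore:
    """Hypothetical record store: every read, write and maintenance touch is
    appended to an access log before the record itself is touched."""

    def __init__(self, clock=None):
        self._records = {}
        self._log = []  # append-only: nothing in this class removes entries
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _audit(self, record_id, actor, purpose):
        self._log.append(AccessEvent(record_id, actor, purpose, self._clock()))

    def put(self, record_id, data, actor, purpose):
        self._audit(record_id, actor, purpose)
        self._records[record_id] = data

    def get(self, record_id, actor, purpose):
        self._audit(record_id, actor, purpose)  # logged even if the read then fails
        return self._records[record_id]

    def migrate(self, transform, actor, purpose="system upgrade"):
        # A schema upgrade touches every record, so each one gets its own entry.
        for record_id in list(self._records):
            self._audit(record_id, actor, purpose)
            self._records[record_id] = transform(self._records[record_id])

    def access_report(self, record_id):
        """Who accessed this record, on what date, and for what purpose."""
        return [(e.actor, e.when.date().isoformat(), e.purpose)
                for e in self._log if e.record_id == record_id]


def demo():
    # Constructed scenario with a fixed clock (one day per event) for reproducibility.
    days = iter(datetime(2002, 3, d, 9, 0, tzinfo=timezone.utc) for d in range(1, 31))
    store = AuditedRecordStore(clock=lambda: next(days))
    store.put("PT-0001", {"test": "genetic screen", "result": "pending"}, "lab-tech-a", "intake")
    store.get("PT-0001", "clinician-b", "result review")
    store.migrate(lambda r: {**r, "schema": 2}, actor="sysadmin-c")
    return store.access_report("PT-0001")
```

The report returned by demo() lists the lab technician's intake, the clinician's review and the administrator's upgrade as three dated entries, which is the kind of trail a covered entity or business associate must hand over on request.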
Even if a company is not a covered entity as defined by law, any company that deals at all with the health-care industry will very likely be forced to comply with HIPAA regulations.
All boiled down, HIPAA remains a murky issue for bioscience companies. Confusion persists over both the nature and scope of HIPAA-required security provisions, and the need to retrofit less-documented "home-grown" applications will drive up compliance costs for many companies. Now is the time to learn as much as possible about HIPAA and develop clear plans for compliance.