Many of the questions companies initially had about complying with the Health Insurance Portability and Accountability Act (HIPAA) have been answered. But there are still some sticking points. One key issue is how HIPAA affects companies that outsource work overseas.
"HIPAA guidelines tell you what to do, but they just don't tell you how," said Kevin Beaver, principal consultant with Principle Logic LLC. "[HIPAA is] really less of a technical issue than a business one."
This lack of technical detail leaves room for much interpretation among companies struggling to meet the various HIPAA deadlines.
There are two components that are not clearly addressed in the guidelines that are causing confusion among IT executives: offshore outsourcing and security.
Does HIPAA translate overseas?
Health care organizations are among the many types of companies trying to reap the benefits of offshore outsourcing. With this type of outsourcing, companies ship work overseas for cheaper labor. The most popular destination for offshore work today is India, with software development being the most common IT work sent over.
Many health care organizations, including Kaiser Permanente, Aetna Inc. and Cigna Corp., are utilizing offshore outsourcing for some of their IT services. Still, while offshore outsourcing can save money, it can also attract more problems than it's worth.
For instance, offshore providers are not required to comply with HIPAA. This means that they do not have to have HIPAA-mandated security and privacy mechanisms in place to safeguard protected health information (PHI). Knowing this, how can a U.S.-based health care organization safely send confidential data overseas?
But offshore outsourcing can be done, according to Kaiser -- if you proceed with care. Kaiser has, since 2002, been sending a portion of its programming work to India. The company overcame the obstacle of working with non-compliant overseas companies by performing a fair amount of due diligence. Kaiser interviewed clients from all the providers and had its partners sign formal business agreements. These agreements are made mandatory by the HIPAA guidelines. Any partner you work with must sign a document like this.
Kaiser takes one additional precaution when working with these offshore providers. The company doesn't send any of its data overseas. Instead, the Indian vendors log on to Kaiser's U.S. database to do their work. This allows Kaiser to have complete control of the information.
Beware of smaller offshore companies
But not all health care companies have found a successful formula for working with offshore companies.
In addition to IT services, some health care organizations are sending their business process outsourcing (BPO) work offshore. Some of the BPO services include medical transcription and claims processing.
"The real concern is when U.S. health care organizations (mostly clinics and group practices) deal with 'mom and pop type' transcription shops," said Saji Salam, chairman of Health Level Seven India, a standards organization for the health care arena. "These small transcription companies may not have the resources to be compliant with HIPAA regulations."
The HIPAA loophole here is that these companies are dealing with much smaller shops overseas. The vendor companies that are providing these BPO services employ only 50 to 100 people each. Although these companies are signing business partner agreements with U.S. organizations, they really don't have the bandwidth to implement the proper security systems to safeguard confidential patient data.
"The loophole is in terms of the technology," Salam said. "These companies don't have the technology in place to encrypt or decrypt files sent over from U.S. companies."
So the lesson here is to perform due diligence. If you are sending any of your medical work overseas, spend the time and money necessary to find a stable vendor that can ensure the protection of your confidential data.
Defining 'security mechanisms'
As companies hurry to meet the April 21, 2005, security deadline for HIPAA, they struggle with defining the "how" in this particular standard.
"HIPAA guidelines state that you must develop administrative, physical and technical safeguards to protect PHI," said Jon Bogen, founder and CEO of HealthCIO.com. "But it does not say 'how' or spell out the mechanisms -- therefore leaving a lot up to interpretation."
Without realizing it, many companies are well along the way in respect to meeting the security deadline using what they already have in-house, Beaver said. Some of the large hospitals and health care companies already have security policies and disaster recovery plans in place. Companies can build on these plans to create the proper HIPAA security policies.
"The security rule [in HIPAA] is scalable, and the technology is neutral," Beaver said. He suggests that companies learn from what others are doing and look at what they already have in place.
Beaver recommends utilizing the free and low-cost resources on the Web for advice and best practices on forming your security policies.
Some resources include SearchSecurity.com, SANS.org and NIHP.org, as well as ISO 1799.
HIPAA best practices
Many organizations are going through the same processes as they attempt to adhere to HIPAA guidelines. Bogen suggests looking at what other companies, like Partners HealthCare, Harvard Pilgrim Health Care and Tufts Health Plan, are doing. "It will save you lots of money and heartache."