Change HIPAA from headache to opportunity with role-based access control.
While some healthcare insurers perceive HIPAA as a hurdle, more forward-thinking organizations view its guidelines as building blocks to a successful e-business strategy.
Concerns surrounding the security and privacy of medical records are not new. Health information kept in paper files in cabinets is exposed to loss and misuse just as electronically stored and transmitted records are; what changes online is the scale and speed at which a breach can spread. In today's wired world, privacy is an increasingly valued and elusive commodity, and headlines regularly report security breaches and privacy violations. Nowhere is the liability exposure as stark as in healthcare, where organizations must balance the heightened concerns of multiple audiences (patients, providers, regulators and partners) with pressure to bring their services to the Web quickly.
A security breach can lead to loss of reputation, market share and revenue in today's competitive managed care environment. To mitigate these vulnerabilities and reap the rewards of streamlined operations and enhanced cost efficiencies, healthcare organizations should take the necessary steps to develop secure e-business infrastructures that maintain the basic tenets of patient privacy, regardless of governmental regulations.
Roles Determine Access
According to the FBI, 70 percent of all breaches originate internally, where insiders access information they are not authorized to see. In healthcare, many individuals have legitimate access to medical records, including physicians, nurses, lab technicians and administrators, but each should be able to view only those portions of a record needed to do his or her job. An administrator may not be allowed to read a patient's medical history, but may need to check claims status; a nurse may read all health information, but has no need to modify eligibility status.
To maintain the highest levels of security and privacy while eliminating administrative burdens, healthcare organizations should base access on roles that define who is allowed to view, update or modify what information, and how and when they are authorized to access that information.
A secure infrastructure not only defines roles, but also enforces information entitlements and security privileges by providing a variety of mechanisms for authenticating and authorizing users before allowing them access to specific Web services. Organizations can leverage these roles further to create personalized "portals," or views of Internet services, for each group of users based on their defined roles.
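The following is an added example, not code from the article or from any product it describes, showing how the role model above can be enforced in practice. The roles (physician, nurse, lab technician, administrator), the actions (view, update) and the resources (medical history, claims status, eligibility status) come from the article; the exact permission matrix, the `lab_results` resource, the business-hours constraint used to illustrate "when" access is authorized, and the user records are assumptions made for the example. Access is denied by default, every decision is written to an audit list, and the same role data drives the per-role "portal" view.

```python
"""Role-based access control (RBAC) check for a healthcare Web service.

Added example. The permission matrix, business-hours rule and sample users
are assumptions illustrating the article's role model, not a real policy.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, FrozenSet, List, Set, Tuple

VIEW, UPDATE = "view", "update"

# Resources. The first three are named in the article; lab_results is assumed.
MEDICAL_HISTORY = "medical_history"
LAB_RESULTS = "lab_results"
CLAIMS_STATUS = "claims_status"
ELIGIBILITY_STATUS = "eligibility_status"

Permission = Tuple[str, str]  # (resource, action)

# Role -> granted (resource, action) pairs. Anything not listed is denied.
# Grants follow the article's examples: an administrator can check claims but
# not medical history; a nurse can read all health data but not change
# eligibility. The rest of the matrix is assumed.
PERMISSIONS: Dict[str, FrozenSet[Permission]] = {
    "physician": frozenset({
        (MEDICAL_HISTORY, VIEW), (MEDICAL_HISTORY, UPDATE),
        (LAB_RESULTS, VIEW), (CLAIMS_STATUS, VIEW), (ELIGIBILITY_STATUS, VIEW),
    }),
    "nurse": frozenset({
        (MEDICAL_HISTORY, VIEW), (LAB_RESULTS, VIEW),
        (CLAIMS_STATUS, VIEW), (ELIGIBILITY_STATUS, VIEW),
    }),
    "lab_technician": frozenset({(LAB_RESULTS, VIEW), (LAB_RESULTS, UPDATE)}),
    "administrator": frozenset({
        (CLAIMS_STATUS, VIEW), (CLAIMS_STATUS, UPDATE),
        (ELIGIBILITY_STATUS, VIEW), (ELIGIBILITY_STATUS, UPDATE),
    }),
}

# "When" constraint (assumed): back-office roles work business hours only;
# clinical roles keep round-the-clock access because care does not stop at 18:00.
BUSINESS_HOURS_ONLY: Set[str] = {"administrator"}
BUSINESS_HOURS: Tuple[time, time] = (time(8, 0), time(18, 0))


@dataclass
class User:
    user_id: str
    roles: Set[str] = field(default_factory=set)


def at_hour(hour: int) -> datetime:
    """Helper for examples and tests: a fixed date at the given hour."""
    return datetime(2001, 4, 16, hour, 0)


def _role_active(role: str, at: datetime) -> bool:
    """A role only confers its grants during the hours it is allowed to operate."""
    if role not in BUSINESS_HOURS_ONLY:
        return True
    start, end = BUSINESS_HOURS
    return start <= at.time() < end


def is_permitted(user: User, resource: str, action: str, at: datetime) -> Tuple[bool, str]:
    """Deny by default; return (allowed, reason) so denials can be audited."""
    for role in sorted(user.roles):  # sorted so the reason is deterministic
        grants = PERMISSIONS.get(role, frozenset())  # unknown role grants nothing
        if (resource, action) not in grants:
            continue
        if not _role_active(role, at):
            continue  # role would permit it, but not at this hour
        return True, f"granted via role '{role}'"
    return False, f"no active role of {user.user_id} permits {action} on {resource}"


def authorize(user: User, resource: str, action: str, at: datetime, audit: List[dict]) -> bool:
    """Enforcement point for a Web service: decide, record the decision, return it."""
    allowed, reason = is_permitted(user, resource, action, at)
    audit.append({"user": user.user_id, "resource": resource, "action": action,
                  "at": at.isoformat(), "allowed": allowed, "reason": reason})
    return allowed


def portal_view(user: User) -> Set[str]:
    """Resources the user may at least view: the personalized portal for the role."""
    return {res for role in user.roles
            for (res, act) in PERMISSIONS.get(role, frozenset()) if act == VIEW}


if __name__ == "__main__":
    log: List[dict] = []
    admin = User("admin01", {"administrator"})
    nurse = User("rn42", {"nurse"})
    authorize(admin, MEDICAL_HISTORY, VIEW, at_hour(10), log)   # denied: wrong role
    authorize(admin, CLAIMS_STATUS, UPDATE, at_hour(22), log)   # denied: after hours
    authorize(nurse, MEDICAL_HISTORY, VIEW, at_hour(22), log)   # allowed
    for entry in log:
        print(entry)
    print("nurse portal:", sorted(portal_view(nurse)))
```

Two design points worth noting. Evaluation is deny-by-default, so a user whose roles are unknown or whose record carries a typo gets nothing rather than something; and the time constraint is attached to the role rather than to individual users, so a change in hours is a one-line policy edit instead of a per-user update, which is exactly the administrative saving the article argues for.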
Policies and Partners
Role-based policy management is one access-control option suggested by HIPAA that provides far-reaching business benefits. Managing users via roles enables organizations to scale their e-business rapidly, streamline authorization methods and ultimately reduce the administrative time and costs required to manage access on a user-by-user basis.
The appropriate security infrastructure can also authenticate users and retrieve data stored and maintained on older, mainframe systems, thereby eliminating the time required to re-enter data. Furthermore, a security infrastructure can extend these benefits outside the organization to the vast numbers of business partners and constituents accessing an e-business system.
Although not a requirement of HIPAA, a security infrastructure may enable an organization to delegate user management to business partners, suppliers and customers, who then manage their own groups of user profiles. End users can register themselves for access to those Web services the organization deems appropriate, within the limits of predefined security policies. This not only decreases the centralized burden of managing potentially millions of users and their corresponding security profiles, it also provides substantial administrative cost savings and a better level of customer service, two key drivers behind e-business goals.
Blue Cross and Blue Shield of South Carolina launched its e-initiatives in 1999 and currently provides more than 100,000 individuals with self-service capabilities and secure transactions via its Web site, at www.southcarolinablues.com. By integrating a security infrastructure early on, Blue Cross and others are ahead of the curve, not only in HIPAA compliance, but also in realizing the administrative and economic benefits of bringing services to the Web. Despite the urgency to comply with HIPAA, organizations seeking to reap the rewards of e-business should view the regulations as a wake-up call rather than a hurdle.