New HIPAA security rules could open door to litigation

Computerworld - New federal security standards that cover how personal health information is electronically maintained or transmitted could create a legal nightmare for the health care industry, will require a massive training effort and could cost millions of dollars, according to hospital industry personnel who specialize in health care IT.
The Health Insurance Portability and Accountability Act (HIPAA) security standards (download PDF) become law today with their publication in the Federal Register, but don't take effect until April 21, 2005, according to the Centers for Medicare & Medicaid Services (CMS), part of the U.S. Department of Health and Human Services.
Despite that time lag, the new standards will hit the nation's $1.3 trillion health care industry quickly because they become the de facto security guidelines for federal privacy standards regarding health care information. Those privacy standards, which govern electronically protected health information (PHI), go into effect April 14, according to Mary Henderson, vice president of IT compliance and director of the national HIPAA program at Kaiser Permamente Health Plan.
Kaiser is the nation's largest nonprofit health maintenance organization, with 8.4 million members, 29 hospitals and 423 medical offices staffed with 11,000 doctors.
According to CMS, the new security standards will affect 2.6 million "covered entities," a group that includes the whole swath of the health care industry, from individual doctors to hospitals to major insurance plans such as Kaiser. While it doesn't mandate specific security technologies or procedures that should be used to meet the security standards, the CMS does spell out what information must be protected and what the industry should strive to do.
Specifically, according to the CMS, health care organizations should: Insure confidentiality, integrity and availability of all electronic protected health care information; protect against threats to the security or integrity of such information; protect against unauthorized disclosure or use of protected health care information; ensure compliance by the entire workforce.
Karen Trudel, deputy director of the office of HIPAA standards at CMS, said she doesn't disagree that the security standards could become the de facto standard for PHI, even though they don't go into effect until 2005. But, Trudel said, the privacy rules cover paper and oral communications as well as electronic health information; the security regulations cover not only privacy but also the integrity and availability of information. They are designed to ensure that health care data is preserved and backed up in case of a system failure.
Richard Marks, a lawyer at the Seattle-based law firm of Davis Wright Tremaine LLP, said the combination of the