HIPAA Opportunities Lag Expectations


New federal privacy regulations for the health-care industry aren't driving business the way Internet security firms had hoped.

Security providers expected the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which includes federal requirements for keeping electronic patient data secure and private, to send hospitals and other health-care organizations scrambling to shore up their data.

But with the compliance date for privacy regulations pushed out to April 2003 and specific security standards still undecided, health-care firms aren't rushing to action, solution providers said.

"We've been tracking it [HIPAA] but not with a lot of return to date," said Bob Joyce, president of Perfect Order, a Harrisburg, Pa.-based systems integrator.

"HIPAA's there, but it's not there. No one's crossed the t's and dotted the i's. It's a moving target," said Michelle Drolet, CEO of Conqwest, a security solution provider based in Holliston, Mass.

Health-care companies know they have to do something but are hesitating without set rules, she said. "Why do something if you don't have to and you don't know what the rules will be?" she said.

Executives at RedSiren, a Pittsburgh-based managed security firm, said they're alarmed at the number of health-care facilities that haven't begun preparing for HIPAA. Complying with the act will require a lot of technical evaluation, systems integration and management work, said Dain Gary, RedSiren's chief security officer.

"The health-care industry has got to get started right now," he said.

Another set of federal regulations, however, is driving security spending, solution providers said. Signed into law in 1999, the Gramm-Leach-Bliley (GLB) Act includes provisions for banks and securities firms to have and disclose privacy policies on how they handle customers' personal data.

"GLB is helping us close sales," said Duncan Alexander, vice president and principal at Alexander Open Systems, a Lenexa, Kan.-based integrator.

GLB isn't as complex as HIPAA, and federal regulators are checking for compliance, he added.

But some health-care companies are taking steps to comply with HIPAA. Born, a Minneapolis-based solution provider, said it's working with Microsoft to implement the vendor's BizTalk Accelerator for HIPAA for UCare Minnesota.

And technology firms continue to look to HIPAA for future opportunities. Mark Stevens, senior vice president of network security at WatchGuard, a Seattle-based vendor, said he expects HIPAA-related spending to pick up in the next few months.

"Right now they're [health-care organizations] just trying to figure out what they need to do," he said.