Security Regulations For HIPAA Are Set
The health-care industry has waited for more than four years for the final regulations. As anticipated, a section in the original proposals requiring electronic signatures was removed from the final regulations. But to the surprise of many, the final regulations offer much more flexibility than anticipated.
Gartner analyst Jim Klein said the major change is that every section of the regulations is now specified as either "required" or "addressable." Twenty-two of the 42 implementation specifications that are addressable involve IT security technology, Klein said.
One of the things now addressable rather than required is e-mail encryption. But while the more flexible security regulations will reduce the costs of compliance by half, particularly for small organizations, they carry more risks, Klein said.
"The changes are more comprehensive than we expected, but I believe they will help health-care organizations focus on what needs to be done," said Elizabeth Wood, IBM's health-care national practice executive.
While that means there is less specificity regarding which solutions will be needed for certain applications, Bill Jensen, health-care marketing manager at Check Point Software Technologies, said it will actually give customers and solution providers more flexibility. For example, the draft regulation said if patient information is transmitted over an open network, it must be encrypted. "But it failed to define what an open network is," Jensen said. "It created a lot of confusion."
But eliminating the requirement to encrypt e-mail doesn't mean that those exchanging patient information shouldn't consider doing so. In a recent conference call, Tom Walsh, consultant at CTG Healthcare Solutions, told customers they have to determine the best way to secure shared information.
The new security regulations mean that customers have to decide what level of risk they want to take. The problem is, most organizations haven't conducted full risk and vulnerability assessments, according to Walsh. "They are giving us some flexibility in how you implement security, but it's all based on your risk analysis," he said. "What I have found is most organizations haven't even assessed their risk, let alone analyzed risk."
Jeffrey Schwartz is Senior Editor for VARBusiness.