Privacy policies tighten up

By Maria Seminerio, eWEEK
08 February 2001 10:49 AM
Tags: online, privacy, healthcare, hipaa, comply, law, company, consumer
Viewing pending privacy regulations as a potential competitive advantage rather than an unnecessary hurdle, health care education site WellMed opted to get a jump on compliance -- and it's paying off.

With new federal privacy regulations coming on faster than a bad head cold, officials at WellMed late last year asked legal advisers for a prognosis: Would the health care education Web site be subject to the new HIPAA privacy requirements?

Probably not. While WellMed does collect and store medical records from some 700,000 consumers, it is neither a health maintenance organisation nor a hospital, the main targets of the Health Insurance Portability and Accountability Act regulations.

The assurances of HIPAA immunity notwithstanding, however, IT managers at WellMed decided to comply with HIPAA privacy regulations. Why spend the time and money when you don't have to? Officials at the e-business saw compliance as a potential competitive advantage rather than an unnecessary hurdle. Being able to tout their adherence to strict privacy standards, officials said, will make it easier for WellMed to reassure and attract consumers and health care industry partners. Plus, they said, complying now could head off trouble later, should lawsuits or legislation expand the scope of HIPAA.

"The public has become much more educated on the issue of health records privacy now," said John Meek, vice president of development at WellMed. Consumers, Meek said, increasingly expect that companies handling health records will safeguard their personal information from snooping marketers and potential employers who could wrongly use the information to deny them job opportunities.

As privacy regulation takes hold in more industries, not just health care, IT managers would do well to emulate WellMed and get a jump on compliance, experts say. That's particularly true, they say, for companies that collect and store sensitive consumer data such as home phone numbers, Social Security numbers, financial records or personal data on children. Even if they're unsure now whether HIPAA or other pending data privacy laws apply to them, such companies may soon be required to get customers' consent before gathering or sharing personal information, experts say.

Erecting privacy barriers

In WellMed's case, the cost of complying with HIPAA regulations did not require major budget surgery. The company, which allows users to store and transfer their full medical histories online and offers personalised health tutorials, already had internal processes for separating information that could be used to identify individuals from other medical history information. So the bulk of WellMed's efforts, which began last June, centered on erecting an improved encryption barrier around its patient-records database. The company began by encrypting individual online transmissions among itself, its consumers, and the HMOs, pharmaceutical benefits managers and insurance companies with which it partners, using the PGP E-Business Server from Network Associates's PGP Security unit. The product, used to secure databases and, at the application level, to secure data as it passes from server to server, works across disparate platforms and provides digital signature capabilities. A perpetual license of the PGP E-Business Server such as the one obtained by WellMed is priced at US$10,000, according to PGP Security.

WellMed also instituted a sweeping privacy policy addressing the various uses the company might make of anonymous as well as personally identifiable patient data and allowing users to control any information bearing personal markers. Consumers can authorise or deny authorisation of the use of their private information via e-mail, phone or letter. Without the user's prior authorisation, such patient records won't be shared with third parties. The company does share health statistics in the aggregate, however.

Finally, the company ensured that its servers, on-site at its Web hosting provider in Seattle, were accessible only to authorised personnel.
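The data-handling measures described above (keeping identifying fields apart from the medical history, refusing third-party disclosure without the user's prior authorisation, and releasing only aggregate statistics) as an added Python example; this is a constructed illustration, not WellMed's own code, and the field names, partner name and link key are assumptions.

```python
import hashlib
import hmac
from collections import Counter

# Fields that identify a person; they go to the identity store, never to the clinical store.
IDENTIFYING_FIELDS = {"name", "email", "phone", "ssn", "dob"}

# Constructed key for the demo; in a real deployment it lives in a separate,
# access-controlled secret store so a leaked clinical table cannot be re-linked.
LINK_KEY = b"constructed-demo-link-key"


def pseudonym(user_id: str) -> str:
    """Keyed token that links the two stores; not reversible without LINK_KEY."""
    return hmac.new(LINK_KEY, user_id.encode(), hashlib.sha256).hexdigest()[:16]


def split_record(record: dict) -> tuple:
    """Split one patient record into (identity_row, clinical_row) joined only by the token."""
    token = pseudonym(record["user_id"])
    identity = {"token": token, **{k: v for k, v in record.items() if k in IDENTIFYING_FIELDS}}
    clinical = {"token": token, **{k: v for k, v in record.items()
                                   if k not in IDENTIFYING_FIELDS and k != "user_id"}}
    return identity, clinical


class RecordStore:
    def __init__(self):
        self.identity = {}  # token -> identifying fields
        self.clinical = {}  # token -> medical history
        self.consent = {}   # token -> partners the user has authorised

    def add(self, record: dict, authorised_partners=()):
        identity, clinical = split_record(record)
        token = identity["token"]
        self.identity[token], self.clinical[token] = identity, clinical
        self.consent[token] = set(authorised_partners)

    def share_with(self, partner: str, user_id: str) -> dict:
        """Identified record for a partner only with the user's prior authorisation."""
        token = pseudonym(user_id)
        if partner not in self.consent.get(token, set()):
            raise PermissionError(f"user has not authorised disclosure to {partner}")
        return {**self.identity[token], **self.clinical[token]}

    def aggregate(self, field: str) -> dict:
        """Health statistics in the aggregate: value counts, no identifiers, no tokens."""
        return dict(Counter(row[field] for row in self.clinical.values() if field in row))
```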
