BCBST Reacts To Privacy Reg

When it considered the various ways to comply with the security rule included within the Health Insurance Portability and Accountability Act (HIPAA), Chattanooga, Tenn.-based BlueCross BlueShield of Tennessee identified its "incident response" capabilities as a viable compliance strategy. More specifically, the Tennessee Blues plan formed an incident response team (IRT) to respond to information systems incidents that could potentially compromise the security of personal or protected health information of its customers. The Blues plan can now respond to information systems incidents as a cohesive team and minimize the impact of incidents on its business and customers, says a security analyst at the company.

Deadline looms

The group's program has so intrigued other health insurance providers that BCBST executives are fielding many requests, many from fellow health insurance companies, to discuss the particular components of the program with its security experts.

It's no wonder BCBST's initiative is garnering so much attention: The HIPAA Security Rule deadline is April 21, 2005, and to this point many health care organizations have a long way to go to implement a health information security program that meets baseline regulatory and business requirements, according to a new report released by Washington, D.C.-based URAC, an independent organization that promotes health care quality through its accreditation and certification programs.

Written to minimize potential disruptions and security breaches to personal or protected health information, the HIPAA security rule is expected to impact how health care organizations handle information that contains protected patient health information.

The rule will also influence how organizations communicate with consumers, providers and other third parties, as well as how they educate patients and obtain information about them. HIPAA also affects how protected health information is collected, used and shared both internally and externally.

BCBST appears to have a solution to address these challenges. According to the company, the incident response team serves as a "united front" joining various operational units in handling IS incidents. Roles for dealing with incidents have been established, and response times to security breaches have improved.

In the end, the formation of the incident response team, which consists of staff from multiple IS groups throughout the company, has helped reduce the potential impact of unauthorized activity on BCBST systems that hold the company's protected health information.

The success BCBST has had in coping with the HIPAA security rule is an exception for an industry struggling with establishing a blueprint for compliance. URAC's report highlights key challenges confronting covered entities and other organizations as they upgrade their security programs in anticipation of next year's security deadline, and offers recommendations on what health care organizations can do to address these challenges. It identified four barriers to compliance, including:

  • Incomplete or inappropriately scoped risk analysis efforts.
  • Inconsistent and poorly executed risk management strategies. For example, does a health care organization actively address technical issues and employee practices that affect security?
  • Limited or faulty information system activity review. For example, does a health care organization actively collect data on how its systems and employees are performing?
  • Ineffective security incident reporting and response. For example, does an organization even detect when patient data has been compromised (i.e., stolen by an unauthorized person), and how does it deal with the issue?

In response to these challenges, the URAC report recommends that HIPAA compliance should not be seen as a costly regulatory burden, but as a way to appropriately manage ongoing security risks that reduces overall business risk, reduces costs, and improves quality.
