Complexity wont prevent insurers from meeting deadlines
By Matt Brady
As they enter the homestretch for becoming fully compliant with the regulations outlined in the Health Insurance Portability and Accountability Act, insurers are finding that, although still complex, the process is not an overwhelming task.
“Basically, this is an entire organization-wide change,” says Pushpendu Pal, chief technology officer at Anthem Blue Cross Blue Shield, Indianapolis.
However, Pal says Anthem is “very, very confident” that it will be fully HIPAA-compliant before the deadline, adding that the companys target date for full compliance is mid-February, well ahead of the official deadline of April 21, 2005.
Fred Laberge, a spokesman for Aetna, Hartford, Conn., expresses similar confidence, saying his company would “absolutely” be prepared for compliance in time.
HIPAA was passed in 1996, although it did not take effect until April 14, 2003. Much of the law is focused on ensuring the confidentiality of medical records and patient information, as well as helping to inform patients as to how their health information is being used and disclosed.
For insurers, HIPAA established new rules and regulations in five separate areas. Specifically, those rules applied to the electronic transfer of information, the code sets used by insurers to identify drugs or procedures, patient privacy, unique identifications for patients, and security, according to Laberge. Each of the different areas had a separate deadline for compliance.
After Congress and those crafting the rules had done their work, Pal says, “we did an assessment of what that means to us as an organization.” Based on that assessment of the different areas of business affected by HIPAA, Pal says Anthem established 8 separate projects for reaching compliance.
Among those projects was establishing an application inventory system. Although Anthem “spans across 9 different states,” as Pal notes, the company also has a significant amount of local level and area-specific applications. To better track exactly what is happening within the company, Pal says Anthem established a “very detailed application inventory,” which tracks where each application is based and who specifically “owns” that application. If someone at Anthem wants to use an application, “the applications owner will have to give access.”
On the security front, Pal says Anthem now encrypts all data that move outside of its system, including e-mail. Anthem, he says, has been working with an outside company to establish a high level of encryption for its system.
Most of the deadlines for companies to achieve compliance with the regulations of HIPAA have passed, with the April deadline for security the sole remaining major date.