At the 13th annual Health care Information and Management Systems Society (HIMSS) conference in Atlanta this week, MSPs (managed service providers) Digex Inc. and Divine Inc. joined Sun Microsystems Inc. in announcing separate solutions designed to ease HIPAA (Health Insurance Portability and Accountability Act) implementations through outsourced means.
The news underscores the trend of MSPs and large IT vendors joining the rush to help health care companies comply with security and privacy standards set forth by the U.S. government's looming HIPAA deadline of April 2003.
Sun has bundled a few of its security-related products, including Trusted Solaris, iPlanet software, Java Card smart cards, and Sun Ray thin-client solutions, with transaction-compliance applications from its partners for its HIPAA solution set, said Michael Haymaker, global health care development manager at Sun, based in Palo Alto, Calif.
The hardware and software behemoth will rely on MSSP (managed services security provider) ComTrust to bring online identity management, authentication and authorization, PKI (public key infrastructure), and physician credential verification hosted services to Sun health care customers.
At HIMSS, Divine introduced a workflow data collection tool to unify customers' full range of HIPAA internal and external initiatives. The latest addition to Divine's HIPAA services set, the new Web-based tool allows health care representatives to monitor and receive real-time status of compliance efforts, said officials of the Chicago-based MSP.
Also at HIMSS, managed hoster Digex announced that its managed security services have been validated to meet proposed HIPAA requirements through an independent assessment by security vendor TruSecure. The validation is Digex's response to customers wary of an MSP's security expertise and its compliance with HIPAA planning and implementation, officials said.
First created in 1996 by Congress to ensure the protection and confidentiality of electronic health information, HIPAA has forced all facets of the health care industry to undergo a radical transformation, replacing antiquated back-end legacy systems and paper-based processes with the required technology. Although the security portion of HIPAA has yet to be formally established, the government has mandated that doctors, hospitals, and insurance companies must be HIPAA compliant no later than April 14, 2003.
Failure to comply with HIPAA will result in severe civil and criminal penalties, including fines of up to US$250,000 and imprisonment of up to 10 years. Government estimates have placed the cost of the massive IT overhaul associated with HIPAA regulations in the private and public sectors upwards of $22 billion.
Allan Carey, senior analyst at Framingham, Mass.-based IDC, said nontraditional security companies wading into a competitive HIPAA-hungry solution market are trying to get a jump by customizing their in-demand management solutions to meet specific HIPAA customer needs.
"They're wrapping services around solutions to combine hardware and software because health care will need assistance in deploying solutions, and what they need to do [in order] to meet compliance," said Carey.
But Carey noted that because most companies are awaiting the final security regulation disclosure before moving forward, it's too soon to tell how the HIPAA security market will shake out between outsourced solutions and off-the-shelf security products.
Still, with HIPAA's deadline less than 15 months away, Jim Quist, CEO of MedeFinance, an ASP health care data processor, said time is running out to ensure everyone is on the same security page, a role he entrusts to his hosting provider, Digex.
"We handle a tremendous amount of patient and financial detail. Our customers are typically hospitals that can dial in and look at their specific patient detail information out of our databases. Security is absolutely more important than anything we're talking about here, even uptime," said Quist. "It's absolutely critical that a member of one hospital cannot look at [information] from another."