Health industry must prepare for privacy regulations

Health care providers may soon face the problem of making computer systems comply with pending rules that are likely to raise the bar for information security in the industry.

Evan Hansen Staff Writer, CNET News.com
Department Editor Evan Hansen runs the Media section at CNET News.com. Before joining CNET he reported on business, technology and the law at American Lawyer Media.
Evan Hansen
4 min read
With a deadline looming for the introduction of sweeping regulations governing the privacy of medical records, health care providers may face a bigger problem than Y2K: bringing computer systems into compliance with pending rules that will almost certainly raise the bar for information security in the industry.

Although the rules have not yet been finalized, one struggling health information technology company hopes to find redemption by staking an early claim on what promises to be a multibillion-dollar makeover of information systems for health care providers in the United States.

Quadramed, a Richmond, California-based health care information technology company, today introduced a desktop security product, called One Look, aimed at the health care market. The company says the product is the first of its kind to comply with proposed national medical privacy rules outlined by the Clinton administration just last month.

Among a host of medical start-ups racing to the Web with everything from home remedies to promises of simplifying medical claims processing, Quadramed stands out for its refusal to immediately embrace the Internet for salvation.

Although the company says it has Internet plans down the road, it has instead waded into the politically charged arena of private medical records, focusing in the short run on marketing a security solution for the industry's client-server technology.

Adam Frisch, an analyst with Warburg Dillon Read in New York, said Quadramed is fairly well positioned to capitalize on the Health Insurance Portability and Accountability Act of 1996 (HIPAA), also known as the Kassebaum-Kennedy law, which mandated an overhaul of medical privacy rules.

"HIPAA compliance is what everybody is talking about," Frisch said. "Quadramed has a pretty strong presence in the medical records and business office arenas...where a lot of the HIPAA regulations will take effect."

Frisch cautioned, however, that there is uncertainty over what the law will eventually require. The Clinton proposal stands to receive a close reading by privacy advocates and can be amended between now and February 21, the statutory deadline under HIPAA to finalize medical privacy regulations. The rules are scheduled to take effect two years from then.

HIPAA compliance could dwarf costs of the Year 2000 bug overhaul. Quadramed estimates that expenses could run as high as $250,000 for each of the nation's more than 6,000 non-government hospitals in the next two years, for example.

Investors, however, have so far remained cool to the company. Quadramed's stock has been hammered since the beginning of the year, dropping from more than 28 to less than 6. According to Quadramed chief executive James Durham, the stock's drop can mostly be attributed to Y2K fears, which have punished the medical sector particularly harshly.

Durham said he believes Y2K fears have been overblown and predicts the stock will bounce back in the new year on the strength of products such as One Look.

Biometrics rebirth?
According to the company, One Look allows users to log on to a network using a so-called biometrics device that scans a thumbprint to verify identification. Once on the system, One Look can customize an individual's access to files and programs, keeping parts of the network off limits as desired.

It also can keep track of which emergency room doctors are on duty at any given time in a hospital.

"This is the first all-encompassing solution"

at a glance

HQ: Richmond, California  
CEO: James Durham  
President: John Cracchiolo  
Employees: 2,674  
Annual sales: $159.39 million  
Annual income: ($18.61 million)  
Date of IPO: October 1996  
Ticker: QMDC  
Exchange: Nasdaq

Quadramed quotes
Quadramed news

Source: Bloomberg 11/10/99

for health care providers, Durham said.

One Look already has been picked up by at least one customer, Burdette Tomlin Memorial Hospital, a 242-bed hospital located in Cape May County, New Jersey.

Edward Duryee, chief information officer of Burdette Tomlin, said the hospital chose One Look in part to simplify its log on procedures.

"At a hospital, it's not uncommon for a doctor to have four usernames and four passwords," he said. "And each computer has a card taped to it with all the usernames and passwords. So the system is wide open to anyone, from a nurse to a janitor."

Quadramed's Durham said One Look provides a balance of security and privacy features.

"The concept of a single patient identifier is politically charged," he said. "But the secure electronic movement of medical records...is an exceedingly important issue."

Not everyone is happy with the notion of creating a security system that stores a unique individual identifier for each user of the system, however.

David Kennedy, a consultant with Reston, Virginia-based Internet security firm ICSA.net, said that biometrics technology "is a good and useful thing, but it's not a catch-all."

Kennedy said thumbprint identification could become a problem if the prints are collected as access IDs by more than one organization, for example.

"If I work for six or seven employers who all use my thumbprint to access their system, then there will be six or seven copies of my print out there," he said. "That increases the possibility of misuse."

Kennedy said he favors "smart cards," which store electronic information in magnetic form, as a security tool that can also help address the problem of multiple passwords.

A bigger problem, Kennedy said, is whether anyone should be gathering identification such as thumbprints in the first place. "When did I give the government or health care provider permission to do that, anyway?"