HIPAA Setting Best Practices
March 14, 2010
HIPAA legislation does not lay out a specific, standardized course of action or “best practice.” Rather, the language often suggests “reasonable and appropriate” action to protect and secure business assets and protect private data. This openness puts the burden on providers and payers to chart new territory and implement changes across a broad range of electronic, paper, and physical practices that include:
· Policy (at organizational and department levels)
· Applications upgrade and redeployment
· Physical security
· Accountability and audit measures
· IT infrastructure improvements (especially for authentication and access control)
· Training and deployment
Most institutions dealt with this complex environment by starting with a HIPAA compliance architecture and road map. They tackled each of these areas with careful planning, coordination, and, finally, effective execution. As stated, the tasks and challenges permeate every aspect of healthcare organizations’ operations. The words of the director of information security at a provider network summarized the situation: “[HIPAA] needs to be part of your daily environment.”
A Business and Policy Challenge First
Given these perspectives, most healthcare organizations recognize the complexity of the problem. They understand that no one technology or single process solution provides a quick answer. In fact, most executives dismiss sales pitches that claim to provide a simple fix. The words of two compliance officers at provider organizations captured the view that was common during the planning stage. One noted, “There’s not a product out there that’ll systemize privacy right now. And I don’t think we could afford it if it was there.” Said the other, “There are little pieces of the puzzle that everybody needs, but there’s not one full solution. The hard part is piecing together your puzzle.”
Mapping Requirements to Infrastructure
Finally, the enterprise began to map HIPAA’s privacy requirements to its infrastructure. Again, early and immediate actions involved setting clear policy and ensuring compliance with it. For example, one area that had suffered from uneven policy compliance involved user account management – a simple, common, but critical security component. To avoid the issue of user access accounts “hanging around” after employee transfer or termination, the provider network set up zero-tolerance policies for immediate account termination and explicit account startup procedures. That policy included steps toward building a “role-based” account management structure. The network, in its early implementation, would like to establish simple role-based access rights for business, research, and clinical roles within the hospital. That same recognition of data classification (business, clinical, or research) opens a set of efforts to both classify and control access to that data once roles are in place.
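The account-management policy described above can be made concrete in a few lines of code. The following is an added example, not code from the article or from the provider network it describes: it models explicit account startup, immediate deprovisioning, simple roles for business, clinical, and research data, and an audit that flags active accounts whose owners have left (the “hanging around” problem). The `Directory` class, the role-to-classification mapping, and the HR status feed are assumptions for illustration; the article names the roles and classifications but not the exact rights attached to them.

```python
"""Role-based account management with a leaver audit (illustrative, not the
provider network's own system). The role-to-classification mapping and the
HR record format below are assumptions made for this example."""
from dataclasses import dataclass, field

# Data classifications named in the article.
CLASSIFICATIONS = frozenset({"business", "clinical", "research"})

# Assumed least-privilege mapping: each role reads only its own class of data.
ROLE_TO_CLASSIFICATIONS = {
    "business": frozenset({"business"}),
    "clinical": frozenset({"clinical"}),
    "research": frozenset({"research"}),
}


@dataclass
class Account:
    username: str
    roles: frozenset
    active: bool = True


@dataclass
class Directory:
    """In-memory stand-in for the account store (hypothetical)."""
    accounts: dict = field(default_factory=dict)

    def provision(self, username, roles):
        """Explicit account startup: refuse unknown roles and duplicate accounts."""
        roles = frozenset(roles)
        unknown = roles - set(ROLE_TO_CLASSIFICATIONS)
        if unknown:
            raise ValueError(f"unknown roles for {username}: {sorted(unknown)}")
        if username in self.accounts:
            raise ValueError(f"account already exists: {username}")
        self.accounts[username] = Account(username, roles)
        return self.accounts[username]

    def deprovision(self, username):
        """Zero-tolerance termination: disable at once; a missing account is an error."""
        account = self.accounts[username]
        account.active = False
        return account

    def can_access(self, username, classification):
        """Allow only active accounts whose roles cover the data classification."""
        if classification not in CLASSIFICATIONS:
            raise ValueError(f"unknown data classification: {classification}")
        account = self.accounts.get(username)
        if account is None or not account.active:
            return False
        allowed = frozenset().union(*(ROLE_TO_CLASSIFICATIONS[r] for r in account.roles))
        return classification in allowed

    def orphaned_accounts(self, hr_status):
        """Audit: active accounts whose HR record is 'terminated' or absent.
        hr_status maps username -> 'employed' | 'transferred' | 'terminated'."""
        return sorted(
            a.username for a in self.accounts.values()
            if a.active and hr_status.get(a.username, "unknown") in ("terminated", "unknown")
        )


def run_example():
    """Constructed sample: three accounts, one whose owner has already left."""
    directory = Directory()
    directory.provision("alice", ["clinical"])
    directory.provision("bob", ["business"])
    directory.provision("carol", ["research"])
    # Constructed HR feed: carol was terminated but her account is still active.
    hr_status = {"alice": "employed", "bob": "employed", "carol": "terminated"}
    orphans = directory.orphaned_accounts(hr_status)
    for username in orphans:          # enforce the immediate-termination policy
        directory.deprovision(username)
    return {
        "orphans": orphans,
        "alice_clinical": directory.can_access("alice", "clinical"),
        "alice_research": directory.can_access("alice", "research"),
        "carol_research_after": directory.can_access("carol", "research"),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The audit treats an account with no HR record at all the same as a terminated one, because an account nobody in HR can vouch for is exactly the kind that lingers after a transfer; in practice the HR feed would be the system of record and the audit would run on a schedule.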