FASTNET Gets Hip to HIPAA

The consequences of the 1996 Health Insurance Portability and Accountability Act are only coming into play now. We take a look at what one ISP had to do to certify that its data centers are HIPAA-compliant.

Consultants are calling it "the Y2K of the health care industry." Storage specialists are claiming that it will increase demand for secure data storage exponentially. No matter what you call it, the Health Insurance Portability and Accountability Act (HIPAA) is changing the way the health care industry handles its data, as well as the way Internet service providers transfer and store it.

HIPAA was designed to encourage the health care industry to switch from paper-based to electronic record keeping in order to help contain health care costs over the long term. The U.S. Department of Health and Human Services (HHS) said that "uniform national standards will save billions of dollars each year for health care businesses by lowering the costs of developing and maintaining software and reducing the time and expense needed to handle health care transactions." In the short term, however, health care companies are incurring new costs as they make the switch to electronic record keeping systems.

In one corner of the nation sits Bethlehem, Pa.-based FASTNET, a regional provider of Internet access, backbone, and hosting services in the northeast. In mid-October, the company announced that some of its data centers were certified HIPAA "Best Practices" Compliant by WeAreHIPAA, a HIPAA consulting company.

Companies are "compliant" but not "certified" because HIPAA is a law with several layers of rules, some of which have been issued and others that are still under review. According to the HHS, the following HIPAA rules are at different stages of development:
Of these rules, the first, concerning transactions, came into force on October 16, 2002 (but companies were allowed to file for a one-year extension). The second rule, concerning privacy, will come into force on April 14, 2003 (with similar opportunities for extensions).

Sonny Hunt, FASTNET co-founder and executive vice president, explained that a happy coincidence of customers and resources presented the company with an opportunity. "We have a number of customers in the health care and pharmaceutical industries, and we have our data centers," Hunt said. "We saw an opportunity to help our clients and to reach out to outsourcers who are helping other companies become HIPAA compliant."

Hunt said that FASTNET intends to reach out to data storage outfits that will need HIPAA-compliant data centers. "HIPAA is a three-legged approach. It covers applications, hardware, and the data center. We are the third leg, the data center leg, and are compliant," Hunt said. "If a health care concern cannot be ready and needs to outsource everything, we could be a permanent or temporary solution allowing them to put their servers in a compliant facility."

Becoming HIPAA-compliant involves more than mere technology upgrades. Health care businesses will spend money on training and on technical support staff. Concerns about security and privacy will require doctors, nurses, and other staff to learn new procedures when handling patient data.

Hunt said that part of the challenge of HIPAA is that businesses have to look at each link in the chain not only inside, but outside of their network as well, which is why the company brought in WeAreHIPAA to help. "When we brought in WeAreHIPAA, they looked at more than our firewall," Hunt said. "They examined how we audited our services, what alarms we had in place, how we set up and defined responsibilities and accountability, and how we explained our policies to our employees."

Hunt added that WeAreHIPAA taught FASTNET the importance of an audit trail. "Telecommuters have to be HIPAA-compliant. Each one needs an audit trail and an encrypted VPN. Some of our clients work with labs, and they need the labs they work with to be HIPAA-compliant," Hunt said. "Any business with access to patient data is affected."

According to Hunt, becoming HIPAA-compliant was an arduous process that required the company's full resources. "Our CTO, Philip Weller, had undergone a similar audit at another job, and that helped. But we did have to make this our top priority," Hunt said. "We focused our people on this project for about two months."

Hunt said he believed that the security expertise required for HIPAA compliance would catch the attention of potential customers in other industries that are also concerned about security. "We think that our HIPAA compliance will gain us respect from potential customers in other industries such as finance," he said.

ISPs with storage and security expertise may want to look at HIPAA as a business opportunity. As FASTNET's experience shows, there's a great deal of work involved. They say that those who sold shovels in California during the gold rush of the mid-nineteenth century made more money than those who were actually digging the gold. Consultants are looking to HIPAA as a gold mine, but they'll certainly need VPNs, data centers, and other secure products that only expert ISPs can offer. HIPAA security is more complex than the shovel business, but some ISPs may find it equally profitable.