The Health Insurance Portability
and Accountability Act of 1996 (HIPAA) sounded a wake-up call throughout
the healthcare industry: patient data is an asset and it needs
to be protected. IT departments now face the challenge of
implementing HIPAA's three provisions: electronic data exchange
of transactions (EDI), privacy and security.

Though many providers find HIPAA byzantine
and its implementation sometimes painful and frustrating, they
can obtain many business benefits from working to develop an administrative
simplification system that makes sense.

The HIPAA rules are clear for EDI and privacy, but the security
rule has not yet been finalized. Faced with competing strategic
priorities and shrinking budgets, CIOs at healthcare organizations
must convince senior management to comply with these evolving rules.
CIOs throughout the country often complain about board members and
senior executives who are not taking HIPAA seriously. Healthcare
executives argue that it will take years of case law to clarify
what constitutes a HIPAA violation, how to apply sanctions and how
to provide ongoing enforcement. The federal government currently has
few staff to enforce HIPAA, and the strategy for auditing compliance
is not well defined.

What precisely are privacy and security? Privacy is the right of
the individual to control how, to whom and when confidential information
is released. Security encompasses the technical tools needed to
control this release.