Now, what if a vendor tried to sell you hardware or software it claims is "HIPAA (Health Insurance Portability and Accountability Act)-compliant"? You could ask a truckload of questions but you wouldn't like the answers: There's no such thing as an HIPAA-compliant product, at least not yet.

HIPAA (aka Public Law 104-191) is a federal law intended to combat fraud and abuse in health care, standardize health-care transactions and implement privacy controls on patient records. It applies to all health-care providers that conduct electronic transactions for health claims and related information, such as eligibility and enrollment in health plans, payment and remittance advice, claim status and benefits coordination, and to clearinghouses that process such transactions. It covers all private sector health plans, including HMO and ERISA (Employee Retirement Income Security Act) plans, as well as government health plans such as Medicare and Medicaid. Small, self-administered health-care providers are excluded from HIPAA, but it's difficult for them to ignore a law that's destined to have such a tremendous impact on their industry.

HIPAA includes more than 70,000 words: Title I is designed to ensure ongoing health coverage for people who lose or change jobs; Title II is designed to simplify and improve health-care administration by encouraging the electronic interchange of health-care data. The law also requires the Department of Health and Human Services to establish national standards for health-care- provider identifiers, security and electronic signatures, transaction code sets for health claims, and privacy of individually identifiable health information, such as patient records.

But while the rules for privacy in patient records and transaction code sets for health claims have been finalized and are scheduled for implementation in April and October 2003, respectively, the rules for provider identifiers and security and electronic signatures are still in the proposal stages.

How, then, can PoliVec claim that PoliVec Builder walks you through an entire HIPAA-compliant security scheme? How can Medinex Systems bill MxMail as an HIPAA secure electronic messaging system for hospitals? And how can Blue Ridge Networks boast that HIPAAGuard is the first network to exceed all federal requirements for secure electronic health-care transactions? These products may comply with some parts of HIPAA, but they are far from comprehensive solutions.

Take just the privacy rules that will go into effect April 14. They require health providers and clearinghouses to inform patients of their privacy rights and how their personal data is used; adopt clear privacy procedures and implement them in their practices, hospitals or plans; train employees to understand the privacy procedures; designate an individual to oversee the adoption and implementation of those privacy procedures; and secure patient records that contain individually identifiable health information so those records can't be accessed by anyone inappropriate. Granted, authentication and encryption schemes may provide secure access to patient records. But secure access is only one aspect of one rule under the big HIPAA umbrella.

So don't buy into the HIPAA hype. Don't take any wooden nickels and don't buy any bridges, either.