Health Care Lags on HIPAA Security Rules

Computerworld - The data security rules mandated by the Health Insurance Portability and Accountability Act take effect next week. But a majority of health care companies are unlikely to be fully compliant with the new rules by then, according to recent surveys by two industry associations.

"There's not been a lot of forward momentum with HIPAA's security piece, which we find quite disconcerting," said Joyce Sensmeier, director of informatics at the Healthcare Information and Management Systems Society in Chicago.

HIMSS, which represents more than 15,000 individual members and about 220 companies, surveyed 400 health care firms earlier this year. Only 18% of the providers and 30% of the insurers that responded to the poll said they would be compliant by the April 20 deadline.

The American Health Information Management Association, which has about 50,000 members, today plans to release the results of a survey it conducted in January among privacy, security and compliance officers. Just 18% of the 1,140 respondents said their companies were fully compliant with the HIPAA security rules, according to Harry Rhodes, the Chicago-based association's director of practice leadership. But another 44% said they were close to achieving compliance.

"While it appears that organizations are continuing toward compliance, there are many that are still struggling," said Devin Jopp, chief administrative officer at URAC, a nonprofit accreditation agency for the health care industry. Companies are dealing with many of the same issues they cited as hurdles when Washington-based URAC conducted a similar survey last April, Jopp said.

The compliance-related problems cited in the studies include technology and process integration issues, time and budget constraints, and a lack of understanding of how to implement the rules.

The security rules, which are being administered by the federal Centers for Medicare & Medicaid Services, require all companies handling electronic health data to implement fully auditable steps for controlling access to confidential information and protecting it against compromise and misuse.
But the rules document does not specify the technologies that companies need to adopt. That "makes it kind of vague" for implementation purposes, said Mark Maher, security administrator at the Ochsner Clinic Foundation, which operates a hospital in New Orleans and 25 medical clinics throughout Louisiana.
"It tells you what you have to do, but how you do it is left open to you," Maher said. That has left a "lot of people confused about what exactly is required," he added.

Ochsner used a tool from consulting firm Meta Group Inc. to help it translate the HIPAA requirements into enterprisewide policies, standards and guidelines for complying with the security rules, Maher said.