Progress is slow on HIPAA security rules

Computerworld - Almost five months after the data security rules mandated by the Health Insurance Portability and Accountability Act went into effect, many health care companies still aren't fully compliant with them, according to IT managers and analysts.

They said technology, process and budgetary issues continue to delay compliance efforts, along with what is seen as a weak enforcement component that has many health care organizations feeling that they can take a wait-and-see attitude toward the rules.

Tim Harrison, information security officer at Cincinnati-based Catholic Healthcare Partners, said the $3.2 billion not-for-profit company doesn't expect to be fully compliant with the security mandates for another two years.

CHP, which operates 29 hospitals, has implemented many of the requirements but still needs to address the disaster recovery component, Harrison said. That part of the process has been put off because of a lack of IT staffers to dedicate to the task, he said, noting that CHP's security team has just two workers who are responsible for securing more than 2,000 servers across two data centers.

In addition, HIPAA requires that people with access to protected health information be uniquely identified to an IT system each time they use it, Harrison said. But, he added, that capability can be "next to impossible" to implement efficiently, especially in busy areas such as hospital emergency rooms.

"I'm not sure that any health care organization is ever going to be fully compliant," said William Gillespie, CIO at WellSpan Health, a York, Pa.-based not-for-profit provider that serves over 650,000 people in central Pennsylvania and northern Maryland.

Unlike Y2k compliance, "this takes continuing investments," Gillespie said. WellSpan is about 90% compliant with the security requirements, according to Gillespie. But like CHP, it has yet to address the disaster recovery rules. In addition, WellSpan is still trying to get all 76 of its business partners to sign HIPAA-mandated agreements for protecting confidential health information.
A June survey of 353 health care companies by the Healthcare Information and Management Systems Society (HIMSS) showed that many companies are in the same situation as CHP and WellSpan. Only 74% of the insurers and 43% of the health care providers that responded to the survey said they were fully compliant with the security rules, which took effect April 20 .
Although those figures were an improvement compared with the results of a similar survey done in January, they're still "very surprising," said Joyce Sensmeier, director of informatics at the Chicago-based HIMSS, which represents more than 15,000 individual members and 220 companies.

Several organizations that responded to the June survey said they had chosen not to implement all of the security requirements because they didn't anticipate that it would result in any image problems or legal issues, Sensmeier said.