For more info on a specific newsletter, click the title. Details will be displayed in a new window.
Subscribe to
Computerworld 40 years of the most authoritative source of news and information for IT leaders.
Health Care Lags on HIPAA Security Rules
or
Other Security Stories
|
|
|
|
April 11, 2005 (Computerworld) -- The data security rules mandated by the Health Insurance Portability and Accountability Act take effect next week. But a majority of health care companies are unlikely to be fully compliant with the new rules by then, according to recent surveys by two industry associations.
"There's not been a lot of forward momentum with HIPAA's security piece, which we find quite disconcerting," said Joyce Sensmeier, director of informatics at the Healthcare Information and Management Systems Society in Chicago.
HIMSS, which represents more than 15,000 individual members and about 220 companies, surveyed 400 health care firms earlier this year. Only 18% of the providers and 30% of the insurers that responded to the poll said they would be compliant by the April 20 deadline.
The American Health Information Management Association, which has about 50,000 members, today plans to release the results of a survey it conducted in January among privacy, security and compliance officers. Just 18% of the 1,140 respondents said their companies were fully compliant with the HIPAA security rules, according to Harry Rhodes, the Chicago-based association's director of practice leadership. But another 44% said they were close to achieving compliance.
"While it appears that organizations are continuing toward compliance, there are many that are still struggling," said Devin Jopp, chief administrative officer at URAC, a nonprofit accreditation agency for the health care industry. Companies are dealing with many of the same issues they cited as hurdles when Washington-based URAC conducted a similar survey last April, Jopp said.
The compliance-related problems cited in the studies include technology and process integration issues, time and budget constraints, and a lack of understanding of how to implement the rules.
The security rules, which are being administered by the federal Centers for Medicare & Medicaid Services, require all companies handling electronic health data to implement fully auditable steps for controlling access to confidential information and protecting it against compromise and misuse.
But the rules document does not specify the technologies that companies need to adopt. That "makes it kind of vague" for implementation purposes, said Mark Maher, security administrator at the Ochsner Clinic Foundation, which operates a hospital in New Orleans and 25 medical clinics throughout Louisiana.
"It tells you what you have to do, but how you do it is left open to you," Maher said. That has left a "lot of people confused about what exactly is required," he added.
Ochsner used a tool from consulting firm Meta Group Inc. to help it translate the HIPAA requirements into enterprisewide policies, standards and guidelines for complying with the security rules, Maher said.
As part of the process, the foundation has implemented measures for encrypting all outgoing e-mail that contains protected data, eliminating the use of the file transfer protocol and requiring business partners to connect only via virtual private networks.
Even so, the integration of system logs from multiple sources—which is needed to ensure that an audit trail exists for all access to protected data—has been a huge challenge, Maher said. Ochsner is currently evaluating products for integrating its logs.
"One of the key issues with HIPAA is the audit-trail concept of having procedures in place [and] having accountability," said Christopher Borod, supervisor of network and technical services at Good Samaritan Health System in Lebanon, Pa. Good Samaritan has deployed a security dashboard from NetIQ Corp. that automates the collection of log information from multiple systems, Borod said.
But Jopp noted that he knows of "large contingents of companies that are struggling with integrating their system logs for review."
The HIPAA rules set noncompliance penalties of up to $25,000 per violation. But the enforcement process will be initiated only if a complaint is filed against a health care organization.
The lack of a strong enforcement component has resulted in a somewhat "lackadaisical attitude" among some companies, HIMSS's Sensmeier said. There's no urgency, she added, "because no one is going to be waiting to come into your organization on April 21 to see if you are compliant."
Data Mandates
The HIPAA security rules require health care companies to address the following areas:
Security standards for protection of personal health data stored electronically.
Administrative safeguards for managing information security measures.
Physical safeguards for protecting health data.
Technical safeguards relating to the technology used to protect information.
Organizational requirements, including standards for contracts with business partners.
Policies, procedures and documentation requirements.
Source: National Institute of Standards and Technology
Security Standing
What is your organization’s level of compliance with HIPAA’s data security rules?
Base: 1,140 privacy, security and compliance officers surveyed in January
Source: American Health Information Management Association, Chicago
|
Print this Story |
|
Send Us Feedback |
|
E-mail this Story |
|
Digg this Story |
|
Slashdot this Story |
|
|
|
|
|
 |
|
All Zones Application Performance Zone Business Continuity Zone Data Center Management Zone Enterprise-Class Security Zone The File Data Management Zone Grid Computing on Windows Zone Security Management Zone ITIL Best Practices Zone The SAS Zone Storage Virtualization Zone Business Intelligence and Analytics Zone |
 See your link here
|
 |
||||||||
| ||||||||
| ||||||||
| ||||||||
|
Why SaaS is Vital to Email and Web Security
Download this Executive Bulletin (a $49.95 value) for free, compliments of MessageLabs.
Get this white paper now!
Read up on the latest ideas and technologies from companies that sell hardware, software and services.
- Microsoft promises four patches next week
- Google gives away home-cooked Web application security scanner
- Storm botnet stages Fourth of July attacks
- More top stories
Security Management ZoneSecurity management is the process of developing a comprehensive data protection plan. It takes into account all potential threats, the existing network environment, the future needs of the organization, and lays out a multi-tiered blueprint to integrate the security technology needed to combat these threats. CDW can help keep your network and data secure. Visit the CDW Security Management Zone now See All Zones
|
 Fired up about IT? Join Sharkbait and share your true tales of IT. SharkBait is the place for you to sound off about everything IT – the good, the bad, and the rest of the weird stuff you deal with every day.New baits 
|
"Security Directions" virtual trade show2008's Code-Red Security Issues for Protecting the EnterpriseWebcasts, white papers, demos, and more. Presented in a unique 3-d environment. Enter our show right now! Click here to enter
|
 In SecuritySecurity's important, and risk must be addressed, right? Sure, but watch for four signs your policies go a bit overboard. Click here to read the latest column by Jon Espenschied |
CIO
Computerworld
CSO
DEMO
GamePro
Games.net
IDG Connect
IDG World Expo
Infoworld
The Industry Standard
ITworld
JavaWorld
LinuxWorld
MacUser
Macworld
Network World
PC World
Playlist
Copyright © 2008 Computerworld Inc. All
rights reserved. Reproduction in whole or in part in any form or medium
without express written permission of Computerworld Inc. is prohibited.
Computerworld and Computerworld.com and the respective logos are
trademarks of International Data Group Inc.
|
