The data security rules mandated by the Health Insurance Portability and Accountability Act take effect next week. But a majority of health care companies are unlikely to be fully compliant with the new rules by then, according to recent surveys by two industry associations.
"There's not been a lot of forward momentum with HIPAA's security piece, which we find quite disconcerting," said Joyce Sensmeier, director of informatics at the Healthcare Information and Management Systems Society in Chicago.
HIMSS, which represents more than 15,000 individual members and about 220 companies, surveyed 400 health care firms earlier this year. Only 18% of the providers and 30% of the insurers that responded to the poll said they would be compliant by the April 20 deadline.
The American Health Information Management Association, which has about 50,000 members, today plans to release the results of a survey it conducted in January among privacy, security and compliance officers. Just 18% of the 1,140 respondents said their companies were fully compliant with the HIPAA security rules, according to Harry Rhodes, the Chicago-based association's director of practice leadership. But another 44% said they were close to achieving compliance.
"While it appears that organizations are continuing toward compliance, there are many that are still struggling," said Devin Jopp, chief administrative officer at URAC, a nonprofit accreditation agency for the health care industry. Companies are dealing with many of the same issues they cited as hurdles when Washington-based URAC conducted a similar survey last April, Jopp said.
The compliance-related problems cited in the studies include technology and process integration issues, time and budget constraints, and a lack of understanding of how to implement the rules.
The security rules, which are being administered by the federal Centers for Medicare & Medicaid Services, require all companies handling electronic health data to implement fully auditable steps for controlling access to confidential information and protecting it against compromise and misuse.
But the rules document does not specify the technologies that companies need to adopt. That "makes it kind of vague" for implementation purposes, said Mark Maher, security administrator at the Ochsner Clinic Foundation, which operates a hospital in New Orleans and 25 medical clinics throughout Louisiana.
"It tells you what you have to do, but how you do it is left open to you," Maher said. That has left a "lot of people confused about what exactly is required," he added.
Ochsner used a tool from consulting firm Meta Group Inc. to help it translate the HIPAA requirements into enterprisewide policies, standards and guidelines for complying with the security rules, Maher said.
As part of the process, the foundation has implemented measures for encrypting all outgoing e-mail that contains protected data, eliminating the use of the file transfer protocol and requiring business partners to connect only via virtual private networks.
Even so, the integration of system logs from multiple sources—which is needed to ensure that an audit trail exists for all access to protected data—has been a huge challenge, Maher said. Ochsner is currently evaluating products for integrating its logs.
"One of the key issues with HIPAA is the audit-trail concept of having procedures in place [and] having accountability," said Christopher Borod, supervisor of network and technical services at Good Samaritan Health System in Lebanon, Pa. Good Samaritan has deployed a security dashboard from NetIQ Corp. that automates the collection of log information from multiple systems, Borod said.
But Jopp noted that he knows of "large contingents of companies that are struggling with integrating their system logs for review."
The HIPAA rules set noncompliance penalties of up to $25,000 per violation. But the enforcement process will be initiated only if a complaint is filed against a health care organization.
The lack of a strong enforcement component has resulted in a somewhat "lackadaisical attitude" among some companies, HIMSS's Sensmeier said. There's no urgency, she added, "because no one is going to be waiting to come into your organization on April 21 to see if you are compliant."
| Data Mandates | |
|
| Security Standing | |
|
