Survey finds only 18% of providers ready for HIPAA.
Healthcare providers had until April 20 to comply with HIPAA's Security Rule, which requires them to ensure that all electronically transmitted health information on patients is safe from hackers, according to the HIPAA Compliance Survey for Winter 2005, produced by Chicago-based Health Information and Management Systems Society (HIMSS) and Phoenix Health Systems of Montgomery Village, Md.
The winter survey showed the same compliance results among providers as a survey conducted in summer 2004. But fewer providers indicated they believe they will be compliant on or before the deadline. Seventy-four percent indicated they would have necessary data security programs in place by April 20, down from 87 percent in June 2004, the study noted.
D'Arcy Guerin Gue, executive vice president of Phoenix Health Systems, called the low compliance level "surprising and worrisome."
"If healthcare organizations do not quickly deploy and maintain comprehensive electronic security measures, the ever-increasing use of HIPAA standard electronic transitions threatens to turn into patient privacy and security breaches waiting to happen," she said.
Some of the non-compliant already know that feeling. Forty percent of providers in the survey noted that their organizations had experienced at least one security breach in the past six months. The survey also noted that because compliance with the security regulation is not yet required, "it is likely that some organizations have yet to fully establish tracking methods for security breaches."
Still, others wondered why compliance has seemed so difficult. "The easiest way to do it is to keep it simple," said Tia Walker, founder and chief executive officer of Authora Inc., an encryption software maker in Seattle.
"For several thousand dollars, you can acquire software to encrypt your data. You'll need an IT guy to help set the whole thing up for you, but it's otherwise not very difficult. And that's all you have to keep in mind: keep it simple, meet the HIPAA requirements and add on whatever else you want later."
Survey respondents said the main reason for compliance delay was the overall difficulty in integrating new systems and policies within a company in a relatively short time.
Other major reasons cited were difficulty in interpreting HIPAA regulations, budget constraints, and time constraints, according to the survey.
The Security Rule standard does not require specific technologies; providers may meet the requirements with whatever methods work best for their operations, according to HIPAA guidelines. The selected solutions must be "supported by a thorough security assessment and risk analysis."
Fewer companies are using outside consultants as they attempt to meet HIPAA's guidelines, according to the survey. Only 37 percent of respondents reported using a consultant as of the winter survey, down from 42 percent in June 2004.
Although steep fines of up to $250,000 can be assessed if a company does not comply with the new rule and an information breach occurs, it may be some time before the Secretary of Health and Human Services actually enforces it. The survey noted that less than 80 percent of providers are compliant with HIPAA's Privacy Rule, which went into effect in April 2003.
The Privacy Rule gave patients the right to access their medical records, restrict access by others, request changes and learn how their records had been accessed. It also restricted most disclosures of protected health information to the minimum needed for healthcare treatment and business operations.
A continuing lack of compliance by providers may compromise HIPAA's overall objectives and "jeopardize the ability to maintain privacy of protected health information," HIMSS Director of Professional Services Joyce Sensmeier said.
For the survey, 400 healthcare industry representatives, including 320 healthcare providers, participated. Seventy-five percent of the providers were hospitals, facilities or private practices with 400 or fewer beds.
|Publication:||The Non-profit Times|
|Date:||May 1, 2005|