Progress is slow on HIPAA security rules

Jaikumar Vijayan schreibt unter anderem für unsere US-Schwesterpublikation CSO Online.

Almost five months after the data security rules mandated by the Health Insurance Portability and Accountability Act went into effect, many health care companies still aren"t fully compliant with them, according to IT managers and analysts. They said technology, process and budgetary issues continue to delay compliance efforts, along with what is seen as a weak enforcement component that has many health care organizations feeling that they can take a wait-and-see attitude toward the rules.

Tim Harrison, information security officer at Cincinnati-based Catholic Healthcare Partners, said the US$3.2 billion not-for-profit company doesn"t expect to be fully compliant with the security mandates for another two years.

CHP, which operates 29 hospitals, has implemented many of the requirements but still needs to address the disaster recovery component, Harrison said. That part of the process has been put off because of a lack of IT staffers to dedicate to the task, he said, noting that CHP"s security team has just two workers who are responsible for securing more than 2,000 servers across two data centers.

In addition, HIPAA requires that people with access to protected health information be uniquely identified to an IT system each time they use it, Harrison said. But, he added, that capability can be "next to impossible" to implement efficiently, especially in busy areas such as hospital emergency rooms.

"I"m not sure that any health care organization is ever going to be fully compliant," said William Gillespie, CIO at WellSpan Health, a York, Pa.-based not-for-profit provider that serves over 650,000 people in central Pennsylvania and northern Maryland.

Unlike Y2k compliance, "this takes continuing investments," Gillespie said. WellSpan is about 90 percent compliant with the security requirements, according to Gillespie. But like CHP, it has yet to address the disaster recovery rules. In addition, WellSpan is still trying to get all 76 of its business partners to sign HIPAA-mandated agreements for protecting confidential health information. A June survey of 353 health care companies by the Healthcare Information and Management Systems Society (HIMSS) showed that many companies are in the same situation as CHP and WellSpan. Only 74 percent of the insurers and 43 percent of the health care providers that responded to the survey said they were fully compliant with the security rules, which took effect April 20. Although those figures were an improvement compared with the results of a similar survey done in January, they"re still "very surprising," said Joyce Sensmeier, director of informatics at the Chicago-based HIMSS, which represents more than 15,000 individual members and 220 companies.

Several organizations that responded to the June survey said they had chosen not to implement all of the security requirements because they didn"t anticipate that it would result in any image problems or legal issues, Sensmeier said.

HIPAA"s security rules are being administered by the federal Centers for Medicare & Medicaid Services (CMS). They require companies handling electronic health data to implement fully auditable steps for controlling access to confidential information and protecting the data against compromise and misuse.

HIPAA provides for civil penalties of up to $25,000 and criminal penalties of up to $250,000 per year for noncompliance. But the CMS initiates an enforcement process only if a complaint is filed against a company.

As a result, many businesses are unwilling to invest the money and resources needed to comply, said James Bragg, a former HIPAA security officer at a Tulsa, Okla.-based hospital. Bragg said he was laid off earlier this year after he had implemented "very basic levels of access and audit controls" for the hospital.

Stanley Nachimson, a senior technical adviser in the CMS"s Office of Electronic Health Standards and Services, said that the agency has received 26 complaints that are being investigated. But it"s "not even close to thinking about assessing any penalties as yet," he added. Instead, the emphasis is on working with companies and giving them a chance to develop corrective action plans, Nachimson said.