Maybe it's because so many companies have focused most of their attention on complying with Sarbanes-Oxley this past year, but a significant portion of health insurers and health care providers will not meet the security requirements of the Health Insurance Portability and Accountability Act (HIPAA) by the April 20 deadline. Only 30% of payers and 18% of providers said they were already compliant with the HIPAA security regulations in a survey released in February by Phoenix Health Systems, a Montgomery Village, Md.-based consulting firm to hospitals.
What's more, the number of organizations that expected to be fully compliant by the deadline actually declined since the last survey. Only 74% of providers (down from 87% in a summer 2004 survey) and 80% of payers (down from 91% in the summer survey) indicated they will be compliant on or before this month's deadline.
"These low levels of required patient data security protection are surprising and worrisome," said D'Arcy Guerin Gue, executive vice president of Phoenix Health Systems, at the time the survey results were released.
"If health care organizations do not quickly deploy and maintain comprehensive electronic security measures in particular, the ever-increasing use of HIPAA standard electronic transactions threatens to turn into patient privacy and security breaches waiting to happen." (Editor's note: At press time, Gue had not returned phone calls.)
Some progress
Although the number of lagging organizations is troubling, the industry is making progress in two key areas of HIPAA security compliance, according to the survey: designating a security officer and conducting training. Ninety-eight percent of payers have designated a security officer, and 93% of providers have also done so.
In addition, 37% of payers have already conducted the required HIPAA security training, with an additional 58% expecting to finish prior to the deadline.
Similarly, 32% of providers have conducted the security training, with an additional 60% expecting to finish prior to the deadline.
Payers and providers differ slightly in terms of which HIPAA security requirements they're having the most trouble implementing. When asked which HIPAA security standards they find most difficult, the survey respondents indicated the following:
- 32% of payers and 55% of providers said audit controls are most difficult.
- 34% of payers and 49% of providers said risk management/risk analysis.
- 40% of payers and 48% of providers said information system activity review.
- 29% of payers and 39% of providers said data backup/disaster recovery/emergency mode operation plan.
"The industry has just gotten tired of HIPAA," says Chris Apgar, president of Apgar & Associates LLC, a Portland, Ore.-based consulting firm. "They're at the point where they think, 'We don't need to worry about it; it's not a big deal.'"
Nonchalant attitude
In part, the nonchalant attitude can be attributed to the lack of enforcement of the HIPAA privacy regulations, Apgar says. Although the compliance deadline for HIPAA privacy was two years ago, 10% of payers and 22% of providers are still not fully compliant, according to the Winter 2005 Phoenix Health Systems survey.
"The Office for Civil Rights (which is responsible for enforcing HIPAA privacy compliance) is understaffed and has not been able to follow up on complaints," Apgar says.
What's more, the Centers for Medicare and Medicaid Services has indicated it will enforce HIPAA security compliance the same way the OCR enforces privacy: based on complaints.
But payers and providers shouldn't take that statement to mean the CMS isn't going to use audits to enforce HIPAA security, which is a more effective approach, says Apgar.
"Unlike the OCR, the CMS already has an auditing staff in place. So if you're a Medicare carrier, CMS already does periodic compliance audits, and you can bet they're going to add security to that audit."
The industry also shouldn't be tackling HIPAA and other regulations as separate events, according to industry sources (see "SOX Keeping You Awake At Night?" page 22).
"Part of the reason the industry is lagging on HIPAA compliance is because it is overwhelmed by regulations," Apgar says.
"You have HIPAA. You have Gramm-Leach-Bliley. You have Sarbanes-Oxley. And organizations are looking at all these laws as discrete compliance activities, saying, 'Where do I start? I'm not staffed for this.'"
Instead, insurers and providers should be identifying where the various regulations overlap, and approach compliance strategically, sources say.
"Insurers should be saying, 'What's my master game plan for complying with all of this, and where do these laws overlap, so I don't have to do this twice?'" Apgar says.
Nonetheless, even though HIPAA privacy and security breaches can result in fines, and even criminal penalties for intentional violations, the industry won't drastically change its approach until a major lawsuit is filed or a fine is levied against a carrier for a violation, according to Apgar.
"Then, at that point, they'll say, 'Oh wow, maybe we should do something about this,'" he says.