Many Health Care Organizations Noncompliant With HIPAA Security Rule, Report Finds

In recognition of the HIPAA security rule pre-anniversary deadline that passed this month, Washington, D.C.-based nonprofit URAC released a report examining the state of preparedness in the health care industry in complying with the security rule. 

The report identifies four key stumbling blocks that hamper the ability of organizations to satisfactorily meet the demands of the rule, and finds many health care organizations remain noncompliant. URAC's report identifies the following as barriers to compliance:

  • Incomplete or inappropriately scoped risk analysis efforts. For example, does the health care organization understand whether or not patient data is at risk of compromise on its systems?
  • Inconsistent and poorly executed risk management strategies. For example, does the health care organization actively address the technical issues and employee practices that affect security?
  • Limited or faulty information system activity review. For example, does the health care organization actively collect data on how its systems and employees are performing?
  • Ineffective security incident reporting and response. For example, does the health care organization even detect when patient data has been compromised, and how does it deal with that compromise?

"Many health care organizations still have a long way to go to implement a health information security program that meets baseline regulatory and business requirements," says Garry Carneal, URAC president and CEO. "The report highlights key challenges confronting covered entities and other organizations as they upgrade their security programs in anticipation of next year's security deadline, and offers recommendations on what health care organizations can do to address these challenges."

HIPAA compliance should not be seen as a costly regulatory burden, but as a way to appropriately manage ongoing security risks in a way that reduces overall business risk, reduces costs, and improves quality, according to URAC. Health care organizations need to start preparing now, one year ahead of the security rule deadline, to achieve full compliance.

Source: URAC
