Study: Providers Come Up Short on HIPAA Privacy Compliance

By M.L. Baker  |  Posted 04-14-2005
Most health care providers report being largely compliant with the privacy rule of the Health Insurance Portability and Accountability Act, but fewer than half of them are fully compliant, according to a survey released Monday by the American Health Information Management Association. The deadline for compliance passed about two years ago.

At a public teleconference Wednesday, CMS (Centers for Medicare & Medicaid Services) officials said enforcement would be "complaint-driven" and that they generally expected to work with entities covered by HIPAA to obtain compliance when complaints were filed.

On the other hand, the 40 percent of institutions now reporting full compliance is almost twice the 23 percent that reported full compliance a year ago.

For the upcoming HIPAA security deadline, three-fifths of institutions rated themselves as 85 percent or more compliant, and 12 percent said they were less than 50 percent compliant.

However, the AHIMA survey (PDF file) was conducted in January, and commentary accompanying the survey said these figures were "not surprising."

Mervat Abdelhak, president of the American Health Information Management Association, said the level of compliance was encouraging, but stressed that "privacy and security are ongoing issues that require continued commitment and fine-tuning and can't be forgotten beyond initial compliance."

A smaller survey, conducted in January by HIMSS (Healthcare Information Management and Systems Society) and Phoenix Health Systems came to more alarming conclusions: "This development raises a flag of concern–how can patient privacy be preserved and the use of electronic transactions proliferate without adequate hardware and software security protections?"

The HIMSS survey of 318 professionals at health care providers and 82 payers found that security compliance had improved since June 2004, but that the number of organizations that expect to be compliant by the deadline had declined since then. In June, 87 percent of providers and 91 percent of payers thought they would be compliant. By January, those figures had fallen to 74 percent and 80 percent, respectively.

But Don Rode, AHIMA's vice president of policy and government relations, was much less worried. "Any organization that's doing a decent job on its privacy side is probably doing OK because security is a subset of privacy."

Part of the calm is that the government has made known that it will not actively seek out noncomplying institutions unless someone files a complaint. Even then, Rode said the government would be inclined to consider the context if a breach had occurred.

"They'd be looking to see how you handled the situation and what you're doing to fix it. It's not an adversary situation, it's a good-faith attempt to get things working right." He said the government would rather prosecute deliberate and flagrant violations.

But the HIMSS study (PDF file) found that just over a quarter of payers and providers had had at least one formal complaint of privacy violation filed against them. Well over half of the respondents said their institution had had a privacy breach in the past six months.

Rode said he thinks HIPAA compliance is more often an organizational issue than an IT issue, particularly because so many hospitals still operate in a paper world. The HIPAA privacy rule, for example, requires institutions to keep a record of each disclosure of patient information to another party, even when supplying that information is both routine and legally required. Gunshot wounds, he said, must be reported to police, but that reporting is rarely done electronically.


However, Rode worried that IT departments already struggling to implement clinical information systems would find themselves squeezed by HIPAA, noting that in most of the cases where a hospital had appointed a HIPAA security officer, it had appointed someone from IT.

HIPAA compliance must be a hospitalwide effort, not the sole responsibility of the IT staff, he said, adding that without input from everyone, apparently ideal solutions may not work. "You can build really great access systems, but if physicians find ways around it, it doesn't do any good."

When asked about complaints that the government has been unclear about the requirements of the HIPAA security rule, Rode said the rule was written to require certain results rather than particular procedures, with the intent of giving institutions more flexibility. But, he said, "some folks felt that it left too much up to them to decide."
