HIPAA Compliance: So-So and Stalling

Three years after the deadline for compliance with the Health Insurance Portability and Accountability Act to protect patients’ health information, over a fifth of health care providers and over a tenth of payers say they are not meeting the standards.

Overall, compliance with HIPAA requirements is lackluster, with the number of health care providers saying they are fully compliant with transaction rules actually falling, according to the latest biannual survey from Phoenix Health Systems, a consulting firm, and the Healthcare Information and Management Systems Society.

In terms of the security rule, the least compliant provider groups were hospitals with more than 400 beds and hospitals with between 100 and 400 beds. Neither group has improved since the last HIPAA compliance survey in January. The security rule requires systems to be in place for authenticating health workers’ identity and for disposing of and reusing information-storage media, as well as audit controls and other checks against unauthorized access to information.

In this survey, conducted in July and August, only 56 percent of providers and 80 percent of payers said they were compliant with provisions of the security rule. In January, those numbers were 55 percent and 72 percent, respectively.

Even among practices that reported themselves as compliant, more than half surveyed said there had been at least one privacy breach in the past month. More than a fifth reported six or more. However, compliant organizations reported only slightly fewer privacy breaches than noncompliant ones, and the report concluded that some organizations that consider themselves compliant actually are not.

Privacy compliance remained largely unchanged since summer 2005. The report indirectly blamed lax enforcement of the rule. “It is reasonable to conclude that a core group of approximately 20% of Providers and 13% of Payers have had insufficient incentive to implement required Privacy practices within their organizations,” according to the report. Privacy compliance generally means obtaining a patient’s consent before sharing health information and sharing only the minimal information required.

Read the full story on eWEEK.com: HIPAA Compliance: So-So and Stalling.