Stitching Up Health Records: Privacy Compliance Lags

The good news about privacy and the Health Insurance Portability and Accountability Act is that more than 80 percent of companies involved in health care have technology and processes in place to provide the level of patient-privacy protection required by the 1996 law.

The bad news? All were supposed to have done so by April 2003.

More bad news? The percentage hasn’t changed since last summer, meaning about 20 percent of health care companies are “unable or unwilling to implement federal privacy requirements,” according to a twice-yearly survey of health care payers and providers conducted by Phoenix Health Systems and Healthcare Information and Management Systems Society, or HIMSS.

And that’s just regarding the rule designed to make sure patient information isn’t sent to the wrong people or accessed by people without a right to know. Securing the data so hackers can’t force their way in is another category of compliance entirely.

Meanwhile, as of April 21, another wave of companies will have the chance to be noncompliant, as the deadline passes for companies with less than $5 million in revenue to meet HIPAA Security standards.

It’s not that health care companies find privacy and security technology hard to manage, said William “Buddy” Gillespie, vice president and CIO at WellSpan Health, which includes two hospitals; a home health care provider; a pharmacy; and about 40 physicians’ offices, managed care plans and other outpatient treatment facilities in Pennsylvania and Maryland.

The problem is that HIPAA rules are often vague and technology is developing so quickly that it’s often hard to decide whether flash drives, hot-site disaster recovery, and other specific storage and file management technologies are covered or satisfy the rules, Gillespie said.

“The regulations didn’t have much precision,” said Gillespie, in York, Pa. “They were very general in a lot of cases. Regulatory statements said something about the requirements but didn’t come out and say what technology was involved. We went through the regulation sections for more than a year to interpret those regulations into technology solutions that seemed to work and meet the regulations too.”

Just more than half (55 percent) of large health care providers and 72 percent of insurers and other payers are able to meet the requirements of the security part of the law, which went into effect last April, according to HIMSS.

Like the 1999 Gramm-Leach-Bliley Act, which was designed to protect the private data of customers in financial institutions, HIPAA was designed to create fundamental change in the way health care institutions treat the data they store about past transactions, the characteristics of their customers and the services they perform for those customers.

Both laws applied to electronic records the kind of rigorous legal control that had been applied to paper documents for decades. The challenge in controlling electronic records, however, is that it’s harder to lock them in a room and be sure they’re not being misused.

That discipline, electronic records management, represents the confluence of database managers, storage technology and records management specialists who have been largely left out of records processes involving IT, but whose priorities and experience exactly match the need to control electronic records in the same way companies control their paper, according to analyses from ARMA, the Association of Records Managers and Administrators.


It shouldn’t be terribly surprising that the vast majority of companies can comply with the HIPAA rules, given that the technical requirements aren’t particularly onerous, Gillespie said.

HIPAA requires health care providers, insurance companies and others involved in health care transactions to provide security on any system containing private information, store and transmit that information according to standardized rules, and place an automatic audit on files to help keep track of who should have access to them and whether those access rules have been violated.
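The third requirement above, an audit trail that records who touched which file and flags accesses outside the rules, is the one most easily shown in code. The following Python script is an added illustration written for this page, not code from the article or from any of the organizations it quotes. The role-based access rules, the record catalogue, the care-team assignments and the audit log format are all constructed assumptions; a real system would draw them from its own identity and records stores.

```python
"""Toy access-audit check: replay file-access events against access rules.

Added illustration, not from the article. Every rule, record and log line
below is constructed for this example.
"""
from dataclasses import dataclass

# Constructed access rules: which job role may read which record category.
ACCESS_RULES = {
    "physician": {"clinical", "billing"},
    "billing_clerk": {"billing"},
    "pharmacist": {"medication"},
}

# Constructed record catalogue: record id -> category and assigned care team.
# The care-team check models the idea that a permitted role is not enough;
# the user must also have a treatment relationship with that patient.
RECORDS = {
    "rec-1001": {"category": "clinical", "care_team": {"dr_smith"}},
    "rec-1002": {"category": "billing", "care_team": {"dr_smith", "clerk_jones"}},
    "rec-1003": {"category": "medication", "care_team": {"rx_lee"}},
}


@dataclass(frozen=True)
class Violation:
    user: str
    record: str
    reason: str


def parse_event(line):
    """Parse one constructed audit line:
    '<timestamp> user=<u> role=<r> action=<a> record=<id>'."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return {"ts": ts, **kv}


def check_event(event):
    """Return a Violation if the event breaks an access rule, else None."""
    user, role, record = event["user"], event["role"], event["record"]
    info = RECORDS.get(record)
    if info is None:
        return Violation(user, record, "unknown record")
    allowed = ACCESS_RULES.get(role, set())
    if info["category"] not in allowed:
        return Violation(user, record,
                         f"role {role} may not access {info['category']} records")
    if user not in info["care_team"]:
        return Violation(user, record, "user not on record's care team")
    return None


def audit(log_lines):
    """Run every log line through the rule check and collect violations."""
    return [v for v in (check_event(parse_event(line)) for line in log_lines) if v]


# Constructed sample audit log (timestamps and users are made up).
SAMPLE_LOG = [
    "2005-04-01T09:00:00 user=dr_smith role=physician action=read record=rec-1001",
    "2005-04-01T09:05:00 user=clerk_jones role=billing_clerk action=read record=rec-1001",
    "2005-04-01T09:10:00 user=rx_lee role=pharmacist action=read record=rec-1003",
    "2005-04-01T09:15:00 user=dr_smith role=physician action=read record=rec-1003",
    "2005-04-01T09:20:00 user=dr_patel role=physician action=read record=rec-1001",
    "2005-04-01T09:25:00 user=clerk_jones role=billing_clerk action=read record=rec-9999",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"VIOLATION user={v.user} record={v.record}: {v.reason}")
```

Run as a script it prints the four offending events from the sample log: a billing clerk reading a clinical record, a physician reading a medication record, a second physician reading a patient he is not treating, and a read of a record that does not exist in the catalogue. The two-stage check (role first, then treatment relationship) is the point: a role-only rule would have let the third access through.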

What is surprising is the number of companies that not only are noncompliant but also appear to have no intention of ever complying, according to Ross Armstrong, senior research analyst at IT research company Info-Tech Research Group, in London, Ontario.

“A lot of health care organizations have just decided not to implement HIPAA because they see no public relations downside with noncompliance, and there are no expected legal problems,” Armstrong said.

Read the full story on eWEEK.com: Stitching Up Health Records: Privacy Compliance Lags