Related Items
Keeping Up With HIPAA Compliance
December 2006
A recent survey of health care providers and payers found comprehensive compliance with the HIPAA privacy and security rules remains low in some cases and stalled in other areas.
The biannual survey from consulting firm Phoenix Health Systems of Montgomery Village, Md., and the Chicago-based Healthcare Information and Management Systems Society, shows 80% of insurer respondents and 56% of providers believe they have implemented the security rule's provisions. But many of these respondents could not confirm they had implemented all major provisions required under the rule. Further, 22% of surveyed providers and 13% of payers remain noncompliant with the privacy rule.
However, more than one-and-a-half years after the HIPAA security rule's compliance date, and three-and-a-half years after the privacy rule's deadline, some health care organizations continue to work toward maintaining-and augmenting-compliance.
These organizations are filling gaps that still exist in their data protection infrastructure or are reviewing existing protections to see where they can be improved.
This past summer, for instance, John C. Lincoln Health Network in Phoenix put in software to automatically erase the hard drive of any laptop computer that may be missing.
The quick decision to use the Computrace software from Vancouver, British Columbia-based Absolute Software Corp. was made after a Veterans Administration laptop containing data on millions of patients was stolen. "We said, 'This is a huge gap, we read about it all the time, let's just fix it,'" says Robert Israel, CIO at the two-hospital delivery system.
A laptop with the Computrace software automatically dials a server at the delivery system when it makes an Internet connection and sends data indicating where it is. If the laptop is missing, the I.T. staff can send a signal to "wipe clean the hard drive," Israel explains. Use of the software and other security steps being taken long after HIPAA deadlines are part HIPAA follow-up and part "just best security practices," he adds.
For many health care organizations, maintaining a strong focus on data security also is being done to protect business continuity, says Steven Kelly, senior vice president at The Newberry Group Inc., a St. Charles, Mo.-based risk management consulting firm.
For instance, security issues are becoming part of the exit interview when an employee leaves a health care organization, he notes. "Organizations now are asking where the data the employee worked with is, on hard drives and elsewhere."
The federal government is not aggressively enforcing HIPAA privacy and security compliance, nor has Congress appropriated funds for adequate enforcement. Tens of thousands of complaints of alleged violations have resulted in only two convictions, according to Department of Health and Human Services officials. In cases where violations are not malicious in intent, federal regulators find it preferable to work with offending organizations to help them comply with the rules.
But the HIPAA rules have been successful in creating a cultural change in how organizations protect patient information, Kelly contends.
And the reason is simple, he adds. "We are rapidly approaching the point where security and confidentiality is not an option. Patients now know what HIPAA is."
As technology changes, so must change an organization's security approach. And with a growing number of employees and visitors walking around with mobile computing hardware-such as iPods, key fobs, PDAs/smart phones, modems and digital cameras-new threats to health information networks have emerged.
I.T. Spotlights
- About Us
- Advertising/Media Kit
- Reprints
- Editorial Calendar
- Contact Us
- Customer Service
- Privacy Statement
©2008 HealthDataManagement and SourceMedia, Inc. All rights reserved.
SourceMedia is an Investcorp company.
Use, duplication, or sale of this service, or data contained herein, is strictly prohibited.
