The latest compliance deadline for the security rule of the Health Insurance Portability and Accountability Act (HIPAA) passed April 21 with scant notice. HIPAA mandated that by the spring deadline, small health plans (under $5 million in annual revenue) must meet the U.S. Department of Health and Human Services standard for administrative, physical and technical safeguards protecting electronic protected health information (ePHI).
While a majority of healthcare providers have been diligent about implementing the federal privacy requirements, vague rules and weak enforcement have slowed compliance. Mississippi, dotted with small rural hospitals and clinics hindered by a lack of manpower and funds, is not alone. Only four in five healthcare-related companies nationwide have technology and processes in place to provide the level of patient-privacy protection required by the 1996 law.
What’s more, that percentage hasn’t changed since last summer, leaving 20% of America’s healthcare providers “unable or unwilling to implement federal privacy requirements,” reported the Healthcare Information and Management Systems Society (HIMSS). Its study, conducted last summer, found that “HIPAA implementation can often resemble a moving target,” and that the two most frequently reported roadblocks to HIPAA compliance were “no public relations or brand problems associated with non-compliance” and “no anticipated legal consequences for non-compliance.”
HIMSS also pointed out that slightly more than half (55%) of large healthcare providers and 72% of insurers and other payers have met the requirements of the security rule, which went into effect last April for companies with annual revenues of $5 million or more.
“The many small hospitals and clinics still not in compliance don’t have the time or money to do it,” said Gerry Printz of Amsador, Ltd., a Brandon-based knowledge management-consulting firm. “Some are doing their best with limited resources, chipping away at it a little at a time. They show concern by putting policy into place, trying to get systems to conform where they don’t, and are documenting that action. They’re trying to get vendors to conform. The big problem with rural healthcare is that you can’t throw out systems you’ve had for a long time and put patient health at risk.”
Besides, technology is developing so rapidly that it is often difficult to determine whether flash drives, hot-site disaster recovery and other specific file management and storage technologies fall under the rule at all, or whether they meet its requirements.
“Many companies have always stressed privacy, so the rules weren’t much of a change,” said Printz. “But with security, there’s been a big change involving a lot of information. For example, when HIPAA says electronic information, what about an x-ray machine? When that shot comes out of a machine, is it electronic? When you’re not securing your x-rays, what does that mean? Does electronic security mean something coming off a fax machine?”
In small town Mississippi, neighbors already know what’s going on with a patient. “It’s going to be hard to prove that a leak came from the hospital and not gossip on the street,” noted Printz.
Glen Davis, president of Data Systems Management in Clinton, said the federal government “promotes new policies and pushes them out with harsh penalties and deadlines, knowing that not everybody can comply right away.” “It gets everybody busy, which promotes some good,” he said, “but at the same time, it creates an environment of uncertainty that leaves many providers asking: what are we really supposed to do?”
If a patient files a complaint about a security issue with the Centers for Medicare and Medicaid Services (CMS), the healthcare company is, of course, open to investigation. But CMS has already made known that “enforcement will be complaint-driven.”
“If you’re not doing security and no one complains, it doesn’t seem to matter,” said Printz. “And if a company takes appropriate action when apprised of a violation, then usually nothing will happen.”
Contact MBJ contributing writer Lynne W. Jeter at Lynne.Jeter@gmail.com.