RealTime IT News

HIPAA Deadline Passes

The deadline to complete the security requirement segment of the Health Insurance Portability and Accountability Act (HIPAA) passed today without much fanfare, but it could be some time before it is known who has complied with the government regulations.

"Considering everything that is involved with compliance, there are a lot of factors as to why some companies may not have completed it," Earl Crane, a senior consultant with Foundstone Professional Services, said. Foundstone, a subsidiary of McAfee , is a leading HIPAA consultant and security software provider.

The act, passed in 1996 as a result of the Clinton administration and congressional efforts to reform health care, is legislation designed to streamline industry inefficiencies, reduce paperwork and make it easier to detect and prosecute fraud and abuse.

The security rule is a technology requirement that calls on health care organizations, insurers and payors that store patient data electronically to comply with the rule by today. It also involves training staff and enlisting more software to prevent the theft of patient information. The first two rules were administrative and physical safeguards.

However, a study from the Information Technology Solution Providers Alliance shows that only 30 percent of health plans and 18 percent of health care providers in the SMB market are in compliance with the regulations.

"They've got their own fires to put out," Crane said. "It doesn't happen out of laziness but rather a crunch for resources," he said.

There are numerous reasons why organizations of varying sizes may have trouble complying. Smaller businesses often lack any type of full-time IT department, while large facilities could suffer under the weight of having to devote so many resources to one project.

And the penalties can be steep.

The penalty for violating the security rules is $100 per violation, up to a maximum of $25,000, Crane said. However, enforcement of the security regulations is complaint-driven, so until there is an incident, it isn't likely the Department of Health and Human Resources will discover how organizations responded to the legislation.