HIPAA Deadline Passes

The deadline to complete the security requirement segment of the Health
Insurance Portability and Accountability Act (HIPAA) passed today without
much fanfare, but it could be sometime before it is known who has complied
with the government regulations.

“Considering everything that is involved with compliance, there are a lot
of factors as to why some companies may not have completed it,” Earl Crane,
a senior consultant with Foundstone Professional Services, said. Foundstone, a
subsidiary of McAfee , is a leading HIPAA consultant and
security software provider.

The act, passed in 1996 as a result of the Clinton administration and
congressional efforts to reform health care, is legislation designed to
streamline industry inefficiencies, reduce paperwork and make it easier to
detect and prosecute fraud and abuse.

The security rule is a technology requirement that calls on health care
organizations, insurers and payors that store patient data electronically to
comply with the rule by today. It also involves training staff and
enlisting more software to prevent the theft or patient information. The
first two rules were administrative and physical safeguards.

However, a study from Information Technology Solution Providers Alliance
shows that only 30 percent of health plans and 18 percent of health care
providers in the SMB market are in compliance with the regulations.

“They’ve got their own fires to put out,” Crane said. “It doesn’t happen
out of laziness but rather a crunch for resources,” he said.

There are numerous reasons why organizations of varying sizes may find
trouble in complying. Smaller businesses often lack any type of full-time IT
department, while large facilities could suffer under the weight of having
to devote so many resources to one project.

And the penalties can be steep.

Violating the security rules is $100 per violation up to a maximum of
$25,000, said Crane.
However, enforcement of the security regulations is complaint-driven, so
until there is an incident, it isn’t likely the Department of Health and Human Resources
will discover how organizations responded to the legislation.

News Around the Web