As HIPAA deadline passes even the unprepared are safe – for now

Unlike the Health Insurance Portability and Accountability Act privacy deadline two years ago, the security deadline that passed on Wednesday involves no up-front proof of compliance – and many companies may not yet be compliant.
This makes sense to many in the field; the HIPAA rule touches too many software protocols throughout the healthcare system to be enforced from the top down. Now, even admitting that it cannot comply with a particular guideline moves a company toward general security compliance.
“It involves a whole bunch of factors, not just what you’ve done and haven’t done,” said Rebecca Hutton, the HIPAA privacy officer at the University of Wisconsin-Madison. “You have to make a judgment about whether something’s reasonable to do.”
Reasonable or not, many companies will not be prepared. According to a Healthcare Information and Management Systems Society (HIMSS) survey last winter, 18 percent of health-care companies said they were compliant at the time of the survey and 74 percent said they would be able to comply by this Wednesday.

Enforcement… later

The deadline affects health-care providers and employee-sponsored health-care firms. They are to have installed best security practices, an ideal that begs for definition.
Executives simultaneously discover and implement best security practices as they move through the guidelines of this security rule. They must take stock of all security measures, both those needed and those already in place. They then figure out how best to direct software and staff to fulfill guidelines such as auditing files and tracking and controlling access.
Ambiguity in this phase may be good news for some: Non-compliant companies are safe until someone files a report against them.
“This rule is complaint driven, not audit driven,” said John Barlament, an attorney at the law firm Michael Best & Friedrich who works with self-funded group health companies covered by the HIPAA security rule.

Where the rule came from

This rule is the third phase of HIPAA, a federally mandated electronic information act designed to help health-care companies identify, protect and channel the electronic information that flows within and between them. This rule has companies shaping up their systems, training their staff and enlisting more software to prevent information leaks.
“This is a technology requirement so you have firewalls and software to protect patient information and access,” said Joyce Sensmeier, director of professional services at HIMSS.
Because it hopes companies will come to appreciate stronger security in the long run, the U.S. Department of Health and Human Services is prepared to help companies facing non-compliance after today. The department hopes to avoid fining agencies in the name of HIPAA, Barlament said, and prefers instead to educate and help them.

Companies too small to house a large IT department must outsource skills to help them meet security expectations. In this case, officials wonder if they can maintain security after the deadline passes and the hired help leaves.
Mid-sized facilities face the fewest challenges since they have more resources and fewer clients. They have been able to continually evolve with changes in electronic information guidelines.
Larger facilities with 50 or more subsidiaries face the challenge of coordinating a tremendous amount of information among many facilities on a time limit. Some companies feel “HIPAA fatigue” after three years of working toward compliance deadlines, Sensmeier said.
The security rule forgives companies that may not experience enough traffic to warrant immediate compliance. Independent health-care firms offering less than $5 million in benefits, for example, do not have to comply at all with this security rule until one year from today, Barlament said.
The challenge, even for organizations with compliance methods already in place, remains in how and when to apply the various measures. Encryption, for example, protects information en route yet is not always necessary.
“Whether you need to encrypt should be considered but the guidelines aren’t clear,” said Barlament.

Emily Laughnan is a staff writer for WTN and can be reached at