Top Searches
January 8, 2009
| Bio-IT World > Progress Slow on HIPAA Security Rules

Add to Del.icio.us Add to furl Add to digg Add to Connotea
EMail Page
Printer Friendly
Book Mark
Reprint Rights
Progress Slow on HIPAA Security Rules


By Jaikumar Vijayan Computerworld

Almost five months after the data security rules mandated by the Health Insurance Portability and Accountability Act went into effect, many health care companies still aren't fully compliant with them, according to IT managers and analysts.

They said technology, process and budgetary issues continue to delay compliance efforts, along with what is seen as a weak enforcement component that has many health care organizations feeling that they can take a wait-and-see attitude toward the rules.

Tim Harrison, information security officer at Cincinnati-based Catholic Healthcare Partners, said the US$3.2 billion not-for-profit company doesn't expect to be fully compliant with the security mandates for another two years.

CHP, which operates 29 hospitals, has implemented many of the requirements but still needs to address the disaster recovery component, Harrison said. That part of the process has been put off because of a lack of IT staffers to dedicate to the task, he said, noting that CHP's security team has just two workers who are responsible for securing more than 2,000 servers across two data centers.

In addition, HIPAA requires that people with access to protected health information be uniquely identified to an IT system each time they use it, Harrison said. But, he added, that capability can be "next to impossible" to implement efficiently, especially in busy areas such as hospital emergency rooms.

"I'm not sure that any health care organization is ever going to be fully compliant," said William Gillespie, CIO at WellSpan Health, a York, Pa.-based not-for-profit provider that serves over 650,000 people in central Pennsylvania and northern Maryland.

Unlike Y2k compliance, "this takes continuing investments," Gillespie said. WellSpan is about 90 percent compliant with the security requirements, according to Gillespie. But like CHP, it has yet to address the disaster recovery rules. In addition, WellSpan is still trying to get all 76 of its business partners to sign HIPAA-mandated agreements for protecting confidential health information.

A June survey of 353 health care companies by the Healthcare Information and Management Systems Society (HIMSS) showed that many companies are in the same situation as CHP and WellSpan. Only 74 percent of the insurers and 43 percent of the health care providers that responded to the survey said they were fully compliant with the security rules, which took effect April 20.

Although those figures were an improvement compared with the results of a similar survey done in January, they're still "very surprising," said Joyce Sensmeier, director of informatics at the Chicago-based HIMSS, which represents more than 15,000 individual members and 220 companies.

Several organizations that responded to the June survey said they had chosen not to implement all of the security requirements because they didn't anticipate that it would result in any image problems or legal issues, Sensmeier said.

HIPAA's security rules are being administered by the federal Centers for Medicare & Medicaid Services (CMS). They require companies handling electronic health data to implement fully auditable steps for controlling access to confidential information and protecting the data against compromise and misuse.

HIPAA provides for civil penalties of up to US$25,000 and criminal penalties of up to $250,000 per year for noncompliance. But the CMS initiates an enforcement process only if a complaint is filed against a company.

As a result, many businesses are unwilling to invest the money and resources needed to comply, said James Bragg, a former HIPAA security officer at a Tulsa, Okla.-based hospital. Bragg said he was laid off earlier this year after he had implemented "very basic levels of access and audit controls" for the hospital.

Stanley Nachimson, a senior technical adviser in the CMS's Office of Electronic Health Standards and Services, said that the agency has received 26 complaints that are being investigated. But it's "not even close to thinking about assessing any penalties as yet," he added. Instead, the emphasis is on working with companies and giving them a chance to develop corrective action plans, Nachimson said.

Click here to login and leave a comment.  

0 Comments

Add Comment

Text Only 2000 character limit

Page 1 of 1
White Papers & Special Reports

HP white paper image
Extreme Storage Knowledge Center
Sponsored by HP

Visit HP’s Extreme Storage Knowledge Center to find informative, complimentary white papers, case studies, videos, product information and more.  Brief overview of topics:

  • The challenges of unstructured storage and how to manage both cost-effectively and efficiently
  • Company case studies of data storage challenges that translate across pharmaceutical and biotech companies today
  • Systems that manage vast amounts of data with simple deployment, unified management, and extreme scalability at an exceptionally low price per terabyte
  • Life sciences data management; viable solutions for small and large companies to manage growing storage demands
  • Take our virtual product tour and see our storage unit from inside out
Visit the Knowledge Center


Coupa white paper 92
10 Secrets to Recession-Proof Your Business
Sponsored by Coupa


Read this white paper to discover 10 strategies smart companies deploy to recession-proof their business.
Leaders generally face hard choices on how to mange a company during an economic downturn and
behave in one of three ways:
1) “The ostrich” - Preserve the status quo/hope for the best
2) “The bull in the china shop” - Blindly cut expenses across the board
3) “The fox” - Use the downturn to make your business more effective and position it for future growth

Learn how to behave “like a fox” and use a recession as a means to pounce on emerging trends.

Download This Complimentary Paper.


SGI BriefingON image
High-Performance Computing in Life Science & Education
Sponsored by SGI and Intel
The varied collection of Bio-IT World articles and insights assembled in this BriefingON examine key trends in HPC infrastructure and how researchers are putting their best computational resources to use. Provided here are stories and lessons around the effective use of high performance computing in life science. Download the BriefingON.
Download the BriefingON
More White Papers & Special Reports
Life Science Webcasts & Podcasts

Medidata Solutions

Rising Clinical Trial Delays and Costs - Addressing the Cause, Not the Symptoms 

medidata podcastProtocol complexity is taking a toll on clinical study speed and efficiency: increasingly complicated and ambitious protocols are not only burdening sites and study volunteers but are also prolonging trials and increasing expenses. In response, sponsors have turned to global study placement, restructured site relationships and new site management practices, but the problem remains.

This podcast will discuss:

  • Why these responses address only the symptoms, not the underlying cause, of rising clinical trial delays and costs.
  • Results of a recent joint Tufts University / Medidata Solutions study.
  • New metrics benchmarking protocol design trends.
  • Systematic protocol design improvements and why they are essential to clinical trial performance excellence.

Speakers: Ken Getz, Senior Research Fellow at the Tufts Center for the Study of Drug Development, and Ed Seguine, General Manager, Trial Planning Solutions at Medidata.

Download Now 

More Podcasts

Job Openings

Manager, Scientific Computing & Programming
Lead SAIC-Frederick, Inc.’s Bioinformatics & Analysis Group in developing & maintaining informatics pipelines for generation/analysis of dense genotyping & next-generation sequencing data. Required:  MS or equiv.  5 yrs related experience.  Knowledge of programming/software development, high performance computing, bioinformatics, project management. Visit www.saic-frederick.com - #130019.

Related Resources & Products

ADVANCED HIPAA: Myths and Current Best Practices in Clinical Research

HIPAA and Human Subjects Research: A Question & Answer Reference Guide (March 2003)
HIPAA #1: Team Training

For reprints and/or copyright permission, please contact The YGS Group, 1808 Colonial Village Lane, Lancaster, PA;

(717) 399-1900 ext. 125, or via email to Ashley.Zander@theYGSgroup.com.

Cambridge Healthtech Institute

Footer Image
  • 250 First Avenue, Suite 300
  • Needham MA 02494
  • phone: 781-972-5400
  • fax: 781-972-5425
  • chi@healthtech.com