|
|
|
 Almost five months after the data security rules mandated by the Health Insurance Portability and Accountability Act went into effect, many health care companies still aren't fully compliant with them, according to IT managers and analysts.
They said technology, process and budgetary issues continue to delay compliance efforts, along with what is seen as a weak enforcement component that has many health care organizations feeling that they can take a wait-and-see attitude toward the rules.
Tim Harrison, information security officer at Cincinnati-based Catholic Healthcare Partners, said the US$3.2 billion not-for-profit company doesn't expect to be fully compliant with the security mandates for another two years.
CHP, which operates 29 hospitals, has implemented many of the requirements but still needs to address the disaster recovery component, Harrison said. That part of the process has been put off because of a lack of IT staffers to dedicate to the task, he said, noting that CHP's security team has just two workers who are responsible for securing more than 2,000 servers across two data centers.
In addition, HIPAA requires that people with access to protected health information be uniquely identified to an IT system each time they use it, Harrison said. But, he added, that capability can be "next to impossible" to implement efficiently, especially in busy areas such as hospital emergency rooms.
"I'm not sure that any health care organization is ever going to be fully compliant," said William Gillespie, CIO at WellSpan Health, a York, Pa.-based not-for-profit provider that serves over 650,000 people in central Pennsylvania and northern Maryland.
Unlike Y2k compliance, "this takes continuing investments," Gillespie said. WellSpan is about 90 percent compliant with the security requirements, according to Gillespie. But like CHP, it has yet to address the disaster recovery rules. In addition, WellSpan is still trying to get all 76 of its business partners to sign HIPAA-mandated agreements for protecting confidential health information.
A June survey of 353 health care companies by the Healthcare Information and Management Systems Society (HIMSS) showed that many companies are in the same situation as CHP and WellSpan. Only 74 percent of the insurers and 43 percent of the health care providers that responded to the survey said they were fully compliant with the security rules, which took effect April 20.
Although those figures were an improvement compared with the results of a similar survey done in January, they're still "very surprising," said Joyce Sensmeier, director of informatics at the Chicago-based HIMSS, which represents more than 15,000 individual members and 220 companies.
Several organizations that responded to the June survey said they had chosen not to implement all of the security requirements because they didn't anticipate that it would result in any image problems or legal issues, Sensmeier said.
HIPAA's security rules are being administered by the federal Centers for Medicare & Medicaid Services (CMS). They require companies handling electronic health data to implement fully auditable steps for controlling access to confidential information and protecting the data against compromise and misuse.
HIPAA provides for civil penalties of up to US$25,000 and criminal penalties of up to $250,000 per year for noncompliance. But the CMS initiates an enforcement process only if a complaint is filed against a company.
As a result, many businesses are unwilling to invest the money and resources needed to comply, said James Bragg, a former HIPAA security officer at a Tulsa, Okla.-based hospital. Bragg said he was laid off earlier this year after he had implemented "very basic levels of access and audit controls" for the hospital.
Stanley Nachimson, a senior technical adviser in the CMS's Office of Electronic Health Standards and Services, said that the agency has received 26 complaints that are being investigated. But it's "not even close to thinking about assessing any penalties as yet," he added. Instead, the emphasis is on working with companies and giving them a chance to develop corrective action plans, Nachimson said.
eClinical Visions - Clinical Trial Management: Enabling Operational Efficiency Read how contributors from Genzyme, Duke Clinical Research Institute, Accenture, Oracle Health Sciences and others address some of the most pertinent challenges facing the biopharmaceutical industry including... Globalization of clinical trials driven by the need to reduce costs and recruit participants; greater outsourcing; escalating regulatory demands; increased trial complexity; and post-marketing studies. Download this paper to gain new insight into: - Recent progress made in addressing these challenges
- Expert opinion on clinical trial management systems (CTMS) for improving trial efficiencies
- How to cut trial costs and enhance the productivity of trial participants
Remote Data Capture – Acquisition and Analysis Today nearly half of all clinical trials are conducted electronically, and rising! Electronic Data Capture (EDC) technology provides industry-wide opportunities, along with challenges, that are being addressed. In this informative report industry experts and users from Pfizer, PPD, C3i and Oracle Health Sciences discuss the impact of EDC and its newest zero footprint; online iteration. It can be used anywhere, world-wide, where the Internet is available while placing greater onus on global trial support. The critical focus of this new technology is that it must support the work of the person at the heart of the clinical trial system– the investigator. Download this report to learn more about: - Trends and Issues in an Electronic Clinical Data Management World
- The New Remote Data Capture Paradigm
- Improving and Monitoring Clinical Data Management in the eClinical Age
- Optimizing and Supporting Remote Data Capture
Technology Video Report: A Day in the Life with Remote Data Capture (Next-Gen EDC) See why Oracle Remote Data Capture (RDC) Onsite is the next generation in electronic data capture with its user-friendly method to collect, clean, review, and verify clinical trial data. Providing unprecedented performance with real-time data capture, Oracle RDC Onsite simplifies source data verification. With a clear, consistent view of study data across all sites, the benefits include reduced monitoring time, decreased queries and discrepancies, and less time to database lock.
Predict or Perish! Shaping the Practices of Clinical Trials
 Sponsored by: DecisionView
Predictive Analytics are a key differentiator in running your clinical trials successfully through 2010 and beyond. They will help you to optimize your patient enrollment, reduce your clinical operations costs and minimize your financial liability in the clinical supply chain. In this session, you will:
• Learn what predictive analytics are and what they are not
• Understand why you need predictive analytics to run your clinical trials, and
• Explore how predictive analytics will shape the future of clinical trials
Download Now.
More Podcasts
The University of Washington Department of Genome Sciences is seeking a LINUX SYSTEMS ENGINEERING MANAGER to lead a team in a diverse scientific computing environment that includes multiple HPC systems, petascale storage, and custom application servers. Apply online at UW Hires for req number 61505. http://www.washington.edu/admin/hr/jobs/
|
|
|