
Medical records security: HIPAA's 3rd deadline not a charm

Many physicians won't be ready by April 20, and some are still working to comply with the earlier privacy and transaction regulations.

By Joel B. Finkelstein — Posted April 18, 2005


Washington -- The approach of the compliance deadline for medical records security standards is causing a case of "HIPAA fatigue" among many doctors who are tired of dealing with new federal regulations.

So far, physicians' compliance efforts have lagged behind those of payers. About 35% of practices will not be ready for the security standards, part of the Health Insurance Portability and Accountability Act, by the April 20 deadline, according to an American Medical Association survey.

In comparison, 20% of payers don't expect to be prepared in time, says a survey by the Healthcare Information and Management Systems Society.

"There have just been so many rules," said Joyce Sensmeier, director of informatics at HIMSS.

HIPAA set forth a series of three rules -- medical records privacy, electronic health care transactions and now security -- all going into effect within a two-year period. While dire warnings harbingered the privacy rule deadline and tempered anxiety preceded the transaction rule cutoff, the security rule has generated less commotion.

"The privacy regulations were such a 'big deal,' it overshadowed everything else," said Stephen Imbeau, MD, an allergist in Florence, S.C.

He expects his five-physician practice to be ready in time, assuming its software vendor provides updates on schedule. But the security rules seem to have escaped many colleagues.

"Smaller groups aren't really aware of the deadline," he said.

Other factors could be interfering with physicians' ability to implement the standards, Sensmeier said.

Compliance with the security regulation is proving to be a tax on physician resources when their attention is being pulled in many directions, including a national drive to implement electronic medical records, she said.

But some of the ambivalence may be coming from the top down.

Compared with the privacy rule, Dr. Imbeau said, government outreach efforts for the security regulation have been modest.

That is not an isolated view. Respondents to the HIMSS survey complained of little Centers for Medicare & Medicaid Services guidance.

But the level of agency outreach might not be to blame.

The security rule is short on details compared with previous HIPAA regulations. It does not offer the clear path to compliance physicians might seek, said Bill Braithwaite, MD, PhD, a health information policy consultant and one of the original HIPAA authors.

Developing the literally thousands of guidelines necessary to address the wide variety of situations that practices, hospitals and payers face would have been an impossible task for CMS, he said. Instead, physicians need to think in terms of implementing security protocols that fit their practice setting, whether that includes password-protecting computers or moving files into locked rooms, he said.

That could prove difficult for physicians, who understand the concept of security in general but are not accustomed to doing the type of risk analysis called for in the rule, Dr. Braithwaite said.

But, to put it simply, doctors must: "Figure out what is wrong, do something about it and keep up the effort over time," he said.

CMS is delivering a similar message in ongoing national conference calls. "We continue to get a lot of questions on security, and the questions are getting more and more detailed," said Stanley Nachimson, senior technical adviser in CMS' Office of HIPAA Standards. "We anticipate that people are paying a lot more attention than they were a year or so ago."

Ultimately, physicians could find that the regulation is helpful, some experts said.

"Although the rule may not give specifics, it makes you think about security," said Lesley Berkeyheiser, principal and founder of the Clayton Group, a Philadelphia-based consulting firm that assists clients with implementation of HIPAA.

Even if the security standards were not federal law, they would offer practices a level of protection against faulty office procedures that can lead to civil lawsuits over privacy breaches, experts said. Good security is good business, they added.

Compliance will evolve

Government officials said physicians will have the opportunity to think through their security measures even after this month's deadline.

CMS recently announced that enforcement will be modeled on the approach used for the privacy and electronic transaction rules. That means it will be complaint-driven and emphasize working with physicians, rather than imposing penalties.

"If there are complaints filed, our first attempt is to try and move ... them into compliance," Nachimson said.

That strategy has worked well both for the agency and the medical community in the past, Berkeyheiser said. But the downside is that it could take some of the impetus out of speedy compliance.

In fact, the HIMSS survey found that more than a fifth of physicians and hospitals still were not fully meeting the privacy standards nearly two years after their implementation. While nearly three-quarters said they were ready to transmit compliant electronic transactions, only half were actually doing so because of holdups with their business partners.

Despite those findings, experts remain optimistic.

"Compliance will evolve over time," Dr. Braithwaite said.

Once physicians approach the standards, they might not find them so difficult to tackle, Sensmeier said.

After completing the risk analysis, Dr. Imbeau said, there was not much for the doctors in his practice to do to meet the rules. Most of their files are already in locked rooms, and identification badges like hospitals use to prevent people from entering restricted areas seemed like overkill in a five-physician practice, he noted.

Said Sensmeier: "This isn't rocket science. It's basic security that should be a standard of practice. It's not unobtainable."



External links

AMA's HIPAA security resources (link)

"U.S. Healthcare Industry HIPAA Compliance Survey Results: Winter 2005," Healthcare Information and Management Systems Society, in pdf (link)
