Medical records security: HIPAA's 3rd deadline not a charm
Many physicians won't be ready by April 20, and some are still working to comply with the earlier privacy and transaction regulations.
By Joel B. Finkelstein — Posted April 18, 2005
Washington -- The approach of the compliance deadline for medical records security standards is causing a case of "HIPAA fatigue" among many doctors who are tired of dealing with new federal regulations.
So far, physicians' compliance efforts have lagged behind those of payers. About 35% of practices will not be ready for the security standards, part of the Health Insurance Portability and Accountability Act, by the April 20 deadline, according to an American Medical Association survey.
In comparison, 20% of payers don't expect to be prepared in time, says a survey by the Health Information and Management Systems Society.
"There have just been so many rules," said Joyce Sensmeier, director of informatics at HIMSS.
HIPAA set forth a series of three rules -- medical records privacy, electronic health care transactions and now security -- all going into effect within a two-year period. While dire warnings preceded the privacy rule deadline and a more tempered anxiety preceded the transaction rule cutoff, the security rule has generated less commotion.
"The privacy regulations were such a 'big deal,' it overshadowed everything else," said Stephen Imbeau, MD, an allergist in Florence, S.C.
He expects his five-physician practice to be ready in time, assuming its software vendor provides updates on schedule. But the security rules seem to have escaped many colleagues.
"Smaller groups aren't really aware of the deadline," he said.
Other factors could be interfering with physicians' ability to implement the standards, Sensmeier said.
Compliance with the security regulation is proving to be a tax on physician resources when their attention is being pulled in many directions, including a national drive to implement electronic medical records, she said.
But some of the ambivalence may be coming from the top down.
Compared with the privacy rule, Dr. Imbeau said, government outreach efforts for the security regulation have been modest.
That is not an isolated view. Respondents to the HIMSS survey complained of receiving little guidance from the Centers for Medicare & Medicaid Services (CMS).
But the level of agency outreach might not be to blame.
The security rule is short on details compared with previous HIPAA regulations. It does not offer the clear path to compliance physicians might seek, said Bill Braithwaite, MD, PhD, a health information policy consultant and one of the original HIPAA authors.
Developing the literally thousands of guidelines necessary to address the wide variety of situations that practices, hospitals and payers face would have been an impossible task for CMS, he said. Instead, physicians need to think in terms of implementing security protocols that fit their practice setting, whether that means password-protecting computers or moving files into locked rooms, he said.
That could prove difficult for physicians, who understand the concept of security in general but are not accustomed to doing the type of risk analysis called for in the rule, Dr. Braithwaite said.
But, to put it simply, doctors must: "Figure out what is wrong, do something about it and keep up the effort over time," he said.
CMS is delivering a similar message in ongoing national conference calls. "We continue to get a lot of questions on security, and the questions are getting more and more detailed," said Stanley Nachimson, senior technical adviser in CMS' Office of HIPAA Standards. "We anticipate that people are paying a lot more attention than they were a year or so ago."
Ultimately, physicians could find that the regulation is helpful, some experts said.
"Although the rule may not give specifics, it makes you think about security," said Lesley Berkeyheiser, principal and founder of the Clayton Group, a Philadelphia-based consulting firm that assists clients with implementation of HIPAA.
Even if the security standards were not federal law, they would offer practices a level of protection against faulty office procedures that can lead to civil lawsuits over privacy breaches, experts said. Good security is good business, they added.
Compliance will evolve
Government officials said physicians will have the opportunity to think through their security measures even after this month's deadline.
CMS recently announced that enforcement will be modeled on the approach used for the privacy and electronic transaction rules. That means it will be complaint-driven and emphasize working with physicians, rather than imposing penalties.
"If there are complaints filed, our first attempt is to try and move ... them into compliance," Nachimson said.
That strategy has worked well both for the agency and the medical community in the past, Berkeyheiser said. But the downside is that it could take some of the impetus out of speedy compliance.
In fact, the HIMSS survey found that more than a fifth of physicians and hospitals still were not fully meeting the privacy standards nearly two years after their implementation. While nearly three-quarters said they were ready to transmit compliant electronic transactions, only half were actually doing so because of holdups with their business partners.
Despite those findings, experts remain optimistic.
"Compliance will evolve over time," Dr. Braithwaite said.
Once physicians approach the standards, they might not find them so difficult to tackle, Sensmeier said.
After completing the risk analysis, Dr. Imbeau said, there was not much for the doctors in his practice to do to meet the rules. Most of their files are already in locked rooms, and identification badges like hospitals use to prevent people from entering restricted areas seemed like overkill in a five-physician practice, he noted.
Said Sensmeier: "This isn't rocket science. It's basic security that should be a standard of practice. It's not unobtainable."