More than 90 percent of health care companies are not ready to
comply with the privacy and security provision of the Health
Information Technology for Economic and Clinical Health Act, according to a survey conducted by the Ponemon Institute and
sponsored by Crowe Horwath.
A part of the Recovery Act
passed earlier this year by Congress, the HITECH Act extends the HIPAA (Health Insurance Portability &
Accountability Act) rules for security and privacy safeguards,
including increased enforcement, penalties and audits. The new law takes effect in February.
The survey of 77 U.S.
health care organizations shows many current HIPAA compliance programs have deficiencies in
the areas of privacy and security, including inadequate program testing
and failure to update the programs. Yet only 47 percent of the
respondents feel they have the necessary funding and resources to fully
comply with the new regulations.
The study also found that 79 percent of organizations do not regularly
have the required independent assessment or audit of their program to
determine adequacy. Fifty-seven percent say they have known
deficiencies concerning privacy or security, or both. Only 29 percent
of respondents report no deficiencies.
"We believe that most organizations are not ready
for HITECH as a
result of compliance issues within their existing HIPAA programs," Raj
Chaudhary, a principal in Crowe Horwath's risk consulting group, said
in a statement.
"Even though most organizations acknowledge that their HIPAA compliance
programs are deficient, our survey found that implementing necessary
controls or securing third-party assistance to help ensure compliance
may be limited due to budgetary restraints."
According to the survey, responsibility for ensuring HITECH compliance varies
considerably among organizations. Respondents identified security leaders
and chief compliance officers as the roles most likely to be responsible for
achieving HITECH compliance. Organizations
with more than 5,000 employees were much more likely than smaller companies
to see the security leader as having primary responsibility.
"It is disappointing, though not surprising, to learn that a majority
of companies do not believe they are prepared for the latest in
health care information security regulations," said Dr. Larry Ponemon,
chairman and founder, Ponemon Institute. "Our research consistently
finds that a lack of budgetary and moral support from the executive
suite is a common barrier to proper data security and management
programs, even with the specter of regulatory enforcement looming."