At a public teleconference Wednesday, CMS (Centers for Medicare & Medicaid Services) officials said enforcement would be "complaint-driven" and that they generally expected to work with entities covered by HIPAA to obtain compliance when complaints were filed.
On the other hand, the 40 percent of fully compliant institutions is almost twice the 23 percent that reported being compliant a year ago.
For the upcoming HIPAA security deadline, three-fifths of institutions rated themselves as 85 percent or more compliant, and 12 percent said they were less than 50 percent compliant.
However, the AHIMA survey (PDF file) was conducted in January, and commentary accompanying the survey said these figures were "not surprising."
Mervat Abdelhak, president of the American Health Information Management Association, said the level of compliance was encouraging, but stressed that "privacy and security are ongoing issues that require continued commitment and fine-tuning and can't be forgotten beyond initial compliance."
A smaller survey, conducted in January by HIMSS (Healthcare Information Management and Systems Society) and Phoenix Health Systems came to more alarming conclusions: "This development raises a flag of concern–how can patient privacy be preserved and the use of electronic transactions proliferate without adequate hardware and software security protections?"
The HIMSS survey of 318 professionals at health care providers and 82 payers found that security compliance had improved since June 2004, but that the number of organizations that expect to be compliant by the deadline had declined since then. In June, 87 percent of providers and 91 percent of payers thought they would be compliant. By January, those figures had fallen to 74 percent and 80 percent, respectively.
But Don Rode, AHIMA's vice president of policy and government relations, was much less worried. "Any organization that's doing a decent job on its privacy side is probably doing OK because security is a subset of privacy."
Part of the calm is that the government has made known that it will not actively seek out noncomplying institutions unless someone files a complaint. Even then, Rode said the government would be inclined to consider the context if a breach had occurred.
"They'd be looking to see how you handled the situation and what you're doing to fix it. It's not an adversary situation, it's a good-faith attempt to get things working right." He said the government would rather prosecute deliberate and flagrant violations.