Stitching Up Health Records: Privacy Compliance Lags

Twenty percent of health care companies are unable or unwilling to implement federal privacy requirements, because the rules are vague and the technology is spotty. Meanwhile, another compliance deadline looms.

The good news about privacy and the Health Insurance Portability and Accountability Act is that more than 80 percent of companies involved in health care have technology and processes in place to provide the level of patient-privacy protection required by the 1996 law.

The bad news? All were supposed to have done so by April 2003.

More bad news? The percentage hasn't changed since last summer, meaning about 20 percent of health care companies are "unable or unwilling to implement federal privacy requirements," according to a twice-yearly survey of health care payers and providers conducted by Phoenix Health Systems and the Healthcare Information and Management Systems Society, or HIMSS.

And that's just the Privacy Rule, the part of the law designed to make sure patient information isn't sent to the wrong people or accessed by people without a right to know. Securing the data so hackers can't force their way in falls under the separate Security Rule, and is another category of compliance entirely.

Meanwhile, as of April 21, another wave of companies will have the chance to be noncompliant, as the deadline passes for small health plans, those with $5 million or less in annual receipts, to meet the HIPAA Security Rule standards.

It's not that health care companies find privacy and security technology hard to manage, said William "Buddy" Gillespie, vice president and CIO at WellSpan Health, which includes two hospitals; a home health care provider; a pharmacy; and about 40 physicians' offices, managed care plans and other outpatient treatment facilities in Pennsylvania and Maryland.

The problem is that HIPAA rules are often vague, and technology is developing so quickly that it's often hard to decide whether flash drives, hot-site disaster recovery and other specific storage and file-management technologies are covered by the rules, or whether they satisfy them, Gillespie said.

"The regulations didn't have much precision," said Gillespie, in York, Pa. "They were very general in a lot of cases. Regulatory statements said something about the requirements but didn't come out and say what technology was involved. We went through the regulation sections for more than a year to interpret those regulations into technology solutions that seemed to work and meet the regulations too."

Just over half (55 percent) of large health care providers and 72 percent of insurers and other payers are able to meet the requirements of the Security Rule, which went into effect last April, according to HIMSS.

Like the 1999 Gramm-Leach-Bliley Act, which was designed to protect the private data of customers in financial institutions, HIPAA was designed to create fundamental change in the way health care institutions treat the data they store about past transactions, the characteristics of their customers and the services they perform for those customers.

Both laws applied to electronic records the kind of rigorous legal control that had been applied to paper documents for decades. The challenge in controlling electronic records, however, is that it's harder to lock them in a room and be sure they're not being misused.

That discipline, controlling electronic records as rigorously as paper ones, represents the confluence of database managers, storage technology and records management specialists. Those specialists have largely been left out of IT-driven records processes, but their priorities and experience exactly match the need to control electronic records the same way companies control their paper, according to analyses from ARMA, the Association of Records Managers and Administrators.


It shouldn't be terribly surprising that the vast majority of companies can comply with the HIPAA rules, given that the technical requirements aren't particularly onerous, Gillespie said.

HIPAA requires health care providers, insurance companies and others involved in health care transactions to secure any system containing private information, to store and transmit that information according to standardized rules, and to keep an audit trail of access to the files so that it is possible to determine who should have access to them and whether those access rules have been violated.

What is surprising is the number of companies that are not only noncompliant but also appear to have no intention of ever complying, according to Ross Armstrong, senior research analyst at IT research company Info-Tech Research Group, in London, Ontario.

"A lot of health care organizations have just decided not to implement HIPAA because they see no public relations downside with noncompliance, and there are no expected legal problems," Armstrong said.

Despite the decade-long, multistage process by which HIPAA rules have tightened control on the circulation of data among physicians, hospitals, insurance companies and claims-processing clearinghouses, breaches of privacy remain common. Respondents to the Phoenix and HIMSS survey, which provides the most complete statistical picture of compliance within the health care community, reported that the share of insurers and other payers experiencing privacy breaches rose from 45 percent last summer to 66 percent in January.

Most respondents experienced between one and five breaches, but 20 percent reported six or more.

"HIPAA is a law completely without teeth," Armstrong said. "It is just not enforced the same way Sarbanes-Oxley and other laws are by the SEC [Securities and Exchange Commission] or the U.S. government.

"These other laws come with yearly audits and compliance standards that have to be followed; there are strict process requirements, and executive management is held responsible if they're not met," Armstrong said.

"HIPAA is a complaints-driven system. If you or I or any other citizen feels that our health privacy has been violated, it is up to us to initiate a complaint to Health and Human Services. When the onus is on the actual victim, it becomes much less enforceable. Who among us can afford to hire lawyers for an uncertain legal outcome?"

It's not that the Department of Health and Human Services is indifferent to HIPAA compliance or isn't willing to enforce it, according to Stanley Nachimson, senior technical adviser to the Office of E-Health Standards and Services at HHS, in Washington.

HIPAA compliance was set up purposely as a reactive, rather than a proactive, process, Nachimson said.

"It is a complaint-based process and therefore is more reactive," Nachimson said. "We prefer that when there are problems within an organization or between organizations that it's settled between the organizations. If not, we have a process to look at those complaints and, if it is a possible violation, to go through the investigational process. If we discover there is a violation, we will work with the covered entity to resolve any issues."


Complaints that aren't resolved and violations that aren't fixed quickly are subject to a civil penalty of $100 per violation, up to a maximum of $25,000 per year for violations of the same requirement. Rule categories such as Privacy or Security might contain dozens of individual requirements, and violating any one of them could carry its own fine of up to $25,000 per year, Nachimson said.

That enforcement is more theory than practice: "[The U.S. government is] willing to fine companies millions for Sarbanes-Oxley violations, but the only conviction for HIPAA ended in a $9,000 fine and it was the perpetrator who was punished, not the health care organization he worked for," Armstrong said.

That case involved SeaTac, Wash., resident Richard Gibson, who was sentenced to 16 months in prison and three years of probation, and ordered to pay $9,000 in restitution, for stealing the identity of and disclosing private information about at least one patient at Seattle Cancer Care Alliance, where he worked at the time.

HHS has fielded approximately 20,000 complaints about privacy violations through its Office for Civil Rights, which handles HIPAA privacy enforcement, Nachimson said. It has forwarded about 300 of those to the Department of Justice, which decides whether to prosecute.
