Survey says . . . HIPAA compliance not where it ought to be

HIMSS and Phoenix Health Systems recently released results of their latest semi-annual HIPAA compliance survey. 

Though the deadline for compliance with the HIPAA Security Rule passed over a year ago, 80% of payers and only 56% of providers who responded to the US Healthcare Industry HIPAA Summer 2006 Survey have implemented the Security standards. 

On the privacy front:

• A substantial percentage of Providers (22%) and Payers (13%) remain non-compliant with the Privacy regulations. These results are consistent with findings in all preceding Surveys since 2004, suggesting that a core group of covered entities either cannot or will not implement the Privacy standards.
• Even among “compliant” organizations, significant implementation gaps remain in certain areas, including establishing Business Associate Agreements, monitoring internal Privacy compliance, and maintaining ”minimum necessary” information disclosure restrictions.
• The percentage of reportedly compliant Provider organizations that has experienced privacy breaches decreased from January 2006, from 60% to 52%. Reportedly non-compliant Providers experienced more privacy breaches (64%) than compliant Providers, consistent with January 2006 Survey findings.

See the press release or the full report for more details.

Payors and providers got a free pass for a while on HIPAA compliance; the new enforcement rule effective in March was supposed to change all that.  Law.com published an article with compliance pointers in August, but a number of commentators have observed a paucity of enforcement efforts.

For example, Rebecca Herold, at The IT Compliance Conversation blog notes:

Instead of clarifying compliance enforcement issues for covered entities (CEs), the Enforcement Rule has seemed to confuse and mislead many CEs into believing that they really don’t need to do much with regard to HIPAA compliance unless the Department of Health and Human Services (HHS), the Office for Civil Rights (OCR) or the Centers for Medicare and Medicaid Services (CMS) come knocking at their door and tell them they specifically need to do something.

(That post includes a link to a podcast on this topic as well.)

Payors and providers should move to come into full HIPAA compliance before the government decides to allow for a private right of action — i.e., lawsuits filed by individuals alleging harm caused by a HIPAA violation and claiming damages.