Federal clock ticks down on deadline for implementing HIPAA

May 23, 2001

The race to implement patient privacy requirements mandated by Congress has only just begun, yet time is already running out. Healthcare institutions have less than two years to get their programs running, but many have barely begun the complex and expensive process, said an industry executive speaking at the annual meeting of the Society for Computer Applications in Radiology in Salt Lake City.

Institutions have been stuck in administrative fibrillation due largely to the change in political administrations, according to Mark Hunter, general manager of WamNet. The implementation of regulations developed under the Clinton administration to protect patient privacy came into question when the pro-business Bush administration failed to embrace them immediately. Pundits wondered whether the privacy regulations associated with the Health Insurance Portability and Accountability Act would ever take effect. That uncertainty vanished, however, when the Bush administration set April 14, 2003, as the effective date for HIPAA requirements.

Of the four areas covered by HIPAA, patient data security has been the most controversial. Some providers have argued that these regulations, if fully incorporated, will impair patient care by hindering routine but critical data transactions. Similarly threatening has been the cost associated with their implementation. Estimates range from a low of $3.8 billion, as determined by the Department of Health and Human Services, which enforces the act, to as much as $40 billion by some in the private sector, Hunter said.

“This is Y2K plus, plus, plus,” he said. “The impact of HIPAA is much broader because it affects how people act in an analog environment.”

Protecting against the illegitimate use of patient data may require fundamental changes not only in common practices but in everyday attitudes. Privacy and security provisions, for example, might require that people viewing electronic medical records refrain from doing so in a setting where an unauthorized person might gain access by looking over the viewer’s shoulder.

The root of any plan to incorporate HIPAA privacy provisions will be education, Hunter said. This must be followed immediately by detailed assessments, implementation stages, and an audit to make sure the integrated process works.

The good news is that as many as 75% of healthcare providers may at least be aware of the law, if not of the detailed requirements, according to a survey quoted by Hunter. This survey also showed that 80% of hospitals plan to assess their HIPAA needs within the next six months. The bad news is that not all institutions are ready to bear the costs. Smaller institutions are particularly vulnerable.

The survey quoted by Hunter noted that 55% of hospitals with 400 or fewer beds had budgeted $100,000 or less for HIPAA compliance. Larger hospitals showed a stronger commitment, but not much. Some 28% had budgeted $100,000 or less, according to Hunter.

“One hundred thousand dollars won’t get you off the ground,” he said.

An effective implementation plan will require resources, support at the top, a clear plan, and time.

“Eighteen to 24 months is a good solid schedule, but in many cases it will take a lot longer,” he said.

With just 23 months left, the healthcare industry would appear to be running out of its most precious resource: time.