Surveys find fewer than 20% ready for April 20 HIPAA deadline

Fewer than one-fifth of healthcare organizations will meet the April 20 Health Insurance Portability and Accountability Act data security rules compliance deadline, according to two industry association surveys.

The Healthcare Information and Management Systems Society reported April 7 that just 18% of 400 providers, as well as 30% of insurers, will be compliant by the deadline.

The number of organizations that expect to be fully compliant by April 20 has actually declined over the past six months, according to HIMSS. Only 74% of providers and 80% of payers indicated that they will be compliant on or before the deadline. This compares with 87% and 91%, respectively, in a June 2004 survey.

The second survey, released by the American Health Information Management Association (AHIMA) April 11, found that only 18% of 1140 privacy, security, and compliance officers surveyed were fully compliant with the HIPAA security rules. The AHIMA survey also showed that 43% of survey respondents were 85% to 95% compliant, 25% were halfway compliant, and 12% of respondents said they were less than halfway compliant.

"I'm concerned that compliance numbers aren't higher, as the security rule is basically a technical issue, and the bar wasn't set that high," said Joyce Sensmeier, HIMSS director of informatics.

Sensmeier says we're seeing HIPAA fatigue.

"This is the third in a series [of deadlines], and many personnel and financial resources have had to go into the compliance effort," she said.

Another issue is lack of adequate guidance.

"The Centers for Medicare and Medicaid Services has issued some FAQs and guidance documents recently, but it may have been too little too late," she said.

Another concern is enforcement and how CMS will monitor compliance.

"Penalties for noncompliance can cost up to $25,000 per violation, but the fine will be enforced only if a complaint is filed against a healthcare organization, which has generated a lackadaisical attitude among some companies," Sensmeier said.

Under the HIPAA security rules, any healthcare entity that handles electronic health data must implement fully auditable steps for monitoring access to private information and protect it from abuse.

© 2025 MJH Life Sciences

All rights reserved.