The HIPAA Security Rule…Revisited

In the September 2011 blog post, The Challenges of Meaningful Use in Small, Independent Practices, I reported on a talk given to a group of primary care practitioners and how their questions indicated they were having difficulties understanding MU requirements. Perhaps the most surprising finding was that many attendees from practices that were already using EHRs did not know about HIPAA’s security requirements and had no idea what a risk analysis was. Based on the results of recent audits conducted by KPMG for the Office for Civil Rights (OCR), ignorance of HIPAA’s security provisions persists, and not just among small practices.

Audits of 115 organizations were conducted through December of 2012 in order to determine the level of adherence to HIPAA requirements. Audited entities were categorized according to the criteria listed in the table below.

Entity Level / Description

Level 1
  • Large Provider/Health Plan
  • Extensive use of HIT: complicated HIT-enabled clinical/business work streams
  • Revenues and/or assets greater than $1 billion

Level 2
  • Large regional hospital system (3-10 hospitals/region) / Regional Insurance Company
  • Paper and HIT-enabled work flows
  • Revenues and/or assets $300 million to $1 billion

Level 3
  • Community hospitals, outpatient surgery, regional pharmacy / All self-insured entities that don’t adjudicate their claims
  • Some but not extensive use of HIT; mostly paper-based workflows
  • Revenues $50 million to $300 million

Level 4
  • Small Providers (10 to 50 provider practices, community or rural pharmacy)
  • Little to no use of HIT; almost exclusively paper-based workflows
  • Revenues less than $50 million


Here is a tally of the entities that were in each group.

            Providers   Health Plans   Clearinghouses
  Level 1       11           13              2
  Level 2       16           12              3
  Level 3       10           11              1
  Level 4       24           11              1


Key findings of the report:

  • 60% of the issues found were related to security
  • 58 of 59 providers had at least 1 security finding
  • No complete and accurate risk assessment in two thirds of entities: 47 of 59 providers, 20 of 35 health plans, and 2 of 7 clearinghouses

Access management, contingency planning and backups, audit controls and monitoring were also problematic across all entity types.

When deficiencies were noted, auditors attempted to identify a specific cause for each one. Their major findings appear below:

Most common across all entities: entity unaware of the requirement. This was the cause cited:

  • in 30% (289 of 980) of all findings and observations
  • in 39% (115 of 293) of Privacy findings
  • in 27% (163 of 593) of Security findings
  • in 12% (11) of Breach Notification findings

Most of these related to elements of the Rules that explicitly state what a covered entity must do to comply.

Other causes noted included, but were not limited to:

    • Lack of application of sufficient resources
    • Incomplete implementation
    • Complete disregard

HIPAA security regulations went into effect on April 1, 2003, with compliance delayed for some entities until April 2006. The regulations were also explicitly included in the HITECH Act of 2009, so why such poor compliance 10 years later? I think much of the problem lies in the fact that the HIPAA Security Rule, as compared to the Privacy Rule, is harder to understand and more difficult to implement.

It takes a team consisting of, at a minimum, HIM, IT, legal, administrative, and clinical representatives to properly implement everything required by the Security Rule. Divvying up the sections for which each job role is responsible also takes some work. Requirements have technical and administrative aspects, which in turn have legal and clinical implications, such as those that occur with e-discovery or setting parameters for who may see a given chart.

A proper risk assessment requires detailed knowledge of the Security Rule as well as the ability to apply it to real-world situations in terms of threats and vulnerabilities. While going from theory to practice is usually bumpy, doing so with something as complex as the Security Rule is almost certain to result in missteps, which is exactly what these findings seem to indicate.

There is another, somewhat more positive way to interpret these results. For much of the time HIPAA regulations have existed, there has been very little enforcement. Consequently, there was little incentive for organizations to spend time and resources on compliance. Clearly, the OCR intends to take a different approach from now on. Glass half-full, I think organizations will rise to the occasion and make the changes required to comply. Otherwise, things could get ugly fast…
