In the September 2011 blog post, The Challenges of Meaningful Use in Small, Independent Practices, I reported on a talk given to a group of primary care practitioners and how their questions indicated they were having difficulties understanding MU requirements. Perhaps the most surprising finding was that many attendees from practices that were already using EHRs did not know about HIPAA’s security requirements and had no idea what a risk analysis was. Based on the results of recent audits conducted by KPMG for the Office for Civil Rights (OCR), ignorance of HIPAA’s security provisions persists—and not just among small practices.
Audits of 115 organizations were conducted through December of 2012 in order to determine the level of adherence to HIPAA requirements. Audited entities were categorized according to the criteria listed in the table below.
Here is a tally of the entities that were in each group.
Key findings of the report:
60% of the issues found were related to security
58 of 59 providers had at least one security finding
Two thirds of the entities had no complete and accurate risk assessment: 47 of 59 providers, 20 of 35 health plans, and 2 of 7 clearinghouses
Access management, contingency planning and backups, audit controls and monitoring were also problematic across all entity types.
When a deficiency was noted, the auditors attempted to identify a specific cause for it. Their major findings appear below:
Most common across all entities: the entity was unaware of the requirement. This accounted for
- 30% (289 of 980) of all findings and observations
- 39% (115 of 293) of Privacy findings
- 27% (163 of 593) of Security findings
- 12% (11 of 94) of Breach Notification findings
Most of these related to elements of the Rules that explicitly state what a covered entity must do to comply.
Other causes noted included, but were not limited to:
- Lack of application of sufficient resources
- Incomplete implementation
- Complete disregard
The HIPAA Security Rule went into effect on April 21, 2003, with compliance required by April 2005 for most covered entities and delayed until April 2006 for small health plans. The HITECH Act of 2009 reinforced the Security Rule, extending it to business associates and strengthening enforcement, so why such poor compliance 10 years later? I think much of the problem lies in the fact that the Security Rule, as compared to the Privacy Rule, is harder to understand and more difficult to implement.
It takes a team consisting of, at a minimum, HIM (health information management), IT, legal, administrative, and clinical representatives to properly implement everything required by the Security Rule. Divvying up the sections for which each job role is responsible also takes some work. Requirements have technical and administrative aspects, which in turn have legal and clinical implications, such as those that arise with e-discovery or when setting parameters for who may see a given chart.
A proper risk assessment requires detailed knowledge of the Security Rule as well as the ability to apply it to real-world situations in terms of threats and vulnerabilities. While going from theory to practice is usually bumpy, doing so with something as complex as the Security Rule is almost certain to result in missteps, which is exactly what these findings seem to indicate.
There is another somewhat more positive way to interpret these results. For much of the time HIPAA regulations have existed, there has been very little enforcement. Consequently, there was little incentive for organizations to spend time and resources on compliance. Clearly, the OCR intends to take a different approach from now on. Glass half-full, I think organizations will rise to the occasion and make the changes required to comply. Otherwise, things could get ugly fast…