Officials shaky on HIPAA compliance

A majority of state and local government agency officials are unsure whether their jurisdiction would meet sweeping new federal guidelines designed to enhance health care-related information systems within the next 18 months, according to a recent Gartner Inc. survey.

Wes Rishel, a health care research director with Gartner, presented the survey results during a conference Nov. 16 on the Health Insurance Portability and Accountability Act. Federal Sources Inc. and Potomac Forum Ltd. sponsored the one-day event in Washington, D.C.

HIPAA, signed by President Clinton in 1996, was enacted to provide a comprehensive federal law that would protect the privacy of people's health information and improve the efficiency of health care delivery by standardizing electronic data interchange. It would supersede each state's laws, which vary widely in privacy, security and transactions standards.

The federal law covers all health care providers who electronically transmit health information as well as health plans and health care clearinghouses. So far, this "administrative simplification" provision has yielded two sets of published rules, covering transactions and privacy. Security guidelines have yet to be published.

Providers and payers must comply with the Transactions Rule -- which set national standards for codes that identify patients and describe diseases, injuries and other health problems -- by Oct. 16, 2002. They must also comply by April 14, 2003, with the Privacy Rule, which governs accessibility to identifiable patient information and gives patients new rights to access their medical records.

According to Gartner, only 6 percent of chief information officers surveyed expected to meet the Transactions Rule deadline, while 63 percent don't know whether they will be able to comply. Seventeen percent said they were very likely to comply, 9 percent said somewhat likely, 3 percent highly unlikely, and 2 percent said not at all. The responses were similar when CIOs were asked about the privacy deadline.

Rishel said that because CIOs are early in their assessment process, they may be too optimistic about compliance.

In regard to a separate survey, Rishel said many health care organizations overall will not be ready for the October 2002 transaction compliance deadline. Many are just learning about HIPAA and its requirements, and fewer have done an assessment of their own systems. "That's not encouraging news," he said.

By not complying, health care organizations and government agencies could receive stiff civil and criminal penalties.

Federal extensions for compliance may be likely, but Rishel said that many providers and payers are not taking HIPAA seriously. He also said vendors are not establishing leadership in helping providers move toward compliance. "For the providers, they're relying on the vendors, and the vendors are not doing a great job," he said.

High cost is a major factor among all providers and payers. Gartner estimated that each payer and provider expected to spend $3 million to $14 million overall to comply with HIPAA.

