Officials shaky on HIPAA compliance
- By Dibya Sarkar
- Nov 18, 2001
A majority of state and local government agency officials are unsure whether
their jurisdiction will meet, within the next 18 months, sweeping new federal
guidelines designed to enhance health care-related information systems,
according to a recent Gartner Inc. survey.
Wes Rishel, a health care research director with Gartner, presented
the survey results during a conference Nov. 16 on the Health Insurance Portability
and Accountability Act. Federal Sources Inc. and Potomac Forum Ltd. sponsored
the one-day event in Washington, D.C.
HIPAA, signed by President Clinton in 1996, was enacted to provide a
comprehensive federal law that would protect the privacy of people's health
information and improve the efficiency of health care delivery by standardizing
electronic data interchange. It would supersede each state's laws, which
vary widely in privacy, security and transactions standards.
The federal law covers all health care providers who electronically
transmit health information as well as health plans and health care clearinghouses.
So far, this "administrative simplification" provision has yielded two sets
of published rules, covering transactions and privacy. Security guidelines
have yet to be published.
Providers and payers must comply with the Transactions Rule -- which
set national standards for codes that identify patients and describe diseases,
injuries and other health problems -- by Oct. 16, 2002. They must also comply
by April 14, 2003, with the Privacy Rule, which governs accessibility to
identifiable patient information and gives patients new rights to access
their medical records.
According to Gartner, only 6 percent of chief information officers surveyed
expected to meet the Transactions Rule deadline, while 63 percent don't
know whether they will be able to comply. Seventeen percent said they were
very likely to comply, 9 percent said somewhat likely, 3 percent highly
unlikely, and 2 percent said not at all. The responses were similar when
CIOs were asked about the privacy deadline.
Rishel said that because CIOs are early in their assessment process,
they may be too optimistic about compliance.
In regard to a separate survey, Rishel said many health care organizations
overall will not be ready for the October 2002 transaction compliance deadline.
Many are just learning about HIPAA and its requirements, and fewer have
done an assessment of their own systems. "That's not encouraging news,"
he said.
Health care organizations and government agencies that fail to comply
could face stiff civil and criminal penalties.
Federal extensions for compliance may be likely, but Rishel said that
many providers and payers are not taking HIPAA seriously. He also said vendors
are not establishing leadership in helping providers move toward compliance.
"For the providers, they're relying on the vendors, and the vendors are
not doing a great job," he said.
High cost is a major factor among all providers and payers. Gartner
estimated that each payer and provider expected to spend $3 million to $14
million overall to comply with HIPAA.