The April 20 compliance deadline for the final rules on security under the Health Insurance Portability and Accountability Act has come and gone.
Officially, the rules are called the Security Standards for the Protection of Electronic Protected Health Information -- the third of four main rule sets to be implemented under the administrative simplification provisions contained in the 1996 HIPAA law.
Compliance with the privacy rule started in April 2003, with the rule covering transactions and code sets in October 2002. The final rule requiring use of a national identifier for employers, providers and health plans becomes effective May 23, but compliance is not required until at least 2007.
Unlike the privacy rule, which created quite a stir around its deadline, the security rule has caused little consternation in the healthcare IT community, even though many hospitals and medical groups were not expected to be in complete compliance by the deadline, according to several recent surveys.
One reason for the relative equanimity is the realization, based on experience with the two previous rules, that the government won't be taking a jackboot approach to enforcement, even though unintentional breaches could generate fines of $100 per violation, up to a maximum of $25,000 per year.
"As with all the other HIPAA provisions, we handle compliance on a complaint basis, so no, we don't send in security auditors," says Karen Trudel, deputy director of HHS' Office of HIPAA Compliance.
"I view security as being a continuum," Trudel says. "Some of the organizations that have not put every possible provision in place may have most of them there just by simple, good business practice."
Another calming effect has been time, says Thomas Smith, chief information officer at Evanston (Ill.) Northwestern Healthcare, a three-hospital, not-for-profit system.
"We began working on HIPAA well before the privacy rule went into effect," Smith says. "It's been about four years. We've had a lot of time to address various changes. Many of those are software changes. We've been able to do all of those and had our vendors supply us with HIPAA-compliant releases.
"We think we're compliant and we think we'll do well when anyone comes in for an audit," including the Joint Commission on Accreditation of Healthcare Organizations, which is generally incorporating the security provisions in their review process, Smith says.
"That's a good thing," he adds. "We won't have to comply with two sets of rules."
The security rule applies to healthcare providers that transmit healthcare information in electronic form and includes hospitals, physicians, health plans, claims clearinghouses and Medicare Part D prescription drug plan sponsors.
While all of the HIPAA standards interconnect, the privacy and security rules are the most closely aligned, so much so that in developing the security rule, HHS "chose to closely reflect the requirement of the final privacy rule," according to the Web-published CMS guideline, Security 101 for Covered Entities. In fact, providers and other covered entities that have implemented privacy protections "may already address some security requirements," the CMS says.
One key difference between the privacy and security rules is scope. Privacy rules apply to all forms of protected health information, whether kept on paper or in a computer system, and whether transmitted electronically or orally. The security rule only covers information that is transmitted electronically.
The final rule is composed of a number of what the CMS calls implementation specifications, detailed instructions on how specific security standards can be met. There are 20 required implementation specifications and 22 deemed "addressable," that is, specifications that need not be met if a covered entity finds them to be "not reasonable and appropriate" or if another measure can be implemented to accomplish the same purpose.
With the addressable items, "you have a number of options," says Rob Tennant, a senior policy adviser in government affairs for the Medical Group Management Association. "It means, according to the CMS, you can do something different than what it suggests, as long as you said why."
Further, Tennant says, "You can not do it, as long as you can document that you didn't have to do it, that it didn't apply for the following reasons."
For example, Tennant says, encryption of e-mail is addressable, but if you don't send e-mail, obviously, you don't have to encrypt it.
Finally, he says, the rule provides some flexibility. "You can do something slightly different, as long as it has the same effect. We appreciate that because we want groups to design a security compliance plan that meets their needs."
Ready . . . or not
Three national healthcare organizations have released surveys within the past month indicating a general lack of preparedness with regard to the security standards.
An American Health Information Management Association survey of its members conducted in January showed 17.5% of respondents indicated their operations were completely compliant, 43.8% were about 85% to 95% compliant, another 26.4% were about 50% compliant and 12.3% were less than 50% compliant.
Keeping track of who had access to protected data was listed by many respondents as the No. 1 problem they identified and corrected in meeting the security rule, according to AHIMA, a trade group for medical records professionals.
Meanwhile, the American Medical News reported on an American Medical Association survey indicating 35% of medical practices would not be ready for the security standards.
According to results of a survey of providers and payers conducted on behalf of the Healthcare Information and Management Systems Society, only 30% of payers and just 18% of hospital-based providers said they thought they'd be compliant by the deadline.
"I think part of it is HIPAA fatigue," says Joyce Sensmeier, HIMSS' director of informatics, regarding the low compliance expectations.
Another reason for calm within the industry is the nature of the challenge, Sensmeier says.
"On the privacy side, there were so many procedures to put in place," she says, and those required the involvement and training of nearly all front-line providers.
"But with security, most of it is technical," she says, and much of it can be handled by a much smaller cast of characters. Security compliance is more a question of adherence to procedures a well-run IT department should be following anyway, such as keeping an audit trail to know who is looking at the data and monitoring an IT system for spikes in activity, Sensmeier says.
"In the HIPAA security rule, it is not rocket science. It is merely best practice," she says.
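The two practices Sensmeier names, keeping an audit trail of who looked at which record and watching for spikes in activity, are simple enough to show in code. The script below is an added example, not code from the article or from any of the organizations quoted in it; it assumes a constructed four-field audit log format (timestamp, user, record id, action) and uses a spike threshold that is an assumption to be tuned per environment.

```python
"""Added example: a minimal PHI access audit trail with per-user,
per-hour spike detection over constructed log lines."""
from collections import Counter, defaultdict
from datetime import datetime
import statistics

# Constructed sample audit lines (not real data). Format is an assumption:
# "<ISO timestamp> <user id> <record id> <action>".
# The final list comprehension builds a burst of 12 views by one user in
# the 11:00 hour, which is the "spike" the detector should catch.
SAMPLE_LOG = [
    "2005-04-20T09:01:12 nurse_a P1001 view",
    "2005-04-20T09:05:40 nurse_a P1002 view",
    "2005-04-20T09:15:02 dr_b P1001 view",
    "2005-04-20T10:02:30 nurse_a P1001 update",
    "2005-04-20T10:40:11 clerk_c P1003 view",
] + [
    f"2005-04-20T11:{m:02d}:00 clerk_c P{1004 + i} view"
    for i, m in enumerate(range(0, 36, 3))
]


def parse_line(line):
    """Split one audit line into (datetime, user, record, action)."""
    ts, user, record, action = line.split()
    return datetime.fromisoformat(ts), user, record, action


def parse_log(lines):
    """Parse every non-blank line; malformed lines raise rather than being
    silently dropped, since a gap in the audit trail is itself a finding."""
    return [parse_line(l) for l in lines if l.strip()]


def accesses_by_record(events):
    """Audit trail view: for each record, the sorted set of users who touched it."""
    trail = defaultdict(set)
    for _ts, user, record, _action in events:
        trail[record].add(user)
    return {record: sorted(users) for record, users in trail.items()}


def hourly_counts(events):
    """Number of audited actions per (user, hour bucket)."""
    counts = Counter()
    for ts, user, _record, _action in events:
        counts[(user, ts.strftime("%Y-%m-%dT%H"))] += 1
    return counts


def find_spikes(events, min_events=5, factor=3.0):
    """Flag (user, hour, count) buckets that exceed both an absolute floor
    (min_events) and factor * the median bucket size across all users.
    Both thresholds are assumptions for this example, not rule text."""
    counts = hourly_counts(events)
    if not counts:
        return []
    baseline = statistics.median(counts.values())
    threshold = max(min_events, factor * baseline)
    return sorted(
        (user, hour, n) for (user, hour), n in counts.items() if n > threshold
    )


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for record, users in sorted(accesses_by_record(events).items()):
        print(f"{record}: accessed by {', '.join(users)}")
    for user, hour, n in find_spikes(events):
        print(f"SPIKE: {user} performed {n} actions in hour {hour}")
```

Run as a script it prints the per-record trail followed by one spike line for clerk_c in the 11:00 hour. The median-based baseline is deliberately crude; a real deployment would baseline each user or role separately and feed the flagged buckets into a review workflow rather than treating them as proof of misuse.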
Sensmeier and several others criticize the CMS for providing "not a lot of guidance" early on, but note that the federal agency's recently posted 11-page booklet, Security 101, is helpful.
Trudel says the publication is just the first of what will become a suite of online HIPAA compliance tools.
Todd Park, a co-founder of athenahealth, a revenue-cycle management company that uses Web-based connectivity in an application service provider model, says his firm has invested millions of dollars to comply with HIPAA.
Technically, it was not hard, Park says, adding, "a lot of it is common-sense stuff. But it's a regulation and you've got to do it. We're a little upset with a lot of people not taking it seriously. It's like the one kid in school who does his homework."
John Quinn, chief technology officer for Capgemini's provider practice, says most of his consulting firm's clients are large hospitals and health systems, so with them "you don't see that lack of compliance or intent not to comply."
Quinn predicts the security deadline "is going to come and go and we're probably not going to see that anything earth-shattering is going to happen." Given the CMS' complaint-based enforcement methodology, the privacy regulations are "a set of rules you're not likely to run afoul of unless you get caught.
"A lot of it gets fairly mundane -- locks on doors and backups of computer systems," he says.
But, Quinn says, "events are going to occur and somebody is going to have to say we lost all this data and an investigation will occur and, say, you didn't do backups, someone will learn a HIPAA security rule was involved."