Officials shaky on HIPAA compliance

HIPAA home page

A majority of state and local government agency officials are unsure whether their jurisdiction would meet sweeping new federal guidelines designed to enhance health care-related information systems within the next 18 months, according to a recent Gartner Inc. survey.

Wes Rishel, a health care research director with Gartner, presented the survey results during a conference Nov. 16 on the Health Insurance Portability and Accountability Act. Federal Sources Inc. and Potomac Forum Ltd. sponsored the one-day event in Washington, D.C.

HIPAA, signed by President Clinton in 1996, was enacted to provide a comprehensive federal law that would protect the privacy of people's health information and improve the efficiency of health care delivery by standardizing electronic data interchange. It would supersede each state's laws, which vary widely in privacy, security and transactions standards.

The federal law covers all health care providers who electronically transmit health information as well as health plans and health care clearinghouses. So far, this "administrative simplification" provision has yielded two sets of published rules, covering transactions and privacy. Security guidelines have yet to be published.

Providers and payers must comply with the Transactions Rule -- which set national standards for codes that identify patients and describe diseases, injuries and other health problems -- by Oct. 16, 2002. They must also comply by April 14, 2003, with the Privacy Rule, which governs accessibility to identifiable patient information and gives patients new rights to access their medical records.

According to Gartner, only 6 percent of chief information officers surveyed expected to meet the Transactions Rule deadline, while 63 percent don't know whether they will be able to comply. Seventeen percent said they were very likely to comply, 9 percent said somewhat likely, 3 percent highly unlikely, and 2 percent said not at all. The responses were similar when CIOs were asked about the privacy deadline.

Rishel said that because CIOs are early in their assessment process, they may be too optimistic about compliance.

In regard to a separate survey, Rishel said many health care organizations overall will not be ready for the October 2002 transaction compliance deadline. Many are just learning about HIPAA and its requirements, and fewer have done an assessment of their own systems. "That's not encouraging news," he said.

By not complying, health care organizations and government agencies could receive stiff civil and criminal penalties.

Federal extensions for compliance may be likely, but Rishel said that many providers and payers are not taking HIPAA seriously. He also said vendors are not establishing leadership in helping providers move toward compliance. "For the providers, they're relying on the vendors, and the vendors are not doing a great job," he said.

High cost is a major factor among all providers and payers. Gartner estimated that each payer and provider expected to spend $3 million to $14 million overall to comply with HIPAA.