Industry not ready for HIPAA security mandate

A report urges health care entities to act now to safeguard electronic data.

By Tyler Chin, AMNews staff. May 24/31, 2004.

Health care organizations are woefully unprepared to comply with the HIPAA security rule and must act immediately to meet the April 21, 2005, deadline, according to a report by URAC, a health care organization accrediting agency.

URAC warned the industry to start compliance efforts now because it will take six months to a year to implement a program to protect the confidentiality, integrity and availability of patient records stored in an electronic format or transmitted electronically. URAC based its assessment on contacts with 300 health care entities that have inquired about or gone through its Web site and HIPAA privacy and security accreditation programs,

Although URAC did not consult with small physician offices for its report, it believes -- as do other industry observers -- that doctors are equally unprepared for HIPAA security compliance.

Compliance will be challenging regardless of size, but "smaller practices obviously have less work to do in the sense that they have smaller [information] systems and smaller number of individuals with whom they need to be concerned," said Claire W. Barrett, a URAC accreditation reviewer who co-wrote the report.

"The other thing to keep in mind is the security rule is designed ... to be scalable so the compliance activity of physicians will be inherently less than a complex hospital's or health plan system's," said Garry Carneal, URAC's president.