Medical records security: HIPAA's 3rd deadline not a charm

Many physicians won't be ready by April 20, and some are still working to comply with the earlier privacy and transaction regulations.

By Joel B. Finkelstein, AMNews staff. April 18, 2005.

Washington -- The approach of the compliance deadline for medical records security standards is causing a case of "HIPAA fatigue" among many doctors who are tired of dealing with new federal regulations.

So far, physicians' compliance efforts have lagged behind those of payers. About 35% of practices will not be ready for the security standards, part of the Health Insurance Portability and Accountability Act, by the April 20 deadline, according to an American Medical Association survey.

In comparison, 20% of payers don't expect to be prepared in time, says a survey by the Health Information and Management Systems Society.

"There have just been so many rules," said Joyce Sensmeier, director of informatics at HIMSS.

HIPAA set forth a series of three rules -- medical records privacy, electronic health care transactions and now security -- all going into effect within a two-year period. While dire warnings harbingered the privacy rule deadline and tempered anxiety preceded the transaction rule cutoff, the security rule has generated less commotion.

"The privacy regulations were such a 'big deal,' it overshadowed everything else," said Stephen Imbeau, MD, an allergist in Florence, S.C.

He expects his five-physician practice to be ready in time, assuming its software vendor provides updates on schedule. But the security rules seem to have escaped many colleagues.

"Smaller groups aren't really aware of the deadline," he said.