URAC: Health plans still not compliant with HIPAA

Report identified barriers to compliance

With less than a year left before the HIPAA Security Rule goes into effect, a study by URAC has shown that the majority of health plans are not prepared.

"Many health care organizations have a long way to go to implement a health information security program that meets baseline regulatory and business requirements," says Gary Carneal, URAC president and chief executive officer.

He recommends that organizations immediately start the process, because most security risk management programs can take up to a year to implement fully.

Health organizations must develop a health information security program to comply with the HIPAA Security Rule by April 21, 2005. The rule requires that health care organizations develop a specific plan for protecting the integrity, confidentiality, and availability of electronic protected health information.

URAC, an independent, nonprofit health care quality organization, spent 18 months consulting hundreds of health care organizations through telephone interviews or through the URAC accreditation process.

The organization concluded that only a small percentage of these companies have implemented a comprehensive security management program that meets the HIPAA requirements.

URAC’s report, "An Assessment of HIPAA Security Preparedness: Most Health Care Organizations Remain Noncompliant," lists four barriers to compliance and how to remedy them:

Incomplete or inappropriately scoped risk analysis efforts. Health plans should conduct a thorough analysis to determine whether electronic patient data are at risk of compromise. The analysis should include a detailed identification of likely threats, vulnerabilities, and impacts to an organization’s electronic patient data, and of the types of controls necessary to thwart them.

Inconsistent or poorly executed risk management strategies. All of the organizations surveyed by URAC had serious issues with policy and procedure documentation, management, and implementation. The organizations should actively address the technical issues and employee practices that affect the security of electronic data.

Limited or faulty information system activity review. The HIPAA regulations require an organization to provide an accurate history of system activity in the event of a security breach. Organizations should collect data on how their systems and employees are performing. They must establish policies and procedures relating to the frequency with which the data will be analyzed.

Ineffective security incident reporting and response. Health care organizations must be able to detect when patient data have been compromised and have procedures in place to deal with the compromise.

URAC recommends that HIPAA efforts should be managed in the broader context of overall business risk. The goal is to create a security "due diligence" package that presents a single vision of business risk.

URAC offers HIPAA Privacy and Security Accreditation Programs, Security Audit services, publications, educational conferences, and workshops. For more information or to read the entire report, go to www.urac.org.