Surveys reveal non-compliance of new HITECH Act provisions

The survey of HITECH Act compliance by HIMSS subsidiary HIMSS Analytics, together with the 2nd annual HIMSS Security Survey released by the Healthcare Information and Management Systems Society (HIMSS) last month, shows that health care organizations and business associates (BAs) are generally unprepared to comply with the new security breach rules, and that much work remains to achieve compliance with the new HITECH Act provisions.

The HIMSS Analytics survey found the following:

* 2% of covered entities (CEs) and 12% of BAs were not aware of the new HITECH Act provisions.
* One-third of hospitals overall and 52% of large hospitals reported having a data breach in the last 12 months.
* 91% of hospitals conducted a risk assessment and took actions to address identified risks and gaps in the last 12 months.
* Large hospitals had a higher level of awareness of the new breach requirements than did small hospitals.
* Over 30% of business associates did not know they are now accountable for the HIPAA privacy and security requirements.
* Nearly half of hospitals would terminate a BA contract for violations.

Another study, a Crowe Horwath benchmark conducted for the Ponemon Institute, collected data from 42 covered entities and 35 business associates. Larry Ponemon, chairman and founder of the Ponemon Institute, released the key findings of the benchmark study on Nov. 10; they included:

* 94% of respondents were not in “substantial compliance with HITECH.”
* Only 1% of organizations are ready to meet the deadlines for near-term effective dates.
* 90% of organizations experienced one or more data breaches in the past two years.
* 98% of CEs have formally implemented a HIPAA privacy compliance program; 43% of BAs have done the same.
* 86% of CEs have formally implemented a HIPAA security compliance program; 26% of BAs have done the same.
* 32% said their organizations do not provide adequate staff training for both privacy and security.
* 21% said their organizations have not formally implemented a risk-based assessment program.
* 30% said their organizations do not conduct a detailed security risk analysis.
* 22% have not formally assigned the role of security officer or CISO.

Both Ponemon and Gallagher blame a lack of resources as a major source of difficulty. Moreover, they feel that executives are not necessarily supportive of privacy and data security compliance initiatives and instead tend to focus on revenue-related matters. Compliance is also hindered because the “rank and file” employees handling medical records may not be best placed to manage privacy, says Ponemon. Strict enforcement by the government is the only thing that will overturn complacency about privacy and security, says Ponemon.