The Health Insurance Portability and Accountability Act (HIPAA) sent many healthcare company IT departments into a frenzy at the turn of the millennium. The federal law, which was signed in 1996 by President Clinton, was designed to ratchet up the care and handling of personal healthcare data. Facing up to $250,000 in fines, and even jail time, healthcare providers put a lot of time, effort and money into making sure that their IT systems were HIPAA compliant.
More than four years have passed since the Oct. 16, 2003 HIPAA compliance deadline, and not one company has been fined or jailed for non-compliance. Consequently, many are now raising the question: Is the law a deterrent to careless handling of patient data, or can it simply be ignored?
The answer to that question depends on whom one talks to. Because HIPAA charted new territory, there was a wide range of perceptions about what would happen once the law went into effect. Some felt that the punishments would make the law draconian and force companies into compliance.
Those perceptions have proven to be false. "We prefer to try and work with healthcare providers and have them enforce the rules rather than take punitive actions," noted Susan McAndrew, deputy director at the U.S. Department of Health and Human Services' Office for Civil Rights, which is responsible for enforcing HIPAA compliance. Yet because of that stance, there is a growing feeling that the government has acted like the Wizard of Oz, basically blustering about forcing compliance but having no real power to enact change.
It's also difficult to enforce a law that has a number of potential loopholes, one of which involves unrealistic expectations in the way violations are reported. "Patients would have to be right there watching their personal information be compromised when violations took place; in many cases, they will not even be aware that a breach has occurred," said Barry Runyon, research director at Stamford, Conn.-based Gartner Inc.
The government counters that it has tried to make it possible for anyone who witnesses a violation to report it. Noted McAndrew, "the statute was written to encourage employees to report violations whenever they think that their company is not complying with HIPAA regulations."
The guidelines themselves present another challenge. Because security is such a complex area, there are different steps that a healthcare company can take to secure information. "The government has outlined broad guidelines," Runyon said, "so it becomes a bit subjective about whether or not an organization is complying with them."
Since the law went into effect, 31,000 violations have been reported, according to the U.S. Department of Health and Human Services. Two out of every three cases are rejected because they do not fall under HIPAA guidelines, according to the federal government agency. Approximately 8,000 cases have been closed with no significant penalties.
Some see progress in the numbers. "HIPAA did a good job in raising the awareness among healthcare companies that they had not done a good job protecting patient data," stated Gartner's Runyon. The law also forced healthcare companies to invest more money in security products and services.
But the federal statute has not been a privacy panacea. "From anecdotal evidence, I would estimate that about 60% of healthcare companies now do a good job of protecting patient data," concluded Runyon. "That number is not where the industry would like to be, but it is much higher than it was before HIPAA was enacted."
About the author:
Paul Korzeniowski is a freelance writer who specializes in security issues. He is based in Sudbury, Mass. and can be reached at firstname.lastname@example.org.