The HIPAA Security Rule Turns 10 Years Old

04-23-2015

Ten years ago, on April 20, 2005, most healthcare organizations were required to be in full compliance with the HIPAA Security Rule. This rule contains a set of required controls that are intended to protect electronic Protected Health Information (ePHI). Perhaps the anniversary makes this a good time to look back on how well the industry is doing at complying with these requirements and, as the rule intends, at protecting ePHI.

To say that adoption of the requirements of the HIPAA Security Rule was slow would be an understatement. While most practices rushed to comply with the HIPAA Privacy Rule by the required date in 2003, the 2005 HIMSS Annual Survey indicated that only 18 percent of responding healthcare providers were in compliance with the HIPAA Security Rule by the required date. In 2005 many healthcare providers, especially smaller ones, did not have an EMR system, so perhaps they can be forgiven for not taking too much notice of the new requirements for protecting electronic medical records.

So how has the landscape changed over the past 10 years?

In 2005 it would have been tempting to look 7 to 10 years into the future and predict that many, if not all, organizations would have come into compliance by 2015. However, according to the 2013 HIMSS Annual Survey (the most recent survey available), in 2012 only 65 percent of physician practices had conducted a security risk analysis as required by the HIPAA Security Rule. That number did rise to 78 percent in 2013. This increase may be attributed largely to the Meaningful Use requirement to conduct a security risk analysis.

Why the poor rates of adoption? This may be due to limited enforcement of the HIPAA Security Rule. However, since its inception in 2005, the HITECH Act of 2009 and the HIPAA Omnibus Rule in 2013 have provided some teeth to HIPAA enforcement and legally require covered entities to report breaches to the Department of Health and Human Services (HHS), affected individuals, and the public. Significant fines and corrective action plans have followed, and this is garnering attention. Furthermore, the Office for Civil Rights (OCR) is planning another round of audits to begin later this year, and enforcement actions may follow.

This enforcement comes none too soon. With some already labelling 2015 "the year of the breach" because of breaches affecting millions of patients, the public may be losing confidence in the industry's ability to protect its health information. While compliance with the HIPAA Security Rule will not guarantee that breaches won't happen, it is at least a baseline and provides evidence that organizations are seriously working to identify and address risks to the ePHI entrusted to them.

So now that the HIPAA Security Rule is 10 years old, perhaps this is the time that ALL organizations will start to pay attention and come into compliance with it.

Visit www.healthit.gov for more information about complying with the HIPAA Security Rule and protecting your patient information or contact PA REACH Privacy & Security Specialist .