HIPAA security regs roll into play

Sunday, May 8, 2005

WASHINGTON -- HIPAA's security regulations went into effect April 21 with little of the fanfare or provider panic that accompanied CMS's rollout of the law's privacy regs in April 2003.

That doesn't mean, however, that most providers have the computer systems and protocols in place to prevent the theft of protected healthcare information. In fact, the majority of providers probably are not in compliance, most likely because thus far the government has done little to enforce the Health Insurance Portability and Accountability Act (HIPAA), said Clay Stribling, a healthcare attorney with Brown & Fortunato in Amarillo, Texas.

"HIPAA has plenty of teeth, they just haven't shown them yet -- but they will," Stribling said.

Violating the security rules will cost you a $100 fine per violation, up to a maximum of $25,000. Fortunately, when it comes to HIPAA enforcement, CMS prefers to help companies comply rather than issue fines.

"They would rather fix the problem than punish people," said attorney Neil Caesar, president of the Health Law Center in Greenville, S.C. "Punishment is for repeat offenders or those who are indifferent."

Based on what he's seeing in the marketplace, Caesar described three levels of security compliance: 1. Providers who admit they are not up to speed, about 30%; 2. Providers who are up to speed with 90% accuracy, about 30%; 3. Providers who claim they are up to speed and know they are not or believe they are up to speed but aren't, about 40%.

Congress passed HIPAA in 1996 to streamline industry inefficiencies, reduce paperwork and make it easier to detect and prosecute fraud and abuse. In the health care and medical professions, HIPAA's compliance challenge is the assurance that all patient account handling, billing, and medical records are safeguarded.