The deadline to complete the security requirement segment of the Health Insurance Portability and Accountability Act (HIPAA) passed today without much fanfare, and many SMBs affected by the new law failed to meet the deadline. However, the law is structured in such a way that it could be sometime before anyone knows who has complied with the government regulations.
"Considering everything that is involved with compliance, there are a lot of factors as to why some companies may not have completed it," Earl Crane, a senior consultant with Foundstone Professional Services, said. Foundstone, a subsidiary of McAfee is a leading HIPAA consultant and security software provider.
The legislation, passed in 1996 as a result of the Clinton administration and congressional efforts to reform health care, is designed to streamline industry inefficiencies, reduce paperwork and make it easier to detect and prosecute fraud and abuse.
The act consists of three rules; the first two rules pertain to administrative and physical safeguards. The third, a security rule, relates to technology and calls on health care organizations, insurers and payors that store patient data electronically to comply with the rule by April 21, 2005. It also involves training staff and enlisting more software to prevent the theft or patient information.
However, a study from Information Technology Solution Providers Alliance shows that only 30 percent of health plans and 18 percent of health care providers in the SMB market are in compliance with the regulations.
"They've got their own fires to put out," Crane said. "It doesn't happen out of laziness but rather a crunch for resources," he said.
There are numerous reasons why organizations of varying sizes may have trouble complying. Smaller businesses often lack any type of full-time IT department, while large facilities could suffer under the weight of having to devote so many resources to one project.
And the penalties can be steep.
Violating the security rules is $100 per violation up to a maximum of $25,000, said Crane. However, enforcement of the security regulations is complaint-driven, so until there is an incident, it isn't likely the Department of Health and Human Resources will discover how organizations responded to the legislation.
Adapted from Internetnews.com.
|Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!|