The Centers for Medicare and Medicaid Services (CMS) has issued new guidance on its Web site to help physicians and health care organizations comply with the final security rule of the Health Insurance Portability and Accountability Act (HIPAA).
The deadline for compliance with the security rule was April 20.
The security rule, which governs protected electronic health information, applies to “covered entities” that conduct certain financial and administrative functions electronically. These entities include health care providers, health plans, hospitals, insurers, health care information clearinghouses, and Medicare prescription drug sponsors.
Two CMS papers to help physicians gain compliance are “Security 101 for Covered Entities,” posted at <www.cms.hhs.gov/hipaa/hipaa2/education/Security%20101_Cleared.pdf>, and “Security Standards—Physical Safeguards,” posted at <www.cms.hhs.gov/hipaa/hipaa2/education/Physical%20Safeguards%20final.pdf>.
For immediate assistance with HIPAA-rule compliance, physicians can call CMS from 8:30 a.m. to 5 p.m., Eastern Time, Monday through Friday, at (866) 282-0659.
In addition, the APA-endorsed Psychiatrists' Professional Liability Insurance Program (The Psychiatrists' Program) has several resources that are being made available to the public on its Web site <www.psychprogram.com>. These include a flow chart describing necessary actions for physicians who are, and are not, covered by the new rule and two articles: “Myths and Misconceptions: HIPAA's Final Security Rule at a Glance” and “Important Things to Keep in Mind About HIPAA's Security Rule.”
One survey by the Health Information and Management Systems Society (HIMSS)/Phoenix Health Systems indicates that physicians and organizations who are not yet compliant with the security rule are not alone.
According to the Winter 2005 U.S. Healthcare Industry HIPAA Compliance Survey, just 18 percent of providers indicated they were compliant with HIPAA security requirements as of the start of the year. Providers surveyed included hospitals and medium-sized physician practices (11 to 29 physicians or other practitioners) and small physician practices (10 or fewer physicians or other practitioners).
Moreover, the number of organizations indicating they expected to be in compliance by the deadline actually decreased. Only 74 percent of providers (down from 87 percent) and 80 percent of payers (down from 90 percent) indicated they would be in compliance by the deadline.
Ninety-three percent of providers have designated an individual as the organizational security officer. Forty percent of providers and 26 percent of payers said their organizations had experienced at least one security breach in the previous six months, according to the survey.
Phoenix Healthcare Systems and HIMSS conducted the survey from January 4 to January 20. A total of 400 providers and payers responded to e-mail invitations to participate in the survey, which were sent to more than 13,000 HIMSS members and more than 19,000 “Phoenix HIPAAlert Newsletter” subscribers. Provider organizations accounted for 80 percent (318) of the respondents, and payers accounted for 20 percent (82).
More information about HIPAA, including answers to frequently asked questions; educational materials; and information on the law, regulations, and enforcement, is posted online at <www.cms.hhs.gov/hipaa/hipaa2>. The Winter 2005 U.S. Healthcare Industry HIPAA Compliance Survey is posted at <www.himss.org/content/files/wintersurvey2005.pdf>.