Medium-sized and small physician practices report increases in compliance with the security standard (from 33% to 54% and from 40% to 68%, respectively), according to the US Healthcare Industry HIPAA Summer 2006 Survey, sponsored by the Healthcare Information Management and Systems Society and Phoenix Health Systems.
January 2007
However, three years after the implementation of the HIPAA privacy rule, only 85% of AHIMA survey respondents indicate that they are more than 85% compliant, compared with 91% of respondents in 2005.
In both surveys, key reasons for less than full compliance with the privacy rule include such factors as a lack of resources, administrative support, and interoperability between systems, as well as budget constraints to train new staff.
Ironically, this lag in privacy compliance comes at a time when consumers are becoming more aware of the privacy rule and their rights to understand and control how their health information is used and disclosed.
According to a spokesperson from the OCR, most complaints regarding privacy are against physician practices and involve:
- Impermissible use or disclosure of IIHI;
- Lack of adequate safeguards to protect IIHI;
- Refusal or failure to provide an individual with access to, or a copy of, personal records;
- Disclosure of more information than is minimally necessary to satisfy the request; and
- Failure to have the individual’s valid authorization for a disclosure that requires one.
Some of the most frequent security problems involving small physician practices relate to a lack of adequate safeguards, such as patient information left visible on computer screens. To avoid misuse or improper access, practices must address security concerns involving firewalls, password protection, encryption, and related considerations.
Other security vulnerabilities involve practices engaging in the improper disposal of patient information. Simple deletion of an electronic file from a storage medium generally does not permanently erase it in a way that precludes it from being restored in an unauthorized manner.
The OCR spokesperson acknowledges that while most physician offices are subject to general security safeguards under the privacy rule, those engaged in electronic transmission and storage need to look closely at the HIPAA security rule to make certain that their systems comply with the more detailed standards that exist for the security of electronic PHI, especially since 70% of people surveyed in a 2005 Harris Poll about EMRs were concerned that sensitive personal information may be leaked because of weak security.
Experienced otolaryngology practice administrators of groups using EMRs are heeding this advice, knowing that privacy must be securely protected in order to calm patient concerns.