As the new HIPAA security rule takes effect, many providers still are grappling with how best to protect resident informationSoffy Vilson has been unusually busy for the past few months. As director of nursing at Trinitas Extended Care in Elizabethtown, NJ, she has helped prepare staff for new federal medical-records security rules that took effect April 21.

These latest requirements are designed to streamline data exchanges while improving the way resident information is kept secure. They come under provisions of the Health Insurance Portability and Accountability Act.
With operators increasingly moving toward electronic record keeping, the potential for the disclosure of confidential information — such as residents’ medical records — increases as well. Under the latest HIPAA requirements, Vilson and other providers are required to make sure that doesn’t happen by employing a variety of techniques for their information technology systems.
These range from sophisticated encryption codes to unique user IDs. Specifically, the new security regulations require healthcare providers to protect the confidence, integrity and availability of electronic patient information against improper access, disclosure and alteration via a series of administrative, technical and physical measures. These include conducting risk assessments, updating policies and procedures, training staff and reviewing agreements with business partners to ensure they meet the government’s new standards.
The importance of this effort became apparent in mid-April, when a California-based medical practice revealed that two of its computers had been stolen. The machines contained the names, addresses, Social Security numbers, and insurance billing codes for nearly 200,000 current and former patients.
But if the need for more security is apparent, how best to prepare is less obvious.
“There’s not been a lot of forward momentum with HIPAA’s security piece, which we find quite disconcerting,” said Joyce Sensmeier, director of informatics at the Healthcare Information and Management Systems Society, Chicago.
While most organizations are continuing toward compliance, there are many that are still struggling, said Devin Jopp, chief administrative officer at URAC, a nonprofit accreditation agency for the healthcare industry.
“It is difficult to know where providers stand in terms of meeting privacy and security administrative guidelines, but it seems the larger chains have spent more time preparing to meet these needs than perhaps the smaller chains or individually-owned facilities,” said Mary Beth Meilstrup, a spokeswoman for American HealthTech.
“One of the biggest problems we see is that facilities often do not know how to approach the ominous task of authoring their HIPAA security policies and procedures,” said Kathryn A. Alden, president/CEO of Creative Solutions Unlimited Inc.
Alden noted that while many operators have read the related rules, others remain unsure of how to actually convert the new requirements into policies and procedures. 
Many providers also are struggling with technical aspects of the rule, she added.

Giving away too much control?
Other observers note that many operators are delegating too much responsibility onto IT firms.
“We see that many people do not understand exactly what HIPAA compliance entails on the part of the provider,” said Doc DeVore, director of research & development for MDI Technologies. “Many seem to believe — especially with regard to the security regulations — that a vendor can take care of it for them,” DeVore said.
But shirking HIPAA compliance requirements could prove costly. Operators found to be non-compliant face fines of up to $25,000, and possible jail time.
There is a bright side, however. The U.S. Department of Health and Human Services, which is charged with promulgating HIPAA, created some wiggle room, making some rules “required” and others “addressable.” In other words, the agency realized that one size doesn’t fit all. As a result, the security component is scalable and flexible. This will give smaller providers more flexibility in their compliance efforts, noted Kurt R. Knipper, a spokesman for VCPI.

Going to the source
Many vendors, such as Keane, have spent years analyzing the HIPAA requirements and tracking regulations. Most initially focused on providing information s