News Feature | September 23, 2013

HIPAA Hurdles For Providers

Source: Health IT Outcomes
By Katie Wike, contributing writer

Compliance with the modified HIPAA Omnibus Rule is still proving a horrendous task for providers.

Health IT Outcomes reported on a notice released in the Federal Register by HHS’ Office for Civil Rights breaking down how long providers will spend complying with HIPAA security and privacy rules, writing, “It is estimated that the amount of time needed for the U.S. healthcare industry to comply with HIPAA privacy and security rules is 32.8 million hours.” Those 32.8 million hours are the equivalent of almost 3,800 years.

HHS Secretary Kathleen Sebelius said in January, "Much has changed in healthcare since HIPAA was enacted over 15 years ago. The new rule will help protect patient privacy and safeguard patients' health information in an ever expanding digital age."

Todd Richardson, vice president and CIO of Aspirus, Inc., told Fierce Health IT that providers already have enough trouble trying to comply with HIPAA while at the same time meeting HITECH requirements. “On one hand we have 'protect, protect, protect' and on the other hand we have 'share, share, share.' While the balance is 'protect and share,' the devil is always in the details. The reality is that all of the information is not under the tight control of the covered entity.

"I find a little bit of irony in the reality of today's new paradigm, where we have so many people posting so much personal information on Facebook and tweeting about their every move and their latest lab result, yet the government is pushing privacy requirements further," Richardson said.

The Federal Register’s report breaks down the estimated times as follows:

  • Documentation of security procedures in place: 350,000 hours
  • Business associates' need to establish or modify BA agreements with subcontractors: 125,000 hours
  • Revising the language in privacy notices (health plans): 167 hours
  • Dissemination of notices by paper mail (health plans): 416,667 hours
  • Dissemination of notices by electronic mail (health plans): 278,333 hours
  • New burdens: 619,000 hours

Much of this work will have to be repeated annually.