Lack of readiness to adopt HITECH requirements shouldn’t be a show-stopper

There are lots of new and improved privacy and security requirements scheduled to come into effect over the next few months, including enhancements of existing HIPAA security and privacy provisions that were added by the HITECH Act, which passed in February as part of the American Recovery and Reinvestment Act. As the time draws near when both HIPAA covered entities and some non-covered entities will need to comply with the new regulations, many indications point to a general lack of readiness on the part of these organizations to meet HITECH’s requirements. The results of a survey conducted by the Ponemon Institute and published this week by the survey’s sponsor, Crowe Horwath, found that the vast majority of healthcare organizations surveyed do not think they are ready to comply with the new security and privacy requirements in the HITECH Act. While it should be noted that Crowe Horwath has a business interest in this research as a provider of risk management and compliance consulting services, the near consensus among survey respondents and the troubling lack of resources available to achieve compliance raise significant questions about realistic expectations for compliance with, and enforcement of, the new requirements. On a similar theme, the effective date for Massachusetts’ sweeping personal information security regulations in 201 CMR 17 has been pushed back twice — first from January 1, 2009 to May 1, and then to January 1, 2010 — in order to give affected organizations more time to understand what was needed to comply and to put appropriate measures in place.

What is less often cited when focusing on efforts to comply with new rules is the extent to which organizations are (or are not) already complying with existing regulations and requirements, such as those in the HIPAA privacy rule and security rule. The ability of organizations to reach and maintain compliance has varied greatly with organization size: small organizations tend to have less ability to dedicate staff or financial resources to compliance efforts, or to have personnel with explicit responsibility for information security and privacy. The recent survey indicated that a large majority of organizations do not currently comply with all mandated practices; for example, 79 percent of respondents do not conduct regular audits or independent assessments of their compliance or of the adequacy of their security and privacy programs.

One way to approach this situation is, of course, to delay implementation dates. However, it may make more sense to stick to the schedule prescribed in the HITECH Act for when requirements take effect, and to adopt an approach to organizational monitoring and compliance enforcement that takes into account the time, resources, and level of effort required to meet the regulations. Current health IT initiatives almost always include phased or incremental rollout strategies, so a similar approach could be followed for security and privacy compliance. One potential benefit of keeping to the original implementation schedule is that, as the subset of covered organizations that are ready for HITECH formalize their programs, there should be an opportunity to use their example to help less prepared organizations get to where they need to be to comply with the law.