Following far behind insurance companies and health care providers, only about 40 percent of self-insured organizations have started work on HIPAA security at their organizations, according to META Group, Inc.
"Many of these companies, particularly those with less than $1 billion in annual revenues, have only recently become aware that the HIPAA requirements apply to them, and less than half of them have begun the first or second phase of compliance efforts, including risk assessment and gap analysis," said Paul Proctor, CISSP, CISM, vice president, Security & Risk Strategies, at META Group. "The majority of them will have a very difficult time meeting the April 21, 2005, deadline for compliance, and we're clearly recognizing the trend we identified with the HIPAA privacy rule -- that most companies will wait until the last minute to address this important issue."
Common misconceptions
Most self-insured U.S. companies are in danger of failing to meet the HIPAA security requirements, and for many the problem is that they think the rule applies only to insurance companies and health care providers. In fact, any organization that handles individually identifiable health information for insurance purposes for 50 or more individuals is responsible for meeting the HIPAA requirements, including the security rule. There are substantial penalties each time an organization fails to meet the security rule's 18 standards and 36 implementation specifications, META Group reported.
Proctor told ADVANCE in an e-mail that there are several reasons self-insured organizations haven't started working on security. The reasons, he said, are unrelated to resource or money issues. "Many organizations are suffering from what I would call 'HIPAA Fatigue,'" Proctor said. "They have worked so hard on the aspects of the privacy and code sets that they believe it is now over. Many of the legal departments that lead the privacy initiatives in self-insured organizations unfortunately don't understand the security rule, so they are failing to act on it. Some assume that existing security measures are good enough. Many people view security as an IT problem where the security rule requires mostly process and procedures."
Proctor said that the security departments at many organizations are not involved with the "compliance people" (who in many cases are the in-house legal counsel). "Information security is a legal compliance issue requiring expertise outside the experience of most compliance team members," he said. "Organizations need to take a serious look at creating a multi-disciplinary team with technology and regulatory experience to appropriately address the issue."
META Group advises organizations that self-insure to consider outsourcing the administration of their insurance so that all electronic protected health information (ePHI) is moved out of the organization. Outsourcing does not remove the obligation, however: an organization still needs to investigate the outsourcer to ensure that it can deliver compliance with the HIPAA security rule.
META Group said that HIPAA compliance continues to be a critical but underestimated business imperative. While the IT department often leads the way on security compliance, META Group's analysts and consultants recommend pragmatic, actionable measures, including informing the entire organization of the security requirements it must meet to satisfy HIPAA.
Asked whether he was surprised by the findings that show only about 40 percent of self-insured organizations have begun their security compliance work, Proctor said there was a similar response to the HIPAA privacy rule. "The security rule is more technical and comprehensive and will likely take more resources than privacy, so organizations may not be as successful with last-minute efforts," he noted.
"All HIPAA-exposed entities, including insurance companies, providers and self-insured organizations, need to address security concerns as a core competency across the enterprise," Robert Booz, vice president, Insurance Information Strategies, at META Group, said in a statement. "The elements of the final HIPAA security rules include administrative procedures, as well as physical and technical safeguards, so every business within the organization needs to be involved."
HIPAA mandates
These observations are based on META Group's work helping insurance organizations and employers manage change. In addition to providing research, analysis and consulting for companies facing HIPAA mandates, META Group is conducting an online survey to gather additional quantitative data so that organizations can gauge the standard of due care currently being implemented.
Proctor added that many companies have not segmented their ePHI from other data in the enterprise. "Many self-insured organizations are completely unaware of how far PHI penetrates the organization; they don't know who has access; they have not done the requisite risk assessments to scope the problem; they don't understand how to correctly size their HIPAA compliance efforts with reasonable and appropriate measures against reasonably anticipated risks," he said.
Proctor encourages organizations to do the following: "Start with an inventory of ePHI and the people and processes that handle it. Also, do a risk assessment to determine reasonably anticipated risks followed by a gap analysis to define reasonable and appropriate controls with defensible justifications. Then close the gaps. Compliance is also ongoing, requiring accountability, transparency and measurability," he noted.
Mr. Mitchell is managing editor of ADVANCE for Health Information Executives.