4 HIPAA compliance challenges facing covered entities

Many technical, administrative and legal hurdles remain for covered entities and business associates working to meet compliance standards by next month under the HIPAA omnibus final rule, according to a viewpoint published this week in the Journal of the American Medical Association.

Authors C. Jason Wang, M.D., of Stanford University and Delphine Huang of the School of Medicine at the University of California, San Francisco, say that the U.S. Department of Health & Human Services may have "significantly" underestimated the costs associated with compliance. Mobile technology companies in particular, they say, are hurt by the low estimates as the health IT industry continues to expand.

"Although there is much interest in potential partnerships between innovative companies and healthcare organizations to leverage new mobile technologies, the final rule may impose an unfunded mandate for organizations, which ironically may impede adoption of innovation in mobile health," Wang and Huang say.

Wang and Huang outline several other hurdles to HIPAA compliance, including:

  • Vague guidance: In many instances this leads organizations to implement several security controls, not all of which may be necessary, rather than focusing only on the most relevant measures.
  • User behavior: Because many providers and patients use their own unsecured personal devices to access data such as electronic patient records, security efforts often must be tailored to how those users actually behave.
  • "Insufficient" tools: While the National Institute of Standards and Technology created a HIPAA Security Toolkit to guide organizations in assessing their operational security, most organizations can't use it, Wang and Huang say. As a result, hiring expensive consultants for such assessments has become the norm.
  • Accountability chains: Because all organizations also are held responsible for the actions of their partners, covered entities often approach contract negotiations with potential business associates with "stringent technical and liability requirements" that BAs simply refuse to accept. "Impassable requirements from the various stakeholders can lead to outright failure of any deal," the authors say.

HHS, the authors conclude, may need to "reevaluate and adapt its regulations" to keep pace with new technology innovations.

Though most healthcare organizations understand the risks of a breach, including violating HIPAA, many aren't taking the proper steps to prevent one, according to a Ponemon Institute report published in April.
