April 2004

An Assessment of HIPAA Security Preparedness: Most Health Care Organizations Remain Noncompliant

Until recently, patients and their physicians stored paper medical records under lock and key in their medical offices. In today's innovative health care environment, ensuring the security of personal health information (PHI) is much more challenging. For example, PHI is regularly inserted into claims and supporting reports that are sent electronically across state lines and/or international boundaries to various stakeholders to coordinate treatment plans and pay for coverage. Although the move to more electronic data interchange (EDI) holds great promise for increasing the efficiency, efficacy, and safety of health care, the electronic transfer of PHI raises security and privacy concerns for individual patients and their treating providers. As a result, the passage of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and the promulgation of implementing privacy and security regulations from the Department of Health and Human Services (HHS) signify the federal governments intent to ensure PHI confidentiality in today's complex business environment.