Response Rate

A total of 2543 contacts of key IT managers and professionals (Management Information Systems (MIS) managers, MIS Directors, IT security officers, as well as the CTO, CIO, CFO, and/or CSO) from covered entities in Washington state were asked to participate in this survey. Five hundred survey letters containing the paper version of the instrument and the cover letter were sent to potential candidates. The remaining 2043 candidates were contacted using the digital version of the instrument and cover letter. While the first stage of the distribution process landed 73 responses, the follow-up stage landed only 23 responses, all of which were online. In total, 96 responses were collected and used (89 online and 7 paper-based responses).

Administrative, Physical, and Technical/Communication Safeguards Data Analysis

The instrument used in this research includes questions about administrative, physical, and technical/communications safeguards.

Administrative Safeguards' Data Analysis

Looking at the data collected from questions concerning administrative safeguards, health care organizations reported a weak response to the security risk analysis requirement, considering that 26.1% never conducted a thorough security risk analysis, and 31.3% did so only once in the last five years. However, the data show that the HIPAA security rule has impacted health care organizations; 73.9% reported that they reached a reasonable and appropriate level of security; 33.3% of them believed they were in compliance with this requirement between April and December 2005. The progress after the mandatory date of April 2005, however, suggested a slowdown in the number of compliances. Healthcare organizations reported that 46.9% always, 17.7% often, and 26% occasionally apply appropriate sanctions required by the HIPAA security rule against workforce members who failed to comply with the security policies and procedures. A total of about 64.6% were compliant with this requirement. Data revealed that 62.5% of the respondents did implement the requirement; however, about half of them did not comply until after the mandated date. Only 4.2% of participants reported to be compliant in 2007. Progress in meeting this requirement is also slowing down. About 67.7% of the healthcare institutions that participated in this research identified a security officer during the last five years. During the year 2005, however, 51.1% of the participants reported they were in compliance with this requirement. To protect ePHI, the HIPAA security rule required that health care organizations implement procedures for the authorization and/or supervision of workforce members who work with electronic protected health information or in locations where it might be accessed. Data revealed that 76% were in compliance with this requirement. Most of the respondents (35.5%) reported that their compliance with this requirement was achieved between April and December 2005, which clearly indicates that the behavior to be compliant was more likely to be associated with the HIPAA security rule and its time of mandate. Data collected revealed the positive impact of the HIPAA security rule; 70.9% of healthcare institutions implemented guidelines for accessing protected health information before 2006; 37.5% of them implemented this requirement between April and December. Terminating access to ePHI when the employment of a workforce member ends is a protective action taken by most of the healthcare organizations in this sample (64.6%, before April 2005) before the mandated deadline of the HIPAA security rule. This researcher believes that ease of implementation and the high risk of sensitive data to be easily accessed wrongly by angry former employees may be a major factor in implementing