RECOMMENDATIONS
Although it would be unwise to dismiss the impact
of the other factors, this researcher is confident
that the main obstacles to HIPAA security rule
implementation are, in order: High Cost, Complexity of
the Rule's Implementation, Lack of Expertise in
Security, Lack of Expertise in the HIPAA Security
Rule, and Lack of Guidance.
Many areas identified from the literature need
more attention and improvement. The ranking of
the HIPAA security requirements according to
their level of compliance revealed that the least
complied with requirements were:
implementation of a mechanism to encrypt and
decrypt electronic protected health information
whenever deemed appropriate; creating a retrievable,
exact copy of electronic protected health
information, when needed, before movement of
equipment; performing periodic evaluation in
response to environmental or operational changes
affecting the security of electronic protected health
information; assessing the relative criticality of
specific applications and data in support of other
contingency plan components; implementation
of electronic mechanisms to corroborate that
electronic protected health information has not
been altered or destroyed in an unauthorized
manner; implementation of procedures for periodic
testing and revision of contingency plans;
and implementation of policies and procedures
that document repairs and modifications to the
physical components of a facility that are related to
security. Healthcare organizations in this sample
performed poorly on these underlying HIPAA security
rule requirements. The areas related to these
requirements need more attention from covered
entities before it is too late.
With the recent American Recovery Reinvestment
Act (ARRA), the Economic Stimulus Bill,
tens of billions will be invested in health
information technology. However, the level of
enforcement will also increase, for example through
audits by the Centers for Medicare and Medicaid Services
(CMS) and the Office of Civil Rights (OCR). Covered
entities should be prepared for such investigations.
As this study revealed, compliance with the HIPAA
security rule is far from being achieved. However, the HIPAA
privacy and security rule environment is changing.
Covered entities have to be prepared for what is
coming. Many recommendations emerged from
this study:
1. Thorough risk assessment: Covered entities
have to follow rigorous risk assessment/
analysis models to identify risks and areas
that need attention. Implementing sound
risk management strategies helps in managing
and using precious resources.
2. IT strategy should adhere to the HIPAA
security rule: IT strategy and business
strategy alignment is crucial. However, for
covered entities, IT investments have to be
in line with HIPAA security rules and regulations.
Information access management and
access control are the source of the majority
of the complaints and violations handled by
CMS (Wild K.R., 2009). They should be
dealt with effectively.
3. Documentation: Written policies and
procedures for your highest risk areas are
a critical step towards HIPAA security rule
compliance.
4. Staff Training/Disciplinary Policies:
Security awareness in general is a major
area that needs to be addressed. However,
training and awareness without enforcement
will be ineffective; therefore, a sufficient
disciplinary policy has to be in place.
FUTURE RESEARCH
With the financial crisis hovering over many
industries, healthcare institutions may cut spending
and investment when it comes to IT security,
including the HIPAA security rule implementation.
Revisiting the HIPAA security rule compliance
status and determining the impact of the American