HIPAA causes data security problems for small businesses

Most healthcare organizations have one more month to meet the security requirements of the Health Insurance Portability and Accountability Act (HIPAA). Will they make it? SearchSecurity.com interviewed IT, security and compliance professionals across the United States over a two-month period. What we found is the massive patient privacy law is a bitter pill for some to swallow and the best prescription for others to follow.

Don't ask your local doctor what he's done to meet HIPAA's security rules. Chances are he hasn't started thinking about it yet.

"The local guy isn't getting any of this," said Drew Williams, co-founder of the Center for Policy and Compliance, vice president of corporate development for Colorado-based Configuresoft and principal consultant for Utah-based SummitWatch Consulting Services. "He's about helping people be healthy. So he hands his administrator an edict and that person is so far removed from the concept of IT control and security."

Drew Williams

@9440 "With most large entities, I'm seeing management buy-in because they know that if something goes wrong they'll be wearing the orange jumpsuits," he said. "The smaller shops know the federal government will be watching the larger providers; that they're not the big targets."

In the end, it's hard to know for sure what the average doctor is thinking. Those contacted for this series either declined interview requests or ignored them.

While small doctor's offices may see themselves in an uphill climb, one HIPAA specialist noted it's a much smaller climb than what hospitals and insurance companies must make.

"It depends on how you define 'uphill,'" said Kate Borten, president of the Marblehead Group, a consulting firm specializing in HIPAA. "It's almost certainly true they have no in-house security expertise. In fact, they usually have no in-house IT expertise. It's all outsourced, so they're starting from zero." On the other hand, she said, "The hill they have to climb is just a little hill. Hospitals have in-house IT staff and some [information security] knowledge base, but they also have far bigger security risks and a real mountain to climb."

Because the risk is much more limited in a small doctor's office, Borten said their security program can be much more canned and still be acceptable. "That's just not true once you get to a more complex environment such as a hospital," she said.

Beaver said some doctors are so caught up in the privacy part of HIPAA they're just not thinking about security. And many simply don't understand what security is about.

"Smaller practices have a computer person. They've installed the firewall and antivirus. They install patches once a month. People think that's all they need," Beaver said.

"They're doing poorly in general," Borten said of the small offices. "I've talked to some doctors who said they haven't done a thing on security. They're not even trying to gloss over it. They thought that by dealing with the privacy side they had finished the job."

Lisa Gallagher, a consultant with Maryland-based Javelin Technology Group, takes that assessment a step further: "I can't even say the doctors' offices are ready on the privacy side," she said. "If they don't understand what they're supposed to do on privacy, you can't say they're ready on security."

Gallagher noted that she isn't working much with the smaller offices these days because many simply can't afford a consultant. She has also found that some offices haven't touched security because the federal government hasn't come checking on the privacy work.

"One doctor told me she can barely afford to stay in business and that if security becomes an issue she's going to retire," she said. "They're dealing with rising, crushing healthcare costs. They're just trying to stay above water, and HIPAA is lower on their priority list."

What will it take for the smaller offices to take notice?

"The spoilers -- the ambulance chasers -- they're the ones that will force the issue," Williams said.

In the end, Williams said, the little guys can help themselves by looking at security as more than a set of rules that must be complied with.

"The worst thing someone can do is buy a piece of technology to meet compliance," he said. "You need to invest in solutions that address the unique needs of your process. You can't have a third-word approach to your infrastructure."

All agreed that while compliance is stressful and disconcerting, it's only a short-term inconvenience. As Williams put it, "In the long run, this isn't going to hurt productivity and due care is good for your credibility."