Report Outlines HIPAA Security Work

(April 28, 2004) The deadline for meeting the HIPAA security rule is a year away, and that's about how much time many health care organizations will need to get ready, according to a new report from URAC, a Washington, D.C.-based accreditation firm.

URAC consulted with more than 300 providers, payers, vendors and other organizations--most of which applied for its HIPAA and Web site accreditation programs. The firm then formally evaluated 60 organizations to assess their information security practices. The resulting report, which contends most covered entities are not yet compliant with the security rule, identifies four major barriers to compliance:

  • Incomplete or inappropriately scoped risk analysis efforts.
  • Inconsistent and poorly executed risk management strategies.
  • Limited or faulty information system activity review.
  • Ineffective security incident reporting and response.

The report lays out a timetable of tasks covered entities should perform between now and the security rule deadline of April 21, 2005. It walks organizations through these steps, points out "dos" and "don'ts" and specific challenges, and offers a series of recommendations.

William Braithwaite, M.D., an independent consultant who serves on some URAC accreditation committees, calls the report a "must read" for health care professionals. Braithwaite formerly served as senior advisor on health information policy at the Department of Health and Human Services.

Full text of the 28-page report, "An Assessment of HIPAA Security Preparedness: Most Health Care Organizations Remain Noncompliant," is available at

Posted to HIPAAcomply 4/29/03