Final Report: Providers

7. IT Security and HIPAA

Confidence in the security of patient medical information is on the rise. Fewer respondents are concerned about security breaches, and technology appears to be less of a barrier to security. Two-thirds of organizations have assessed HIPAA compliance, and awareness of HIPAA compliance measures has increased.

For the second year in a row, compliance with HIPAA security regulations was reported to be the primary concern regarding the security of patient medical information, at 53 percent. Although it is still the top concern, this issue carries less weight than it did in 2001, when 73 percent identified it as the top concern. Forty-six percent identified an internal breach of security as a concern, compared to 58 percent in 2001. Inadequate security systems in place were cited by 28 percent of 2002 respondents, down from last year's 35 percent. Additionally, executives reported being less concerned about the limits existing technology has on the security of patient information. Last year, 40 percent of respondents identified technology limits as a concern; this year, only 27 percent identified it as such. Lack of patient confidence was also seen as less of a concern this year, identified by only 19 percent of respondents. In 2001, 29 percent identified lack of patient confidence as a concern.

Knowledge about HIPAA's security requirements is rising. This year, 36 percent of respondents indicated they were very knowledgeable about HIPAA, compared with 29 percent last year. The number of respondents who claimed to be not at all knowledgeable about HIPAA remained low and relatively unchanged at roughly 3.5 percent.

Although fewer respondents indicated that HIPAA was a concern regarding patient medical information, their organizations in greater numbers are taking steps to ensure HIPAA compliance. Seventy percent indicated that their organizations have assessed HIPAA compliance, an 18 percent increase over last year. Additionally, 58 percent indicated that their facilities have documented security policies and procedures, an increase of 13 percent over last year. Rounding out the top three, 54 percent of respondents indicated that their organizations have installed security technologies such as firewalls. This is up 3 percent from last year's 51 percent.

Additionally, almost half of the respondents indicated their facilities were reworking contracts with existing vendors to prepare for HIPAA compliance. Increases were also seen in the number of respondents who indicated that their facilities have hired a consultant or vendor to assess readiness (29 percent vs. 18 percent), implemented security policies and procedures (34 percent vs. 29 percent), and hired a security officer (35 percent vs. 34 percent). The number of respondents who indicated that their facilities have not yet begun to comply with HIPAA security requirements dropped from 14 percent to 6 percent.

The most frequently reported security tool in use at respondents' facilities is a firewall, identified by 94 percent. Other commonly used security tools include user access controls based on role/location (86 percent), multi-level passcodes (76 percent), and off-site storage (68 percent). Audit logs for each access to patient health records and disaster recovery were each identified by 58 percent of respondents. Asked to identify the security tools that their facilities were most likely to use in the next two years, 59 percent identified data encryption. In addition, 58 percent indicated they anticipate the use of audit logs for each access to patient health records in the next two years, followed by electronic signature (56 percent), single sign-on (54 percent), and disaster recovery (52 percent). Public key infrastructure (PKI) was cited by the fewest respondents, at 40 percent.

Figures:

Figure 12. Top Concerns-Security of Computerized Medical Information
Figure 13. Knowledge of HIPAA Security Requirements
Figure 14. Steps Taken to Comply with HIPAA
Figure 15. Security Tools (Today vs. Next Two Years)
