The impact of the HIPAA regulation on information technology security in the healthcare industry

Statement of the problem. Personally identifiable healthcare information automated by the healthcare industry must be given acceptable safeguards to ensure the privacy and protection of this information. Without governmental intervention, it seems unlikely that the healthcare industry will voluntarily implement such safeguards. For this reason, the HIPAA regulation was passed by Congress; however, it will not be fully implemented until the final security rule mandatory compliance date of April 21, 2005.; Description of the methodology. A survey was conducted by both e-mail via the Internet, and U.S. Mail questionnaire of 979 active participants of the reported 5,000 HIPAAlive.com enrollees, with a total of 292 participants responding. The results by question were compiled to respond to the following two research questions: (1) Which (if any) of the security requirements listed in the Notification of Proposed Rule Making (NPRM) Administrative Simplification section of the HIPAA regulation have been met specifically due to the regulation being enacted? (2) Has the healthcare industry increased the protection of personally identifiable healthcare information protected by the HIPAA regulation explicitly due to the impending enactment of the HIPAA regulation? The final security rule requirements were not used, as the final security requirements had not been known by industry sufficiently long to allow for change based on them.; Findings. The data collected suggest it is doubtful many organizations will be in full compliance with the final security rule requirements by the mandatory compliance date. These findings also indicate the HIPAA regulation has not yet had the desired impact on information security safeguards implemented in the healthcare industry at large. While all but four of the twenty-six survey questions were answered in the negative by more than half of the survey respondents, a negative response to any question does not indicate the HIPAA security requirement has not been met. It merely indicates the respondent's organization did not accomplish the actions required by the HIPAA security rule strictly because of the HIPAA regulation. Further study should be accomplished after all of the regulation has been enforced to completely understand the final impact of HIPAA on protecting personal health information.