Andrew E. Blustein, Esq., responded quickly when asked what he came away with after talking to providers at last week's 17th annual HIPAA Summit at the Wardman Park Hotel in Washington, DC.
"People are shell-shocked," says Blustein, partner and co-chair of Garfunkel Wild & Travis, PC's Health Information and Technology Group in Great Neck, NY, and Hackensack, NJ.
Blustein and David A. Mebane, Esq., senior vice president for legal affairs at Saint Barnabas Health Care System in West Orange, NJ, teamed up to present on breach notification at the event.
HHS released its interim final rule on breach notification August 24, calling for greater—and more swift—notification requirements when there is a breach of unsecured PHI.
It's one requirement among many in the HITECH Act that has providers worrying about compliance. The HITECH Act, signed into law February 17, 2009, calls for increased HIPAA enforcement, stiffer monetary penalties for privacy and security violations, and more patient rights regarding their medical records.
"I think that people are just a little overwhelmed," Blustein says.
Providers have a tough enough time complying with HIPAA's Administrative Simplification Act, Blustein says.
"They're very complicated," he says. "They're like a puzzle."
Times have changed at the HIPAA Summit. In the days shortly after the HIPAA law passed in 1996, providers buzzed at the conference and showed some spark about compliance.
"People were excited," Blustein says. "They were getting amped up about things like 'minimum necessary.'"
Today, Blustein says they feel like Roberto Duran in his 1980 WBC welterweight title fight against Sugar Ray Leonard. Duran quit in the middle of Round 8, reportedly saying, "no mas," Spanish for "no more."
"People are saying there are so many hospital regulations flying at us, and they're saying, 'no mas,'" Blustein says. "How much more can we get? And more's coming."
Kate Borten, CISSP, CISM, president, The Marblehead Group, in Marblehead, MA, also feels from her time at the HIPAA Summit that providers are just not ready.
Fellow speaker J. David Kirby, president of Kirby Information Management Consulting, LLC, made the great point that "most healthcare still takes place in small practices," Borten says.
"From my work and personal experience and anecdote, the small providers are woefully out of compliance (not sure it's willful though)," Borten wrote in an e-mail to HealthLeaders Media. "And I bet few of them are even aware of these new regulations. … When [covered entities] and [business associates] still believe in 2009 that a patient name alone, without a dx code, is not PHI, it's pretty scary."