CIO —
In 2001, Ron Uno, manager of information management at Kuakini Health Systems, made the decision to move his hospital’s medical records system from paper to computers. The main motivation for the costly, multiyear project? The Health Insurance Portability and Accountability Act, or HIPAA, the then five-year-old federal law that sets standards for protecting the security and privacy of American medical records. If the hospital had an electronic medical records (EMR) system, Uno reasoned, it would be easier to monitor who was accessing sensitive patient information and to comply with the law’s privacy and security regulations.
Five years later, Uno is halfway through implementing an EMR system. He estimates that Kuakini, a nonprofit with $275 million in revenue that operates a 250-bed hospital and a 200-bed long-term care facility in Honolulu, has spent $10 million to $15 million on implementing the system and other technologies to help it comply with HIPAA. "Even though we’re a small hospital, we’re trying to comply as much as we can," says Uno, who is closing in on full HIPAA compliance, though he’s not there yet.
The Long, Hard Road to Compliance
A decade after HIPAA was signed into law, CIOs like Uno are still struggling to comply with its provisions. Some lack the resources to fully meet the requirements of this complex set of rules; others seem to feel little need to hurry since the federal government has not aggressively enforced the law. So it comes as no surprise to learn that HIPAA compliance rates appear to be slipping.
Fewer hospitals and healthcare facilities are fully complying with the law this year than in 2005, according to a recent survey by the American Health Information Management Association (AHIMA), a professional organization for health information executives. And more than one-quarter of U.S. security executives whose organizations need to be HIPAA-compliant admit that they are not, according to "The Global State of Information Security 2006," a study released last month by CIO and PricewaterhouseCoopers.
These findings stand in sharp contrast to the billions of dollars invested by healthcare CIOs in technologies to protect medical records, including EMRs, firewalls, remote monitoring systems, intrusion detection, auditing software and encryption programs. HIPAA compliance rates declined across institutions of all sizes, but specialists say the problem is most acute at small to midsize hospitals with their limited budgets. "Smaller hospitals with thinner margins and smaller IT budgets will have a more difficult time being compliant," says Gartner analyst Robert Booz.