Publication of the long-awaited HIPAA FINAL Security Rule in February didn’t exactly create the frenzy of a new Harry Potter novel hitting the bookshelves. Health-care CIOs were, after all, busy worrying about complying with the April 14, 2003, deadline for the Privacy Rule—and then there is the October 2003 deadline for HIPAA Transaction and Code Standards to contend with. It would be easy for companies to put the Security Rule lower on the priority list since the government’s compliance deadline is still two years away. Yet while it’s tempting to ration the number of brain cells devoted to HIPAA (the Health Insurance Portability and Accountability Act of 1996), health-care CIOs can’t afford to put security on the back burner for long—if at all.

"It’s true that from the perspective of the Department of Health and Human Services, the Security Rule is not enforceable until April 21, 2005. But HHS could impose penalties for security breaches based on the Privacy Rule, so by any other measure, you should’ve done it yesterday," says Kate Borten, president of health-care security and privacy consultancy The Marblehead Group and author of HIPAA Security Made Simple. "Don’t get lulled into thinking you have a couple of years."

While HIPAA fines won’t likely be levied for any security breaches that occur before 2005, should your organization suffer a breach tomorrow you can expect to find yourself on the front page of The New York Times or the target of a class-action lawsuit on behalf of patients whose data was exposed. And either of those things could make HIPAA penalties seem as harmless as drawing the "Go to jail" card in a Monopoly game.

Yet so far, less than 10 percent of health-care organizations recently polled by Gartner Research have implemented the security policies and procedures required by HIPAA. And only 78 percent of health-care providers met the April deadline for Privacy Rule compliance, according to the Health Information and Management Systems Society. Many organizations are waiting to see what will happen to noncompliers. "They figure the fines are cheaper than going into HIPAA compliance," says Wes Rishel, vice president and research area director at Gartner. "That’s a dangerous attitude."

While enforcement may not be stringent at first, he predicts that the government, along with the Joint Commission on Accreditation of Healthcare Organizations, or JCAHO, will eventually crack down on those organizations that have "fallen to the back of the pack" in compliance. "You don’t need to be the first, but you don’t want to be the last," Rishel warned at a recent Gartner symposium.