A model for HIPAA security compliance

Kathleen M Bravo, Pace University


The healthcare industry currently faces the challenge of implementing the Health Insurance Portability and Accountability Act (HIPAA) security requirements. The HIPAA security regulations went into effect on April 21, 2003, and set a 24-month period for organizations to become compliant. The mandatory compliance date was April 21, 2005, for most covered entities (April 21, 2006, for small health plans). Although the April 21, 2005, deadline has passed and the April 21, 2006, deadline is drawing near, covered entities are struggling with preparedness. HIPAA security differs from the security measures organizations currently have in place in two ways: organizations cannot pick and choose which measures to implement but must instead adhere to set guidelines in order to achieve compliance, and the HIPAA security rule is a mandate that all healthcare providers must follow, with no participation waiver.

The HIPAA security rule also differs from other federal security regulations in a number of significant ways. First, unlike other federal information technology security regulations, which affect only a few organizations, the HIPAA security rule is far-reaching and affects almost every individual residing in the United States. All hospitals, healthcare providers, insurance companies, financial billing companies, and anyone seeing or under the care of a physician are either subject to, or protected by, the set of safeguards mandated by the HIPAA security rule. Second, the HIPAA security rule outlines specific safeguards that must be implemented, whereas other federal regulations either make vague references to the safeguards necessary for compliance, require organizations to adopt a recognized framework, or offer organizations implementation flexibility based on internal risk assessments. This research looked at all state-contracted mental healthcare providers in New Jersey.
The study's major findings concern how the survey results compared to the requirements of the HIPAA security rule, the factors affecting compliance, whether common compliance practices exist, security auditing and evaluation for compliance, and the use of the diamond model in validating findings, assessing the alignment of IT and organizational needs, and constructing a proposed compliance model. The researcher sent a survey questionnaire to key IT professionals at the covered entities. Analysis of the survey produced descriptive statistics; these statistics and related graphs were developed for the entire group and were also broken down by culture. When the results of the data analysis were compared to the HIPAA security rule and the diamond model, the majority of the covered entities surveyed were found not to be ready for HIPAA security compliance. The research resulted in a proposed model for HIPAA security implementation and a number of recommendations.

Subject Area

Computer science|Health care

Recommended Citation

Bravo, Kathleen M, "A model for HIPAA security compliance" (2005). ETD Collection for Pace University. AAI3172359.


