In response to the special report written by Karen Southwick, "":
I feel it is vital that your readers understand that not every doctor is required to comply with any part of HIPAA. The law states that only those health care providers who conduct a health care transaction, in an electronic form, that has been standardized by HIPAA must comply with all three HIPAA rules (Transactions and Code Sets, Privacy and Security). CMS is requiring health care providers to submit Medicare claims in an electronic fashion; however, there are exceptions to be made. The exceptions are mainly based on the size of the provider (staff, etc.). Most small health care providers meet the exception requirements and therefore do not have to submit Medicare claims electronically.
I own a security consulting company and we've been focused on HIPAA security since 2000. Our primary market is small health care providers, and many of them do not do any electronic claim submissions, for the same reason mentioned by one of the doctors you interviewed. They tell us they get paid faster using paper claims, which is why they haven't gone electronic yet. That should improve with HIPAA standardization.
For those small providers who must comply, I agree that complying with the final security standard shouldn't be overly burdensome. Our experience has been that the creation and documentation of the required policies and procedures will be the most work. They do lack a clear understanding of what they need to do to comply, which is what we provide them.