HIMSS / Phoenix Health Systems
US Healthcare Industry Quarterly HIPAA Survey Results:
Spring 2003
Executive Overview
Two significant HIPAA deadlines have come and gone in Spring 2003.
The April 14 deadline for healthcare industry compliance with the
controversial Privacy Rule arrived with nationwide press announcements
and commentary. Less commented on by the press, but ultimately perhaps
more critical to the long term functioning of the nation's healthcare
business operations, the deadline to begin testing HIPAA Transactions
and Code Sets (TCS) occurred April 16. Have covered healthcare providers,
payers and clearinghouses surmounted obstacles like tight budgets,
complex regulatory verbiage and bumpy communications between business
partners to achieve on-time compliance? The Spring 2003 survey,
our 14th quarterly healthcare industry HIPAA progress poll, included
pointed new questions about covered entities' Privacy and Transactions
and Code Sets compliance efforts. Key results of the Spring 2003
survey include:
- Seventy-eight percent of Providers, 68% of Payers and 47% of
Clearinghouses stated they were compliant with the HIPAA Privacy
Rule by the April 14 deadline.
- Nearly 100% of Providers who reported being Privacy-compliant
have implemented the most publicly-visible requirements of the
Privacy Rule -- such as Notices of Privacy Practices and Patient
Authorizations. However, significantly fewer have implemented
requirements such as enabling patients to receive an accounting
of health information disclosures, limiting staff access to protected
health information on a "minimum necessary" basis, and
completing agreements with Business Associates to ensure the latter
are protecting patient privacy.
- Among healthcare computer systems Vendors (business associates
whose cooperation with HIPAA is critical to healthcare operations),
only 39% have completed Privacy remediation efforts.
- Forty-nine percent of Providers, 62% of Payers, 55% of Vendors
and 80% of Clearinghouses stated they were conducting internal
Transactions testing as of the TCS April 16 testing deadline.
Thirty-nine percent of Providers, 37% of Payers, 39% of Vendors
and 53% of Clearinghouses were conducting external testing with
their business partners, as of the testing deadline.
- Cooperation among healthcare industry segments was reportedly
less than satisfactory, and was again ranked one of the top roadblocks
to HIPAA compliance, along with "not enough time" and
difficulty in interpreting the HIPAA regulations.
- Management support for HIPAA compliance has significantly increased
over measurements recorded in past surveys.
THE SURVEY
Phoenix Health Systems and HIMSS conducted the Spring 2003 U.S.
Healthcare Industry Quarterly HIPAA Compliance Survey during the
first two weeks of April. Following e-mail appeals to HIMSS' 13,000+
members and to Phoenix' 20,000+ HIPAAlert newsletter subscribers,
a total of 697 healthcare industry representatives responded. The
online survey was completed anonymously via Phoenix' website HIPAAdvisory.com.
The Organizations
Respondents from Provider organizations accounted for 70% (490)
of participants. The breakout of participants follows:
- Providers - 70%
  - Hospitals with 400+ beds: 12%
  - Hospitals with 100-400 beds: 16%
  - Hospitals with less than 100 beds: 13%
  - Medium-sized physician practices (11 to 29 physicians)/other
    providers: 8%
  - Small physician practices (10 or fewer physicians)/other
    providers: 20%
- Payers - 19%
- Clearinghouses - 2%
- Vendors - 9%
Organizational HIPAA Emphasis
Eighty-six percent of survey respondents hold an "official"
role within their organization for HIPAA compliance, with 24% working
specifically in the compliance/security arena. The majority of respondents
hold management or executive level positions, including 19% at Senior
Management level.
As illustrated in the table below, executive support for HIPAA
compliance efforts has suddenly "spiked" in the category
of High Support. Thirty-eight percent of respondents (up from 19%
last quarter) reported that their senior management is now strongly
supporting HIPAA initiatives; similarly, a total of 72% of respondents
(up from 62% last quarter) reported that their senior management
is providing a range of moderately strong to strong support.

DEADLINE HEADLINES
Privacy Compliance
Many enterprises hire staff who will "work well under pressure",
and our Spring survey results suggest that healthcare organizations
employ their share, considering the remarkable progress they have
reported in Privacy compliance since the Winter 2003 survey, conducted
in January. Seventy-eight percent of healthcare Providers claimed
they were compliant with the HIPAA Privacy regulations by the April
14 deadline, as compared to only 9% of Providers in the Winter 2003
Survey. Payer progress was also significant, increasing from 5%
reporting compliance in the Winter Survey to 68% in the Spring Survey.
Forty-seven percent of clearinghouses (compared with 14% in the
Winter 2003 Survey) are now Privacy-compliant. Vendor responses
were worrisome at best: 23% were unsure of their HIPAA Privacy compliance
status, and only 39% of healthcare software vendors reported they
are Privacy-compliant (compared with 19% in the Winter 2003 Survey).
How thorough is the reported "compliance"? Despite the
above claims, a deeper probe into the specifics within Provider
organizations indicates that not all Privacy requirements have yet
been met. While approximately 98% of reportedly compliant Providers
have implemented the most publicly visible requirements such as
the Notice of Privacy Practices, obtaining patient acknowledgement
of receipt of the Notice, and obtaining Patient Authorizations for
use and disclosure of protected health information (PHI), only 88%
have put into place other requirements such as a process for providing
an accounting of disclosures to patients, or setting "minimum
necessary" PHI access restrictions on healthcare workers. Forty
percent of "compliant" Providers indicated that they had
not yet finalized required Business Associate agreements that will
ensure that business partners with access to PHI are protecting
patient privacy. Twenty-nine percent have not implemented a working
process for monitoring Privacy compliance, and 18% do not yet have
the Privacy Rule's required data security protections in place.
See table below for more details:
Detailed Spot Check of "Privacy-Compliant" Providers
| 98% | Post and distribute Notice of Privacy Practices |
| 97% | Obtain acknowledgement of receipt of Notice of Privacy Practices |
| 97% | Obtain Patient Authorizations for use and disclosure of PHI |
| 96% | Enable mandated patients' rights (review, amend, restrict records) |
| 91% | Document Privacy policies and practices |
| 89% | Maintain Accounting of Disclosures |
| 88% | Use "Minimum Necessary" Restrictions |
| 82% | Implement security protections as required under the Privacy Rule |
| 71% | Monitor organizational compliance with Privacy regulations |
| 60% | Have obtained all required Business Associate Agreements |
The table below illustrates the Privacy compliance status of participating
Providers, broken down by size and type of organization:

The following table illustrates the Privacy compliance progress
and expectations of Payers, Clearinghouses and Vendors:

Transactions and Code Sets Compliance
The strong progress of Privacy compliance since January suggests
that on-time implementation of the highly visible Privacy regulations
may have dominated the focus of healthcare HIPAA compliance efforts
in recent months. The emphasis on implementation of Privacy regulations
along with the technical complexities inherent in nationwide adoption
of HIPAA standardized Transactions may have delayed Transactions
and Code Sets (TCS) compliance efforts in many healthcare enterprises,
especially Provider organizations. In any event, readying the HIPAA
Transactions and Code Sets for testing and final implementation
remains a struggle for many organizations across the healthcare
industry.
As of the Spring Survey polling period, only one-half of all survey
participants reported completion of TCS implementation activities,
and just 53% began internal testing by the HHS-stipulated April
16 testing deadline. On a more positive note, the majority of organizations
had completed TCS HIPAA Awareness/Education (78%), Assessment (73%),
and Implementation Project Planning (67%). Further, almost 40% of
respondents had already begun external testing with business partners.
[Note: larger hospitals (over 400 beds) showed the greatest progress
in TCS compliance - 68% are testing internally and 45% are testing
with business partners.]
Forty-nine percent of all Providers, 62% of Payers, 55% of Vendors
and 80% of Clearinghouses stated they were conducting internal Transactions
testing as of the TCS April 16 testing deadline. Only 39% of Providers,
37% of Payers, 39% of Vendors and 53% of Clearinghouses were conducting
external testing with their trading partners, as of the testing
deadline.
See the following graph indicating internal and external TCS testing
activity, by industry segment:

The HHS deadline for the healthcare industry's final conversion
to HIPAA standard Transactions is October 16, 2003. As key players
in achieving this objective, Payers, Vendors and Clearinghouses
were asked when their organizations expected to be ready to accept
and transmit all HIPAA-compliant Transactions on behalf of Provider
organizations. Seventy-nine percent of Payers, 68% of Vendors and
86% of Clearinghouses expect to be able to do so by the October
compliance deadline. See the following Table for more details.

When asked how the recent approval of the Transactions and Code
Sets Addenda had affected organizational HIPAA compliance efforts,
36% of respondents saw no immediate impact, while 42% are beginning
to use the addenda to implement their standard Transactions. Twenty-four
percent of Providers and 42% of Payers indicated that their organizations
plan to use third party certification of their transactions capabilities.
Seventeen percent of Providers and 35% of Payers will recommend
that business partners certify with a third party prior to sending
transactions. Only eighteen percent of Provider organizations indicated
that they plan to perform their own testing with business partners
without using a third party certification service. Very few Payers
or Providers plan to "require" business partners to certify
through a third party.
Contingency Plans
For those respondents who indicated that they were unlikely to
be compliant with the HIPAA Transactions and Code Sets regulations
by the October deadline, we asked for written comments regarding
any contingency plans, either planned or already in place. It is
startling that of the 105 organizations that provided comments,
only 38 (35%) have any contingency plans for alternate transactions
processing.
Most Providers who have set up contingency plans indicated they
will use Direct Data Entry (DDE) where possible, perform manual
transactions, use a clearinghouse, or change software vendors or
their clearinghouse. Payers who have established contingency plans
indicated they will either accept paper transactions, continue to
use non-compliant transactions, change software vendors, or rely
on a clearinghouse. Vendor contingency plans include continuing
to process proprietary (non-compliant) transactions, or ensuring
they can process the most important HIPAA Transactions on-time and
implement the remaining standards later.
Security Compliance
Respondents were asked how publication of the final Security Regulations
had affected overall HIPAA compliance efforts within their organizations.
One third of total respondents say they are already on course toward
Security compliance, and 7% have already implemented Security compliance
efforts, so they experienced no real impact. Only 15% (surprisingly,
down from 59% in the Winter Survey) indicated that their focus on
Security had increased, with 28% continuing to focus mainly on Privacy
compliance, and another 14% on both Privacy and TCS compliance efforts.

"Not Enough Time" Ranked the #1 Roadblock to HIPAA Compliance
We have been tracking the factors experienced by the healthcare
industry as "major roadblocks" to HIPAA compliance, over
several quarters. For the first time "not enough time"
has been identified as the top roadblock to HIPAA compliance (although
it has ranked among the top three in most prior surveys). A close
second (down from #1 in the Winter 2003 Survey) was "interpretation
of the HIPAA regulations." The third in ranking was "resolving
issues with third parties" - a fair indication of ongoing communication/tracking
problems among business partners.
COMMUNICATION BREAKDOWN
Throughout the last several quarters, communication among business
partners has remained a major concern for many survey respondents.
Most participants feel that their own organizations have been proactive
and forthcoming in communicating their compliance plans and timelines
with business partners, but that their business partners are not
as cooperative as necessary.
In our Spring 2003 Survey, only 20% of Providers stated that their
vendors have been "very forthcoming" in communicating
their compliance plans, progress and timelines - another 33% stated
they were "moderately forthcoming". Worse, only 9% of
Providers reported that Payers have been "very forthcoming"
and 30% of Providers felt Payers were "moderately forthcoming".
Clearinghouses (87%), Vendors (78%), and Payers (71%) say they have
communicated "all" or "much" information to
their clients regarding HIPAA compliance plans, progress, and timelines.
But, in support of Provider concerns are reports from Payers that
48% of them are working alone and only 44% are coordinating compliance
efforts with their Provider partners. Unfortunately, this apparent
disconnect has only served to create a cycle of blame and denial
of responsibility that may be impeding the overall compliance process.
The lack of confidence expressed by survey respondents concerning
the readiness of business partners is a great concern. Providers
and Payers complained that only 50% to 60% of Clearinghouses and
Vendors are likely to be ready to accept/transmit HIPAA-compliant
transactions by the October 2003 deadline. Providers estimated that
less than 50% of Payers will be ready to accept/transmit HIPAA-compliant
transactions by the October 2003 deadline.
A representative sampling of comments:
Providers
- "As we speak with other providers and payers, we find that
we are usually ahead of the crowd in our efforts to meet the HIPAA
transaction code set standards by 10-16-03. The late approval
of the Addenda changes has had a significant impact on our software
vendors."
- "[We are] extremely concerned regarding payer readiness
to test ... Not one of our payers can produce an 835. [It is]
very difficult to confirm communications protocols. Many have
only created mailboxes to drop a claim file."
- "The biggest issue we are facing with the TCS is our system
vendors not being ready."
- "Physicians, TPAs and Payers are unfairly burdened by the
Clearinghouses and software Vendors ... who force a per claim
cost due to their lack of software compliance that is not required
by the legislation."
- "Vendors are holding us hostage by forcing us to use their
corporate clearinghouses rather than upgraded applications ...
This will cost us hundreds of thousands of dollars each year."
Payers
- "The primary problem seems to be testing the transactions
many of the provider sites don't have the means to do this. They
rely on their practice management vendors to make their systems
compliant. For some vendors the use of a clearinghouse is the
only alternative. Consequentially, transactions we previously
received for free we will now have to pay for."
- "Our key concern as a payer is that the vendors of our
existing EDI submitters won't be ready to test until August-September,
creating a last minute hectic frenzy of migration testing."
Clearinghouse
- "Our biggest hurdles for TCS compliance are for 1) our providers
to be able to pass us the new HIPAA data elements and to produce
specs/test files; and 2) most of the payers (to whom we directly
transmit data) haven't developed their companion guides; 3) ("IF"
they have), custom programming is required to transmit to each
payer, even though using the 837 "standard" transaction
set."
Vendor
- "Payer companion guides are almost non-existent, holding
up implementation work. Without pressure on the payers from providers,
and vendors responding with heroic efforts, the 837 claims effort
will be implemented with great stress, if at all, by October."
USE OF OUTSIDE CONSULTANTS
Spring 2003 survey results showed that 44% of respondents across
the industry are currently using outside consultants to support
HIPAA initiatives. As in the past, the biggest users of consultants
are larger hospitals (46%) and Payers (66%). Approximately 30% of
respondents have engaged consultants for assessment and implementation
planning services, 22% for implementation support, and about 45%
for HIPAA awareness and training support.
HIPAA Help
When asked for comments describing which resources have been most
helpful in understanding and achieving HIPAA compliance, most healthcare
organizations named online sources such as e-mail list serves (HIPAAlive,
WEDI/SNIP) and web sites (most-mentioned: CMS, HHS, OCR, WEDI/SNIP,
State SNIPs, State-sponsored sites, Phoenix Health Systems' HIPAAdvisory,
Bricker and Eckler, Washington Publishing Co, and AHIMA). Providers
also applauded the efforts of state medical associations and hospital
associations. Many respondents have also taken advantage of various
HIPAA seminars.
2003 HIPAA BUDGET HIGHLIGHTS
Hospital budgets for HIPAA compliance in 2003 are generally higher
than 2002 HIPAA budgets.
Hospitals with less than 100 Beds: 35% will spend less than $30K
in 2003, and another 31% (up from 20% last quarter) will spend between
$30K and $50K, which equates to almost two-thirds spending less
than $50K this year on HIPAA. Only 19% will spend between $50K and
$100K, and 12% between $100K and $250K.
Hospitals with 100 to 400 Beds: 28% will spend less than $50K,
32% between $50K and $100K, 24% between $100K and $250K, 9% between
$250K and $500K, and 5% over $500K.
Hospitals with 400 or More Beds: Only 5% have budgeted less than
$50K, and 16% between $50K and $100K, while over one-third have
budgeted between $100K and $500K. A major jump since the Winter
2003 Survey was an increase from 11% last quarter to 22% this quarter
of organizations that will spend between $1 million and $2 million.
Payer budgets for 2003 are significantly higher than in 2002, especially
for larger payer organizations. A graphical comparison of Hospital,
Payer and Vendor HIPAA budgets, by year, is offered below.
Hospital Budgets: 2002 vs. 2003





Payer Budgets: 2002 vs. 2003





Vendor Budgets: 2002 vs. 2003

