
US Healthcare Industry Quarterly HIPAA Survey Results:
Summer 2003


Executive Overview

Conducted in early July, just three months after the HIPAA Privacy compliance deadline and three months before the Transactions and Code Sets (TCS) deadline, the Summer 2003 Survey spotlights the healthcare industry's progress on Privacy and TCS, currently the most time-critical HIPAA compliance issues. This survey, our 15th quarterly healthcare industry HIPAA poll, attempted to explore "the real story" behind statistics - and behind the doors of healthcare Providers, Payers, Vendors and Clearinghouses. In the Privacy arena, we probed beyond reports of overall compliance into degrees of implementation of specific keystone requirements, such as Notices of Privacy Practices, Accounting of Disclosures, and Business Associate Agreements. TCS compliance was examined by focusing on readiness efforts of Payers and Vendors according to their size, specific electronic transactions most likely to be put to use as of the TCS deadline in October, 2003, and the impediments to compliance progress faced by each industry segment.

Key results of the Summer 2003 survey include:

  • HIPAA Privacy
    • While overall compliance has increased dramatically among Payers, Vendors and Clearinghouses, Provider compliance levels remain surprisingly unchanged since the Spring 2003 survey: 77% of Providers reported compliance in the Summer 2003 Survey, as compared to 78% in the Spring Survey. More to the point, 23% of Providers reportedly remained non-compliant with the Privacy Rule three months after its compliance deadline.
    • Consistent with our Spring 2003 Survey results, up to 20% of the Providers and Payers that professed to be Privacy compliant have not, in fact, implemented key features of the Privacy regulations.
  • HIPAA Transactions and Code Sets
    • Predictions of readiness to transmit all required HIPAA transactions have been scaled back by our respondents since the Spring 2003 Survey: for example, only 62% of Payers expect to be able to handle all HIPAA-mandated transactions by October 16 (as compared to 79% in the Spring 2003 Survey).
    • An average of 62% of all industry segments are currently engaged in TCS testing with trading partners - less than half of Payers and Providers have completed this required external testing.
    • "Not Enough Time" was ranked as the top roadblock to meeting the upcoming TCS compliance deadline on October 16, 2003.
    • Lack of cooperation and communication among healthcare industry segments, vital to industry-wide adoption of the HIPAA TCS standards, remains an ongoing impediment to meeting the October deadline.
  • Security
    • Initiatives for Security Rule compliance are moving slowly - over 50% of Providers and Payers do not expect to be compliant for a year or more. The Security deadline for compliance is April, 2005.
    • Security initiatives mandated by the Privacy Rule are also a lagging effort: over 20% of Providers who claim to be compliant with the Rule have not yet met these requirements.


THE SURVEY

Phoenix Health Systems and HIMSS conducted the Summer 2003 US Healthcare Industry Quarterly HIPAA Compliance Survey during the first two weeks of July. Following email appeals to HIMSS' 13,000+ members and to Phoenix' 20,000+ HIPAAlert newsletter subscribers, a total of 571 healthcare industry representatives responded. The online survey was completed anonymously via Phoenix' web site, HIPAAdvisory.com.


The Organizations

Respondents from Provider organizations accounted for 71% (407) of participants. The breakout of participants follows:

  • Providers – 71%
    • Hospitals with 400+ beds: 16%
    • Hospitals with 100-400 beds: 19%
    • Hospitals with less than 100 beds: 12%
    • Medium-sized physician practices (11 to 29 physicians)/other providers: 10%
    • Small physician practices (10 or fewer physicians)/other providers: 14%
  • Clearinghouses – 3%
  • Payers – 16%
    • Covering fewer than 150,000 Lives: 6%
    • Covering 150,000 - 500,000 Lives: 3%
    • Covering 501,000 - 1,500,000 Lives: 3%
    • Covering more than 1,500,000 Lives: 4%

  • Vendors – 10%
    • Annual Income less than $50M: 6%
    • Annual Income of $50M-$100M: 2%
    • Annual Income greater than $100M: 2%

Organizational HIPAA Emphasis

Eighty-seven percent of survey respondents hold an "official" role within their organization for HIPAA compliance, with 29% working specifically in the compliance/security arena. The majority of respondents (52%) are CIOs, senior managers, and department managers.

Executive support for HIPAA Privacy compliance efforts remains very high across all industry segments, with a total of 81% of all respondents reporting moderately strong to very strong support. Support is not quite as strong for enterprise TCS compliance efforts; however, 65% of respondents reported moderate to strong support. Security compliance initiatives received the lowest level of management support, with less than 25% of respondents reporting that management support within their organization was high.


PRIVACY COMPLIANCE

With the notable exception of Providers, Privacy compliance has improved dramatically since the Spring 2003 Survey: 88% of clearinghouse respondents reported compliance (up from 47% in the Spring 2003 Survey), along with 81% of Vendors (up from 39% in the Spring 2003 Survey) and 85% of Payers (up from 68% in the Spring 2003 Survey). Significantly, Providers who historically have led the way in addressing Privacy now represent the least Privacy-compliant segment of the healthcare community: only 77% of Provider respondents reported that their organizations are compliant. Unlike the other industry groups polled, Providers have made no progress in Privacy compliance since the Spring 2003 Survey was conducted in April (when 78% reported compliance). Compliance across Provider groups is relatively consistent, with compliance levels ranging from 73% of hospitals of 100 to 400 beds, to 82% of small physician practices.

The Privacy focus of the Summer 2003 Survey emphasized "drilling down" into the day-to-day realities of HIPAA Privacy, in order to clarify whether gaps remained between "compliant" organizations' actual privacy practices and the letter of the law. We asked the 77% of Providers and 85% of Payer organizations that stated they were compliant with the Privacy Rule to identify key remaining areas of non-compliance, if any. Consistent with their reports in the Spring 2003 Survey, approximately 95% of reportedly compliant Providers and Payers have implemented the most publicly visible HIPAA Privacy requirements, such as the Notice of Privacy Practices, obtaining Patient Authorization, providing workforce training, and enabling patients' rights to review, amend and restrict access to medical records.

However, the more difficult and farther reaching requirements have not been implemented as fully. Establishing required Business Associate Agreements topped this list: only 74% of "compliant" Payers and 61% of "compliant" Providers have completed this work, suggesting that many business partners with access to protected health information (PHI) may not yet be protecting patient privacy as necessary. Similarly, only about two-thirds to three-fourths of "compliant" Provider and Payer participants (see table below) have put privacy compliance monitoring systems into place. A special area of concern is the security protections of PHI that are required by the Privacy regulations: only 79% of "compliant" Providers have implemented such measures.

Detailed Spot Check of "Privacy-Compliant" Organizations

Areas of Privacy Compliance                                         Providers  Payers
Post and distribute Notice of Privacy Practices                     99%        98%
Obtain acknowledgement of receipt of Notice of Privacy Practices    98%        N/A
Obtain Patient Authorizations for use and disclosure of PHI         98%        94%
Enable mandated patients' rights (review, amend, restrict records)  95%        94%
Provide ongoing Privacy training                                    95%        95%
Maintain Accounting of Disclosures                                  88%        96%
Document Privacy policies and practices                             87%        93%
Use "Minimum Necessary" Restrictions                                83%        N/A
Provide overall workforce Privacy training updates                  80%        85%
Implement security protections as required under the Privacy Rule   79%        88%
Monitor organizational compliance with Privacy regulations          65%        76%
Have obtained all required Business Associate Agreements            61%        74%


TRANSACTIONS AND CODE SETS COMPLIANCE

TCS compliance efforts may have taken a back seat prior to the Privacy compliance deadline, but no longer. TCS compliance appears to be front and center on most organizational agendas, and for many, the source of great concern. However, in spite of strong management support and looming deadlines, progress toward TCS compliance remains very slow. Organizations continue to struggle with poor communications among business partners, technical obstacles, and time constraints that hamper TCS implementation efforts.

The Department of Health and Human Services' (HHS) deadline for the healthcare industry's final conversion to HIPAA standard Transactions remains October 16, 2003, despite numerous public appeals for postponement or relief. When asked when they would be ready to accept and transmit the standard Transactions on behalf of Provider organizations, 82% of Payers, 67% of Vendors and 88% of Clearinghouses predicted they would be ready to accept/transmit one or more transactions by the deadline. But their projected time frames for accepting/transmitting all HIPAA standard Transactions were notably less optimistic than this, and - of even greater concern - less optimistic than the projections reported in our Spring 2003 Survey. Sixty-two percent of Payers (down from 79% in the Spring Survey), 46% of Vendors (down from 68%), and 63% of Clearinghouses (down from 86%) expect to be able to accept and transmit all Transactions by the October compliance deadline. This likely is a realistic reflection of actual progress made in the past three months.

In an effort to identify where the greatest impediments to TCS compliance lie, the Summer 2003 Survey for the first time isolated responses by Payers and Vendors on the basis of their relative size. Overall, the larger the Payer organization, the closer it is to full TCS capability: 85% of Payers covering more than 1.5 million lives, 65% of Payers covering between 501,000 and 1.5 million lives, and about 53% of Payers covering fewer than 501,000 lives expect to be able to handle all HIPAA transactions by the October 16 deadline. A similar trend did not emerge from responses of Vendors, whose software products are pivotal in enabling transactions processing between Providers and Payers: 39% of Vendors with revenues of $100M+, 60% of Vendors with revenues between $50M and $100M, and 45% of Vendors with revenues less than $50M predicted readiness to handle all standard transactions by the October deadline.

HHS required all covered entities to begin HIPAA Transactions testing in April 2003. Although many have a long way to go, the percentage of organizations conducting both internal and external TCS testing has increased significantly over Spring 2003 Survey reports. Refer to the following graph indicating internal and external TCS testing activity by industry segment for both Spring and Summer.

Despite the gloomy reports above, most covered healthcare organizations appear to be working hard on the TCS implementation process. Ninety-one percent of payers, 81% of providers, and 94% of clearinghouses have either completed or expect to have completed their TCS gap analysis before October. Seventy-five percent of Payers, 74% of Providers, and 64% of Vendors state they will have implemented all TCS changes by October, including putting into place all necessary systems, policies and procedures changes.


Transaction Types

In light of the "administrative simplification" objectives of the Transactions and Code Sets Standards, we asked providers and payers to indicate which types of transactions their organizations were actually planning to send and receive, at least as of the October 16 deadline. Not surprisingly, payer projections are greater than those of providers, considering the requirements upon them to handle all HIPAA standardized transactions. The majority of Providers, as illustrated below, anticipate conducting 837 Claims and 835 Payments and Remittance Advice transactions immediately. However, a majority of Providers do not plan to conduct the remaining standard electronic transactions, at least as of October 2003.

Transaction Types                       Providers  Payers
837 Claims, COB, Equivalent Encounter   76%        84%
835 Payment, Remittance Advice          55%        80%
270/271 Claims Status                   32%        71%
276/277 Eligibility                     29%        66%
834 Enrollment/Disenrollment            13%        56%
820 Premium Payment                     6%         45%
None                                    1%         3%


"Not Enough Time" Ranked the #1 Roadblock to HIPAA Compliance

We have tracked the "major roadblocks" to overall HIPAA compliance experienced by the healthcare industry over several quarters. For the second quarter in a row, "not enough time" has been identified as the top roadblock to HIPAA compliance. A close second this quarter was "resolving issues with third parties" - a fair indication of ongoing communication/tracking problems among business partners. "Interpretation of the HIPAA regulations" ranked third.

To pinpoint more specific TCS-related issues, the current survey included new questions focused on "obstacles" to TCS compliance in particular. Provider participants indicated that the primary obstacle they face is that "Payers are not ready for testing" (48%), with "Payers not ready to accept/transmit transactions" as a close second (37%). Twenty-nine percent noted that their Vendors have not yet provided compliant software, and 27% reported that difficulties in "capturing required data" remain an internal impediment. One other major concern voiced by Providers was that they "cannot get needed information from Payers, Vendors, and Clearinghouses" (38%). On the flip side, Payers accused Providers of "not being ready for testing" (57%) and "not capturing data" (44%). Vendors reiterated the same complaints against both Providers and Payers, and raised concerns regarding "ambiguities in the Implementation Guides." Clearinghouse respondents cited similar problems with trading partners, especially Payers, and also "ambiguities in the Implementation Guides."


Contingency Plans

The Summer 2003 Survey asked participants what contingency plans they have, if any, should they be unable to transmit necessary standard electronic transactions by the October deadline. Approximately seventy percent of all participants have such contingency plans. Most Providers who have set up contingency plans indicated they will use a compliant Clearinghouse, rely on manual (paper) transactions, or use Direct Data Entry (DDE) where possible. Payers who have established contingency plans indicated they will rely on manual transactions, continue to accept proprietary (non-compliant) transactions, or rely on a Clearinghouse. Vendor contingency plans include continuing to process proprietary transactions, or using a compliant Clearinghouse.


SECURITY COMPLIANCE

Security Rule remediation efforts clearly remain on a back burner, as covered entities grapple with TCS initiatives. The Security Rule's final compliance deadline is in April, 2005. The following table illustrates current levels of Security compliance by covered entity group, and projected completion timelines.


COMMUNICATION BREAKDOWN

Throughout the last several quarters, communication among business partners has remained a major concern for many survey respondents. Most participants feel that their own organizations have been proactive and forthcoming in communicating their compliance plans and timelines with business partners, but that their business partners are not as cooperative as necessary.

Clearinghouses (98%), Vendors (70%), and Payers (68%) say they have communicated "all" or "much" information to their clients regarding HIPAA compliance plans, progress, and timelines. However, only 60% to 65% of the Providers and Payers agree. Moreover, 25% of Providers indicated that their Payers have communicated nothing to them regarding their HIPAA compliance activities.

With regard to the perceived readiness of trading partners to accept and transmit HIPAA-compliant transactions by the October deadline, Clearinghouses received the highest vote of confidence, followed closely by Vendors. Providers (80%) and Payers (81%) are relatively certain that their Clearinghouses will be ready for the TCS deadline. About 75% of both Providers and Payers have similar confidence in their Vendors. Unfortunately, Providers indicated little confidence in the ability of their Payers to meet the deadline: only 53% believe that the Payers will be ready for the TCS deadline. Over a third of Providers reiterated that Payers have offered insufficient information to indicate readiness one way or the other.


USE OF OUTSIDE CONSULTANTS

Summer 2003 survey results showed that 45% of respondents across the industry are currently using outside consultants to support HIPAA initiatives. As in the past, the biggest users of consultants are larger hospitals (58%) and Payers (62%). Of those using consultants, more than 50% of respondents have contracted for assessment and implementation planning services, with Privacy compliance first, followed closely by both TCS and Security compliance. Another 48% have engaged consultants for implementation support in the area of TCS compliance.


2003 HIPAA BUDGET HIGHLIGHTS

Hospital budgets for HIPAA compliance in 2003 are generally higher than 2002 HIPAA budgets. However, spending seems to be leveling off. Budget figures for this quarter are actually lower in most cases than those published in the Spring survey report, especially among small to medium-sized hospitals.

Payer budgets for 2003 are showing a different distribution - some higher, and some lower than figures provided for 2002. Payer organizations covering less than 150,000 lives plan to spend less overall in 2003 than in 2002. While 19% of these Payers planned to spend more than $500,000 in 2002, only 3% have budgeted over $500,000 for 2003. Payers covering between 150,000 and 500,000 lives have much higher budgets for 2003. While only 26% of these Payers budgeted over $1 million in 2002, 55% budgeted over $1 million for 2003. In 2002, 22% of Payers covering 500,000 to 1.5 million lives planned to spend less than $500,000, while 100% of these Payers now plan to spend over $500,000. On the other hand, the number who plan to spend over $2 million has come down from 48% in 2002 to 29% in 2003. In 2002, the budgets of 81% of larger Payer organizations covering more than 1.5 million lives exceeded $2 million, compared with 62% for this quarter of 2003.

By sub-categorizing our Vendors by income level, we have created a much clearer picture of current spending. Data for 2002 suggested that 63% of all Vendors were spending less than $200,000 on HIPAA compliance. This figure remains accurate for smaller Vendors; however, 36% of larger Vendor organizations are spending over $1 million this year alone.

A graphical comparison of hospital, payer, and vendor HIPAA budgets, by year, is offered below. In reviewing the information below, note that we have expanded the Vendor category, and have changed the spending categories in certain cases.


[Figure: Hospital Budgets: 2002 vs. 2003]

[Figure: Payer Budgets: 2002 vs. 2003]

[Figure: Vendor Budgets: 2002 vs. 2003]