HIMSS / Phoenix Health Systems
US Healthcare Industry Quarterly HIPAA Survey Results:
Winter 2003
Executive Overview
The eleventh hour has arrived, and our Winter Survey
found that many healthcare organizations are feeling the heat. With
both the HIPAA Privacy compliance deadline and the Transactions
and Code Sets (TCS) testing deadline less than three months away,
many covered entities are straining to meet the target dates, and
to incorporate Security requirements as well. Respondents reported
that compliance efforts are moving forward, but progress is slow,
and cultural change is even slower. Many organizations remain hampered
by difficulties in regulatory interpretation, budget constraints,
and unsatisfactory communications with trading partners.
Some significant trends noted in the Winter Survey include:
- Despite the April 14, 2003 Privacy compliance deadline, only
9% of Providers and 5% of Payers have actually completed Privacy
remediation, reflecting little change from our Fall 2002 results
when 5% of each industry segment reported completion.
- Again, despite the looming Transactions testing deadline (April
16, 2003), only 6% of Providers and 11% of Payers have actually
completed TCS remediation efforts. Forty-two percent of Providers
have not decided on their testing strategies.
- Covered entities reported focusing mainly on Privacy and Transactions
compliance, with Security compliance a secondary priority, presumably
because they were waiting for publication of the final Security
Rule.
- 90% of all respondents reported that their organizations have
applied for the Transactions deadline extension to October 2003,
in contrast to early CMS reports that significantly less than
half of all covered entities have applied.
- Across the industry, HIPAA budgets are generally higher for
2003 than for 2002.
THE SURVEY
Phoenix Health Systems and HIMSS conducted the Winter 2003 US Healthcare
Industry Quarterly HIPAA Compliance Survey during the first half
of January 2003. Following e-mail appeals to HIMSS' 13,000+ individual
and corporate members and to Phoenix's 20,000+ HIPAAlert newsletter
subscribers, a total of 666 healthcare industry representatives
responded. The online survey was completed anonymously via Phoenix's
web site, HIPAAdvisory.com.
The Organizations
Respondents from Provider organizations accounted for 70% (467)
of participants. While the percentage of overall Provider participation
was approximately the same as in our Fall 2002 Survey, small physician
practices account for a significantly greater proportion of total
provider respondents in the current survey: 17%. This compares to
10% participation of small practice groups in Fall 2002, suggesting
increasing awareness within this industry segment. The breakout
of participants follows:
- Providers 70%
- Hospitals of 400+ beds: 15%
- Hospitals of 100-400 beds: 18%
- Hospitals of less than 100 beds: 13%
- Medium-sized physician practices (11 to 29 physicians)/other
Providers: 8%
- Small physician practices (10 or fewer physicians)/other
Providers: 17%
- Payers 20%
- Clearinghouses 2%
- Vendors 8%
Within the Organizations
A total of 89% of respondents reported having an official
role within their organization for HIPAA compliance, and a third
of participants work specifically in the compliance/security arena.
The majority of respondents hold management or executive level positions,
including 13% at the Senior Management level. Executive support
for HIPAA compliance efforts remains fairly strong, with about 62%
of respondents reporting that their senior management is providing
moderately high to high support. However, only 22% of participants
indicated that management is providing high support
of HIPAA initiatives (5, on our scale of 1 to 5).
THE RACE FOR THE FINISH LINE
Privacy Progress: The pace of Privacy Rule compliance remains
very slow. Only 9% of all Providers reported that they had completed
Privacy remediation by survey time. Among hospitals, those with
400 or more beds lead the list with 11% having completed remediation.
Hospitals with fewer than 100 beds reported the least progress;
only 4% having completed Privacy remediation. Surprisingly, considering
widespread reports of inattention to HIPAA by small Providers, 13%
of this group have completed remediation. An additional 75% of all
Providers expect to be Privacy compliant by the HHS April 2003
deadline.
Of the 132 participating Payers, only 6 (5%) had completed Privacy
remediation by survey time. Another 83% expect to be compliant by
the April deadline. Fourteen percent of Clearinghouses reported
they had completed Privacy compliance, with another 71% planning
to be in compliance by the deadline. Nearly 20% of vendors reported
completion of privacy remediation, and another 51% plan to be finished
by April 2003.

Transactions and Code Sets Progress: Remediation progress
towards TCS compliance is even less encouraging. Despite the fact
that covered entities are required to be ready for Transactions
testing in April 2003, as of mid-January, only 6% of Providers had
completed remediation. Of greater concern is that only an additional
37% expect to be ready for testing in April. This represents less
than half of our survey sample. In fact, 43% do not expect to complete
TCS remediation for at least another seven months, leaving little
or no time for testing and fine-tuning before the October 2003 go-live
compliance deadline.
Only 11% of Payers have completed TCS remediation; like Providers,
only another 34% expect to be ready for testing by the testing deadline.
Seven percent of Clearinghouses reported completion of TCS remediation,
with another 36% expected to finish by April. Just under 35% of
Vendors have completed TCS remediation, with another 13% expecting
to be finished by April. Less than 20% of Payers, Clearinghouses
and Vendors overall expect to finish in the next four to six months,
and about 25% do not expect to complete TCS remediation for seven
to ten months, again leaving little time, if any, for transactions
testing before the compliance deadline in October.

Security Remediation Progress: Respondents indicated that
Security remediation efforts are progressing slowly; while 11% of
Vendors have completed Security remediation, only 2% of Providers,
5% of Payers and 0% of Clearinghouses have done so. Another 15%
of Vendors, 17% of Providers, 15% of Payers and 7% of Clearinghouses
anticipate completion by April 2003. While many of the remainder
(see below) predict completion within a year or less, approximately
30% of all respondents did not know at survey time when their organizations
were likely to finish Security remediation. The majority (about
60%) of participants reportedly are still conducting Security gap/risk
analyses; Vendors have made the most progress with about 43% reporting
that they are well into implementation efforts.

The First Milestone (Gap Analysis): Across the industry,
progress on gap analyses has improved dramatically from Fall 2002,
when fewer than 50% of all respondents had completed a gap assessment.
A total of 59% of Providers, 71% of Payers, 50% of Clearinghouses
and 57% of Vendors had completed their gap analyses by the time
of the survey. The majority of those who had not finished planned
to do so by April 2003, minimizing the likelihood of achieving
needed remediation by the compliance deadline.

HIPAA Hurdles
Participants who reported that they had completed Transactions
and Code Sets and Privacy remediation were unanimous in reiterating
Fall 2002 Survey respondent concerns that understanding/interpreting
the legal requirements has been the most difficult aspect
of the HIPAA remediation process. A close second for all industry
segments was achieving successful integration of new policies
and procedures (for the first time in our surveys ranked one
of the top three obstacles), suggesting that the predicted challenges
of cultural change are perhaps becoming a reality. The third-ranked
issue was resolving issues with third parties,
indicating that communication/tracking problems continue among trading
partners. The following is a sampling of
comments from our participants:
Small Physician: My goal is to automate everything
that can be automated. The human factor, however, will prove to
be the success or failure of HIPAA compliance in the months and
years to come.
Payer: Nothing about HIPAA seems to be in black and
white. No one seems to be able to provide clear answers or direction.
We are relying on documentation and due diligence.
Vendor: Business Associate (BA) contract negotiations
are killing us...no 2 BA contracts are the same! We need trade associations
and/or the Department (HHS) to step up and recommend complete standard
sample language that their members will follow.
Provider representatives who are still heavily involved in HIPAA
compliance efforts identified similar factors as impediments to
HIPAA compliance. Interpretation of the regulations
and not enough time were ranked first as the biggest
roadblocks, followed by potential changes in regulations.
In addition, comments (similar to those published in the Fall 2002
Survey) focused on a need for more specific guidance from HHS regarding
HIPAA regulations, and standard language or standardized sample
forms from which to work. Specific comments from Providers follow:
- Everyone is confused about the impacts, both financially
and operationally, that HIPAA will have on our facility. It also
seems that interpretation of the regulations is different depending
on which "expert" is consulted [and] that there
is no clear-cut approach to any of the regulations, thereby contributing
to the confusion.
- Expertise is available -- funding to acquire the expertise
is the problem. Not being 'sure' of what you are doing causes
misuse of the limited amount of time left to achieve compliance.
- The addenda to the Implementation Guides need to be published
so that everyone will be on the same page. Privacy and Security
are intertwined and should have been published closer together.
- At small facilities, one person has to wear many hats
and it is difficult to carve out time to work on HIPAA compliance.
Impact of Pending Security Rule
Though the final Security Rule had not been published by the time
of this survey, respondents were asked how its publication would
affect overall HIPAA compliance efforts within their organizations.
One third of total respondents say they are either compliant now,
or have already begun Security compliance work, so they anticipate
no real impact. However, a larger number (59%) of respondents indicated
that their focus on Security compliance would increase following
publication of the final regulations, with 24% continuing to focus
mainly on Privacy compliance, and another 17% on both Privacy and
TCS compliance efforts.
Transactions and the Transactions Extension
When asked if they had taken advantage of the Transactions compliance
deadline extension offered in the Administrative Simplification
Compliance Act, 90% of respondents said yes. This contrasts
sharply with reports by CMS officials that less than half of the
country's estimated two million covered entities applied for
the extension by the required October 2002 deadline. As for the
original October 2002 TCS compliance deadline, only 3% of survey
respondents indicated that they were in compliance by that time.
Additionally, with just three months left until the April 2003 Transactions
testing deadline, 37% of all respondents and 42% of Provider respondents
were either unaware of or had not planned their organizations'
testing strategies.
About 28% of participants indicated that their organizations plan
to use third-party certification of their transactions capabilities,
and 17% will recommend that trading partners certify with a third
party prior to sending transactions. Twenty-one percent indicated
that they plan to perform their own testing with trading partners
without using a third-party certification service. Only 12% plan
to require trading partners to certify through a third
party.
Compliance Activity by Phase
OVERALL HIPAA AWARENESS: HIPAA awareness and education
continue to be a major focus of ongoing compliance activity in all
major compliance areas. Across all industry segments, organizations
reportedly are involved in HIPAA awareness and education activities
as follows: Transactions 53%, Security 62%, Privacy
60% and Unique Identifiers 55%.
TRANSACTIONS AND CODE SETS: Compliance activities
focusing on Transactions and Code Sets generally have moved beyond
assessment into project planning and implementation phases. With
some overlap, 50% of respondents are doing project planning, and
a total of 61% are in the implementation phase (up from 52% in Fall
2002). By industry segment: 55% of Providers, 60% of Vendors, 80%
of Payers, and 78% of Clearinghouses are engaged in transactions
implementation initiatives.

PRIVACY: Respondent organizations are primarily focused
on Privacy initiatives. Survey results reflect a visible shift from
assessment and project planning to the implementation phase, in which
78% of all participants are engaged. Similarly, 67%
of participants are working on Privacy training activities.

SECURITY: Over 50% of respondents reported that they
are engaged in Security assessment activities. Activity is gradually
increasing in both the Security project planning (47%) and implementation
(32%) phases.

UNIQUE IDENTIFIERS: Participants continue to focus
on general awareness (55%), with 31% engaged in assessments, 28%
in project planning, and 23% working on actual implementation of
standard identifiers.
The Winner's Circle?
Participants were once again asked to consider the long-term benefits
of HIPAA compliance, and reactions were almost identical to those
reported in the Fall 2002 Survey report. Over half (57%) of respondents
reported that their organizations' strategic goals include
realizing benefits from their HIPAA efforts. However, just under
half (43%) say they do not have long-term goals focused on realizing
such benefits. Participants identified prevention of future
privacy/security breaches as the number one hoped-for benefit
(41%), followed closely by increasing patient confidence through
better privacy/security (39%). Harking back to one original
intent of HIPAA, administrative simplification, the goal of saving
time, effort and money through transactions standardization
was identified by 35% of respondents, who indicated less optimism
about the beneficial impact of implementing security and privacy
measures (18%). Sample comments follow:
Provider: The good news is that HIPAA will help to
streamline our processes and add efficiency. The bad news is that
achieving compliance is an overwhelming task!
Payer: Some of the HIPAA expenses are in applying
new software tools that will directly apply towards meeting other
compliance requirements.
Payer: We are following these [third parties] closely,
primarily to determine their probable HIPAA compliance success,
in order to develop contingencies to handle a potentially huge increase
in paper claims. We believe HIPAA will initially harm us administratively.
THIRD-PARTY COMMUNICATIONS
Payers reported a near-even split between working alone towards
HIPAA compliance (43%) and coordinating more directly with Providers
(39%). However, approximately two-thirds say they have communicated
"all" or "much" of their HIPAA compliance plans,
progress and timelines to clients. A total of 87% of Payers predict
they will be ready to accept and transmit all HIPAA-compliant transactions
by the October 2003 deadline. The majority also believe that their
Clearinghouses and Vendors will be ready for the testing deadline,
and that they have been "moderately" or "very"
forthcoming in their communications.
- As a Payer that gets 77% of our total claims volume electronically,
we are very concerned that Providers/Vendors/Clearinghouses will
not be ready to submit compliant transactions by 10/16/2003, which
will result in regression to paper. Our efforts now are focused
on working with the key trading partners that submit 80% of our
electronic volume.
Clearinghouse participants are focusing on both internal software
remediation (64%) and internal new software development (64%), with
only 29% providing custom software development services to their
clients. However, the majority indicated that they have communicated
"all" or "much" of their HIPAA compliance plans
to clients. All predict they will be ready to accept and transmit
all HIPAA-compliant transactions by the October 2003 deadline.
Over 60% of Vendor respondents stated that they have communicated
"all" or "much" information to their clients
regarding their HIPAA compliance plans, progress, and timelines,
but 28% indicated that they have communicated "little"
of this information, and 9% indicated that they have had no such
communications with their covered entity clients.
Provider Perceptions
There appears to be a disconnect between the perceptions of Providers
and Payers regarding HIPAA compliance data communications. Just
under two-thirds of Provider respondents (61%) indicated that Payers
are only "somewhat" or "not at all" communicative
when it comes to HIPAA compliance. Providers appear more satisfied
with other third-party communications related to HIPAA, reporting
that their Vendors and Clearinghouses (54% and 57% respectively)
are "moderately" or "very" communicative.
Based on the quality of communications with Payers, many Providers
were skeptical that their trading partners would be ready to transmit
HIPAA transactions by required deadlines. Nearly two-thirds of Provider
participants (62%) predicted that many, if not most, of their Payers
would NOT be able to meet the Transactions Rule deadlines. On a
more positive note, 71% of Providers predicted that their Clearinghouses
would be ready and 62% predicted that their Vendors would be ready.
USE OF OUTSIDE CONSULTANTS
Survey results for Winter 2003 showed that 42% of respondents across
the industry are currently using outside consultants to support
HIPAA initiatives. The biggest users of consultants are larger hospitals
(50%) and Payers (61%). Respondents indicated that the majority
of consulting support is being used for awareness, assessment and
project planning (60%). Utilization of consultants for implementation
efforts has slightly increased since Fall 2002 from 16% of respondents
to 18%. Nineteen percent of consulting support is focused on training
and other HIPAA-related objectives.
HIPAA BUDGET HIGHLIGHTS
Hospital budgets for HIPAA compliance in 2003 are generally higher
than 2002 HIPAA budgets.
Hospitals with less than 100 Beds: 39% will spend less than $30K
in 2003, just over 20% will spend between $30K and $50K, about 19%
between $50K and $100K, and 12% between $100K and $250K.
Hospitals with 100 to 400 Beds: 25% will spend less than $50K,
38% between $50K and $100K, 22% between $100K and $200K, 9% between
$200K and $500K, and 7% over $500K.
Hospitals with 400 or More Beds: 10% have budgeted between $30K
and $50K, 8% between $50K and $100K, 23% between $100K and $200K,
25% between $200K and $500K, 17% between $500K and $1 million, 11%
between $1 million and $2 million, and 5% $2 million+.
Payer budgets for 2003 are somewhat higher, and 2003 Vendor budgets
are significantly higher than 2002 budgets. A graphical comparison
of hospital, Payer and Vendor HIPAA budgets, by year, is offered
below.
CONCLUSION:
The Winter 2003 HIPAA Compliance Survey Results suggest that on-time
healthcare industry readiness for HIPAA compliance remains a serious
concern. While 75% of Provider respondents (17% of which represent
small physician practices), and 30% of Payers, Clearinghouses and
Vendors reported that they will be ready for the Privacy deadline,
only 9% of Providers and 5% of Payers have actually completed Privacy
remediation. Even though 90% of respondents have applied for the
extension of the Transaction and Code Sets deadline, only 37% expect
to be ready for testing at the expected check point in April 2003.
Compliance with the Security Rule remains an additional concern
with 60% of respondents still doing gap and risk analyses, suggesting
that the majority are waiting for the final rule. Clearly, much
remains to be done.
[Chart: Hospital Budgets: 2002 vs. 2003]

[Chart: Payer Budgets: 2002 vs. 2003]

[Chart: Vendor Budgets: 2002 vs. 2003]