
HIMSS / Phoenix Health Systems

US Healthcare Industry Quarterly HIPAA Compliance Survey Results:
Winter 2004


Executive Overview

HIMSS and Phoenix Health Systems conducted the Winter 2004 Survey from January 5 through January 20, 2004, approximately three months after the October 16, 2003 deadline for Transactions and Code Sets (TCS) compliance. A total of 631 healthcare industry representatives responded. The Survey placed special emphasis on Providers, Payers, Clearinghouses and Vendors' TCS compliance progress, including their readiness to conduct HIPAA transactions, prioritization of specific electronic transactions, the impact of the federal Contingency Plan, and the impediments facing compliance progress. In the Privacy arena, covered entities were questioned regarding their implementation of keystone requirements and incidents of patient privacy breaches. Progress toward meeting Security Rule requirements was also examined, as well as current measures in place to ensure secure transmission of transactions.

Key findings of the Winter 2004 Survey include:

  • HIPAA Transactions and Code Sets
    • Less than one-half of respondents from all industry segments reported that they are ready to conduct all HIPAA standard transactions. Only 50% have completed external testing.
    • Eighty-five percent of Payers continued to accept non-compliant transactions into January. Of these, 34% will stay on this course for at least three more months, and another 34% until the Centers for Medicare and Medicaid Services (CMS) ends its Contingency Plan.
    • Over half of Providers and one-third of Payers felt that CMS should maintain its Contingency Plan for up to 90 days; 32% of Providers and 50% of Payers want it extended up to six months or longer.
    • Technical obstacles and poor communication among healthcare trading partners remained severe ongoing impediments to TCS compliance success.

  • HIPAA Privacy
    • Twenty percent of Providers and 14% of Payers reported that they remain non-compliant with the Privacy Rule, nine months after its effective date.
    • Even among "compliant" organizations, gaps remain in such areas as establishing Business Associate Agreements and monitoring internal Privacy compliance.
    • An average of 56% of Provider and Payer respondents reported that their organizations had experienced one or more privacy breaches since April 2003.

  • HIPAA Security
    • Initiatives for Security Rule compliance are moving slowly - over half of Providers and Payers reported they will not be fully compliant until 2005.
    • An average of 24% of Providers, Payers and Clearinghouses reported that their organizations had experienced one or more data security breaches from October to December 2003.


THE SURVEY

Phoenix Health Systems and HIMSS conducted the Winter 2004 US Healthcare Industry Quarterly HIPAA Compliance Survey during the first three weeks of January. Following email appeals to HIMSS' 13,000+ members and to Phoenix's 19,000+ HIPAAlert newsletter subscribers, a total of 631 healthcare industry representatives responded. The online survey was completed anonymously via Phoenix's web site, HIPAAdvisory.com.


The Participants

Eighty-eight percent (88%) of survey respondents hold an "official" role within their organization for HIPAA compliance, with 28% working specifically in the compliance/security arena. Over one-half of respondents (52%) are CIOs, senior managers, and department managers. Respondents from Provider organizations accounted for 70% (440) of participants. The breakout of participants follows:

  • Providers – 70%
    • Hospitals with 400+ beds: 18%
    • Hospitals with 100-400 beds: 20%
    • Hospitals with less than 100 beds: 13%
    • Medium-sized physician practices (11 to 29 physicians)/other providers: 8%
    • Small physician practices (10 or fewer physicians)/other providers: 11%
  • Clearinghouses – 2%
  • Payers – 19%
    • Covering fewer than 150,000 lives: 6%
    • Covering 150,000-500,000 lives: 4%
    • Covering 501,000-1,500,000 lives: 4%
    • Covering more than 1,500,000 lives: 5%
  • Vendors – 9%
    • Annual revenues less than $50M: 5%
    • Annual revenues of $50M-$100M: 1%
    • Annual revenues more than $100M: 3%


Transactions and Code Sets Compliance

The official deadline for compliance with the HIPAA Transactions and Code Sets (TCS) Rule was October 2003. Despite reports of new progress towards industry-wide TCS standardization, Providers, Payers, Vendors and Clearinghouses continue to struggle with external testing obstacles, poor communications and technical difficulties. The CMS Contingency Plan, announced in September 2003 gave organizations additional time to comply with TCS requirements, but will remain in effect only temporarily. Several Payer organizations also offered similar contingency plans. The Winter 2004 Survey questions addressed TCS compliance in the current climate.

Overall TCS Compliance

Not unlike the Fall 2003 Survey results, Payer organizations led once again in completion of overall TCS remediation – 76% of Payers reported that they had completed TCS remediation (excluding testing, which is detailed below), including putting into place all necessary policies, procedures, processes and systems. The only industry group to show no improvement in this area was Providers.

The table below provides an overview, by industry, of TCS remediation completion percentages and timelines.

TCS Testing

Successful conversion to HIPAA standard transactions requires internal testing of the new formats, followed by external testing with trading partners. The percentage of organizations completing internal testing has increased, overall, since our Fall 2003 Survey report, as indicated below. While external testing progress has also increased, it is notable that an average of only 50% of the industry has completed external testing. There is no increase in the percentage of Payers that have completed external testing since the Fall 2003 Survey.

The following graphs indicate internal and external TCS testing activity by industry segment, comparing Spring, Summer and Fall 2003 with Winter 2004 Survey results.

Readiness to Accept/Transmit HIPAA Transactions

Most respondents stated that they are ready to accept/transmit one or more, but not all, standard transactions. As a group, Payer organizations are most likely to indicate they are ready to accept/transmit one or more transactions (92%). Eighty percent (80%) of Providers, 76% of Vendors, and 75% of Clearinghouses are ready to accept/transmit one or more transactions.

Readiness to conduct all HIPAA standard transactions, by industry segment, is shown in the two tables below. Currently, 56% of Payers (up only three points since the Fall 2003 Survey) and 50% of Clearinghouses (up from 41%) are ready to accept and transmit all HIPAA Transactions. Only 40% of Vendor respondents, whose software products enable transactions processing, are currently ready to handle all transactions. See table below.

Providers have made the most dramatic progress in this area. About 80% (up from 30% in the Fall 2003 Survey) are currently able to accept/transmit one or more transactions, and 45% (up from 18%) are ready to accept/transmit all the transactions. See table below, sorted by Provider type.

Transaction Types

Providers and Payers, asked to specify which types of transactions their organizations were preparing to send and receive initially, indicated that their implementation efforts were primarily focused on the 837 Claims Encounter and 835 Claims Payment transactions. (See table below for additional detail.)

Transaction Types for Initial Use          Provider   Payer
837 Claims, COB, Equivalent Encounter      78%        85%
835 Payment, Remittance Advice             68%        82%
276/277 Claims Status                      41%        72%
270/271 Eligibility                        41%        63%
834 Enrollment/Disenrollment               19%        55%
820 Premium Payment                         8%        38%
None                                        2%         0%

CMS' Temporary Contingency Plan

The Centers for Medicare and Medicaid Services (CMS) announced a contingency plan on September 23, 2003 in response to the industry's inability, as a whole, to comply with the October 16, 2003 TCS deadline. The plan allowed temporary continued processing of non-compliant Medicare claims, and encouraged other health plans to implement similar contingency plans where appropriate.

When asked how the CMS Contingency Plan announcement had impacted their overall TCS course of action, 59% of Providers said these developments had no effect, and only 17% said they had been affected "somewhat." Most of these Providers had continued to submit non-compliant transactions following the TCS deadline. The overwhelming majority of Providers (92%) were confident in their ability to demonstrate "good faith efforts" toward compliance, as required by CMS.

Eighty-five percent (85%) of Payers (down from 90% in the Fall 2003 Survey) accepted non-compliant transactions following the October 2003 deadline. More than one-third (34%) have indicated that they will continue to do so for at least three months, and another 34% until CMS discontinues its Contingency Plan and requires compliant transactions.

About 52% of Providers and 34% of Payers indicated that they feel CMS should maintain its Contingency Plan for another one to three months; another 32% of Providers and 50% of Payers want the Plan to be extended four to six months or longer.

Covered Entity Contingency Plans

The majority of all participants in the Winter 2004 survey had set up contingency plans if they were unable to transmit compliant transactions. Providers planned to rely on manual (paper) transactions, use Direct Data Entry (DDE) where possible (43%), or use a compliant Clearinghouse (22%). Payers' contingency plans included reliance on manual processing (45%) or continuing to accept proprietary (non-compliant) transactions (36%). Vendor contingency plans included advising clients to use a compliant Clearinghouse (44%), or continuing to process proprietary transactions (28%).

Roadblocks to HIPAA Compliance

The Survey continues to track "major roadblocks" to overall HIPAA compliance. The early number-one barrier "Not enough time" has given way to "Resolving issues with third parties" as deadlines came and passed, and TCS issues escalated. This quarter, however, "Interpretation of HIPAA regulations" ranked as the primary roadblock to compliance for the first time, up from second place last quarter. Also a first, "Achieving successful integration of new systems, policies, and procedures across the enterprise" ranked as the second major impediment, indicating that an increasing number of organizations are struggling with technical obstacles as they move toward TCS compliance.

"Resolving issues with third parties" was reported as the third most serious roadblock, but clearly remains a contentious issue, judging from written comments received from respondents across the industry. (See sample comments below.) Respondents continue to believe that their own organizations have been cooperative and forthcoming with needed information, but blame business partners for poor communications. Payers (90%), Clearinghouses (100%), and Vendors (92%) said they had communicated "all" or "much" information to their clients regarding HIPAA compliance plans, progress, and timelines. However, Providers don't agree - 56% of Providers identified Clearinghouses as moderately to very forthcoming, and only 49% of Providers noted the same about their Payers. Sixty-eight percent (68%) of Providers and 60% of Payers considered Vendors to be moderately to very forthcoming.

When asked if they had provided valuable assistance to their Providers in efforts toward HIPAA compliance, 81% of Payers said they had provided much or moderate support. However, only 44% of Providers agreed that their Payers had provided them with a satisfactory level of assistance.

Obstacles to TCS compliance

  • Providers said:
    • Payers are not ready to accept standard transactions
    • Payers are not ready for testing
    • Cannot get needed information from Vendors, Payers, and/or Clearinghouses (e.g., companion guides, testing schedules, etc.)
  • Payers said:
    • Providers are not ready for testing
    • Providers have not captured the data required for the standard transactions
    • Cannot get needed information from Vendors, Providers, and/or Clearinghouses
  • Clearinghouses said:
    • Payers are not ready for testing
    • Payers are not ready to accept/transmit standard transactions
    • Providers have not captured the data required for the standard transactions
  • Vendors said:
    • Ambiguities exist in Implementation Guide specifications
    • Payers are not ready to accept/transmit standard transactions
    • Providers have not captured the data required for the standard transactions

With regard to the perceived readiness of trading partners to accept and transmit HIPAA-compliant transactions, Vendors received the highest vote of confidence. Providers (57%) and Payers (51%) were relatively certain that their Vendors were ready for the TCS deadline. Both Providers (52%) and Payers (38%) indicated slightly less confidence in their Clearinghouses. Providers professed little confidence in their Payers' readiness to handle the necessary transactions: only 35% indicated that their Payers would be ready.

Sample of Submitted Comments:

Provider: "Clearinghouses and Payers were not ready - and some still are not."

Provider: "Various of our Payers tell us that they are ready, however they provided the wrong PIN, lost our Trading Partner Agreements, fail to return phone calls, lost our test files..."

Payer: "We are currently capable of accepting and sending compliant transactions. We are awaiting our Provider/Clearinghouses to be ready."

Payer: "...We are only able to accept the 837 transaction from our largest Providers. The smaller ones who are using a Clearinghouse are still unable to send because they are too small for the Clearinghouse to have reached them on their testing schedule. Specific to the 835, our large Providers are having software problems."

Clearinghouse: "Our challenges lie in our trading partners' misinterpretation of the Implementation Guides, reduced or non-existent claim-level acknowledgement responses, and their general issues associated with implementing a new X12 system."

Clearinghouse: "Inconsistent interpretation of the implementation guides by the Payers [is] causing more Payer-specific customization in all translator programs than anticipated."


Privacy Compliance

Though compliance with the HIPAA Privacy Rule was required by April 2003, the quarterly Survey has continued to track the healthcare industry's Privacy compliance progress to determine what compliance gaps, if any, remain. Winter 2004 results indicated that organizations have taken steps to complete compliance requirements; however, a significant percentage of Providers and Payers were not able to report 100% compliance. Clearinghouses and Vendors (which have Privacy obligations stemming from Business Associate Agreements with covered entities) indicated the highest compliance levels at 100% and 98% respectively, but Provider compliance levels have increased only to 80% from the 76% reported in the Fall 2003 Survey. Compliance across Provider groups was relatively consistent, with full compliance reported by 82% of large hospitals and by 84% of smaller hospitals. Smaller Providers accounted for the "least" compliant group, with an average of only 75% currently Privacy compliant.

The Winter 2004 Survey asked Privacy-"compliant" organizations additional questions in order to clarify whether gaps remained between their actual privacy practices and the letter of the law. Responses indicated that Payers were more fully compliant than Providers overall, but that, where these groups have compliance gaps, the gaps are occurring within the same regulatory categories.

Consistent with data from the previous three surveys, a very high percentage of "compliant" Providers and Payers reported that they had implemented the most visible HIPAA Privacy requirements, such as the Notice of Privacy Practices, obtaining Patient Authorizations, and enabling patients' rights to review, amend and restrict access to medical records. However, establishing required Business Associate Agreements remained a significant area of non-compliance across the industry: for example, only 73% of "compliant" Providers had completed this work. This suggests that many business partners with access to protected health information (PHI) may not yet be protecting patient privacy as necessary. Similarly, many Provider and Payer participants that have stated they are compliant have not yet put privacy compliance monitoring systems into place. (See table below.)

Detailed Spot Check of Privacy-"Compliant" Organizations

Areas of Privacy Compliance                                          Providers   Payers
Obtain Patient Authorizations for use and disclosure of PHI          99%         97%
Enable mandated patients' rights (review, amend, restrict records)   99%         99%
Post and distribute Notice of Privacy Practices                      98%         93%
Obtain acknowledgement of receipt of Notice of Privacy Practices     98%         N/A
Provide ongoing Privacy training                                     95%         100%
Use "Minimum Necessary" Restrictions                                 94%         N/A
Document Privacy policies and practices                              93%         99%
Maintain Accounting of Disclosures                                   93%         96%
Implement security protections as required under the Privacy Rule   89%         95%
Provide overall workforce Privacy training updates                   85%         96%
Monitor organizational compliance with Privacy regulations           76%         87%
Have obtained all required Business Associate Agreements             73%         93%

Incidents of Patient Privacy Breaches

The Winter 2004 Survey questioned "compliant" participants about reported incidents of patient privacy breaches since the HIPAA Privacy deadline in April 2003. On average, over half of Providers reported experiencing privacy breaches, with larger hospitals (73%) reporting the greatest number of breaches. One-half of Payers reported the occurrence of privacy breaches, and small and medium-sized Physician Practices reported the lowest occurrence of privacy breaches. (See table below.)

The majority of Providers (73%) and Payers (64%) that are not yet compliant with the Privacy regulations have taken the first needed step: completing a Privacy gap analysis. It can be inferred that the 27% of non-compliant Providers and 36% of non-compliant Payers that have not completed a Privacy gap analysis also have not yet completed follow-on tasks such as Privacy remediation. Privacy training has been completed by 65% of Providers that are not fully compliant, but many smaller hospitals (50%) have not reached this milestone. On a more positive note, almost three-quarters (74%) of non-compliant Providers and 81% of non-compliant Payers expect to complete Privacy remediation within the next three months. Small Physician practices have progressed the least: only 46% have completed a gap analysis and only 62% have completed privacy training.

When comparing patient privacy breaches experienced by Providers and Payers since April 2003, we found no measurable difference between compliant and non-compliant organizations: the average was 56%. We also asked non-compliant organizations if they had received any formal Complaint of Privacy Violation (either Federal or in a civil proceeding) in the past nine months. The following table indicates that very few organizations have not had a formal complaint filed against them.


Security Compliance

With Security Rule compliance not required until April 2005, remediation efforts continue to progress slowly across the industry. The following table illustrates current levels of Security compliance by covered entity group, and projected completion timelines. Reported Provider compliance levels increased from 6% in the Fall 2003 Survey to 12% in the Winter 2004 Survey; Payer performance increased from 14% to 23%; and Clearinghouses increased from 17% last quarter to 63% in Winter 2004. More than half of Providers (53%), Payers (54%) and Vendors (50%) projected completion of Security remediation by the beginning of 2005.

Compliance with the security requirements of the Privacy Rule (which should have been met by April 2003) improved from last quarter to this quarter: only 11% of Providers (down from 22%) and 5% of Payers (down from 12%) had not completed necessary remediation.

Incidents of Data Security Breaches

Providers, Payers and Clearinghouses were asked to indicate the number of Security breaches experienced by their organizations over the past three months. Reports for this quarter were almost identical to those submitted in the Fall 2003 Survey. Twenty-one percent of Providers, and 25% of Payers and Clearinghouses reported that their organizations had experienced one or more data security breaches from October to December 2003. The vast majority (between 59% and 75%) of respondents reported experiencing no breaches at all. (See table below.)

Are You Transmitting Secure Transactions?

We solicited written comments on the following question: "How is your organization ensuring that it will be transmitting secure (PHI-protected) compliant transactions if you have not completed your security remediation efforts?" The following list offers the solutions most frequently reported:

  • Virtual Private Network (VPN)
  • Encryption
  • Secured Socket Layer (SSL) Web Site
  • Direct Connection to Third Party
  • Bulletin Board System (BBS) Connection
  • Secure Dedicated Lines
  • Password Protection
  • Secure File Transfer Protocol (FTP)
  • Authentication and Access Control on Transactions

E-Health Strategies and Return on Investment (ROI)

We asked Provider participants to indicate whether their organizations had implemented (or planned to implement) e-Health strategies – using the Internet to conduct business or patient care. Over 50% of Providers had e-Health strategies planned or in place, and only 28% did not. (The remainder did not know.) Participants reported using e-Health strategies for several functions, including online patient registration, scheduling or billing, physician off-site (remote) access to facility PHI for their patients, and facility web sites.

Providers were also asked to comment on their strategies for return on investment (ROI) related to HIPAA initiatives. More than one-third (36%) of Providers indicated that they had already, or planned to, implement ROI projects. Of those pursuing ROI benefits, 88% planned to expand the organization's use of electronic HIPAA standard transactions. In terms of expected cost savings, organizations specifically mentioned reduction in staff, faster turnaround for eligibility and authorizations, reduction in Accounts Receivable days, and reduced dependence on Clearinghouses. Not surprisingly, transactions mentioned most in relation to achieving ROI were the 835, 270/271 and 276/277.


Use of Outside Consultants

Winter 2004 survey results showed that 49% of respondents across the industry are currently using outside consultants to support HIPAA compliance efforts. As in the past, the biggest users of consultants are larger hospitals (64%) and Payers (63%). Among those using consultants, the majority had contracted for HIPAA Assessment and Implementation Planning and/or Implementation Support services. In addition, written responses indicated that outside consultants have been brought in specifically for legal review, generation of policies and procedures, and security risk analyses.


HIPAA Budget Highlights – 2003 and 2004

Across the industry, budgets for HIPAA compliance are reportedly lower in 2004 than in 2003 (perhaps because many organizations have achieved some level of compliance). Among Payers, hospital Providers and Vendor organizations, the number of entities with lower budgets in 2004 has increased, while those spending higher dollars decreased. For example, the number of Vendors spending less than $200,000 increased from 42% to 55%, while the number of Vendors spending between $201,000 and $500,000 decreased from 23% to 16%. On average, Payers plan to spend much less on HIPAA compliance in 2004 - the percentage spending over $2 million dropped from 23% to 7%. Hospital budgets remained more constant, though overall spending is less in 2004 than in 2003.

Graphical comparisons of hospital, Payer, and Vendor HIPAA budgets, by year, are offered below.


Hospital Budgets: 2003 vs. 2004

Payer Budgets: 2003 vs. 2004

Vendor Budgets: 2003 vs. 2004