HIPAAlert
Industry HIPAA Progress Survey – Fall 2000
Results Are In On Largest-Ever Healthcare Industry
HIPAA Survey...
HIPAAlert's Fall 2000 Survey:
Patchy But Significant New Energies Focus on HIPAA Compliance
During two weeks in late September/early October, 2000, over 450
representatives of healthcare organizations, including providers,
payers, clearinghouses, vendors and others, participated in the
largest ever nationwide survey on HIPAA compliance within the healthcare
industry. The online survey was the third in a series of quarterly
HIPAA surveys conducted by Phoenix Health Systems through its HIPAAdvisory.com
web site and HIPAAlert newsletter.
The 468 survey respondents included:
- 231 providers (97 hospitals of 400+ beds, 86 hospitals under
400 beds, and 48 other providers)
- 86 payer organizations
- 11 clearinghouses
- 59 healthcare vendors
- 81 others (i.e. consultants, advisory groups, government agencies)
HIPAA AWARENESS
Since Phoenix' June HIPAA Survey of 371 participants, knowledge
of HIPAA and its implications has continued to increase across the
industry's senior management -- from 53% of the total reporting
moderate or high awareness in June, to 65% by early October. Among
providers, 48% felt their executives had moderate to high awareness
in June increased to 59% by October. However, HIPAA awareness at
the department head level remains low throughout the industry, with
60% of all respondents (Figure 1), and 72% of providers (Figure
2) still reporting little or no department head knowledge in October.
One respondent commented, "It's tough to deal with HIPAA when only
you and your boss understand it, and everyone else gives you the
'doe in the headlights look' when you mention it." Similarly, another
provider claimed "other pressing issues" are delaying its awareness
efforts until next year. By contrast, a third respondent reported,
"Our company has been actively participating in the NPRM process,
HIPAA-watching and planning."
Figure 1: HIPAA Knowledge
Figure 2: HIPAA Knowledge
The fact that the first final HIPAA rule (Transactions and Code
Sets) was published this August has increased a sense of "HIPAA
urgency" among many industry groups. A range of 67 to 75% of payers,
vendors and clearinghouses were galvanized by the rule's publication,
though only 49% of providers reported moderate to strong response.
One provider commented, "Transaction sets is generally viewed in
the organization as a payer and IS vendor issue." Another believed
that, "like Y2K," HIPAA vendor compliance won't occur until right
before compliance deadlines. "Our chances of testing applications
are nil until then...thus the feet dragging."
FOCUS OF HIPAA EFFORTS
Not surprisingly, active HIPAA compliance efforts of most industry
organizations (approximately 80% of providers and 75% of payers)
are still strongly focused on building internal awareness. Over
half of all respondents have also begun to look at the assessment
process. In general, the industry appears to be undertaking these
efforts from an overall HIPAA perspective, rather than focusing
on HIPAA rule by rule.
When it comes to actual compliance, clearinghouses and vendors
are leading the way, with over half reporting they are well into
planning and implementation efforts, compared to less than a third
of providers and payers. One provider stated its cautious stance
succinctly: "We have a formal HIPAA steering committee with 4 sub-committees.
We are working on transaction sets security risk assessment. At
this point, we are educating, preparing, but not making any changes
until finalized rules are in place."
By contrast, 75% of vendors indicated that they should complete
internal testing of HIPAA compliant systems within the next 12 months,
and all clearinghouse respondents reported they will be HIPAA-ready
within 18 months.
Notably, over half of payers don't think they'll be ready to accept
all HIPAA transactions for 24 months or longer -- in other words,
until after compliance deadlines. One payer may have hit on an important
reason: "There seems to be a great deal of confusion between payers
about what is actually required to be compliant. A lot of questions
are being asked, and no one seems to have the answers yet."
Figure 3:
HIPAA COMPLIANCE AND STRATEGIC PLANNING
Many healthcare organizations have decided to turn HIPAA compliance
to their benefit, if possible: over half (including 52% of providers
and 59% of payers) intend to incorporate compliance into their strategic
plans (Figure 4).
Figure 4:
Among hospitals this is not as surprising as it might
have been prior to the industry's exploding E-health initiatives;
two-thirds of hospital respondents indicated that HIPAA compliance
will be integral to achieving their E-health strategies. In fact,
only 28% of hospitals intend to ensure only basic HIPAA compliance.
On the other hand, only 16% plan to exceed HIPAA requirements. Approximately
25% of hospitals reporting still have no formal plans for HIPAA
implementation (Figure 5).
Figure 5:
RELIANCE ON OUTSIDE RESOURCES
Of those hospitals (143) who have already decided whether to handle
compliance internally or with outside consulting help, 45% expect
to engage consulting support, primarily in the areas of compliance
planning and assessment. According to one HIPAA project manager,
"The hardest part of HIPAA is trying to figure out how to proceed
with an assessment/risk analysis. Organizing it and understanding
what to look for is a monumental task." Almost 75% of payers who've
decided on this question are also expecting to use consultants.
While there has been much discussion within the industry on whether
the new Transactions and Code Sets standards will cause healthcare
providers to move towards -- or away -- from using outside clearinghouses
to conduct transactions, the Fall Survey reports neither scenario
is likely. An underwhelming 6% of providers indicated they plan
such a change, while over 75% plan not to shift.
BUDGETS
Of 183 hospital survey participants, only 99 (54%) disclosed their
HIPAA budgets for 2001; in many cases, budgets were either unknown
or had not been determined. Within hospitals of 400+ beds who reported
budgets (58), nearly half plan a 2001 HIPAA budget ranging from
$100K to $500K, 19% will spend between $500 and $1 million, and
14% expect to spend over $1 million. The remaining 19% have budgeted
less than $100K for 2001 HIPAA costs.
Figure 6:
Within hospitals of less than 400 beds who reported budgets (41),
46% have planned HIPAA expenses of less than $100K, and another
41% will spend between $100K and $500K. About 12% expect to spend
over $500K.
Regarding where dollars and efforts will actually be spent, one
provider comment seemed to reflect an opinion of many: "Coordination
of transactions and code sets implementations will be a bear! But,
privacy is bigger and will cost a whole lot more - not only its
implementation, but also the ongoing processes that will follow."
INDUSTRY-WIDE COOPERATION
The majority of survey respondents indicated that they feel the
industry should work together as a "coordinated task force" to achieve
industry-wide compliance. However, providers appeared more skeptical,
with only 35% favoring industry coordination. Providers' reasoning
on this was not clear; it is possible that they felt that a coordinated
industry approach was not realistic, rather than unattractive. About
30% of providers felt they should utilize strategies "tailored"
to their organizations, and 25% believed providers should "lead
industry efforts."
On the other hand, payers were especially enthusiastic about the
industry's working together, with 80% of them favoring this approach.
As one payer explained, "It's important to develop a consistent
plan and time line for implementation across the healthcare industry.
Individual organizations need to develop a plan that meets their
specific needs, but we need to be consistent in our approach."
|
