HIPAA action
HIPAA dvisory
HIPAAdvisory > HIPAAction > HIPAA Survey Phoenix Health Systems
news
regs
action
tech
wares
alert
live
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

HIPAAlert
Next Steps Survey – June 2000

Overview

During the week of June 12, 2000, 371 healthcare industry members cooperated in a survey to provide a current snapshot of the industry's progress towards HIPAA compliance. Respondents included nearly 200 hospital representatives, 37 members of other provider organizations, 54 from payers or clearinghouses, and 36 from vendor firms. The survey was the second in a series of quarterly HIPAA surveys conducted with healthcare industry subscribers to HIPAAlert.

Figure 1: Employment of respondents.

Figure 1

 

HIPAA Compliance Strategy Progression

Most organizations (over 70% overall) have identified a HIPAA compliance leader. Among providers, this is most frequently either the CIO (MIS Director) or a dedicated compliance officer. However, just under 50% of all providers report that they have not yet developed an organizational HIPAA compliance strategy, with only 40% stating that they are generally "on track" with HIPAA preparations. payers appear more proactive, with 76% indicating they're on track with their preparations and only 16% reporting no HIPAA strategy underway. About 75% of vendors also report being on track, with 22% noting they've not yet developed their strategy.

Figure 2: HIPAA Strategy Progression.

Figure 2

 

HIPAA Knowledge

Among providers, 51% note their senior management still have little or no knowledge of HIPAA and its implications; 71% are currently receiving education, with the remainder expected to receive it within 6 months. Department heads are even less aware:75% know little or nothing of HIPAA, though most of them will receive training within 6 months. As one participant commented, "The biggest concern is that there is no concern."

Figure 3: Provider HIPAA Knowledge and Training

Figure 3

Risk Assessments

Despite the immediacy of the final Transactions and Code Sets rule, 50% of all respondents haven't begun risk assessment planning, including 61% of providers. Over half of providers plan to wait until the final rule on Security and/or Privacy is published before taking more action on compliance. Apparently providers, and hospitals in particular, see the wait for final rules as a reason to delay, rather than an opportunity to get a head start on compliance - even though, as one person noted, "It can be assumed that the requirements for Security will remain much as they were in the draft."

Transactions and Code Sets Strategy

When it comes to Transactions and Code Sets, 59% of providers will convert internal systems or rely on existing relationships with a clearinghouse for compliance. In other words, they will rely on third parties, rather than themselves, to ensure their compliance. Clearly, these providers should closely monitor the progress of these external groups. 41% of providers are undecided on how they will comply, though few plan to develop new clearinghouse relationships as a solution. Many others are awaiting vendor responses.

Figure 4: Provider Strategy for T&CS

Figure 4

Cost is a Leading Concern

Not surprisingly, the biggest single concern regarding HIPAA is its potential cost, expressed in budget, resources, time or liability. However, few providers have budgets for HIPAA compliance this year, though 71% of respondents reported plans to develop budgets in 3 to 6 months. Only 13 hospitals with under 400 beds have Year 2000 budgets; these ranged widely from $5000 to $1 million. 24 hospitals of this size showed 2001 budgets ranging from $15,000 to $2 million. In the 400+ bed category, only 15 hospital providers had Year 2000 budgets; they ranged from $75,000 to $5 million. The 2001 budgets of 17 400+ bed hospital providers ranged from $100,000 to $4 million.

Similarly, while many provider respondents listed difficulty in achieving compliance within regulatory time frames as a prime concern, these were often the same organizations who are waiting until final rules are published before taking action.

Summary

In summary, provider knowledge of HIPAA is generally weak, with providers continuing to delay risk assessments and other compliance steps, including budgeting, until the rules are finalized. As one person noted, " HIPAA is being viewed as a cost, not a savings opportunity." Another commented, "HIPAA isn't on management's radar screen till final rules come out; then there will be a mad rush to compliance." A final warning from another participant: "Re-engineering business processes around privacy and security will require an extremely focused effort from the entire organization."

Note:

Not all respondents answered all questions and some respondents gave more than one answer, so adding responses will not yield 100%.

View results from past surveys.

Go to TOP