
Quarterly Industry HIPAA Survey Results – Summer 2001

from Phoenix Health Systems'
HIPAAdvisory.com and HIPAAlert

HIPAA Implementation is IN – Delay is OUT

by D'Arcy Guerin Gue, Executive Vice President, Phoenix Health Systems

August 6, 2001 -- HHS' confirmation of the Privacy Rule in April and its publication of the first Guidance in June seem to have convinced the healthcare industry that HIPAA is here to stay. For the first time since Phoenix Health Systems' initial quarterly HIPAA survey in early 2000, the industry has reported that it is focusing more on compliance assessment and implementation than on the preliminary step of creating HIPAA awareness within its organizations.

Assessments, project planning and implementations are well underway across the industry, according to the 925 healthcare respondents to the late July survey. Over three quarters of hospital-based participants say their enterprise HIPAA impact/gap assessments will be complete by year end; and nearly 15% have already completed assessments. Two thirds of hospitals, payers, and clearinghouses, and over half of vendors are doing project planning. About a third of hospitals, and half of payers, clearinghouses and vendors have started implementing the HIPAA regulations. Even physician practices and other providers, historically behind in HIPAA awareness, are moving forward: of nearly 200 responding, about half have begun doing assessments, and over a third are working on project planning and implementation.

Through the combined efforts of Phoenix Health Systems and the Healthcare Information and Management Systems Society (HIMSS), the complete results of this quarterly survey have been forwarded to several Administration and Congressional offices, at their request. Recipients include DHHS leaders, members of the House Ways and Means Committee and other Capitol Hill leaders who want to better understand factors in the health industry's compliance progress.


THE SURVEY

During the last two weeks of July, Phoenix Health Systems conducted its sixth quarterly industry HIPAA compliance survey through its website HIPAAdvisory.com. With HIMSS' support, a record 925 healthcare industry representatives participated. Provider organization staff accounted for 63% of participants. The final break-out follows:

  • 42% -- hospitals: 17% -- 400+ beds; 24% -- 400 or fewer beds
  • 12% -- other providers
  • 9% -- physician practices
  • 20% -- payers
  • 15% -- vendors
  • 2% -- clearinghouses

Compliance officers, IT management, and department heads each represented about a quarter of total respondents; senior management comprised 16% of the total. Just under 80% of all respondents reported that they have official HIPAA roles within their organizations.


HIPAAWARENESS and the EFFECT OF JUNE PRIVACY GUIDANCE

Overall awareness of HIPAA was reported at an all-time high: about 75% of senior managers and 55% of department heads industry-wide were judged as having moderate to high knowledge of HIPAA and its implications. Notably, respondents stated that 6% of all senior managers, and 7% of provider senior managers, still have little or no knowledge of HIPAA -- representing no change since our April survey, and little change from January survey results.

Bar Graph of Industry HIPAA Knowledge

When asked if the Privacy Guidance published in June by DHHS improved their understanding of the Privacy Rule, about 40% of all respondents indicated it helped them "quite a lot" or "greatly." Another 44% reported that the Guidance helped them "somewhat."


FOCUS OF ENTERPRISE HIPAA EFFORTS

As summarized earlier, the number of organizations focusing on assessment, project planning and implementation components of HIPAA compliance has increased significantly in the last quarter. About a fourth of all survey participants plan to implement basic or minimum compliance. However, the great majority -- about 3/4 of all respondents -- hope to tie their compliance efforts to organizational strategic plans (including exceeding HIPAA requirements, in many cases) and reap the potential benefits associated with HIPAA. Given this proactive approach, it is not surprising that about 2/3 of all providers agreed that their organizations will have to be HIPAA-compliant in order to execute their E-health strategies. (15% aren't planning E-health initiatives.)

ASSESSMENTS

  • HOSPITALS -- Respondents from hospitals with over 400 beds reported that 75% are conducting assessments, primarily in Transactions and Privacy, and 1/2 also are doing Security and Identifiers assessments. 14% have completed their assessments, 33% expect to be done within 3 months, and another 33% expect to finish within 6 months. In hospitals with 400 or fewer beds, 2/3 are conducting Transactions, Privacy and Identifiers assessments, with 1/3 doing Security assessments. 11% of hospitals with 400 or fewer beds have completed assessments, 32% expect to be done within 3 months, and another 37% at the end of the year.
  • OTHER PROVIDERS -- Other providers, including physician practices, lag behind hospitals in performing impact assessments. Though some have begun, nearly 30% of respondents indicated they wouldn't be complete for a year or more, and another 22% "don't know" when they will complete assignments.
  • PAYERS -- About 70% of payer respondents reported they are conducting Transactions and Privacy assessments, but only 7% have begun addressing Security.
  • VENDORS & CLEARINGHOUSES -- Two thirds of vendor participants reported that they are conducting Security and Privacy assessments, with just over half also addressing Transactions. 2/3 of clearinghouses are conducting assessments in Privacy and Transactions, with less emphasis on Security and Identifiers.

PROJECT PLANNING AND IMPLEMENTATION

Over half of all participants reported that they are conducting HIPAA project planning and implementation, primarily in Transactions and Privacy, with lesser emphasis on Security and least on Identifiers.

  • HOSPITALS -- Among hospitals with over 400 beds, participants reported that 2/3 are preparing Transactions, Privacy and Security project plans; 1/3 are already working on implementation. Half of respondents from hospitals with 400 or fewer beds are doing Transactions and Privacy project plans, with less emphasis on Security. 25% are working on implementations, again primarily in Transactions and Privacy.
  • PAYERS -- Among payer respondents, 2/3 reported doing Transactions and Privacy project plans, with 50% also planning Security. Well over half reported that they are also doing Transactions implementation; a fourth are implementing Transactions and Security.
  • VENDORS & CLEARINGHOUSES -- Over half of vendor and clearinghouse participants reported they are conducting project planning and implementation in Privacy, Security and Transactions.

USE OF OUTSIDE CONSULTANTS

Payer participants indicated they are engaging consultants more often than providers are -- but both groups have determined they require outside support. Among hospitals, 45% of respondents said they are using outside consultants to support HIPAA compliance; 83% of these to conduct or support assessments, 47% for project planning, and 27% for implementation. Among payers, 63% said they are using consultants; 78% of these will use consultants for assessment help, 50% for project planning and implementation.


PROVIDER BUDGETS

Only provider respondents were asked how much their organizations are budgeting for HIPAA compliance in 2001 and 2002. A large portion of respondents have continued to report that 2001 and 2002 budget figures are unknown. Since 80% of respondents have official HIPAA responsibility within their organizations, it can be concluded that if they are unable to report budgets, it is likely that no budgets have been set.

  • 2001 BUDGETS
    • In hospitals of less than 400 beds: 39% -- less than $100K; 23% -- $100K-$500K; 4% -- $500K-$1 mil; 3% -- $1 mil+; 31% -- unknown
    • In hospitals of 400+ beds: 18% -- less than $100K; 32% -- $100K-$500K; 7% -- $500K-$1 mil; 13% -- $1 mil+; 31% -- unknown
    • Budgets for all providers: 31% -- less than $100K; 22% -- $100K-$500K; 4% -- $500K-$1 mil; 5% -- $1 mil+; 37% -- unknown. 50% of representatives of Physicians and Other Providers indicate that 2001 budget is not known.


Bar Graph of 2001 HIPAA Budgets

  • 2002 BUDGETS
    • In hospitals of less than 400 beds: 23% -- less than $100K; 23% -- $100K - $500K; 8% -- $500K - $1 million; 6% -- $1 million+; 40% -- unknown
    • In hospitals of 400+ beds: 5% -- less than $100K; 18% -- $100K - $500K; 9% -- $500K - $1 million; 28% -- $1 million+; 40% -- unknown
    • Budgets for all providers -- 19% -- less than $100K; 16% -- $100K - $500K; 7% -- $500K - $1 million; 12% -- $1 million+; 45% -- unknown

Bar Graph of 2002 HIPAA Budgets


READINESS TO DO HIPAA-COMPLIANT BUSINESS

  • PAYERS: Of the 187 payer respondents, about 50% indicated they have begun coordinating remediation with their clients -- the other 50% are going it alone. 2/3 reported they are upgrading their software, with the remainder developing new software. About 2/3 expected to accept/transmit their first HIPAA transaction within 12 months -- and all transactions within 12-18 months. 16% expected to miss the deadline of October, 2002 to have ALL transactions compliant.

Bar Graph of Payer Readiness

  • CLEARINGHOUSES: Clearinghouse participants reported that 65% have begun coordinating remediation with clients. 55% are approaching compliance by developing new software, including 30% who are customizing for clients; 55% are doing software remediation. 30% are currently ready to accept / transmit their first HIPAA transaction; another 55% will be ready within 6-12 months. A total of 60% reported they will be ready to handle ALL transactions within 6-12 months. 5% predicted that they won't be able to handle ALL transactions until after the October 2002 deadline.

  • VENDORS: Vendor representatives stated that 65% are coordinating remediation with clients. 12% have made no progress on compliance, 1/3 some progress, and 1/3 are 50-75% complete. Internal testing has been completed by 13% of respondents; 58% will complete it within 12 months. 30% have communicated their compliance plans to customers, and 38% will do so within 6 months. The majority, 73%, are offering compliance assistance to clients.

ROADBLOCKS TO COMPLIANCE

Only providers were asked to rank-order the following factors as impediments to their organizations' achieving HIPAA compliance:

"Not enough time" and "interpretation of the regulations" vied for number 1 and 2 ranking as the most serious roadblocks facing providers. Approximately 25% of respondents ranked each of these concerns #1, and roughly 20% ranked each #2. "Budget constraints" ranked 3rd and "potential changes to the regulations" ranked 4th most important. "Senior management buy-in" and the question of "vendor readiness" were considered to have the least impact on provider compliance, with about 45% of respondents ranking each as 5th or 6th most significant.


FINAL THOUGHTS

Even with the "roadblocks" described above, it appears that many enterprises are well along in their HIPAA assessment and implementation efforts. Not surprisingly, compliance progress is greater on the Privacy and Transactions regulations, which have been finalized, than on Security and Identifiers, which are still in "proposed" form.

Survey indications are that the industry IS clearly traveling the road to HIPAA-compliance. Nevertheless, it may not be coincidental that providers felt "not enough time" and "interpretation of the regulations" were the greatest compliance roadblocks facing them.

The two concerns, of course, are somewhat related. Considering the industry's strong positive response to DHHS' user-friendly Privacy Guidance, it's reasonable to think that additional, speedy clarifications could help shorten the industry implementation timeline. And, despite DHHS assurances that the final Security Rule will closely follow the proposed rule, immediate FINAL publication of the Security and Identifier Rules would also allay continuing doubts, confusion, and compliance delays.

The combination of Transactions standardization, strong new Privacy and Security measures, and use of final Identifiers is expected to create an industry-wide synergism that will improve access to and confidence in our healthcare delivery system -- once the rules are implemented. Implementing the rules together, as part of one integrated process, is also important to the many thousands of industry organizations who must somehow "get it done" within required timeframes and available budgets.
