
HIMSS / Phoenix Health Systems

US Healthcare Industry HIPAA Compliance Survey Results:
Summer 2005


Executive Overview

Summer 2005 marks our sixth consecutive year of tracking and reporting on the status of HIPAA compliance within the healthcare industry. The Summer 2005 Survey also marks a HIPAA milestone: for the first time, the three major HIPAA deadlines have all officially passed. With the Privacy Rule deadline occurring over two years ago (April 14, 2003), the Transactions and Code Sets (TCS) deadline 20 months old for those who received extensions (October 16, 2003), and the Security deadline well behind us (April 20, 2005), one might expect that yet another survey measuring HIPAA compliance is unnecessary.

True, some organizations that have long since implemented HIPAA requirements are now moving past the off-putting concept of "compliance" toward internally communicating a more palatable cultural recipe of "good" or "best" practices. These forward-thinking organizations are in the process of institutionalizing HIPAA principles, practices and desired outcomes – greater patient privacy, and secure nation-wide use of standard electronic healthcare transactions. On the other hand, as we will report here, surprisingly large percentages of covered organizations have yet to achieve many of the basics of HIPAA.

This dichotomy reflects at least two contributing issues:

  • HIPAA implementation can often resemble a moving target. With many diverse components contributing to overall compliance, actual implementations do not always go according to plan. HIPAA compliance is a team effort, both internally (senior management "buy-in," steering committees, staff support, compliance officials, etc.) and externally (trading partners, vendors, consulting experts). Many action items comprising HIPAA initiatives are dependent on steps that came before, and all require adequate resources including time, talent, and money. This complex combination of factors has been a prescription for compliance delay, if not failure, for many organizations.
  • Current survey results show, for the first time in the Survey’s six-year history, that many healthcare organizations have simply chosen not to implement many, if not all, HIPAA requirements. The two most reported "roadblocks" to HIPAA compliance in the Summer 2005 Survey were "no public relations or brand problems anticipated with non-compliance" and "no anticipated legal consequences for non-compliance."

Key findings of the Summer 2005 Survey include:

  • HIPAA Security (Deadline passed April 2005)
    • Seventy-four percent (74%) of Payers (up from 30% in January 2005) indicated that they are currently compliant with the HIPAA Security Regulations. Only 43% of Providers (up from 18% in January 2005) have achieved Security compliance.
    • Though the number of organizations experiencing data security breaches declined over the past six months, 32% of Providers (down from 40% in January 2005) and 27% of Payers (consistent with January 2005) indicated that their organizations had experienced data security breaches between January and June 2005.
  • HIPAA Transactions and Code Sets
    • Progress toward TCS compliance has improved slowly over the past six months – 80% of Providers and Payers indicated compliance (up from 73% of Providers and 70% of Payers in January 2005).
    • Seventy-one percent (71%) of Provider respondents are now transmitting over one-half of the HIPAA standard transactions.
    • Sixty-eight percent (68%) of Payers (up from 56% in January 2005) are capable of conducting ALL of the HIPAA standard transactions.
    • An average of 55% of Providers and Payers indicated that there are transactions which their information systems are capable of producing, but that are not yet being conducted, in great part because their trading partners are unable to accept or transmit them.
  • HIPAA Privacy
    • Privacy Rule compliance apparently has reached a plateau. While 78% of Providers and 90% of Payers stated they are compliant with the Rule, 18% of Providers and 6% of Payers reported that they remain non-compliant, more than two years after the deadline. As these numbers are consistent with survey results both in June 2004 and January 2005, it can be inferred that little or no progress is being made by a core group of non-compliant covered entities.
    • Even among "compliant" organizations, significant gaps remain in certain areas, especially in establishing Business Associate Agreements and monitoring internal Privacy compliance.
    • While the number of organizations experiencing privacy breaches declined over the past six months, 59% of Providers (down from 73% in January 2005) and 45% of Payers (down from 57% in January 2005) reported their organizations had experienced one or more privacy breaches from January to June 2005.
    • Twenty-one percent (21%) of Providers and 15% of Payers have had formal complaints of privacy violation filed against them, either with the Federal government or in a civil proceeding, over the past six months.


THE SURVEY

Phoenix Health Systems and HIMSS conducted the Summer 2005 US Healthcare Industry HIPAA Compliance Survey from June 1 to June 20, 2005. A total of 383 healthcare industry representatives (Providers and Payers) responded to email invitations to participate in the survey that were sent to HIMSS members and to Phoenix HIPAAlert newsletter subscribers. The online survey was anonymously completed via the Phoenix web site, HIPAAdvisory.com.


The Participants

Provider organizations accounted for 80% (282) of participants, and Payers for 20% (71). The distribution of survey participants follows:

  • Providers – 80%
    • Hospitals with 400+ beds: 22%
    • Hospitals with 100-400 beds: 17%
    • Hospitals with less than 100 beds: 13%
    • Medium-sized physician practices (11 to 29 physicians)/other providers: 9%
    • Small physician practices (10 or fewer physicians)/other providers: 19%
  • Payers – 20%
    • Covering fewer than 150,000 lives: 10%
    • Covering 150,000-500,000 lives: 3%
    • Covering 501,000-1,500,000 lives: 4%
    • Covering more than 1,500,000 lives: 3%

Eighty-four percent (84%) of total survey respondents hold an "official" role within their organization for HIPAA compliance. Respondents hold positions such as senior manager/department director (32%), Security/Compliance Official (24%), Privacy Officer (20%), and CIO/Director of Information Technology (10%). Reporting relationships vary from organization to organization – compliance staff may report to the Chief Executive Officer (29%), Chief Information Officer (12%) or Chief Compliance Officer (15%); however, 33% reported "other" superiors.

Note: The percentages provided in this summary report are based on the total number of respondents for each question, unless noted otherwise. Some participants did not complete all questions.


Roadblocks to HIPAA Compliance

In our ongoing tracking of the major "roadblocks" to overall HIPAA compliance, we have seen their relative significance shift as organizations entered new stages of the compliance process. Now that the major deadlines have passed, the two most reported roadblocks (for the first time) were "no public relations or brand problems anticipated with non-compliance" and "no anticipated legal consequences for non-compliance" (complaint-driven oversight). "Achieving successful integration of new systems, policies, and procedures" and "interpretation of regulations" were top roadblocks reported in our Winter 2005 and Summer 2004 Surveys, but ranked third and fourth respectively in the Summer 2005 Survey. Sample comments are provided below.

Sample of Written Survey Comments/Responses:

Provider: "Senior Leadership is still not engaged due to the lack of cases prosecuted under HIPAA."

Provider: "The CEO and CFO of the hospital feel [that] securing the processes for handling patient information is a waste of time and money."

Payer: "Senior Management [is] keeping a 'wait and see' approach for compliance."

Payer: "[There is] continued perception that HIPAA is over and done."

The good news is that many organizations are taking advantage of available resources to better understand HIPAA. Written comments from a substantial number of respondents credited attorneys (including internal and external legal counsel, and legal newsletters) as an increasingly important resource in progress toward HIPAA compliance. In addition, Provider and Payer respondents (55%) chose Phoenix Health Systems' "HIPAAdvisory.com" as the most popular tool, followed by resources offered by CMS (50%) and HHS (36%), as well as national associations such as American Hospital Association (AHA), American Health Information Management Association (AHIMA), HIMSS, etc. (31%). Thirty-two percent (32%) of total respondents participate in listserve-style discussion groups focusing on HIPAA (e.g., HIPAAlive).


HIPAA Compliance Drivers

"Enforcement will be 'complaint-driven'," according to the Centers for Medicare and Medicaid Services (CMS) – the federal enforcement agency for HIPAA Security, and the Office for Civil Rights (OCR) – the federal enforcement agency for HIPAA Privacy. Considering the comments noted above, we wondered if this was indeed a major motivator for covered entity compliance with the HIPAA Privacy and Security requirements.

We asked respondents to rank six compliance drivers in order of importance, with "1" representing the most important (see below). For both groups, patient and/or plan member complaints were indeed the biggest factor, in addition to input from attorneys/legal counsel. Surprisingly, adverse press coverage was a much bigger factor for Payers than for Providers.

Compliance Driver                            Provider Ranking   Payer Ranking
Patients/Plan Members and their Families     1                  1
Accrediting Bodies – JCAHO, NCQA, URAC       2                  4
Attorneys                                    3                  3
Internal Staff – "Whistleblowers"            4                  6
Press Stories                                5                  2
Peers or Trading Partners                    6                  5



Security Compliance

The deadline for compliance with the Security Rule was April 20, 2005. Both Provider and Payer organizations have made significant progress toward security compliance over the past six months (see table below). However, full compliance remains an elusive goal for many. Payer compliance levels reflected the strongest advances – from 30% in January 2005 to 74% in June 2005. Providers continue to lag behind in this area – compliance levels increased from 18% in January 2005 to only 43% in June 2005. Of organizations that are currently non-compliant, the majority expect to achieve compliance within three to four months.

There is a considerable difference between the number of organizations that planned to be compliant with the HIPAA Security Regulations, as reported in January 2005, and the number that actually achieved compliance. Seventy-four percent (74%) of Providers planned to be compliant by the April 2005 deadline. In light of these expectations, results from the Summer 2005 Survey are dismaying – 51% of Providers remain non-compliant. The one bright spot is that small physician practices reported a 200% increase in compliance. A compliance breakdown by Provider and Payer organization type is provided below.

Required HIPAA Security Standards – Most Difficult to Implement…

Both Providers and Payers have continued to nominate "audit controls," "risk management/risk analysis," and "information system activity review" for our list of most problematic Security Standards. In addition, nearly half of Providers cited “contingency planning” as a stumbling block. Payers cited "security incident response and reporting" as a problem. Actual percentages are provided below, and responses are ranked in descending order of the percent of respondents who cited the standard. (Note: Respondents were asked to indicate ALL of the standards they found difficult to implement – therefore, figures below reflect the percentage of each group who checked the noted item as ONE of the standards they found difficult to implement.)

  • Providers
    • Audit Controls (55%)
    • Contingency Planning (47%)
    • Risk Management/Risk Analysis (45%)
    • Information System Activity Review (45%)
  • Payers
    • Risk Management/Risk Analysis (41%)
    • Information System Activity Review (36%)
    • Audit Controls (32%)
    • Security Incident Response and Reporting (27%)

Incidents of Data Security Breaches

Providers and Payers were asked to indicate the number of data security breaches their organizations had experienced in the six-month period from January to June 2005. Fifty-seven percent (57%) of Providers and 68% of Payers reported no incidents. However, 32% of Providers (down from 40% in January 2005) and 27% of Payers (consistent with January 2005) experienced at least one security breach, including an average of 4% of both Providers and Payers that experienced between six and ten security breaches. (Note: It is likely, given overall levels of Security Rule compliance, that some organizations have yet to fully establish tracking mechanisms for security breaches.)


Transactions and Code Sets Compliance

The original deadline for compliance with the HIPAA Transactions and Code Sets regulations was October 16, 2003. Due to industry-wide difficulties in achieving TCS compliance, CMS implemented a temporary Contingency Plan in September 2003, allowing covered entities that requested conditional extensions to transmit non-compliant transactions. At the time that our Summer 2005 survey questionnaire was released, CMS had recently announced the termination of the Contingency Plan, effective July 2005.

Overall TCS Compliance

Compliance with the TCS regulations includes implementation of all necessary policies, procedures, processes and systems in order to test and then regularly conduct the standard HIPAA transactions required for the business functions performed by the covered entity.

The Summer 2005 survey results are somewhat encouraging – overall TCS compliance has improved slowly but steadily over the past year. Note: respondents interpret being "ready to conduct" or "capable of conducting" transactions as being HIPAA-compliant. Thus, while 80% of Providers indicated they were fully compliant (up from 73% in Winter 2005 and 65% in Summer 2004), when asked if they were conducting all the necessary standard transactions for their organizations, only 44% responded affirmatively. Eighty percent (80%) of Payers reported "full compliance" (up from 70% in Winter 2005 and 62% in Summer 2004), but only 68% indicated they were conducting all required transactions. Seventy-one percent (71%) of Providers reported transmitting over one-half of the standard transactions. Less than 1% of Providers (and none of the Payers) said they were not conducting any of the transactions. A breakdown by organization type is included below.

When participants were asked if there were transactions that were not being exchanged with trading partners even though their own information systems were capable of conducting them, an average of 55% said "Yes." The primary reason appears to be a lack of readiness on the other end – trading partners are not able to process the transactions. For example, over half of Providers (52%) reported the reason was that their Payers were not ready to accept/transmit those transactions, while only 24% indicated that their own organizations had not yet implemented processes to handle the transactions. Payers posted identical statistics – 52% claimed their systems were capable of conducting certain transactions that their Providers could not yet process, and another 40% indicated a lack of readiness on the part of their vendors.

In contrast, Providers expressed confidence that most of their information technology vendors are capable of supporting needed HIPAA-compliant standard transactions. Forty-six percent (46%) of Providers confirmed their vendors’ software is capable of conducting ALL transactions, and an additional 24% have confirmed that the software is ready to conduct one or more transactions.

We asked Payers: "How many of your Provider trading partners are transmitting AT LEAST ONE of the HIPAA standard transactions to you (either directly or through a Clearinghouse)?" As shown in the following chart, 67% of Payers reported that ALL OR MOST of their Provider clients were conducting at least one transaction. Half (50%) said that ALL OR MOST of their Provider clients were conducting at least one-half of the standard HIPAA transactions.

Use of Clearinghouses (current or planned) for transmission of HIPAA-compliant transactions has increased significantly over the past six months, to 80% (up from 68% in January 2005).

Transactions Currently Being Conducted

Providers and Payers were asked to indicate the transactions currently being conducted by their organizations. The table below displays a comparison of results from the Winter and Summer 2005 Surveys. In all cases, the percentages for Payers increased dramatically over the past six months, especially for the 276/277 and 270/271 transactions. Transmission of the standard transactions by Providers showed a slight, but relatively consistent increase over the same period.

Standard Transactions                          Provider             Payer
                                               Winter    Summer     Winter    Summer
                                               2005      2005       2005      2005
837 Claims, COB, Equivalent Encounter          73%       72%        63%       79%
835 Payment, Remittance Advice                 61%       66%        50%       61%
276/277 Claims Status                          30%       36%        33%       58%
270/271 Eligibility for Health Plan            31%       36%        33%       61%
834 Enrollment/Disenrollment                   16%       19%        43%       71%
820 Premium Payment                            11%       13%        33%       47%
278 Referral Certification and Authorization   N/A       17%        N/A       42%

CMS' Contingency Plan

CMS' Contingency Plan took effect in September of 2003, allowing qualifying covered entities to continue to transmit non-compliant Medicare transactions. In late May 2005, CMS announced its intention to discontinue the temporary Contingency Plan, effective July 2005. However, when asked if they felt that the Plan should be discontinued, only 41% of Providers and Payers said "Yes." The remainder was generally split between having no opinion, or feeling that the Plan should stay in force. When asked how termination of the Plan would affect their organizations, 27% of Providers and 24% of Payers said "substantially," or "moderately."

For those organizations that indicated they were transmitting non-compliant transactions, only a handful reported experiencing delays in reimbursement, and even then, the delay was less than five business days. Sixty-three percent (63%) of Providers and 71% of Payers reported experiencing no delays in reimbursement for non-compliant transactions.

Identifying the Obstacles to TCS Implementation

The obstacles to TCS implementation being faced today by Providers and Payers are consistent with those reported during the last eighteen months. They are as follows (in ranked order):

  • Providers
    • Payers are not ready to accept standard transactions.
    • Critical Vendors have not provided compliant software.
    • Ambiguities in information released by CMS regarding standard transactions requirements.
  • Payers
    • Providers are not ready to accept standard transactions.
    • Capturing the data required for the standard transactions.
    • Clearinghouse(s) not ready to accept/transmit transactions.

Privacy Compliance

Compliance with the HIPAA Privacy Rule was required by April 2003 – but a substantial percentage of Providers, in particular, remain non-compliant. Survey results for Summer 2005 show no variation over the past year – an average of 90% of Payer respondents and only 78% of Provider respondents indicated they were compliant with the HIPAA Privacy Regulations as of June 2005.

Among Providers, hospitals with more than 400 beds were the "most compliant" (81%), while hospitals with less than 100 beds were the "least compliant" (74%). Eighty percent (80%) of hospitals with 100 to 400 beds and 75% of both small- and medium-sized physician practices indicated that they were currently compliant with the Privacy Regulations. Within the Payer sector, compliance averaged 89% to 90% across Health Plans of all sizes. It is not difficult to draw the conclusion that incentives to implement HIPAA-required Privacy practices have been – and may remain – insufficient to induce 100% compliance by the healthcare industry.

As a check on their full compliance, Privacy "compliant" Provider and Payer organizations were asked to indicate their success in implementing several specific HIPAA requirements (see table below – comparing responses from the Summer 2004 Survey to the Summer 2005 Survey). This information confirms that gaps remain between actual privacy practices and the specific requirements of the Privacy standards – most significantly in the areas of monitoring internal compliance and obtaining required Business Associate Agreements.


Summary of Privacy Practices Implemented for "Compliant" Organizations

Areas of Privacy Compliance                                          Providers         Payers
                                                                     2004     2005     2004     2005
Obtain Patient Authorizations for use and disclosure of PHI          100%     99%      95%      98%
Enable mandated patients' rights (review, amend, restrict records)   98%      99%      97%      100%
Obtain acknowledgement of receipt of Notice of Privacy Practices     99%      98%      N/A      N/A
Post and distribute Notice of Privacy Practices                      98%      97%      93%      98%
Provide ongoing workforce Privacy training                           97%      97%      97%      98%
Maintain Accounting of Disclosures                                   97%      96%      93%      100%
Use "Minimum Necessary" restrictions                                 95%      94%      N/A      N/A
Monitor organizational compliance with Privacy Regulations           85%      88%      83%      93%
Have obtained all required Business Associate Agreements             80%      82%      90%      90%

Patient Privacy Breaches and Formal Complaints

While the percent of "compliant" Provider and Payer participants improved from the Winter 2005 Survey to the Summer 2005 Survey, a large proportion of both groups reported incidents of patient privacy breaches since January 2005. Fifty-nine percent (59%) of Providers indicated that they had experienced privacy breaches between January and June 2005, compared to 73% during the preceding six-month period. Forty-three percent (43%) experienced between one and five privacy breaches, 7% had six to ten breaches, 7% had eleven or more breaches, and 2% had an unknown number. Less than half (45%) of Payers (down from 57% in Winter 2005) reported privacy breaches: 40% indicated that they had between one and five privacy breaches, 2.5% had six to ten breaches, and 2.5% had eleven or more breaches.

Reports of formal privacy complaints filed by patients against reportedly compliant healthcare organizations have somewhat decreased. A majority of compliant Providers (73%, up from 62% in Winter 2005) and Payers (83%, up from 58% in Winter 2005) have had no formal complaint of privacy violation brought against them this year. However, 21% of Providers and 15% of Payers have had between one and five formal complaints of privacy violation filed against them, either with the Federal government or in a civil proceeding. None of our respondents reported more than five formal privacy complaints between January and June 2005.


Hospital Budgets for HIPAA – 2004 vs. 2005

Hospital budgets for HIPAA compliance efforts have decreased overall for hospitals in the "less than 100 beds" category and for hospitals "with 100 to 400 beds." However, spending for hospitals with "400 or more beds" has remained stable. Please refer to the pie charts below.
