HIPAA action
HIPAA dvisory
HIPAAdvisory > HIPAAction > HIPAA Survey Phoenix Health Systems
news
regs
action
tech
wares
alert
live
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

Quarterly Industry HIPAA Survey Results -  Winter 2001

from Phoenix Health Systems'
HIPAAdvisory.com and HIPAAlert

Industry Collaboration: HIPAA Solution, or Unrealistic Pipedream?

Over 600 healthcare industry professionals can't be wrong -- or can they? In the largest ever nationwide HIPAA survey of providers, payers, clearinghouses, vendors and others, sponsored in January, 2001 by Phoenix Health Systems,  all 610 respondents resoundingly agreed: they "should form a coordinated task force and share efforts" to achieve HIPAA compliance.  Yet, when payers were asked if they have begun coordinating with providers, only a third reported doing so; two thirds are "working on their own" to remedy existing systems or develop new HIPAA-compliant software. Similarly, 75% of hospitals reported that they have not discussed HIPAA compliance with their payers.  At the same time, over 60% payers stated that they wouldn’t be ready to accept and transmit all required HIPAA-compliant transactions for 18 or more months -- bringing them down to the wire of compliance deadlines. Only 5% of hospitals have undertaken HIPAA impact analyses, which presumably, would require input from payers and vendors. About 40% of healthcare vendors have not begun coordinating their product remediation efforts with clients. The signs are there: providers, payers and vendors don't know what each other are doing about HIPAA.  How will industry-wide compliance result?

THE SURVEY

During the last two weeks in January 2001, Phoenix Health Systems conducted its fourth quarterly industry HIPAA compliance survey through its HIPAAdvisory.com web site and HIPAAlert email newsletter.  The 610 online respondents included:

  • 115 hospitals with 400+ beds
  • 141 hospitals with 400 - beds
  • 37 physician practices
  • 43 other providers
  • 93 payers
  • 17 clearinghouses
  • 64 vendors
  • 100 other (consultants, govt, assoc)

    The majority of respondents, 73%, hold official roles in HIPAA compliance within their organizations.

    HIPAAWARENESS

    Among hospital and other provider respondents, about two thirds reported that their senior management have moderate to high knowledge of HIPAA and its implications.  This represents almost no change from the Fall 2000 Survey results; it can be theorized that the remaining third of senior staff believed they already know as much as they need to know, or they put their attention "on hold" during the holidays while awaiting the final Privacy rule and/or the change in federal administrations.  About 75% of payer respondents believed that their senior management have moderate to high HIPAA knowledge.

    Bar graph of HIPAA knowledge

    Providers indicated that about 32% of their department heads have moderate to high knowledge of HIPAA; payers reported that 63% of department heads have similar knowledge. When asked how the publication in late December 2000 of the final Privacy rule has affected their organizations' sense of HIPAA urgency, about 75% of all industry respondents felt that urgency was increased moderately to greatly.

    FOCUS OF HIPAA EFFORTS

    Most industry respondents reported that their compliance efforts are still focussed on internal HIPAA education, as they were in the Fall 2000 survey results. HIPAA impact/gap assessments are on the rise; however, only 5% of the hospital organizations have actually completed one.   Since all final HIPAA regulations haven't yet been finalized, even these organizations will have more assessment work to do.  Of the 219 respondents who knew their analysis plans, 80% expected to complete impact/gap analyses in the first three to six months of the year.

    Bar graph of Impact/Gap Analysis Schedule

    Significantly, within the overall industry, survey results indicated a trend that HIPAA is being addressed as a whole rather than by individual regulation.  As a result, even though the final rule for Security is still to be published, the industry is focussing almost as much education and assessment energy on meeting expected Security requirements as on the already-published Transactions and Privacy rules. Presumably, there is general agreement that the final Security rule is not likely to differ greatly from the proposed rule published in 1999.

    Among those organizations that have put together formal HIPAA compliance plans, 80% expected to complete impact analyses within the next three to six months.  Another 15% don't plan to complete their analyses for 12 or more months; by most standards, it can be assumed that they are unlikely to achieve compliance within HIPAA deadlines.

    THE BARE MINIMUM?

    Though many industry observers have suggested that "covered entities" are likely to take a minimalist approach to complying with HIPAA, over 50% of all survey respondents reported that their organizations are incorporating their strategic decisions with HIPAA compliance. About 45% plan to work to achieve the benefits that can be associated with HIPAA compliance. Fully 90% of hospital respondents agreed, for example, that potential e-health initiatives (and resulting benefits) would necessitate their HIPAA compliance. About 9% of hospitals, 11% of payers, and 23% of vendors are planning to exceed HIPAA requirements.  About 24% of all respondents plan to meet no more than basic requirements. Just fewer than 15% still have no formal HIPAA strategy.

    RELIANCE ON OUTSIDE RESOURCES

    One third of all hospital respondents indicated they would engage outside consultants to support HIPAA compliance; 78% of these noted that they would use the consultants to conduct impact analyses/risk assessments, and 44% will engage them to conduct compliance planning.  Seventy per cent of payers are engaging consultants; like providers, payers will use consultants primarily for risk assessment work, and half of them will enlist them to conduct compliance planning.

    Thirty per cent of vendors will utilize consultant assistance.

    BUDGETS

    Provider respondents were asked how much their organizations are budgeting for HIPAA compliance in 2001. About 40 percent of all hospital respondents did not report budgets for their organizations. HIPAA Budgets, less than 400 beds

    HIPAA Budgets, more than 400 beds

    Of the 83 hospitals with 400 or fewer beds who reported having 2001 budgets, 55% will spend $100,000 or less in 2001. 34% will spend between $100,000 and $500,000, and 11% expect to spend over $500,000 -- including five hospitals who have budgeted over $1 million in 2001.

    Of the 67 hospitals with 400 or more beds who reported 2001 budgets, 28% have set aside less than $100,000; 39% will spend between $100,000 and $500,000; 19% will spend between $500,000 and $1 million; and 13% expect to go over the $1 million mark.

    Generally, hospital HIPAA budgets for this year appear to be unrealistically low -- most notably for the 28% of organizations of over 400 beds who have budgeted less than $100,000.  It should be questioned whether or not they will be able to meet compliance requirements -- including deadlines -- with such small HIPAA investments.

    READINESS TO DO HIPAA-COMPLIANT BUSINESS

    Of the 93 payer organization respondents, 12% indicated they would be ready to accept and transmit HIPAA compliant transactions by the end of 2001.  However, 26% estimated up to  18 months to be ready, and 62% expected it would take even longer -- clearly taking them up to and past the October 2002 deadline for compliance with the Transactions and Code Sets rule.

    Clearinghouses have been very active in working towards compliance; over 50% of the 17 clearinghouse respondents are already coordinating their remediation efforts with clients. Over 75% of clearinghouses predicted they would be ready to handle all HIPAA compliant transactions before the compliance deadline.

    Graph of Vendor Remediation Progress

    Vendor responses were a mixed bag: about 40% have not begun coordinating with clients to understand remediation needs, and 16% have made no progress of any kind on compliance. About half indicated they are 25% to 50% ready, and another 25% of them believed they have completed three quarters of the work needed to either remedy existing products or develop new ones that will support HIPAA compliance. About 35% of vendors expected to have completed internal testing by September 2001, and another 44% will be finished between nine and 15 months from now.  Assuming they remain on course, most vendors should be "ready for HIPAA" before compliance deadlines. 

    PARTICIPANT COMMENTS MAY SAY IT ALL…

    Many provider comments reported a lingering sense of internal indirection regarding HIPAA: "There is no movement yet from upper management or IT to get organized"…"Hospital senior management is not particularly interested"…"Education for management is currently underway -- hopefully, this will drive the process."

    Other providers expressed overall frustration: "Vendors are unwilling to give information about their compliance plans or schedules"…"Once again, we're (also) steeped in multiple projects like systems integration across multiple campuses -- resources are increasingly difficult to come by." And, finally: "There is a great need for institutions to develop an understanding of HIPAA that every person shares."

    From payers: "It will be tough meeting the prescribed deadlines"…"Human resources are scarce and this is a major effort!"…"Our delay in HIPAA budgeting means no money, can't hire staff."

    From vendors: "With seriously out-dated legacy systems, just the analysis phase will take over a year."   "Most customers have adopted a wait and see attitude."…Some vendors reported awaiting the final Security rule --"It is not acceptable business practice to get too far out in front of the requirements."

    View results from past surveys.

    Go to TOP

    		•