HIMSS / Phoenix Health Systems
US Healthcare Industry HIPAA Compliance Survey Results:
Winter 2005
Executive Overview
Winter 2005 marks our fifth year of tracking and reporting on the status of HIPAA compliance within the healthcare industry. For the first time, our survey focused solely on healthcare Provider and Payer organizations, requesting feedback to determine compliance status with specific HIPAA Security, Transactions and Code Sets (TCS), and Privacy requirements. Although the deadlines for Privacy and TCS have “officially” passed, we continue to monitor progress toward full compliance, while looking ahead to the April 2005 Security compliance deadline.
By all indications, the road to compliance remains difficult. As we tracked industry progress toward HIPAA compliance over the past four years, we noted that roadblocks tended to shift throughout each step of the process. Many initial implementation obstacles were internal in nature, such as obtaining management support for HIPAA initiatives, or mounting campaigns to increase staff awareness of issues and requirements. Further along the road, the problems were more external, with collaborative difficulties arising among industry trading partners as each struggled with various components of the TCS requirements. As the next deadline approaches, we see many organizations exploring the inter-relationship among the HIPAA regulations, especially for Privacy and Security.
Overall, survey results for Winter 2005 are mixed. The past six months have seen exceedingly slow progress in implementing the HIPAA Security Rule, even though the compliance deadline is just two months away. This development raises a flag of concern: how can patient privacy be preserved and the use of electronic transactions proliferate without adequate hardware and software security protections? However, there has been significant improvement in the area of TCS compliance since our previous survey, conducted in June 2004. Although the Centers for Medicare and Medicaid Services (CMS) Contingency Plan remains in effect, and logistical issues continue, significant progress is being made towards successful collaboration of Payers, Providers and their vendors to implement the standard transactions. As in June, Privacy Rule compliance remains incomplete, despite the fact that the Privacy Rule deadline passed nearly two years ago.
Key findings of the Winter 2005 Survey include:
- HIPAA Security
  - Thirty percent (30%) of Payers (up from 13% in June 2004) and only 18% of Providers indicate that they are currently compliant with the HIPAA Security Regulations.
  - The number of organizations that expect to be fully compliant by April 2005 has actually declined over the past six months. Only 74% of Providers (down from 87%), and 80% of Payers (down from 91%), indicated they will be compliant on or before the deadline.
  - Ninety-three percent (93%) of Providers and 98% of Payers have designated an individual as the organizational Security Officer.
  - Forty percent (40%) of Providers and 26% of Payers indicated that their organizations had experienced at least one data security breach in the past six months.
- HIPAA Transactions and Code Sets
  - Progress toward TCS compliance has improved over the past six months – 73% of Providers and 70% of Payers indicated compliance (up from 65% and 62% respectively).
  - Ninety percent (90%) of Providers are transmitting at least one of the HIPAA standard transactions to their Payers. Seventy percent (70%) of Providers are transmitting over one-half of the transactions and 49% are transmitting ALL of them.
  - Fifty-six percent (56%) of Payers are capable of conducting ALL of the HIPAA standard transactions.
  - Forty-seven percent (47%) of Providers and 62% of Payers indicated that there are transactions which their information systems are capable of producing, but that are not being conducted at this time, in part due to the inability of their trading partners to accept/transmit them.
  - Forty-eight percent (48%) of Providers and 65% of Payers are currently taking advantage of the CMS Contingency Plan. However, the percentage of organizations that support continuance of the plan is declining.
- HIPAA Privacy
  - Only 78% of Providers and 90% of Payers indicated that they are compliant with the Privacy Rule, almost two years after the deadline (April 2003). Sixteen percent (16%) of Providers and 8% of Payers reported that they remain non-compliant. This reflects little or no improvement since our Summer 2004 Survey.
  - Even among “compliant” organizations, gaps remain in certain areas, such as establishing Business Associate Agreements and monitoring internal Privacy compliance.
  - Seventy-three percent (73%) of Providers and 56% of Payers reported their organizations had experienced one or more privacy breaches over the past six months.
  - Twenty-seven percent (27%) of Providers and 31% of Payers have had at least one formal complaint of privacy violation filed against them, either with the Federal government or in a civil proceeding, since the Privacy compliance deadline.
THE SURVEY
Phoenix Health Systems and HIMSS conducted the Winter 2005 US Healthcare Industry HIPAA Compliance Survey from January 4 to January 20, 2005. A total of 400 healthcare industry representatives (Providers and Payers) responded to email invitations to participate in the survey that were sent to HIMSS 13,000+ members and to Phoenix’ nearly 16,000 HIPAAlert newsletter subscribers. The online survey was anonymously completed via the Phoenix web site, HIPAAdvisory.com.
The Participants
Provider organizations accounted for 80% (318) of participants, and Payers for 20% (82). The distribution of survey participants follows:
- Providers 80%
  - Hospitals with 400+ beds: 25%
  - Hospitals with 100-400 beds: 17%
  - Hospitals with less than 100 beds: 14%
  - Medium-sized physicians practices (11 to 29 physicians)/other providers: 7%
  - Small physicians practices (10 or fewer physicians)/other providers: 17%
- Payers 20%
  - Covering fewer than 150,000 lives: 8%
  - Covering 150,000-500,000 lives: 4%
  - Covering 501,000-1,500,000 lives: 4%
  - Covering more than 1,500,000 lives: 4%
Almost half of the respondents (46%) are CIOs, senior managers, and department directors/managers. Eighty-four percent (84%) of total survey respondents hold an “official” role within their organization for HIPAA compliance, with 20% of those respondents functioning as Privacy Officer and an additional 20% involved in Security compliance. Reporting relationships vary from organization to organization: compliance staff may report to the Chief Executive Officer (26%), Chief Information Officer (16%) or Chief Compliance Officer (16%); however, 35% reported “other” superiors.
Note: The percentages provided in this summary report are based on the total number of respondents for each question, unless noted otherwise. Some participants did not complete all questions.
Roadblocks to HIPAA Compliance
We continue to track “major roadblocks” to overall HIPAA compliance, this time focusing only on Providers and Payers, and the rankings are almost identical to those posted in the Summer 2004 Survey. “Achieving successful integration of new systems, policies, and procedures across the enterprise” ranked as the primary impediment to HIPAA compliance for the second time. “Interpretation of HIPAA regulations” ranked second, “budget constraints” ranked third, and "time constraints" ranked fourth. Comments from respondents indicated that many feel CMS has not provided adequate guidance regarding interpretation and implementation of the Security regulations.
Sample of Written Survey Comments/Responses:
Provider: “Lack of assistance from CMS regarding interpretations. With Privacy, they offered many helpful sample forms, procedures, etc. There has been nothing for Security, including additions to the BAA [Business Associate Agreements] to cover security.”
Provider: “[There has been a] lack of information from CMS on many outstanding issues.”
Security Compliance
The deadline for compliance with the Security Rule is only weeks away – April 20, 2005. We asked Providers and Payers to indicate current levels of compliance, and estimated completion timeframes. Only 18% of Provider organizations reported being currently compliant with the Security Regulations, indicating no progress, overall, since the Summer 2004 survey, when compliance was also reported at 18%. Among hospitals, only 9% of hospitals with 400 or more beds reported that they are already compliant, and 18% of hospitals with less than 400 beds said they are already compliant. The number of Payer organizations currently compliant with the Security Regulations increased from 13% in Summer 2004 to 30% in Winter 2005. (See table below.)

The total number of organizations that are not yet compliant but expect to achieve Security Rule compliance on or before the deadline has actually declined over the past six months. While 87% of Providers in Summer 2004 anticipated compliance by the April 2005 deadline, only 74% in Winter 2005 predicted they will be compliant by then, with the largest hospitals (those with 400 beds or more) indicating the lowest expected compliance level: only 55% by April 2005. Payer percentages declined from 91% in Summer 2004 to 80% in Winter 2005. Whether or not this recalibration of expectations is accurate obviously remains to be seen.
Although overall Security compliance does not appear imminent – the average number of organizations that are currently compliant with the Security Regulations is only 24% – Winter 2005 survey results demonstrate that organizations are making progress in two important areas of Security compliance. Ninety-three percent (93%) of Providers and 98% of Payers have designated an individual as the Security Officer/Official. Thirty-two percent (32%) of Provider organizations have already conducted required HIPAA Security training with an additional 60% expecting to finish prior to the deadline. Thirty-seven percent (37%) of Payer organizations have already conducted the required HIPAA Security training with an additional 58% expecting to finish prior to the deadline.
Looking at HIPAA’s “big picture” of nationwide healthcare administrative simplification, and its overall dependence on the intrinsic interrelationship of data security with the integrity of electronic healthcare transactions and patient privacy, it is logical to question how the continuing lack of Security Rule compliance may be compromising overall HIPAA objectives. Until healthcare Providers and Payers can confirm that their systems are secure (that patient data is not vulnerable to inaccessibility or loss, damage or alteration, and/or theft or intrusion), the ever-increasing use of HIPAA standard electronic transactions (see below) that has been encouraged by the Federal government threatens to turn into patient privacy and security breaches waiting to happen.
Required HIPAA Security Standards Most Difficult to Implement…
Providers and Payers differed only slightly in their assessment of which HIPAA Security standards were most difficult to implement. The responses below are ranked in descending order of the percent of respondents who cited the standard. (Note: Respondents were asked to indicate ALL of the standards they found difficult to implement – therefore, figures below reflect the percentage of each group who checked off the noted item as ONE of the standards they found difficult to implement.)
- Providers
  - Audit Controls (55%)
  - Risk Management/Risk Analysis (49%)
  - Information System Activity Review (48%)
  - Data Backup Plan/Disaster Recovery Plan/Emergency Mode Operation Plan (39%)
- Payers
  - Information System Activity Review (40%)
  - Risk Management/Risk Analysis (34%)
  - Audit Controls (32%)
  - Data Backup Plan/Disaster Recovery Plan/Emergency Mode Operation Plan (29%)
Incidents of Data Security Breaches
Providers and Payers were asked to indicate the number of security breaches their organizations had experienced since June 2004. Forty percent (40%) of Providers and 26% of Payers had experienced at least one data security breach. (Note: Since compliance with the Security regulations is not yet required, it is likely that some organizations have yet to fully establish tracking mechanisms for security breaches.)
Transactions and Code Sets Compliance
The deadline for compliance with the HIPAA Transactions and Code Sets regulations was originally October 16, 2003. Due to industry-wide difficulties in achieving TCS compliance, CMS implemented a temporary Contingency Plan on September 23, 2003, allowing covered entities to transmit non-compliant transactions. On July 1, 2004, CMS issued a modification to the Contingency Plan (non-compliant claims submitted to Medicare will require an extra 13 days to process). The Contingency Plan as modified remains in effect.
Overall TCS Compliance
Compliance with the TCS regulations includes implementation of all necessary policies, procedures, processes and systems in order to first test and then regularly conduct the standard HIPAA transactions required for the business functions performed by the covered entity.
Winter 2005 survey results show that overall TCS compliance has improved over the past six months. Seventy-three percent (73%) of Providers (up from 65% in Summer 2004) and 70% of Payers (up from 62% in Summer 2004) believe they are fully compliant with HIPAA TCS requirements. Of the remaining “non-compliant” organizations, 77% indicated that they have completed a gap analysis, and most expect to complete TCS remediation activities within six months.
Readiness to Accept/Transmit HIPAA Transactions
Compared with results of the Summer 2004 Survey, a significantly higher percentage of Provider and Payer organizations indicated that they are now ready to accept/transmit the standard HIPAA transactions. Ninety percent (90%) of Providers are transmitting at least one of the HIPAA standard transactions to their Payers. Seventy percent (70%) of Providers are transmitting over one-half of the standard transactions. Less than 1% of Providers said they were not conducting any of the transactions.
An average of 49% of Provider respondents (up from 44% in Summer 2004) and 56% of Payer respondents (up from 44% in Summer 2004) were conducting ALL of the transactions required for their specific organizations. (See table below.) Percentages for physicians’ practices increased from 51% in Summer 2004 to 65% in Winter 2005, for smaller hospitals from 43% to 51%, and for medium-sized hospitals from 38% to 55%. Percentages for smaller Payers increased from 30% in Summer 2004 to 47% in Winter 2005, for medium-sized Payers from 25% to 44%, and for larger Payers from 50% to 71%.
Please note that when asked if they were fully compliant with the TCS requirements, 73% of Providers indicated they were fully compliant, but when asked if they were conducting the necessary standard transactions for their organizations, only 49% responded that they were actually doing so. Similarly, 70% of Payers reported “full compliance,” but only 56% indicated they were conducting all of their required transactions. Respondents interpret being “ready to conduct” or “capable of conducting” as being compliant.
In that vein, when participants were asked if there were transactions that were not being exchanged with their trading partners even though their own information systems were capable of conducting them, 47% of Providers and 62% of Payers said “Yes.” Of those, 37% of Providers (down from 51% in Summer 2004) reported the reason was that their Payers were not ready to accept/transmit those transactions, and another 25% of Providers indicated that operational processes within their organization were not yet adjusted to handle the transactions. Payers (44%) claimed their systems were capable of conducting certain transactions that their Providers could not yet process.

Providers expressed confidence that most of their information technology vendors are capable of supporting needed HIPAA-compliant standard transactions. Among Providers, 49% have confirmed that the software is capable of conducting ALL transactions, and 23% have confirmed that the software is ready to conduct one or more transactions. Sixty-seven percent (67%) say vendors have been moderately to very forthcoming regarding details of HIPAA compliance plans, progress, timelines and status. Payers expressed more dissatisfaction with their vendors, saying that some have not supplied them with necessary HIPAA-compliant software.
The majority of Providers (65%) perceived their Payers to be capable of handling the required transactions. Over one-third (36%) have confirmed that their Payers are capable of conducting ALL transactions, and 28% have confirmed that their Payers are capable of conducting one or more transactions. Over one-half of Providers (55%) say Payers have been moderately to very forthcoming regarding details of HIPAA compliance plans, progress, timelines and status. Eighty-six percent (86%) of Payers say they have communicated all or much of the required information to Providers.
Sixty-eight percent (68%) of Payers plan to use a Clearinghouse for conducting HIPAA standard transactions. Eighty-eight percent (88%) of Payers reported that they currently accept HIPAA standard transactions from Providers, either directly or through a Clearinghouse. We asked those same Payers: “How many of your Provider trading partners are transmitting AT LEAST ONE of the HIPAA standard transactions to you (either directly or through a Clearinghouse)?” Their responses are shown in the following chart, indicating that 28% of Payers reported that ALL their Provider clients were conducting at least one transaction, and that 37% said MOST of their clients were doing so.

Transactions Currently Being Conducted
Providers and Payers, asked to specify which types of transactions their organizations were preparing to send and receive initially, indicated that their implementation efforts were primarily focused on the 837 Claims Encounter and 835 Claims Payment transactions. (See table below for additional detail.)
| Transaction | Provider | Payer |
|---|---|---|
| 837 Claims, COB, Equivalent Encounter | | 63% |
| 835 Payment, Remittance Advice | 51% | 50% |
| 276/277 Claims Status | 17% | 33% |
| 270/271 Eligibility for Health Plan | 24% | 33% |
| 834 Enrollment/Disenrollment | 12% | 43% |
| 820 Premium Payment | 12% | 33% |
CMS' Contingency Plan
Many organizations have taken advantage of the CMS Contingency Plan to allow continued processing of non-compliant Medicare claims, and similar contingency arrangements implemented by other health plans; 48% of Providers and 65% of Payers are currently taking advantage of the plan. An average of only 20% of both Providers and Payers (down from 75% in the Summer 2004 survey) indicated that the plan should be maintained for up to six more months. However, more than one-quarter of respondents (27%) expressed no opinion on this issue, and 100% of the organizations not taking advantage of the contingency plan say it should not continue any longer.
Identifying the Obstacles to TCS Implementation
The obstacles to TCS implementation being faced today by Providers and Payers are consistent with those reported during the last eighteen months. The primary obstacle is that certain Provider and Payer organizations are still not ready or able to process the standard transactions. Of equal importance is the assertion that critical vendors have not supplied Providers and Payers with necessary HIPAA-compliant software. When survey participants were asked to select the “reasons” for the lack of compliance, they responded (in ranked order) as follows:
- Providers
  - Payers are not ready to accept standard transactions.
  - Critical vendors have not provided compliant software.
  - Clearinghouses are not ready to accept or transmit transactions.
- Payers
  - Critical vendors have not provided compliant software.
  - Providers are not ready to accept standard transactions.
  - Installation of critical software updates is not complete.
Privacy Compliance
Compliance with the HIPAA Privacy Rule was required by April 2003. This survey continues to track the healthcare industry’s Privacy compliance progress to identify any remaining compliance gaps. Results for Winter 2005 are almost identical to Summer 2004 – 90% of Payer respondents indicated they were now compliant with the HIPAA Privacy regulations. Providers continue to lag behind with only 78% reporting their organizations were in full compliance.
Within the group of respondents from the Provider sector, medium-sized physician practices were the “most compliant” (95%), while smaller physician practices were the “least compliant” (67%). Hospital respondents fell within these two markers – 72% of hospitals with less than 100 beds, 81% of hospitals with 100 to 400 beds, and 82% of hospitals with more than 400 beds indicated that they were currently compliant with the Privacy Regulations. Within the Payer sector, Health Plans covering 501,000 to 1,500,000 lives were the most compliant – 100%.
As in past surveys, Privacy “compliant” organizations were asked to clarify whether gaps remained between their actual privacy practices and the requirements of the Privacy standards. Responses to questions about specific Provider and Payer privacy practices indicated that the majority of organizations have been diligent in addressing the regulations, although gaps remain. Winter 2005 responses indicated that the only area in which there are no “gaps” – for Providers or Payers – is “obtaining patient authorizations for use and disclosure of protected health information.” (See table.)
Summary of Privacy Practices Implemented for "Compliant" Organizations

| Areas of Privacy Compliance | Providers, Winter 2004 | Providers, Winter 2005 | Payers |
|---|---|---|---|
| Obtain Patient Authorizations for use and disclosure of PHI | | 100% | 100% |
| Enable mandated patients’ rights (review, amend, restrict records) | 99% | 100% | 96% |
| Post and distribute Notice of Privacy Practices | 98% | 97% | 98% |
| Provide ongoing Privacy training | 95% | 97% | 96% |
| Obtain acknowledgement of receipt of Notice of Privacy Practices | 98% | 96% | N/A |
| Maintain Accounting of Disclosures | 93% | 96% | 98% |
| Train workforce on reporting violations without risk of retaliation | N/A | 96% | N/A |
| Use “Minimum Necessary” Restrictions | 94% | 89% | N/A |
| Monitor organizational compliance with Privacy regulations | 76% | 88% | 96% |
| Have obtained all required Business Associate Agreements | 73% | 88% | 94% |
Even with slight gaps remaining in compliance with specific Privacy Rule requirements, the information provided in the preceding table shows that overall Provider and Payer compliance has improved over the past year. In the area of “monitoring organizational compliance with the Privacy Regulations,” Providers have moved from 76% last January (Winter 2004 Survey) to 88% this January (Winter 2005 Survey). Providers also improved in the area of required Business Associate Agreements – up to 88% this year from 73% last January (Winter 2004 Survey) – although these two areas remain the focus of greatest non-compliance.
When Providers were asked which areas of privacy compliance presented the greatest challenge, they ranked “managing the organizational process for accounting of disclosures” as the number one challenge and “maintaining appropriate patient privacy and confidentiality within clinical settings” as the second most challenging. The top three challenges for Payers were: “maintaining ‘minimum necessary’ when handling requests for disclosure of PHI from third parties,” “maintaining Business Associates’ contracts,” and “managing the organizational process for accounting of disclosures.”
Patient Privacy Breaches and Formal Complaints
The Winter 2005 Survey questioned “compliant” participants about reported incidents of patient privacy breaches from June to December of 2004. Almost three-quarters (73%) of Providers reported occurrences of privacy breaches. For Provider respondents: 45% indicated that they had five or fewer privacy breaches, 12% had six to ten breaches, 10% had eleven or more breaches, and 6% had an unknown number. Fifty-seven percent (57%) of Payers reported privacy breaches: 37% indicated that they had five or fewer privacy breaches, 6% had six to ten breaches, 8% had eleven or more breaches, and 6% had an unknown number.
The majority of both compliant Providers (62%) and Payers (58%) have had no formal complaint of privacy violation brought against them. Twenty-seven percent (27%) of Providers and 31% of Payers have had at least one formal complaint of privacy violation filed against them, either with the Federal government or in a civil proceeding, since the Privacy compliance deadline.
Use of Outside Consultants
Winter 2005 Survey results indicated that use of outside consultants for HIPAA remediation is slowly declining across the industry: an average of 37% of respondents (down from 42% in Summer 2004 and 49% in Winter 2004) are currently using consultants, mostly in the area of Security Rule compliance. Numbers are lower among Providers – only 34% of all Providers are actively working with consultants – while an average of 46% of Payer organizations are currently using consultants. Larger Payer organizations reported the greatest use of consultants at almost 50%. Of all Provider and Payer respondents reporting the use of consultants, 55% contracted for security assessments and implementation planning services, 38% for security awareness/education, and 33% for oversight or third party review/audit of HIPAA Security practices.
Strategies for e-Health and Return on Investment
We asked Providers if their organizations had begun to implement (or intended to implement) HIPAA-enabled or HIPAA-compliant e-Health strategies, including using the Internet to conduct business or patient care. Nineteen percent (19%) had already begun to implement e-Health strategies, and an additional 32% planned to implement them. Providers were also asked to comment on their strategies for Return on Investment (ROI) related to HIPAA initiatives. Only 23% of Providers (down from 30% in Summer 2004) indicated that implementing ROI projects was part of their HIPAA compliance efforts; however, many remained uncertain. Of those pursuing ROI benefits, all planned to expand the organization’s use of electronic HIPAA standard transactions.
In light of the obstacles and challenges in achieving compliance and recognizing ROI, the good news is that many organizations are taking advantage of available resources to better understand the benefits of HIPAA. Provider and Payer respondents (53%) chose Phoenix Health Systems’ “HIPAAdvisory.com” as the most popular tool, followed by resources offered by CMS (50%) and HHS (37%), as well as National Associations such as AHA, AHIMA, HIMSS, etc. (33%). In addition, 33% of total respondents participate in listserv-style discussion groups focusing on HIPAA (e.g., HIPAAlive).
Hospital Budgets for HIPAA 2004 vs. 2005
Graphical comparisons of specific Provider budgets, by year, are offered below. On average, smaller hospitals (less than 100 beds) will spend less than $50,000 on HIPAA compliance activities in 2005. Hospitals with 100-400 beds may spend as much as $250,000 on HIPAA in 2005. For larger hospitals (over 400 beds) spending in the $1,000,000 range is increasing.
