
HIMSS / Phoenix Health Systems

US Healthcare Industry HIPAA Compliance Survey Results:
Winter 2006


Executive Overview

As healthcare information exchange initiatives proliferate across the country, HIPAA is taking on new significance. No longer in the forefront of healthcare industry change, HIPAA standards for Privacy and Security have become important building blocks for numerous web-based communication infrastructures that support collaboration of hospitals, physicians, patients, and payers. Most states are either developing or considering involvement in a RHIO (Regional Health Information Organization), for the purpose of electronically exchanging health information across defined regions – while still protecting patient privacy and ensuring data security. The Federal government has put a renewed focus on its stated objective to form a National Health Information Network (NHIN), by contracting with four healthcare/IT groups to develop architectural prototypes. Individual healthcare organizations are internally institutionalizing the concept of a secure healthcare environment that protects patients' rights without sacrificing or interfering with quality care. They are also incorporating these principles into the fabric of new community health networks that streamline and enhance the continuum of care. Many organizations are expanding their use of electronic transactions through these infrastructures, as Federally-required standardization begins to deliver on its long-standing promise of "administrative simplification."

HIPAA's impact on the healthcare industry is evolving from "compliance" to an emphasis on new, electronically-based opportunities for better communications across the continuum of care, and for greater patient safety, cost-savings, and overall efficiency. As a result, the focus of our six-year-old series of national HIPAA Surveys has broadened to begin including reported actual and projected benefits of HIPAA implementation.

Key Findings of the Winter 2006 Survey include:

  • HIPAA Return-on-Investment
    • Both Provider and Payer Survey participants agree that HIPAA implementation has resulted in greater attention to patient privacy and data security by their workforces, as well as increased consumer confidence.
    • Twenty-two percent (22%) of Providers are implementing return-on-investment (ROI) initiatives related to HIPAA. Of these, 88% will expand their usage of standard electronic transactions. Other initiatives include computerized practitioner order-entry (CPOE) adoption and conversion to electronic medical records.
  • HIPAA Security
    • Just over half (55%) of healthcare Providers reported that they are now compliant with Security standards. Seventy-two percent (72%) of Payers are reportedly compliant.
    • The majority of non-compliant organizations projected full implementation of Security standards within six months; however, this group predicted a similar timeline in the Summer 2005 Survey.
    • Data security incidents continue to plague at least one-third of Providers and Payers.
  • HIPAA Transactions
    • Adoption of HIPAA transactions has increased steadily over the last year; as of January 2006, 84% of Providers and 73% of Payers reported that they are able to conduct all HIPAA standardized healthcare transactions.
    • About 67% of Payers are, in fact, conducting all HIPAA-required transactions, and 66% of Providers are conducting over one-half of the standard transactions.
  • HIPAA Privacy
    • Privacy compliance levels remain consistent with previous Survey reports in the last two years: 80% of Providers and 86% of Payers reported in January that they have met Privacy Rule requirements. It can be inferred that a core group of about 20% of covered entities is either unable or unwilling to implement federal Privacy requirements.
    • Even among "compliant" organizations, implementation gaps remain in certain areas, including establishing Business Associate Agreements, monitoring internal Privacy compliance, and maintaining an accounting of disclosures.
    • The incidence of Privacy breaches within Provider organizations has remained flat – but high – over the past six months, at approximately 60%. The percentage of Payers reporting privacy breaches has risen from 45% in July 2005 to 66% in January 2006. The majority of organizations experienced between one and five such breaches, but over 20% experienced six or more breaches.


THE SURVEY

Phoenix Health Systems and HIMSS conducted the Winter 2006 US Healthcare Industry HIPAA Compliance Survey from January 8 to January 23, 2006. A total of 324 healthcare industry representatives (Providers and Payers) responded to email notices about the Survey that were sent to HIMSS members and to Phoenix HIPAAlert newsletter subscribers. The online Survey was anonymously completed via the Phoenix web site, HIPAAdvisory.com.


The Participants

Provider organizations accounted for 81% (261) of participants, and Payers for 19% (63). The distribution of Survey participants follows:

  • Providers – 81%
    • Hospitals with 400+ beds: 27% of Providers
    • Hospitals with 100-400 beds: 23%
    • Hospitals with less than 100 beds: 16%
    • Medium-sized physician practices (11 to 29 physicians)/other providers: 12%
    • Small physician practices (10 or fewer physicians)/other providers: 21%
  • Payers – 19%
    • Covering fewer than 150,000 lives: 47% of Payers
    • Covering 150,000-500,000 lives: 19%
    • Covering 501,000-1,500,000 lives: 21%
    • Covering more than 1,500,000 lives: 13%

Ninety-one percent (91%) of Provider respondents and 75% of Payer respondents hold an "official" role within their organization for HIPAA compliance, and have such positions as Senior/Department Manager, Security Officer, and Privacy Officer.

Note: The percentages provided in this report are based on the total number of respondents for each question, unless noted otherwise. Some participants did not complete all questions.


Roadblocks to HIPAA Compliance

Providers and Payers varied greatly in their ranking of the roadblocks they have faced in achieving compliance with the Privacy, Security, and Transactions regulations. For Providers, "changes/potential changes in regulations/deadlines," "organizational constraints," and "no anticipated legal consequences for non-compliance" were the top three obstacles reported. For Payers, "interpretation of regulations," "inadequate expertise available," and "achieving successful integration of new systems and processes" ranked highest. These responses are reasonably consistent with the results of our 2005 Surveys. Sample comments by respondents are as follows:

Sample of Written Survey Comments/Responses:

"[Our] size limits resources available."

"Physicians [have] perception that privacy practices make them less efficient."

"[There is] lack of buy-in from senior leadership."

Both Providers and Payers rely on a variety of industry resources to better understand HIPAA. HIPAAdvisory.com, the Centers for Medicare and Medicaid Services (CMS) web site, and various listservs ranked as the top three most helpful resources used.


HIPAA Compliance Drivers

According to CMS and the Office for Civil Rights (OCR), enforcement of HIPAA Security and Privacy is "complaint-driven." However, Survey participants noted that key drivers of compliance by their organizations are somewhat different. "Peers/trading partners (including attorneys)," "press stories," and "internal whistle blowers" were ranked as the most significant factors influencing their organizations' compliance efforts.


Security Compliance

Though the deadline for compliance with the Security Rule was April 20, 2005, a large number of Providers and Payers remain non-compliant. Providers have made relatively minor progress, from 43% reporting compliance in July 2005 to 55% in January 2006. (See table below.) Among Providers, hospitals with over 100 beds had the lowest compliance levels reported: 48%. Between 33% and 40% of smaller organizations, including hospitals with fewer than 100 beds and physician practices, remained non-compliant. Reported Payer compliance levels actually decreased slightly from 74% in July 2005 to about 72% in January 2006. Among all organizations that remain non-compliant, the majority expects to be compliant within six months; it must be noted, however, that this group made the same prediction in the Summer 2005 Survey.

When reportedly non-compliant respondents were asked to list the specific Security standards their organizations had implemented thus far, "contingency planning" and "emergency access procedures" ranked lowest. "Risk management/risk analysis" and "workstation use and security" were ranked highest.

Incidents of Data Security Breaches

Providers and Payers were asked how many data security breaches their organizations had experienced in the six-month period between July 2005 and January 2006. Twenty-four percent of Providers (down from 32% reported in July 2005) experienced between one and five incidents, and 13% reported six to eleven incidents (up from 4%). Consistent with our July 2005 data, 28% of Payers experienced between one and five security incidents, though another seven percent experienced between six and eleven breaches (up from 4% reported in July 2005).


Transactions and Code Sets Compliance

The original deadline for compliance with the HIPAA Transactions and Code Sets (TCS) Rule was October 16, 2003, but CMS implemented a temporary Contingency Plan that essentially allowed non-compliance until July 2005. Compliance includes implementation of all necessary policies, procedures, processes, and systems in order to test and then conduct the standard HIPAA transactions required for healthcare business functions.

Overall TCS compliance has improved steadily over the past year. Note: respondents interpret being "ready to conduct" or "capable of conducting" transactions as being HIPAA-compliant. Thus, while 84% of Providers indicated they were fully compliant (up from 80% in July 2005 and 73% in January 2005), when asked if they were actually conducting all the necessary standard transactions for their organizations, only 46% responded affirmatively (as compared to 44% in our Summer 2005 Survey). Seventy-three percent (73%) of Payers reported "full compliance" (down from 80% in July 2005), and 67% indicated they were conducting all required transactions. Sixty-six percent (66%) of Providers reported that they are transmitting over one-half of the standard transactions. While most non-compliant organizations expect to complete TCS implementation within the next year, 7% of non-compliant Providers and 33% of non-compliant Payers reported that they have no plans to do so. (See table below for overall compliance comparison.)

When participants were asked if there were transactions that were not being exchanged with trading partners even though their own information systems were capable of conducting them, 40% of Providers and 61% of Payers said "Yes." Both groups claim that the primary reason is a lack of readiness on the other end – trading partners are not able to process the transactions. In the meantime, most Providers are utilizing Clearinghouses or direct data entry (DDE) as a work-around.

Identifying the Obstacles to TCS Implementation

The obstacles to TCS implementation being faced today by Providers and Payers are consistent with those reported during the last 18 months, with one notable exception. For the first time, non-compliant organizations ranked "insufficient management support and budget/resources" among the top three barriers to TCS implementation. They are as follows (in ranked order):

  • Insufficient management support and budget/resources.
  • Installation of critical software not complete.
  • Ambiguities in information released by CMS regarding standard transactions requirements.

Privacy Compliance

Compliance with the HIPAA Privacy Rule was required by April 2003 – but a substantial percentage of Providers and Payers remain non-compliant, according to respondents to this Survey. Just 80% of Providers and 86% of Payers indicated they were compliant with the HIPAA Privacy Regulations as of January 2006. These results are generally consistent with Summer 2005 Survey data and our preceding Surveys throughout 2005 and 2004. (See table below.)

Among Providers, hospitals with more than 400 beds were the "most compliant" (85%), while hospitals with fewer than 100 beds and large physician practices were the "least compliant" (80%). Eighty-four percent (84%) of hospitals with 100 to 400 beds, 80% of medium-sized physician practices, and 70% of small practices said they were currently compliant with the Privacy Regulations. Within the Payer sector, compliance levels also ranged between 80% and 90%, with the notable exception of Payers in the 500,001 to 1.5 million lives category, who reported 100% compliance.

As in past Surveys, we asked reportedly compliant Provider and Payer representatives to indicate their success in implementing several specific HIPAA Privacy requirements as a "reality check." The table below – comparing responses from the Winter 2006 Survey to the Summer 2005 Survey – confirms that gaps remain between actual privacy practices and the specific requirements of the Privacy standards – most significantly in the areas of monitoring internal compliance, completing Business Associate Agreements, and maintaining an accounting of disclosures.


Summary of Privacy Practices Implemented by "Compliant" Organizations

                                                                       Providers        Payers
Areas of Privacy Compliance                                           2006   2005     2006   2005
----------------------------------------------------------------------------------------------------
Obtain patient authorizations for use and disclosure of PHI           100%   100%      94%    95%
Enable mandated patients' rights (review, amend, restrict records)     98%    99%      97%   100%
Obtain acknowledgement of receipt of Notice of Privacy Practices       97%    98%      N/A    N/A
Post and distribute Notice of Privacy Practices                        97%    97%      97%    98%
Provide ongoing workforce Privacy training                             93%    97%      94%    98%
Maintain accounting of disclosures                                     94%    96%      94%   100%
Use "minimum necessary" restrictions                                   95%    94%      N/A    N/A
Monitor organizational compliance with Privacy Regulations             90%    88%      89%    93%
Have obtained all required Business Associate Agreements               87%    82%      91%    90%


The majority of Providers and Payers who have not completed implementation of Privacy requirements indicated that they expect to do so within the next six months. However, it must be noted that similar projections have been reported by this group in every Survey we have undertaken since January 2004.

Patient Privacy Breaches and Formal Complaints

Both Providers and Payers that are reportedly Privacy-compliant have experienced numerous incidents of patient privacy breaches since July 2005. Sixty percent (60%) of compliant Providers indicated that they had experienced privacy breaches between July 2005 and January 2006, compared to 59% during the preceding six-month period. Forty-one percent (41%) experienced between one and five privacy breaches, and another 19% had six or more breaches. Sixty-six percent (66%) of Payers (up from 45% in July 2005) reported privacy breaches; 54% indicated that they had between one and five privacy breaches, 3% had 11 or more breaches, and 9% had an unknown number.

The incidence of formal privacy complaints historically has been somewhat lower than the incidence of reported privacy breaches; this remained true for the period between July 2005 and January 2006. The number of reportedly compliant Providers that experienced formal complaints decreased from 27% in July 2005 to 24% in January 2006. The number of reportedly compliant Payers who experienced formal privacy complaints during the period increased from 17% to 26%. None of our respondents reported more than five formal privacy complaints between July 2005 and January 2006.


National Provider Identifier

Healthcare providers are required under HIPAA to obtain and use – by May 23, 2007 – a unique identifier when filing electronic claims, in order to help streamline related electronic processes. This Survey marks our starting point in tracking compliance with the National Provider Identifier (NPI) Rule.

Thirty-nine percent (39%) of Provider participants reported that their organizations have already applied for their NPI. Thirty-six percent (36%) have not yet applied, and the remaining 25% of respondents did not know their organization’s status. In addition, 18% of Providers have also taken first implementation steps by identifying the systems, software, and process changes that will be required. Eight percent (8%) have begun related internal testing.


National Patient Identifier System

The concept of establishing a National Patient Identifier system continues to be considered by the Department of Health and Human Services (HHS), but has remained a widely criticized concept since the inception of HIPAA. We asked both Providers and Payers if their organizations would find that the value of National Patient Identifiers would outweigh such concerns as potential errors or threats to patient privacy. Thirty percent (30%) of Providers and 45% of Payers agreed that the benefits would outweigh potential negatives. However, 23% of Providers and 28% of Payers disagreed. Roughly one-fourth of both groups had no opinion.


HIPAA Return-on-Investment Initiatives

While compliance with HIPAA is a key element of today's healthcare environment, the achievement of long-term benefits was the original driver of HIPAA in 1996 when it was legislated by Congress. In particular, implementation of HIPAA standards for Privacy, Security, and Transactions was intended to be the foundation for lowering healthcare costs and reducing errors through safe, universal electronic communication of healthcare transactions across the industry. Today, with the passing of the most critical implementation deadlines over the last three years, and the arguably high degree of compliance by most Providers and Payers, many have begun to focus on the benefits and opportunities that accompany HIPAA. For the first time, this Survey asked participants related questions to illuminate the impact of HIPAA on their organizations.

We asked Survey participants what benefits, if any, have resulted from their organizations' implementation of HIPAA Privacy (a highly controversial Rule since its inception). Both Providers and Payers ranked "greater attention to patient privacy by staff" first among benefits achieved, with "increased patient privacy," "more effective systems and processes," and "increased consumer confidence" also ranked high.

Less than five percent (5%) of all Survey participants felt that no benefits have been achieved. When asked what negative impacts, if any, have resulted from compliance with the Privacy Rule, "excessive work by staff" ranked highest, followed by "negative attitudes in patients towards HIPAA" and "negative attitudes in staff towards HIPAA." About 10% of all participants felt that their organizations had experienced no negative impacts.

Providers were asked if their organizations have begun – or intend to begin – implementing ROI initiatives related to HIPAA. One percent (1%) of Providers has already begun to implement such initiatives, and another 21% of respondents indicated that their organizations have plans to do so. Forty-nine percent (49%) do not have plans and another 29% did not know. Of those Providers undertaking ROI initiatives, 88% will expand their usage of standard electronic transactions. Examples of ROI initiatives reported include adoption of CPOE, conversion to electronic medical records (EMRs), and transacting directly with payers rather than clearinghouses.


Hospital Spending for HIPAA – 2006 Budgets vs. 2005 Actual

Hospital budgets for HIPAA compliance efforts in 2006 are generally consistent with HIPAA expenditures in 2005. See tables below for a comparison of reported spending in 2005 against 2006 budgets, based on hospital size.
