New Provider Survey: HIPAA Infrastructure is Growing
Philadelphia, PA - December 5, 2001 - The health care industry
appears to have taken the organizational steps necessary to comply
with the HIPAA privacy rule, according to a survey conducted by
the Health Care Compliance Association (HCCA) through an unrestricted
educational grant from Vinson & Elkins, LLP. This new regulation, which
affects every aspect of the health care industry's business
and clinical operations, calls for sweeping changes in the way in
which an individual's health information is handled. Hospitals,
physicians, laboratories, outpatient clinics, surgery centers, nursing
homes, home care, managed care, health care insurers, and other
health care entities are all affected by this new omnibus rule.
The government has given the health care industry until April 2003
to comply with the comprehensive regulation meant to protect the
privacy of an individual's medical information. The HCCA released
the results of a HIPAA privacy readiness survey, which it conducted
of its members in the fall of 2001, during the December 5 morning
session at the HIPAA Forum, held in San Diego, CA. The HCCA received
237 completed surveys.
According to the survey, 107 of the responses came from hospitals.
In addition, 62% of the respondents indicated their facilities are
located in urban areas, 22% are in suburban areas, and 16% are in
rural areas.
An important step toward implementing this new rule is educating
the organization on the way patients' medical information will
be handled. Staff education about the new privacy rules is under
way. Most organizations have held one or two hours of training on
HIPAA privacy regulations for the majority of their stakeholders: physicians,
staff, executives, and board members. According to the survey, 55%
indicate their Board of Directors has already received one to two
hours of HIPAA education, 52% indicate the same for staff, while
46% report that medical staff has received one to two hours of training
on HIPAA privacy, and 42% of executive staff has received the same.
The survey also indicates that 43% of medical staff, 30% of Board
of Directors, 31% of staff, and 8% of executive staff have received
no HIPAA privacy training.
Initial organizational steps are underway. Of those responding
to the survey,
- 93% report that a HIPAA Task Force has been established,
- 77% indicate that a Privacy Officer has been designated,
- 64% have reviewed employee screening and background checking
practices,
- 81% have determined the organization's designation as a covered
entity,
- 60% report that a Security Officer has been designated, and
- 54% report that the Privacy and Security responsibilities have
been assigned to one individual.
Respondents report that 40% have developed organizational structures
that delineate responsibilities for privacy and security, while
33% have developed cost estimates for privacy, security, and transaction
requirements.
The development of HIPAA privacy policies and procedures is moving
forward. Forty-nine percent (49%) note policies have been developed
related to discipline for breach of privacy principles and breaches
of security, 41% have developed a grievance policy to address complaints
and breaches of confidentiality, and 53% have developed policies
related to patient access to records. However, 78% indicate they
have not developed "access to minimum necessary information"
policies, 80% have yet to develop policies addressing the potential
exposure of PHI [protected health information] through viewing,
paging, or other operational activities, and 73% have not developed
policies related to verbal discussions of PHI by authorized persons.
The fact that the security regulations related to health information
are proposed and not final may explain why security preparations
are not as far along. According to the survey, 26% of survey respondents
reporting on Security aspects of HIPAA indicate that they had performed
a "penetration analysis" to determine where and how security
breaches may occur, 19% have determined how system security will
be certified for compliance, 29% have assessed the physical location of,
and the type of storage media to be used for, all PHI, 23% have addressed
the issue of how to authenticate users and receivers of health information,
and only 11% have asked if vendors have been through a SAS70 audit.
Those responding to the survey on issues related to Transaction
and Code Sets report that 59% have identified all transaction standards
and code sets, 32% have determined preparedness of trading partners,
28% have developed a system for ongoing maintenance of standards
transactions and code sets, 30% have educated the business office on
standards and code sets, and 47% have identified all electronic
data interchange partners. The rule requires that Transaction and
Code Sets be in place by October 2002.
Read the complete survey results on HCCA's web site (PDF).