Preparing for HIPAA: How does your facility compare?

Most health care providers are doing what’s necessary to comply with the Health Insurance Portability and Accountability Act (HIPAA), according to the results of the Philadelphia-based Health Care Compliance Association’s (HCCA) second HIPAA Readiness Survey, released April 22.

For example, survey respondents indicate that most organizations have held one or two hours of training on HIPAA privacy regulations for the majority of their stakeholders, including physicians, staff, executives, and board members. Most of them also report an increase of more than five hours of training for these stakeholders.

According to the survey, organizational steps also are well under way. "Most have begun to separate the areas of privacy and security," HCCA reports.

Here are some of the important benchmarks included in the study:

  • 96% (93% previous survey) report that a HIPAA Task Force has been established;
  • 83% (77% previous survey) indicate that a privacy officer has been designated;
  • 67% (60% previous survey) have designated a security officer;
  • 61% (40% previous survey) have developed organization structure delineating responsibilities for privacy and security;
  • 82% (81% previous survey) have determined the organization’s designation as a covered entity;
  • 68% (64% previous survey) have reviewed employee screening and background-checking practices.

Thirty-seven percent of the 253 respondents, roughly three-quarters of whom were from hospitals, have developed cost estimates for privacy, security, and transaction requirements.

Notably, only 38% indicated that the privacy and security responsibilities have been assigned to one individual, compared to 53% who reported doing so in the first survey, conducted last year. HCCA suggests that one explanation for this is that most large organizations have separated the privacy officer role from the security officer role.

According to the survey, providers are moving ahead with the development of privacy policies and procedures. For example, 44% have developed a grievance policy to address complaints and breaches of confidentiality, compared to 41% in the first survey. Meanwhile, 59% have developed policies related to patient access records (53% first survey), and 44% have developed disposal of personal health information (37% first survey).

For additional findings from the survey, go to