HIPAA Regulatory Alert

Survey suggests shift toward long-term benefit

55% of providers compliant with security standards

The latest U.S. Healthcare Industry HIPAA Survey sponsored by the Healthcare Information and Management Systems Society and Phoenix Health Systems indicates participants in the health care system view the HIPAA privacy and security standards as building blocks for web-based communication structures rather than simply a compliance burden.

"Most states are either developing or considering involvement in a regional health information organization," the survey says, "for the purpose of electronically exchanging health information across defined regions while still protecting patient privacy and ensuring data security … Individual health care organizations are internally institutionalizing the concept of a secure health care environment that protects patients' rights without sacrificing or interfering with quality care. They are also incorporating these principles into the fabric of new community health networks that streamline and enhance the continuum of care. Many organizations are expanding their use of electronic transactions through these infrastructures, as federally required standardization begins to deliver on its long-standing promise of administrative simplification. HIPAA's impact on the health care industry is evolving from 'compliance' to an emphasis on new, electronically based opportunities for better communications across the continuum of care, and greater patient safety, cost-savings, and overall efficiency."

Participants in both the payer and provider surveys indicated HIPAA implementation has resulted in greater attention to patient privacy and data security by their employees and increased consumer confidence. Some 22% of providers are implementing return-on-investment initiatives related to HIPAA, with 88% of them expanding use of standard electronic transactions. Other initiatives include adoption of computerized practitioner order entry and conversion to electronic medical records.

Some 55% of providers reported compliance with HIPAA security standards, along with 72% of payers. The majority of non-compliant organizations projected full implementation of security standards within six months, although the report authors noted that this group gave a similar time projection in the summer 2005 survey. Data security incidents continue to plague at least one-third of both payers and providers.

HIPAA transaction use growing

Adoption of HIPAA transactions has increased steadily over the last year and, as of January 2006, 84% of providers and 73% of payers reported being able to conduct all HIPAA standardized health care transactions. Some 67% of payers said they were actually conducting all HIPAA-required transactions, and 66% of providers reported conducting more than one-half of the standard transactions.

The report said privacy compliance levels remain consistent with previous survey results over the last two years — 80% of providers and 86% of payers reported in January they had met privacy rule requirements.

"It can be inferred that a core group of about 20% of covered entities is either unable or unwilling to implement federal privacy requirements," the authors said.

But even among compliant organizations, there are implementation gaps in certain areas, including establishing business associate agreements, monitoring internal privacy compliance, and maintaining an accounting of disclosures.

The incidence of privacy breaches in organizations has remained flat but high at 60% over the past six months. The percentage of payers reporting privacy breaches increased from 45% in July 2005 to 66% in January 2006. The majority of organizations experienced between one and five such breaches, but more than 20% experienced six or more.

Download the survey report from www.hipaadvisory.com/action/surveynew/results/winter2006.htm.