The trusted source for
healthcare information and
HIPAA Regulatory Alert: Surveys gauge current state of HIPAA compliance
HIMSS, OIG release results of separate surveys
Now that two significant HIPAA compliance deadlines have passed — the April 14 deadline for health care industry compliance with the privacy rule and the April 16 deadline for health care business operations to begin testing transactions and code sets — it’s time to take stock of how far along health care organizations really are when it comes to HIPAA compliance. To that end, both the Department of Health and Human Services’ Office of Inspector General (OIG) and Healthcare Information Management Systems Society (HIMSS) have conducted surveys of health care providers.
HIMSS and Phoenix Health Systems conducted the HIMSS Spring 2003 HIPAA Survey. Among its findings are the following:
Looking at privacy compliance in more depth, HIMSS reports that some 98% of reportedly compliant providers have implemented the most publicly visible requirements, such as the Notice of Privacy Practices, obtaining patient acknowledgement of receipt of the notice, and obtaining patient authorizations for use and disclosure of protected health information. But only 88% have put in place other requirements, such as a process for providing an accounting of disclosures to patients, or setting minimum-necessary protected health information access restrictions on health care workers.
Forty percent of "compliant" providers indicated they had not yet finalized business associate agreements that will ensure that business partners with access to protected health information are protecting patient privacy. Twenty-nine percent have not implemented a working process for monitoring privacy compliance, and 18% do not yet have the privacy rule’s required data security protections in place.
A more intense look at the transaction and code set compliance report suggested to HIMSS that on-time implementation of the highly visible privacy regulations may have dominated the focus of health care HIPAA compliance efforts in recent months. That emphasis may have delayed transactions and code sets compliance efforts in many health care enterprises, especially provider organizations.
In this survey, only one-half of all participants reported completing of transaction and code sets implementation activities, and just 53% had begun internal testing by the April 16 deadline. Still, a majority of organizations had completed transaction and code sets HIPAA awareness/education (78%), assessment (73%), and implementation project planning (67%). Further, almost 40% of respondents already had begun external testing with business partners.
Internal transaction testing was being conducted by 49% of all providers, 62% of payers, 55% of vendors, and 80% of clearinghouses as of the April 16 testing deadline. Only 39% of providers, 37% of payers, 39% of vendors, and 53% of clearinghouses were conducting external testing with their trading partners as of the testing deadline.
Spring 2003 survey results showed that 44% of respondents across the industry were using outside consultants to support HIPAA initiatives. As in the past, the biggest users of consultants were larger hospitals (46%) and payers (66%). Approximately 30% of respondents engaged consultants for assessment and implementation planning services, 22% for implementation support, and about 45% for HIPAA awareness and training support.
Hospital budgets for HIPAA compliance in 2003 generally are higher than 2002 HIPAA budgets. Also, payer budgets for 2003 are significantly higher than in 2002, especially for larger payer organizations.
Part A readiness
Meanwhile, OIG’s report used a mail survey of Medicare Part A providers to assess level of readiness in four broad areas — assessment and awareness activities, impediments or current obstacles to achieving compliance, compliance strategies such as sequencing and testing plans, and contingency planning.
OIG says that almost all Part A providers have submitted a compliance extension form giving them until Oct. 16, 2003, to implement electronic standards and code sets. At the time of the OIG survey, 74% of providers were ready to implement the HIPAA electronic standards, and 96% indicated that they had a moderate to high level of satisfaction that they expected to meet the October deadline.
The 4% of providers not expecting to meet the compliance deadline said they were in the process of identifying the steps necessary to implement the standards.
While fewer than 30% of the providers had begun any testing, 90% will have a testing strategy. Most of the testing strategies include internal and external data interfaces. About 25% had begun to test transactions as of November 2002. However, only slightly more than 44% had received any notices from fiscal intermediaries or carriers regarding coordination of electronic transaction testing.
Strategies and barriers
When asked which strategy providers were using to implement the HIPAA standards, they most frequently identified these four: internal staff planning, developing, and implementing the standards; technical systems consultants working with staff and assisting in the process; technical systems consultants or vendors taking full responsibility for planning, developing, and implementing standards; and purchasing components of a new system or additions to current systems from a selected vendor to meet the standards.
Likewise, when asked to list as many as three barriers to compliance, 60% of the respondents listed one or more. The most common were: trading partners will not be ready; vendors will not be ready; inadequate staffing, training, and technical resources; and not enough time to implement.
One-third of those who listed any barriers identified their trading partners (specifically third-party payers, fiscal intermediaries, and/or the Centers for Medicare & Medicaid Services) as potential barriers to compliance. Providers who did not believe they would meet the compliance deadline expressed similar concerns. They cited their trading partners as a potential barrier, as well as inadequate resources.
More information is available from www.hipaadvisory.com.