HIPAA Regulatory Alert: Survey finds major progress toward HIPAA compliance

HHCA compares old, new responses

According to a survey just released by the Minneapolis-based Health Care Compliance Association (HCCA), the health care industry is continuing to take the necessary steps to ensure compliance with sweeping changes required by the Health Insurance Portability and Accountability Act (HIPAA). The deadline set by the government for the health care industry to comply with new regulation is April 14, 2003. Here are some of the major findings included in the study:

HIPAA Education

Survey respondents indicate that most organizations have held one or two hours of HIPAA privacy training for the majority of the stakeholders such as medical staff, nursing staff, executives, and board members. According to the HIPAA Readiness Survey results, 33% of executive staff received three to five hours of HIPAA training. In all cases, those indicating that no training had been conducted decreased from the previous surveys. (To see survey results, click here.)

Fifty-seven percent of respondents have developed cost estimates for the privacy, security, and transaction requirements, according to the survey.

Policies and Procedures

According to the survey, 68% of respondents have developed policies and procedures related to discipline for breach of privacy principles and security. Progress on other policies developed include the following:

Forty-eight percent of respondents have developed policies addressing the potential exposure of protected health information (PHI) through viewing, paging, or other operational activities, and 55% report having developed policies related to verbal discussions of PHI by authorized persons. (To see survey results, click here.)


According to the survey, 38% of respondents reporting on Security aspects of HIPAA indicate they have performed a "penetration analysis" to determine where and how security breaches may occur; 52% have assessed the physical location and the type of storage media to be used of all PHI; 36% have addressed how to authenticate users and receivers of health information.

Transaction and Code Sets Preparation

Seventy-eight percent of respondents have identified all transaction standards and code sets. Other survey results related to transaction and code sets preparation include:

The rule requires that transaction and code sets be in place by October 2002, but the deadline was pushed back one year to October 2003. (To see survey results, click here.)

HCCA’s Third HIPAA Readiness Survey, released Dec. 11, was conducted in fall 2002 and compares the results to a similar survey conducted in fall 2001. The association developed the survey to track the industry’s progress in preparing for HIPAA privacy and security. It is meant to be a snapshot of the health care industry’s progress rather than a statistically valid study.

Complete results available

The association mailed 3,273 surveys, and 289 surveys are completed and returned. According to the respondents, 96 (33%) came from hospitals, 76 (26%) from health care systems, 26 (9%) from physician/clinics, 21 (7%) from nursing homes, 19 (7%) from academic medical centers, 17 (6%) from health plan, and 34 (12%) indicated "other." Seventy-two percent indicated their organizations were not-for-profit, while 18% were designated as for-profit.

Thirty-seven percent of the respondents indicated their facilities are located in urban areas, 29% are in suburban areas, and 18% are in rural areas. The complete results of this survey are available on the HCCA web site, www.hcca-info.org.