Management staff have little HIPAA knowledge

Your management team may still be in the dark about regulations governing electronic health information, a new survey shows.

The survey was conducted by HIPAAlert, a free e-mail newsletter published by Phoenix Health Systems. The survey asked about respondents’ "first steps" in complying with the long-awaited standards on electronic health information, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). About 425 organizations responded to the on-line survey, more than half from hospitals. Other respondents included payers, vendors, and consulting firms. About half of the respondents said they play a role in HIPAA compliance in their organizations.

Here are some of the highlights from the survey:

• Senior and middle management knowledge of HIPAA in all responding organizations is low, indicating a serious need for education and training. More than half of all respondents ranked their senior management’s knowledge of HIPAA as low. Over two-thirds ranked the department heads’ knowledge of HIPAA in their organizations as low. This points to the need to better educate the leaders of the health care community.

Respondent comments included, "There are still only a few of us who try to keep up with HIPAA," and "Y2K was bad enough. . . . Management seems to want to turn a deaf ear on HIPAA."

HIPAAlert did find the survey encouraging in that most respondents indicated that HIPAA training is under way in their organizations. However, this response may be skewed by the possibility that respondents to this survey (and therefore, their organizations) may be more advanced in their interest in, and attention to, HIPAA issues, the newsletter reports. Typically, HIPAA training is being performed by internal staff, rather than by outside experts or consultants.

• In provider organizations, the compliance/security officers or the CIO are most frequently asked to take leadership of HIPAA compliance. Among the 199 provider respondents answering this question, approximately 25% have given their compliance/security officers responsibility for HIPAA compliance. Another 25% of the providers have given responsibility to the CIO, 10% to the medical records director, and just under 10% to the risk manager. The remaining 30% have selected other individuals.

• A large portion of all organizations responding are already working on risk assessments and action plans, or will be within the next three months. Two-thirds or more of respondents’ organizations are taking the following specific actions within the next three months: budgeting funds, taking inventory of systems, and alerting vendors and partners. However, 20% of providers are waiting at least six months to do their plans, thereby eating significantly into the time allowed to achieve compliance. Most vendors are working on an action plan now.

HIPAAlert says it finds the 20% of providers waiting at least six months before developing an action plan to be somewhat worrisome. Even taking into account the current delays in publishing the final regulations, these providers may end up spending a substantial portion of the two-year compliance period on planning, at the risk of leaving insufficient time for implementation and testing, HIPAAlert says. Some providers are taking their time. As one person responding to the survey explained, "Things haven’t heated up yet — let’s wait for the regs!" That wait may be a costly one, HIPAAlert comments.

• So far, vendors are more aggressive in planning and taking actions such as budgeting, taking inventory of systems, and alerting partners.

The survey shows that as a group, vendors have more immediate plans for action than all other respondents.

