HIPAA emerges as top compliance issue

Sixty-two percent of survey respondents to the Philadelphia-based Health Care Compliance Association’s (HCCA) Fourth Annual Profile of Health Care Compliance Officers report that compliance with the Health Care Portability and Accountability Act (HIPAA) is the biggest issue they face today.

In response to the question, "What specific goals do you hope to achieve in your compliance program in the next three years?" HIPAA compliance also was cited most frequently (84%), closely followed by monitoring/auditing (83%), education/training (76%), and conducting program effectiveness evaluations (65%).

Many compliance officers say this finding illustrates the almost dual role that compliance officers now face in getting their organizations ready for the sweeping privacy regulations, which go into effect in April 2003.

HIPAA clearly is a priority with all hospitals, says Anthony Boswell, chief compliance officer for Laidlaw in Arlington, TX. He says the initial challenge for hospitals was trying to determine what version of privacy and security regulations would be implemented and whether a privacy or security officer would be required. The challenge today is meeting obligations in the face of diminishing resources, Boswell says.

According to the HCCA survey, the average departmental budget increased 12%, from roughly $293,000 last year to $327,000 this year. There is a wide disparity, however, with larger organizations averaging almost $690,000 and smaller organizations hovering around $130,000.

Further complicating budgetary matters for hospitals is the uncertainty surrounding the security requirements of HIPAA. A final regulation in that area is expected by the end of the year, but there is no guarantee that will happen. Privacy regulations are scheduled to become effective in 18 months and the transaction requirements are scheduled to take effect October 2002.

Further delays are still possible, however. For example, Sen. Larry Craig (R-ID) still is pushing a bill he introduced last spring that would establish a delayed compliance date for several areas including transactions and security. If that bill passes, the deadline for the transaction requirements would be extended until October 2003. House Ways and Means Committee Chairman Bill Thomas (R-CA) opposes the measure.

Last year, two-thirds of all survey respondents ranked program development/implementation as a top priority, but only 29% cited that as a top issue this year. The other priority issues cited this year — monitoring/auditing (83%) and education/training (76%) — were no surprise.

Many of the other trends uncovered by the survey were more subtle. The number of respondents who say their major constituencies have a basic understanding of compliance increased from 84% last year to 87% this year. The number of organizations that reported having an active compliance program in place increased from 55% in 1999 to 71% in 2000, and to 80% in 2001.

The percentage of organizations with a compliance officer job description inched up from 82% last year to 86% this year. Sheryl Vacca, a director with Deloitte & Touche in Sacramento, CA, says that any hospital that lacks a job description does not even have the basics in place.

According to Vacca, the first prerequisite to an effective compliance program is to be sure that everybody understands the responsibilities of the compliance officer. "If all you are doing is reporting and other activities, people do not understand what the job actually does," she asserts.