Survey: HIPAA security compliance not imminent

Numbers declined in recent months

As this month’s Health Insurance Portability and Accountability Act (HIPAA) security rule deadline arrives, overall compliance with the rule does not appear imminent, judging from a recent survey by the Chicago-based Healthcare Information and Management Systems Society.

April 20, 2005, is the compliance deadline, but only 74% of health care providers anticipated being ready by that date when questioned for the survey, which was co-sponsored by Phoenix Health Systems, a nationwide health care information management firm based in Montgomery Village, MD.

Only 18% of providers indicated they were currently compliant with the security rule when questioned for the U.S. Healthcare Industry HIPAA Compliance Winter 2005 Survey, the results of which were released in mid-February. The same percentage reported readiness when surveyed in June 2004. Thirty percent of payers said they were compliant with the security regulations in the most recent survey, up from 13% in June.

The total number of organizations that were not yet compliant but expected to achieve compliance on or before the deadline actually declined in the six months prior to the survey. Meanwhile, 40% of providers and 26% of payers said they had experienced at least one data security breach since June 2004, according to the survey.

While 87% of providers in summer 2004 anticipated compliance by the deadline, only 74% predicted in the winter 2005 survey they would be compliant by then. The percentage of payers predicting compliance by the deadline declined from 91% in summer 2004 to 80% in the winter 2005 survey.

However, the survey results did indicate organizations were making progress in two key areas of security rule compliance:

  • 93% of providers and 98% of payers had designated an individual as the security officer/official.
  • 32% of provider organizations had conducted required HIPAA security training, with an additional 60% expecting to finish before the deadline.
  • 37% of payer organizations had conducted the required training, with another 58% expecting to finish before the deadline.

Also, as part of the survey, providers and payers were asked to indicate all security standards they found difficult to implement, and differed only slightly in their assessments.

The following reflect the percentage of each group that checked the noted item as one of the standards they found difficult to implement:

Providers

  • Audit controls (55%)
  • Risk management/risk analysis (49%)
  • Information system activity review (48%)
  • Data backup plan/disaster recovery plan/emergency mode operation plan (39%)

Payers

  • Information system activity review (40%)
  • Risk management/risk analysis (34%)
  • Audit controls (32%)
  • Data backup plan/disaster recovery plan/emergency mode operation plan (29%)

Privacy compliance not complete

Asked about their status regarding the HIPAA privacy standard, 78% of providers and 90% of payers said they are compliant with the privacy rule, almost two years after the April 2003 deadline. Sixteen percent of providers and 8% of payers reported that they remain noncompliant, which reflects little or no improvement since the June 2004 survey.

Even among compliant organizations, gaps remain in certain areas, such as establishing business associate agreements and monitoring internal privacy compliance, the survey found.

Seventy-three percent of providers and 56% of payers reported their organizations had experienced one or more privacy breaches over the past six months. Additionally, the survey revealed that 27% of providers and 31% of payers have had at least one formal complaint of privacy violation against them, either with the federal government or in a civil proceeding, since the compliance deadline.

Progress toward compliance with the HIPAA transactions and code set (TCS) standard was made in the six months between the surveys, the sponsors reported, with 73% of providers and 70% of payers indicating compliance, up from 65% and 62%, respectively.

In other survey data concerning the TCS standard:

  • 90% of providers are transmitting at least one of the HIPAA standard transactions to their payers; 70% of providers are transmitting more than half of the transactions, and 49% are transmitting all of them.
  • 56% of payers are capable of conducting all of the HIPAA standard transactions.
  • 47% of providers and 62% of payers indicated there are transactions that their information systems are capable of producing, but that are not being conducted at this time, in part due to the inability of their trading partners to accept or transmit them.
  • 48% of providers and 65% of payers are taking advantage of the Centers for Medicare & Medicaid Services contingency plan. However, the percentage of organizations that support continuance of the plan is declining.