Although the Centers for Medicare & Medicaid Services (CMS) has repeatedly extended its deadline for compliance with HIPAA’s transactions and code sets (TCS) standards in the past year, the healthcare industry isn't even close to standardizing healthcare business transactions, according to the results of the summer 2004 edition of the U.S. Healthcare Industry HIPAA Compliance Survey.
The consulting firm Phoenix Health Systems of Montgomery Village, MD, and the Healthcare Information and Management Systems Society (HIMSS) of Chicago conducted the survey from June 1-15. The survey results are based on the responses of 540 healthcare industry representatives, with 86% of these respondents holding an official role for HIPAA compliance within their organization.
Provider organizations accounted for 73% of participants, payors made up 14%, vendor representatives totaled 10%, and clearinghouses comprised the remaining 3%.
According to the 2004 summer survey results, much of the healthcare industry is still struggling with HIPAA provisions.
"The crux of HIPAA transactions compliance and genuine administrative simplification is readiness by all parties. These most recent findings indicate that many providers and payers may be ready to produce compliant transactions, but their trading partners cannot accept or transmit them," said D'Arcy Guerin Gue, executive vice president of Phoenix Health Systems. "The questions that continue to stump the healthcare industry are: how will it join together, as it must, to achieve across-the-board readiness, and when will it do so?"
TCS -- better than half
If TCS compliance today were to be assigned a letter grade, a solid "D" is the best U.S. healthcare has achieved. Progress with TCS compliance is not overly encouraging; only 65% of providers, 62% of payors, and 64% of clearinghouses indicate that they are currently fully compliant, according to survey results.
Even more troubling, the survey found that less than half of providers and payors are conducting all the standard transactions required for their business functions. Of the covered entities not yet compliant, 68% have completed internal testing, but only 27% have completed external testing. In addition, only 50% of providers and 46% of payors have completed other TCS remediation activities unrelated to testing.
The key measure of TCS compliance focuses on whether a covered entity is currently conducting the transactions required for its business functions using the standard HIPAA transactions. Responses to the survey indicate that less than half of the participants are actually compliant with using the standard transactions. Only 44% of the total provider respondents and 44% of the total payor respondents were conducting all the transactions required for their specific organizations.
Healthcare information systems, such as RIS, that are already in place aren't the culprits for the TCS compliance breakdown. More than 60% of the payors and half of the providers indicated that there are transactions that their information systems can produce, but that are not being conducted due to the inability of trading partners to accept or transmit them.
The survey asked the reason for lack of full TCS compliance, and most covered entities cited trading partners’ lack of compliance and coordination as causes. In fact, 51% of providers reported that their payors were not ready to accept or transmit IS-based transactions, and 34% of providers indicated clearinghouses were not ready. On the other hand, 62% of payors claimed having systems in place that were capable of conducting certain transactions that their providers could not yet process.
Finger pointing aside, the healthcare industry is aware it has a problem and is seeking more time to find a solution. The survey results show that 40% of providers, 36% of payors, and 51% of vendors feel that the CMS should maintain its contingency plan for another three months.
Currently, the CMS contingency plan remains in effect and allows acceptance of noncompliant HIPAA transactions. However, on July 1, CMS modified its guidelines so that noncompliant transactions submitted to Medicare require another 13 days for payment. For practices struggling to maintain revenue flows, this decision provides cold comfort.
"It is easy to report noncompliance, but the bigger question must focus on identifying what needs to done, and then taking the right steps so that standardization of business transactions can take place," said Joyce Sensmeier, HIMSS director of professional services.
Privacy -- of a sort
Despite the risk of complaints and federal penalties (the HIPAA Privacy Rule deadline was April 2003), 22% of providers and 9% of payors reported that they remain noncompliant with the Privacy Rule, according to survey results.
It is of interest to note that payors saw a 5% increase in Privacy Rule compliance since the last survey (January 2004), while providers reported a 2% decrease in compliance. Within the group of provider respondents, medium-size physician practices were the most compliant at 94%, while hospitals with 100-400 beds were the least compliant at 67%. On a more positive note, 71% of noncompliant providers expect to complete privacy remediation within the next three months, according to survey findings.
The report said that even compliant organizations cited gaps in key areas, including establishing business associate agreements and monitoring internal privacy compliance. Implementation of comprehensive privacy programs remains to be completed, according to survey results, with a troubling 64% of provider and 58% of payor respondents reporting between one and five privacy breaches in the first six months of 2004.
Security -- a work in progress
Although compliance with the HIPAA Security Rule is not required until April next year, the survey asked all the groups for their current compliance levels, projected timelines for remediation efforts, and the measures implemented to ensure secure transmission of transactions. Overall, the survey noted that organizations appear to be focusing on the Security Rule, but progress toward compliance remains slow.
Providers did make some progress over the past six months, the authors noted, with compliance levels increasing from 12% in the winter 2004 survey to 18% in the summer 2004 survey. However, compliance levels among payors, 13%, and clearinghouses, 40%, have not improved since the previous survey. An encouraging 65% of the polled vendors expressed confidence that they are meeting their Security Rule-related obligations today as a business associate of covered entities.
The majority of respondents -- 87% of providers, 91% of payors, and 90% of clearinghouses -- reported that their organizations will be ready on or before the April 21 deadline.
The respondents were asked to indicate the number of security breaches their organizations had experienced in the past six months. Of concern is the finding that more than 30% of the group had experienced at least one data security breach, with 28% of providers (up from 21% in the winter 2004 survey) and 17% of payors (down from 25%) reporting that they had experienced one to five data security breaches.
However, because compliance with the HIPAA Security Rule is not yet required, it is likely that some organizations have yet to fully establish tracking mechanisms for security breaches, noted the survey report.
By Jonathan S. Batchelor
AuntMinnie.com contributing writer
August 30, 2004
Related Reading
Web connectivity brings payor, provider benefits, February 25, 2004
HIPAA TCS standards float in compliance limbo, October 17, 2003
HIMSS offers advice on CMS contingency plan, September 25, 2003
CMS to accept non-compliant transactions after October 16, September 23, 2003
New HIPAA transaction standards in spotlight, September 16, 2003
Copyright © 2004 AuntMinnie.com