Three weeks after the publication of this story, the compliance deadline for the HIPAA Security Rule arrives. According to a survey conducted in January this year, the vast majority of healthcare providers and payors in the U.S. report that they are still far from compliant with HIPAA security regulations.
The U.S. Healthcare Industry HIPAA Compliance Survey, conducted from January 4 through January 20 this year, found that only 30% of the surveyed payors and a mere 18% of the responding providers indicated that they are currently compliant with the HIPAA Security Rule. The survey is a joint venture by consulting firm Phoenix Health Systems of Montgomery Village, MD, and the Healthcare Information and Management Systems Society (HIMSS) of Chicago.
The results are based on responses from 400 healthcare representatives who replied to an e-mail invitation to participate in the survey. Provider organizations (318) accounted for 80% of the respondents, and payors (82) made up the remaining 20% of the cohort. Approximately 84% of the total respondents indicated that they hold an official role within their organization for HIPAA compliance.
"For the first time, our survey focused solely on healthcare provider and payor organizations, requesting feedback to determine compliance status with specific HIPAA Security, Transactions and Code Sets (TCS), and Privacy requirements," the study authors wrote.
The provider organizations were broken down into facility and practice. Approximately 25% of the respondents were from hospitals with 400+ beds, 17% from institutions with 100-400 beds, and facilities with fewer than 100 beds made up 14% of the provider portion of the survey. Medium-size physician practices of 11-29 members comprised 7% of the provider respondents, while smaller practices of 10 or fewer members made up the remaining 17%.
Payors were stratified into those covering more than 1.5 million lives (4%), those covering 501,000 to 1.5 million lives (4%), those with 150,000 to 500,000 lives (4%), and those organizations covering fewer than 150,000 lives (8%), according to the survey data.
According to the results of the 2005 winter survey, much of the healthcare industry is still struggling with HIPAA provisions.
"By all indications, the road to compliance remains difficult," the study authors noted.
TCS -- still a struggle
Although the Centers for Medicare and Medicaid Services (CMS) has extended its October 2003 contingency plan for compliance with HIPAA's TCS standards for more than a year, logistical issues still exist. If TCS compliance today were assigned a letter grade, U.S. healthcare has risen to a C- from the D it earned in the last survey.
Progress with TCS compliance is not overly encouraging; only 73% of providers and 70% of payors indicate that they are currently fully compliant, according to the survey. Both groups have risen 8% in their TCS compliance since a June 2004 survey.
The survey authors noted that although 73% of the providers said they were fully TCS compliant, only 49% responded that they were actually conducting all of the HIPAA standard transactions. On the payor side of the TCS equation, 56% indicated that they are conducting all of the HIPAA standard transactions.
All is not bleak for TCS compliance -- approximately 90% of the surveyed providers are transmitting at least one of the HIPAA standard transactions to payors. In addition, the survey found that 70% of providers are transmitting more than one-half of the transactions and 49% are transmitting all of them.
Logistical issues with information system interfaces between payors and providers continue to bedevil the healthcare industry's capability to implement TCS compliance. More than 60% of the payors and almost half of the providers indicated that there are transactions that their information systems are capable of producing, but that are not being conducted due to the inability of trading partners to accept or transmit them.
"The primary obstacle (to TCS implementation) is that certain provider and payor organizations are still not ready or able to process the standard transactions," the survey authors wrote. "Of equal importance is the assertion that critical vendors have not supplied providers and payors with necessary HIPAA-compliant software."
Privacy -- enforcement on the rise
The deadline for the HIPAA Privacy Rule was April 2003, and despite the risk of complaints and federal penalties, 16% of providers and 8% of payors continue to report that they remain noncompliant with the privacy rule, according to the survey. This represents little to no change in privacy compliance since the June 2004 survey.
Among the providers, medium-size physician practices were the most compliant (95%), while smaller physician practices indicated the most trouble with adopting the privacy rule, with only 67% reporting compliance. The respondents from hospitals with 400+ beds reported 82% compliance, hospitals with 100-400 beds said they were 81% compliant, and facilities with fewer than 100 beds claimed 72% compliance.
Although almost two years have elapsed since the privacy rule was implemented, gaps remain in certain areas, such as the establishment of business associate agreements and the monitoring of internal privacy compliance, the survey noted. Even more troubling, 73% of the providers and 56% of the payors reported that their organizations had experienced one or more privacy breaches over the last six months of 2004.
Enforcement of the privacy rule is starting to rear its head among the survey respondents. According to the report, approximately 27% of the providers and 31% of the payors have had at least one formal complaint of privacy violation filed against them, either with the U.S. government or in a civil proceeding, since the privacy compliance deadline.
Security -- a long way to go
Although compliance with the HIPAA Security Rule is breathing down the necks of U.S. healthcare providers -- April 20 this year -- there has been essentially no progress in adopting its provisions (18% report compliance) within this survey group in the past six months. Hospitals are even more unprepared, according to the survey. Only 9% of 400+ bed facilities reported being compliant, and 18% of institutions with fewer than 400 beds said they were compliant with the security regulations.
Payors have demonstrated a 17% improvement in security compliance since the June 2004 survey was taken, with 30% stating compliance, up from 13% last year.
Four elements of the security rule were deemed the most difficult to implement by both payors and providers: audit controls, risk management/risk analysis, information system activity review, and the data backup plan/disaster recovery plan/emergency mode operation plan.
Both payors and providers are optimistic that they will be in compliance with the security rule by this month, with 74% of the providers and 80% of the payors indicating a belief that they will meet the CMS deadline. Perhaps recognizing that compliance is not an easy effort, this represents a 13% decline in expected readiness among providers and an 11% drop-off by payors from the June 2004 survey.
The respondents were asked to indicate the number of security breaches their organizations had experienced in the past six months. Of concern is the finding that nearly half of the group had experienced at least one data security breach, with 40% of providers (up from 28% in the summer 2004 survey) and 26% of payors (up from 17%) reporting that they had experienced a data-security breach.
The survey authors noted that the continuing lack of security rule compliance may be compromising overall HIPAA objectives.
"Until healthcare providers and payors can confirm that their systems are secure -- that patient data is not vulnerable to inaccessibility or loss, damage or alteration, and/or theft or intrusion -- the ever increasing use of HIPAA standard electronic transactions that has been encouraged by the federal government threatens to turn into patient privacy and security breaches waiting to happen," they wrote.
By Jonathan S. Batchelor
AuntMinnie.com staff writer
April 1, 2005
Copyright © 2005 AuntMinnie.com