The dog days of summer tend to reduce activity of all kinds as hot, sultry temperatures take over. This year even healthcare facilities seem to have been affected. According to the recent U.S. Healthcare Industry HIPAA Compliance Survey, payors and providers seem to be showing a seasonal deceleration in their HIPAA compliance efforts.
The survey, conducted from June 1 through June 20 this year, found that while progress has been made in all three areas of compliance -- security, privacy, and transactions and code sets (TCS) -- a surprisingly large percentage of covered organizations have yet to achieve many of the basics of HIPAA. The survey is a joint venture by consulting firm Phoenix Health Systems of Montgomery Village, MD, and the Healthcare Information and Management Systems Society (HIMSS) of Chicago.
The results are based on responses from 383 healthcare representatives who responded to an e-mail invitation to participate. Provider organizations accounted for 80% of the respondents, and payors made up the remaining 20% of the cohort. Approximately 84% of the total respondents indicated that they hold an official role within their organization for HIPAA compliance.
"Current survey results show, for the first time in the survey's six-year history, that many healthcare organizations have simply chosen not to implement many, if not all, HIPAA requirements," the study authors wrote.
The provider organizations were broken down into facility and practice categories. Approximately 22% of the respondents were from hospitals with more than 400 beds, and 17% were from institutions with 100 to 400 beds. Facilities with fewer than 100 beds made up 13% of the provider portion of the survey. Medium-size physician practices or other healthcare providers of 11 to 29 members comprised 9% of the provider respondents, while smaller practices of 10 or fewer members made up the remaining 19%, according to the survey data.
Payors were stratified into those covering more than 1.5 million lives (3%), 501,000 to 1.5 million lives (4%), 150,000 to 500,000 lives (3%), and those organizations covering fewer than 150,000 lives (10%).
According to the survey respondents, even though all major compliance deadlines have passed, the two most reported roadblocks to HIPAA adoption were the following:
- No public relations or brand problems anticipated with noncompliance
- No anticipated legal consequences for noncompliance (complaint-driven oversight)
"Many action items comprising HIPAA initiatives are dependent on steps that came before, and all require adequate resources including time, talent, and money," the study authors noted. "This complex combination of factors has been a prescription for compliance delay, if not failure, for many organizations."
Security still porous
The security compliance deadline was last April, but less than three-quarters of payors (74%) indicated that they are currently compliant with the HIPAA security regulations. However, the group as a whole has made a strong effort to become compliant in the past six months, compared with the 30% that stated they were compliant in January of this year.
Providers are struggling to achieve security compliance, although they, too, have shown significant gains over the past six months. Approximately 43% of the surveyed providers said their organizations were compliant, yet this is a vast improvement over the 18% who reported they were compliant in January.
"Of organizations that are currently noncompliant, the majority expect to achieve compliance within three to four months," the study authors wrote.
Risk management and analysis, information system activity review, and audit controls were the elements of Security Rule implementation that payors and providers deemed most difficult to implement. About half of the providers found contingency planning to be a stumbling block, while payors said security incident response and reporting was a problem for their organizations.
Security breaches remain a problem. Approximately 32% of the providers (a 12% downturn from the 40% reported in January) and 27% of payors experienced at least one security breach. The authors noted that given overall levels of Security Rule compliance, some organizations may not yet have established tracking mechanisms for security breaches.
Privacy plateau
And although compliance with the HIPAA privacy rule may have plateaued, privacy violations continue. Survey results indicate that 78% of providers and 90% of payors are compliant with the rule.
However, 18% of providers and 6% of payors report that they remain noncompliant, more than two years after the April 2003 deadline. Consistent with survey results both in June 2004 and January 2005, these numbers infer little or no progress with a core group of noncompliant covered entities.
"It is not difficult to draw the conclusion that incentives to implement HIPAA-required privacy practices have been -- and may remain -- insufficient to induce 100% compliance by the healthcare industry," the study authors wrote.
Even more troubling than the minority of compliance-resistant healthcare entities is the ongoing struggle with privacy breaches. More than half (59%) of the providers and 45% of the payors reported privacy breaches in the past six months. However, this is a marked improvement from the prior six months, when 73% of the providers and 57% of the payors experienced known privacy breaches.
TCS ticking down
The Centers for Medicare and Medicaid Services (CMS) have set an October 1 final deadline for compliance with HIPAA's TCS standards. After that date, the agency will return all reimbursement claims that do not meet compliance to their originator for resubmission as compliant claims.
Given that economic incentive, one would expect all payors and providers to be 100% compliant with TCS. However, according to the survey, approximately 20% of payors and providers are still noncompliant.
Of the 80% of payors that reported full compliance, only 68% said they were conducting all required transactions. For the providers that indicated full TCS compliance, only 44% indicated they were conducting all required transactions.
Logistical issues with information system interfaces between payors and providers continue to bedevil the healthcare industry's capability to implement TCS compliance. An average of 55% of providers and payors noted that while their information systems are capable of producing certain transactions, their trading partners cannot accept or transmit them.
"Many healthcare organizations are to be congratulated for their diligence in working toward the objectives of HIPAA," said D'Arcy Guerin Gue, executive vice president of Phoenix Health Systems. "But it is dismaying that large industry segments remain noncompliant with this national initiative to achieve standardized, secure healthcare transactions, and high patient privacy levels that will improve the quality and cost-effectiveness of our healthcare delivery system. One must ask -- if security threats, federal penalties, and prospects for significantly reducing healthcare errors, costs, and other inefficiencies are not sufficient incentives, what are?"
By Jonathan S. Batchelor
AuntMinnie.com contributing writer
August 24, 2005
Related Reading
CMS sets final date for HIPAA TCS compliance, August 5, 2005
HIPAA compliance still a distant goal as deadline looms, April 1, 2005
Evolving information threats make HIPAA Security Rule necessary, February 18, 2005
HIPAA TCS standards provide business intelligence opportunities, February 17, 2005
Seven-step approach offers help for HIPAA integration, February 14, 2005
Copyright © 2005 AuntMinnie.com