While healthcare security and privacy breaches have become recurrent front-page stories, a recent report found that nearly half of U.S. healthcare providers have made little progress in HIPAA Security Rule compliance.
It's not just HIPAA security provisions that are bedeviling providers and payors -- a substantial percentage are still struggling with Privacy Rule compliance as well, according to the study.
The U.S. Healthcare Industry HIPAA Compliance Survey, conducted from July 15 through August 9 this year, found that even though compliance deadlines have come and gone there are still issues with the central regulations of HIPAA: security, privacy, and transactions and code sets (TCS). The survey, conducted semiannually for the past six years, is a joint venture of consulting firm Phoenix Health Systems of Montgomery Village, MD, and the Healthcare Information and Management Systems Society (HIMSS) of Chicago.
The results are based on responses from 220 healthcare representatives who responded to an e-mail invitation to participate. Provider organizations (178) accounted for 81% of the respondents and payors (42) made up the remaining 19% of the survey group.
Even though compliance with the multifaceted HIPPA regulations has required some Herculean efforts on the part of providers and payors, adherence to the standards has provided organizational benefits.
"Despite the privacy provisions, which remain a thorn in the sides of many healthcare workers -- and some patients -- many healthcare leaders agree that implementation of HIPAA standards is making a difference that is undeniably positive," the survey authors wrote.
Security -- size matters
Interestingly, the larger a provider organization is, the less compliant it is with the HIPAA Security Rule, according to the survey.
"Hospitals with less than 100 beds and large physician practices were the most compliant provider groups (70%), reflecting a significant increase from 48% in January 2006," the authors wrote. "Fifty-four (54%) percent of medium-sized practices reported compliance (up from 33% in January 2006), and 68% of small practices (compared to 40% in January 2006) also reported compliance."
Provider entities having the most trouble with Security Rule compliance seem to be large- and medium-sized hospitals. Hospitals with 400 or more beds reported 49% compliance, while facilities with 100 to 400 beds demonstrated 44% compliance. The survey authors noted that in the past six months since the last survey, little significant improvement has been shown by this group, when average compliance levels were approximately 40%.
"From a more negative perspective, the percentage of providers who had implemented all required security provisions by January 2006 increased only one point by July 2006, from 55%," the study authors noted.
Data security breaches continue to afflict survey respondents: 32% of the provider respondents (an increase of 8%) experienced between one and five incidents in the past six months, while 29% of the payors (an uptick of 1%) reported between one and five breaches. The good news is that providers and payors seem to be responding more aggressively to security breaches; only 7% of the providers and 4% of the payors reported between six and 11 security breaches, down 6% and 5%, respectively, from the numbers reported in the January 2006 survey.
TCS -- stalled
More than two years have passed since compliance with HIPAA's TCS Rule was mandated by the Centers for Medicare and Medicaid Services (CMS), although the agency implemented a contingency plan that allowed noncompliance until July of last year. According to the survey results, those payors and providers that have been able to implement the TCS Rule have done so, while the rest seem to be stymied in their efforts.
"Overall TCS compliance -- including actual conversion to HIPAA standardized transactions -- has shown little, if any, improvement over the past year, and appears to be stalled," the authors wrote.
Inadequate collaboration among providers, payors, software vendors, and clearinghouses remains a major stumbling block in compliance efforts, they noted.
If anything, TCS compliance appears to be slipping. A total of 72% of providers indicated that they were fully compliant in the current survey, a 12% downturn compared with the 84% who stated full compliance six months earlier. Payors also seem to be having problems with TCS enactment; 73% reported full compliance in both surveys this year, representing a 7% decline from the 80% who stated full compliance in July 2005.
Most troubling of all, 41% of the providers who are noncompliant do not know if or when their organizations will fully implement standard transactions. Fully one-third (33%) of noncompliant payors indicated that their organizations have no current plans to complete TCS remediation.
Privacy -- setbacks
Privacy of health information is definitely a hot-button issue; more than 19,000 grievances have been filed since the privacy regulations became effective in 2003. Despite the volume of complaints, the federal government has not yet imposed any fines for HIPAA violations, according to the study authors. They observed that the lack of punitive action may actually be impeding adoption of the Privacy Rule by noncompliant organizations.
"While this approach (voluntary compliance) may be effective with organizations that have received complaints, our survey results suggest that it may serve as a disincentive to implementing privacy protections for organizations that have neither complied with the Privacy Rule nor experienced formal complaints," they wrote.
The provider cohort of the survey reported a 78% compliance rate, down 2% in the past six months, with provisions of the HIPAA privacy regulations. Payors demonstrated a negligible increase of 1%, to 87%, in their compliance with the HIPAA Privacy Rule since January 2006. Small- and medium-sized physician practices reported gains in privacy compliance, while hospitals of all sizes and large physician practices all reported declines.
"It is reasonable to conclude that a core group of approximately 20% of providers and 13% of payers have had insufficient incentive to implement required privacy practices within their organizations," the authors noted.
Full compliance with the privacy regulations may be some distance off, according to the study results.
"Despite many providers' and payers' reports that they have fully implemented HIPAA privacy requirements, a more detailed inspection indicates otherwise," the authors wrote. "In fact, NO participating provider organization was able to show in this survey -- or in past surveys -- that it had complied with every key Privacy Rule provision, and payers' performance was only marginally better."
Privacy breaches are commonplace among both segments of privacy-compliant respondents: 52% of providers and 60% of payors reported privacy breaches between January 2006 and July 2006, a decrease of 8% and 6%, respectively. Formal privacy complaints against providers and payors also decreased during this time period, compared with the prior six months, from 24% to 17% for providers and from 26% to 15% for payors.
National provider identifier
Like a monthly book club, HIPAA is a gift that just keeps on giving. By May 23, 2007, healthcare providers will have to obtain and use a unique identifier when filing electronic claims to be in compliance with HIPAA's National Provider Identifier (NPI) Rule.
According to the survey, 67% of providers have applied for an NPI, up 39% from January 2006. Obtaining an NPI is the first step in implementation -- systems, software, and process changes will also be required from providers and payors.
Approximately 77% of the provider participants have begun these implementation steps, with 32% reporting that they have completed related internal testing. Payor groups also reported progress with NPI compliance; 76% reported that they have finished identifying the systems, software, and business process changes they will need to make to enable providers to convert successfully to the NPI.
By Jonathan S. Batchelor
AuntMinnie.com staff writer
November 7, 2006
Related Reading
Private parts: Breast cancer screening and HIPAA compliance, October 2, 2006
Practices that embrace EHR security regulations inspire patient confidence, July 14, 2006
HIPAA compliance remains inconsistent, April 12, 2006
Dealing with HIPAA changes in 2006, April 6, 2006
HIPAA enforcement Final Rule published, February 17, 2006
Copyright © 2006 AuntMinnie.com