Healthcare Information and Management Systems Society. U.S. Healthcare Industry HIPAA Compliance Survey Results: Summer 2005

Transcription

1 Healthcare Information and Management Systems Society U.S. Healthcare Industry HIPAA Compliance Survey Results: Summer 2005

2 U.S. Healthcare Industry HIPAA Survey Results: Summer 2005 Executive Overview Summer 2005 marks our sixth consecutive year of tracking and reporting on the status of HIPAA compliance within the healthcare industry. The Summer 2005 Survey also marks a HIPAA milestone: for the first time, the three major HIPAA deadlines have all officially passed. With the Privacy Rule deadline occurring over two years ago (April 14, 2003), the Transactions and Code Sets (TCS) deadline 20 months old for those who received extensions (October 16, 2003), and the Security deadline well behind us (April 20, 2005), one might expect that yet another survey measuring HIPAA compliance is unnecessary. True, some organizations that have long since implemented HIPAA requirements are now moving past the off-putting concept of compliance toward internally communicating a more palatable cultural recipe of good or best practices. These forward-thinking organizations are in the process of institutionalizing HIPAA principles, practices and desired outcomes greater patient privacy, and secure nation-wide use of standard electronic healthcare transactions. On the other hand, as we will report here, surprisingly large percentages of covered organizations have yet to achieve many of the basics of HIPAA. This dichotomy reflects at least two contributing issues: HIPAA implementation can often resemble a moving target. With many diverse components contributing to overall compliance, actual implementations do not always go according to plan. HIPAA compliance is a team effort, both internally (senior management buy-in, steering committees, staff support, compliance officials, etc.) and externally (trading partners, vendors, consulting experts). Many action items comprising HIPAA initiatives are dependent on steps that came before, and all require adequate resources including time, talent and money. This complex combination of factors has been a prescription for compliance delay, if not failure, for many organizations. Current survey results show, for the first time in the Survey s six-year history, that many healthcare organizations have simply chosen not to implement many, if not all, HIPAA requirements. The two most reported roadblocks to HIPAA compliance in the Summer 2005 Survey were no public relations or brand problems anticipated with non-compliance and no anticipated legal consequences for non-compliance. Key Findings of the Summer 2005 Survey include: HIPAA Security (Deadline passed April 2005) Seventy-four percent (74%) of Payers (up from 3 in January 2005) indicated that they are currently compliant with the HIPAA Security Regulations. Only 43% of Providers (up from 18% in January 2005) have achieved Security compliance. Though the number of organizations experiencing data security breaches declined over the past six months, 32% of Providers (down from 4 in January 2005) and 27% of Payers (consistent with January 2005) indicated that their organizations had experienced data security breaches between January and June Copyright 2005 Phoenix Health Systems, Inc. All rights reserved

3 HIPAA Transactions and Code Sets Progress toward TCS compliance has improved slowly over the past six months -- 8 of Providers and Payers indicated compliance (up from 73% of Providers and 7 of Payers in January 2005). Seventy-one percent (71%) of Provider respondents are now transmitting over one-half of the HIPAA standard transactions. Sixty-eight percent (68%) of Payers (up from 56% in January 2005) are capable of conducting ALL of the HIPAA standard transactions. An average of 55% of Providers and Payers indicated that there are transactions which their information systems are capable of producing, but that are not yet being conducted, in great part because their trading partners are unable to accept or transmit them. HIPAA Privacy Privacy Rule compliance apparently has reached a plateau. While 78% of Providers and 9 of Payers stated they are compliant with the Rule, 18% of Providers and 6% of Payers reported that they remain non-compliant, more than two years after the deadline. As these numbers are consistent with survey results both in June 2004 and January 2005, it can be inferred that little or no progress is being made by a core group of non-compliant covered entities. Even among compliant organizations, significant gaps remain in certain areas, especially in establishing Business Associate Agreements and monitoring internal Privacy compliance. While the number of organizations experiencing privacy breaches declined over the past six months, 59% of Providers (down from 73% in January 2005) and 45% of Payers (down from 57% in January 2005) reported their organizations had experienced one or more privacy breaches from January to June Twenty-one percent (21%) of Providers and 15% of Payers have had formal complaints of privacy violation filed against them, either with the Federal government or in a civil proceeding, over the past six months. THE SURVEY Phoenix Health Systems and HIMSS conducted the Summer 2005 US Healthcare Industry HIPAA Compliance Survey from June 1 to June 20, A total of 383 healthcare industry representatives (Providers and Payers) responded to invitations to participate in the survey that were sent to HIMSS members and to Phoenix HIPAAlert newsletter subscribers. The online survey was anonymously completed via the Phoenix web site, HIPAAdvisory.com. The Participants Provider organizations accounted for 8 (282) of participants, and Payers for 2 (71). The distribution of survey participants follows: Providers 8 Hospitals with 400+ beds: 22% Hospitals with beds: 17% Hospitals with less than 100 beds: 13% Medium-sized physician practices (11 to 29 physicians)/other providers: 9% Small physician practices (10 or fewer physicians)/other providers: 19% Payers 2 Covering fewer than 150,000 Lives: 1 Covering 150, ,000 Lives: 3% Covering 501,000-1,500,000 Lives: 4% Covering more than 1,500,000 Lives: 3% Copyright 2005 Phoenix Health Systems, Inc. All rights reserved

4 Eighty-four percent (84%) of total survey respondents hold an official role within their organization for HIPAA compliance. Respondents hold positions such as senior manager/department director (32%), Security/Compliance Official (24%), Privacy Officer (2), and CIO/Director of Information Technology (1). Reporting relationships vary from organization to organization -- compliance staff may report to the Chief Executive Officer (29%), Chief Information Officer (12%) or Chief Compliance Officer (15%); however, 33% reported other superiors. Note: The percentages provided in this summary report are based on the total number of respondents for each question, unless noted otherwise. Some participants did not complete all questions. ROADBLOCKS TO HIPAA COMPLIANCE In our ongoing tracking of the major roadblocks to overall HIPAA compliance, we have seen their relative significance shift as organizations entered new stages of the compliance process. Now that the major deadlines have passed, the two most reported roadblocks (for the first time) were no public relations or brand problems anticipated with non-compliance and no anticipated legal consequences for non-compliance (complaint-driven oversight). Achieving successful integration of new systems, policies, and procedures and interpretation of regulations were top roadblocks reported in our Winter 2005 and Summer 2004 Surveys, but ranked third and fourth respectively in the Summer 2005 Survey. Sample comments are provided below. Sample of Written Survey Comments/Responses Provider: Senior Leadership is still not engaged due to the lack of cases prosecuted under HIPAA. Provider: The CEO and CFO of the hospital feel [that] securing the processes for handling patient information is a waste of time and money. Payer: Senior Management [is] keeping a wait and see approach for compliance. Payer: [There is] continued perception that HIPAA is over and done. The good news is that many organizations are taking advantage of available resources to better understand HIPAA. Written comments from a substantial number of respondents credited attorneys (including internal and external legal counsel, and legal newsletters) as an increasingly important resource in progress toward HIPAA compliance. In addition, Provider and Payer respondents (55%) chose Phoenix Health Systems HIPAAdvisory.com as the most popular tool, followed by resources offered by CMS (5) and HHS (36%), as well as national associations such as American Hospital Association (AHA), American Health Information Management Association (AHIMA), HIMSS, etc. (31%). Thirty-two percent (32%) of total respondents participate in listserve-style discussion groups focusing on HIPAA (e.g., HIPAAlive). HIPAA COMPLIANCE DRIVERS Enforcement will be complaint-driven', according to the Centers for Medicare and Medicaid Services (CMS) the federal enforcement agency for HIPAA Security, and the Office for Civil Rights (OCR) the federal enforcement agency for HIPAA Privacy. Considering the comments noted above, we wondered if this was indeed a major motivator for covered entity compliance with the HIPAA Privacy and Security requirements. Copyright 2005 Phoenix Health Systems, Inc. All rights reserved

5 We asked respondents to rank six compliance drivers in order of importance, with 1 representing the most important (see below). For both groups, patient and/or plan member complaints were indeed the biggest factor, in addition to input from attorneys/legal counsel. Surprisingly, adverse press coverage was a much bigger factor for Payers than for Providers. Compliance Driver Provider Ranking Payer Ranking Patients/Plan Members and their Families 1 1 Accrediting Bodies JCAHO, NCQA, URAC 2 4 Attorneys 3 3 Internal Staff Whistleblowers 4 6 Press Stories 5 2 Peers or Trading Partners 6 5 SECURITY COMPLIANCE The deadline for compliance with the Security Rule was April 20, Both Provider and Payer organizations have made significant progress toward security compliance over the past six months (see table below). However, full compliance remains an elusive goal for many. Payer compliance levels reflected the strongest advances from 3 in January 2005 to 74% in June Providers continue to lag behind in this area compliance levels increased from 18% in January 2005 to only 43% in June Of organizations that are currently non-compliant, the majority expect to achieve compliance within three to four months. Industry Security Compliance Comparison: Winter 2005 with Summer Winter 2005 Summer 2005 Providers Payers There is a considerable difference between the number of organizations that planned to be compliant with the HIPAA Security Regulations, as reported in January 2005, and the number that actually achieved compliance. Seventy-four percent (74%) of Providers planned to be compliant by the April 2005 deadline. In light of these expectations, results from the Summer 2005 Survey are dismaying 51% of Providers remain non-compliant. The one bright spot is that small physician practices reported a 20 increase in compliance. A compliance breakdown by Provider and Payer organization type is provided below. Copyright 2005 Phoenix Health Systems, Inc. All rights reserved

6 Providers and Payers HIPAA Security Compliance Breakdown Payer 1.5 million+ lives Payer 501K -1.5 million lives Payer K lives Payer <150K lives Hospitals 400+ beds Hospitals beds Hospitals <100 beds / 30+ Physicians Medium Physician Office MDs Small Physician Office <10 MDs 9% 9% 19% 17% 23% 44% 29% 34% 36% 41% 43% 32% 5 63% 64% 66% 88% 86% Summer 2005 Winter 2005 Required HIPAA Security Standards Most Difficult to Implement Both Providers and Payers have continued to nominate audit controls, risk management/risk analysis, and information system activity review for our list of most problematic Security Standards. In addition, nearly half of Providers cited contingency planning as a stumbling block. Payers cited security incident response and reporting as a problem. Actual percentages are provided below, and responses are ranked in descending order of the percent of respondents who cited the standard. (Note: Respondents were asked to indicate ALL of the standards they found difficult to implement therefore, figures below reflect the percentage of each group who checked the noted item as ONE of the standards they found difficult to implement.) Providers Audit Controls (55%) Contingency Planning (47%) Risk Management/Risk Analysis (45%) Information System Activity Review (45%) Payers Risk Management/Risk Analysis (41%) Information System Activity Review (36%) Audit Controls (32%) Security Incident Response and Reporting (27%) Incidents of Data Security Breaches Providers and Payers were asked to indicate the number of data security breaches their organizations had experienced in the six-month period from January to June Fifty-seven percent (57%) of Providers and 68% of Payers reported no incidents. However, 32% of Providers (down from 4 in January 2005) and 27% of Payers (consistent with January 2005) experienced at least one security breach, including an average of 4% of both Providers and Payers that experienced between six and ten security breaches. (Note: It is likely, given overall levels of Security Rule compliance, that some organizations have yet to fully establish tracking mechanisms for security breaches.) Copyright 2005 Phoenix Health Systems, Inc. All rights reserved

7 TRANSACTIONS AND CODE SETS COMPLIANCE HIMSS / Phoenix Health Systems The original deadline for compliance with the HIPAA Transactions and Code Sets regulations was October 16, Due to industry-wide difficulties in achieving TCS compliance, CMS implemented a temporary Contingency Plan in September 2003, allowing covered entities that requested conditional extensions to transmit non-compliant transactions. At the time that our Summer 2005 survey questionnaire was released, CMS had recently announced the termination of the Contingency Plan, effective July Overall TCS Compliance Compliance with the TCS regulations includes implementation of all necessary policies, procedures, processes and systems in order to test and then regularly conduct the standard HIPAA transactions required for the business functions performed by the covered entity. The Summer 2005 survey results are somewhat encouraging overall TCS compliance has improved slowly but steadily over the past year. Note: respondents interpret being ready to conduct or capable of conducting transactions as being HIPAA-compliant. Thus, while 8 of Providers indicated they were fully compliant (up from 73% in Winter 2005 and 65% in Summer 2004), when asked if they were conducting all the necessary standard transactions for their organizations, only 44% responded affirmatively. Eighty percent (8) of Payers reported full compliance (up from 7 in Winter 2005 and 62% in Summer 2004), but only 68% indicated they were conducting all required transactions. Seventy-one percent (71%) of Providers reported transmitting over one-half of the standard transactions. Less than 1% of Providers (and none of the Payers) said they were not conducting any of the transactions. A breakdown by organization type is included below. Covered Entities Conducting ALL Transactions Required for Organizational Business Functions Payer 1.5 million+ lives Payer 501K -1.5 million lives Payer K lives Payer <150K lives Hospitals 400+ beds Hospitals beds Hospitals <100 beds / 30+ Physicians Medium Physician Office MDs Small Physician Office <10 MDs 25% % 43% 42% 38% 37% 43% 46% 51% 54% 58% 47% 67% 73% 75% 79% Summer 2005 Summer 2004 When participants were asked if there were transactions that were not being exchanged with trading partners even though their own information systems were capable of conducting them, an average of 55% said Yes. The primary reason appears to be a lack of readiness on the other end trading partners are not able to process the transactions. For example, over half of Providers (52%) reported the reason was that their Payers were not ready to accept/transmit those transactions, while only 24% indicated that their own organizations had not yet implemented processes to handle the transactions. Copyright 2005 Phoenix Health Systems, Inc. All rights reserved

8 Payers posted identical statistics -- 52% claimed their systems were capable of conducting certain transactions that their Providers could not yet process, and another 4 indicated a lack of readiness on the part of their vendors. In contrast, Providers expressed confidence that most of their information technology vendors are capable of supporting needed HIPAA-compliant standard transactions. Forty-six percent (46%) of Providers confirmed their vendors software is capable of conducting ALL transactions, and an additional 24% have confirmed that the software is ready to conduct one or more transactions. We asked Payers: How many of your Provider trading partners are transmitting AT LEAST ONE of the HIPAA standard transactions to you (either directly or through a Clearinghouse)? As shown in the following chart, 67% of Payers reported that ALL OR MOST of their Provider clients were conducting at least one transaction. Half (5) said that ALL OR MOST of their Provider clients were conducting at least one-half of the standard HIPAA transactions. Payer Perceptions: How Many Providers are Transmitting At Least ONE Transaction to You? 11% 19% 3% All of them 36% Most of them About half of them A small number of them 31% None of them Use of Clearinghouses (current or planned) for transmission of HIPAA-compliant transactions has increased significantly over the past six months, to 8 (up from 68% in January 2005). Transactions Currently Being Conducted Providers and Payers were asked to indicate the transactions currently being conducted by their organizations. The table below displays a comparison of results from the Winter and Summer 2005 Surveys. In all cases, the percentages for Payers increased dramatically over the past six months, especially for the 276/277 and 270/271 transactions. Transmission of the standard transactions by Providers showed a slight, but relatively consistent increase over the same period. Copyright 2005 Phoenix Health Systems, Inc. All rights reserved

9 Standard Transactions Winter 2005 Provider Summer 2005 Winter 2005 Payer Summer Claims, COB, Equivalent Encounter 73% 72% 63% 79% 835 Payment, Remittance Advice 61% 66% 5 61% 276/277 Claims Status 3 36% 33% 58% 270/271 Eligibility for Health Plan 31% 36% 33% 61% 834 Enrollment/Disenrollment 16% 19% 43% 71% 820 Premium Payment 11% 13% 33% 47% 278 Referral Certification and Authorization N/A 17% N/A 42% CMS Contingency Plan CMS Contingency Plan took effect in September of 2003, allowing qualifying covered entities to continue to transmit non-compliant Medicare transactions. In late May 2005, CMS announced its intention to discontinue the temporary Contingency Plan, effective July However, when asked if they felt that the Plan should be discontinued, only 41% of Providers and Payers said Yes. The remainder was generally split between having no opinion, or feeling that the Plan should stay in force. When asked how termination of the Plan would affect their organizations, 27% of Providers and 24% of Payers said substantially, or moderately. For those organizations that indicated they were transmitting non-compliant transactions, only a handful reported experiencing delays in reimbursement, and even then, the delay was less than five business days. Sixty-three percent (63%) of Providers and 71% of Payers reported experiencing no delays in reimbursement for non-compliant transactions. Identifying the Obstacles to TCS Implementation The obstacles to TCS implementation being faced today by Providers and Payers are consistent with those reported during the last eighteen months. They are as follows (in ranked order): Providers Payers are not ready to accept standard transactions. Critical Vendors have not provided compliant software. Ambiguities in information released by CMS regarding standard transactions requirements. Payers Providers are not ready to accept standard transactions. Capturing the data required for the standard transactions. Clearinghouse(s) not ready to accept/transmit transactions. Copyright 2005 Phoenix Health Systems, Inc. All rights reserved

10 PRIVACY COMPLIANCE Compliance with the HIPAA Privacy Rule was required by April 2003 but a substantial percentage of Providers, in particular, remain non-compliant. Survey results for Summer 2005 show no variation over the past year an average of 9 of Payer respondents and only 78% of Provider respondents indicated they were compliant with the HIPAA Privacy Regulations as of June Among Providers, hospitals with more than 400 beds were the most compliant (81%), while hospitals with less than 100 beds were the least compliant (74%). Eighty percent (8) of hospitals with 100 to 400 beds and 75% of both small and medium-sized physician practices indicated that they were currently compliant with the Privacy Regulations. Within the Payer sector, compliance averaged 89% to 9 across Health Plans of all sizes. It is not difficult to draw the conclusion that incentives to implement HIPAA-required Privacy practices have been and may remain insufficient to induce 10 compliance by the healthcare industry. As a check on their full compliance, Privacy compliant Provider and Payer organizations were asked to indicate their success in implementing several specific HIPAA requirements (see table below comparing responses from the Summer 2004 Survey to the Summer 2005 Survey). This information confirms that gaps remain between actual privacy practices and the specific requirements of the Privacy standards most significantly in the areas of monitoring internal compliance and obtaining required Business Associate Agreements. Summary of Privacy Practices Implemented for Compliant Organizations Areas of Privacy Compliance: Obtain Patient Authorizations for use and disclosure of PHI Enable mandated patients rights (review, amend, restrict records) Obtain acknowledgement of receipt of Notice of Privacy Practices Providers Payers % 95% 98% 98% 99% 97% 10 99% 98% N/A N/A Post and distribute Notice of Privacy Practices 98% 97% 93% 98% Provide ongoing workforce Privacy training 97% 97% 97% 98% Maintain Accounting of Disclosures 97% 96% 93% 10 Use Minimum Necessary restrictions 95% 94% N/A N/A Monitor organizational compliance with Privacy Regulations Have obtained all required Business Associate Agreements 85% 88% 83% 93% 8 82% 9 9 Copyright 2005 Phoenix Health Systems, Inc. All rights reserved

11 Patient Privacy Breaches and Formal Complaints HIMSS / Phoenix Health Systems While the percent of compliant Provider and Payer participants improved from the Winter 2005 Survey to the Summer 2005 Survey, a large proportion of both groups reported incidents of patient privacy breaches since January Fifty-nine percent (59%) of Providers indicated that they had experienced privacy breaches between January and June 2005, compared to 73% during the preceding six-month period. Forty-three percent (43%) experienced between one and five privacy breaches, 7% had six to ten breaches, 7% had eleven or more breaches, and 2% had an unknown number. Less than half (45%) of Payers (down from 57% in Winter 2005) reported privacy breaches: 4 indicated that they had between one and five privacy breaches, 2.5% had six to ten breaches, and 2.5% had eleven or more breaches. Reports of formal privacy complaints filed by patients against reportedly compliant healthcare organizations have somewhat decreased. A majority of compliant Providers (73%, up from 62% in Winter 2005) and Payers (83%, up from 58% in Winter 2005) have had no formal complaint of privacy violation brought against them this year. However, 21% of Providers and 15% of Payers have had between one and five formal complaints of privacy violation filed against them, either with the Federal government or in a civil proceeding. None of our respondents reported more than five formal privacy complaints between January and June HOSPITAL BUDGETS FOR HIPAA 2004 vs Hospital budgets for HIPAA compliance efforts have decreased overall for hospitals in the less than 100 beds category and for hospitals with 100 to 400 beds. However, spending for hospitals with 400 or more beds has remained stable. Please refer to the pie charts below Budgets Hospitals with Less Than 100 Beds 2005 Budgets Hospitals with Less Than 100 Beds 4% 18% 23% < $30,000 $30,001-$50,000 $50,001-$100,000 $100,001-$250,000 $250,001-$500,000 $500,001-$1 Million $1 Million-$2 Million $2 Million + Do Not Know 4% 4% 18% 32% < $30,000 $30,001-$50,000 $50,001-$100,000 $100,001-$250,000 $250,001-$500,000 $500,001-$1 Million $1 Million-$2 Million $2 Million + Do Not Know 9% 14% 27% 5% 14% 14% 14% Copyright 2005 Phoenix Health Systems, Inc. All rights reserved

12 2004 Budgets Hospitals with 100 to 400 Beds 2005 Budgets Hospitals with 100 to 400 Beds 3% 11% 8% 47% < $30,000 $30,001-$50,000 $50,001-$100,000 $100,001-$250,000 $250,001-$500,000 $500,001-$1 Million $1 Million-$2 Million $2 Million + Do Not Know 3% 14% 11% 8% < $30,000 $30,001-$50,000 $50,001-$100,000 $100,001-$250,000 $250,001-$500,000 $500,001-$1 Million $1 Million-$2 Million $2 Million + Do Not Know 17% 14% 3% 61% 2004 Budgets Hospitals with 400 or More Beds 2005 Budgets Hospitals with 400 or More Beds 5% 15% 2% 2% 5% 24% 24% 2 3% < $30,000 $30,001-$50,000 $50,001-$100,000 $100,001-$250,000 $250,001-$500,000 $500,001-$1 Million $1 Million-$2 Million $2 Million + Do Not Know 7% 1 3% 3% 24% 7% 24% 2% 2 < $30,000 $30,001-$50,000 $50,001-$100,000 $100,001-$250,000 $250,001-$500,000 $500,001-$1 Million $1 Million-$2 Million $2 Million + Do Not Know Copyright 2005 Phoenix Health Systems, Inc. All rights reserved

13 HIPAA Knowledge HIPAA Solutions Healthcare Information and Management Systems Society Specialists in Information Systems Consulting and Outsourcing Services for Hospitals Comprehensive IT Department Outsourcing Services IT-Based Clinical and Business Transformation Solutions Strategic IT Planning and Procurement Systems Implementation Information Security HIPAA Compliance Revenue Enhancement / TCS ROI Workforce / Executive Education 9200 Wightman Road, Suite 400 Montgomery Village, MD HIMSS (Healthcare Information and Management Systems Society) is the healthcare industry s membership organization exclusively focused on providing leadership for the optimal use of healthcare information technology and management systems for the betterment of human health. Visit for more information. 230 East Ohio Street Suite 500 Chicago, IL HIMSS Copyright 2005 Phoenix Health Systems, Inc. All rights reserved