Healthcare Information and Management Systems Society HIMSS. U.S. Healthcare Industry Quarterly HIPAA Compliance Survey Results: Summer 2002

Transcription

1 Healthcare Information and Management Systems Society HIMSS U.S. Healthcare Industry Quarterly HIPAA Compliance Survey Results: Summer 2002

2 HIMSS / Phoenix Health Systems Healthcare Industry Quarterly HIPAA Survey Results: Summer 2002 Executive Overview Healthcare industry organizations appear to be absorbing the impact of key HIPAA Privacy rule modifications that were proposed in March by the Department of Health and Human Services (DHHS), and which were for the most part finalized on August 14, Summer survey results offer what is likely a more realistic reflection of this impact than the Spring survey, conducted almost immediately after the proposed Rule changes. A significant overall trend: we no longer have to ask respondents if they have begun HIPAA initiatives; now we are able to focus on how much work has been completed within the HIPAA compliance cycle. At this juncture, very few respondents have finished HIPAA remediation projects, but respondents in all industry segments are making significant progress through the gap assessment phase and beyond, into planning and implementation initiatives. The largest roadblock to compliance comes not from budget constraints or other internal circumstances, but from difficulties in understanding and interpreting changing legal requirements. Trends: Despite continued delays in publication of a final Security Rule, survey respondents reported an upsurge in Security compliance activities. For the first time, potential changes in regulations/deadlines and interpretation of the regulations were ranked as the biggest roadblocks to HIPAA compliance. Many will take advantage of new deadline extensions provided for achieving Business Associate agreements. One result: these respondents will slow their efforts to complete agreements with their Business Associates. 84% of all respondents are taking advantage of the Transactions deadline extension from October 2002 to October Unlike past survey results, new indications are that compliance efforts are moving well beyond gap assessment initiatives into planning, implementation and training. However, for many organizations, completion of gap assessments is taking longer than projected. Virtually all payers and vendors reported that they will complete required Transactions remediation before the extended October 2003 deadline; less than half will finish by the original October 2002 deadline. About 85% of clearinghouses indicated they will be ready to transmit all HIPAArequired transactions before the testing deadline of April 2003; the remainder will be ready by October Copyright Phoenix Health Systems, Inc All rights reserved

3 THE SURVEY Phoenix Health Systems and HIMSS conducted the Summer 2002 Quarterly Healthcare Industry HIPAA Compliance Survey early in July. Following appeals to HIMSS 12,000+ members and to Phoenix 18,000 HIPAAlert newsletter subscribers, a total of 687 healthcare industry representatives responded. The online survey was completed anonymously via Phoenix website HIPAAdvisory.com. The Organizations Respondents from provider organizations accounted for 70% (478) of participants. The breakout of participants follows: Providers 70% Hospitals of 400+ beds: 18% Hospitals of beds: 23% Hospitals of less than 100 beds: 10% Medium-sized physician practices (11 to 29 physicians)/providers: 6% Small physicians practices (10 or fewer physicians)/providers: 12% Payers 16% Clearinghouses 2% Vendors 12% Within the Organizations Reported support for HIPAA compliance efforts is holding steady among senior management staff and department heads. About 86% of all respondents reported that they have an official role within their organization for HIPAA Compliance. The majority of respondents hold management or executive positions, including 11% who function as Chief Information Officer. An increasing number of respondents (30%) reported holding roles specifically in the compliance/security arena. THE BIG QUESTION Has your organization generally completed HIPAA Transactions and Code Sets remediation AND Privacy remediation? And the answer was No, from 78% of our respondents. More specifically, 80% of providers and 79% of payers said no. Of the 13% of respondents who answered yes, almost all (67 of 89) noted that understanding and interpreting the legal requirements, especially when compounded with Copyright Phoenix Health Systems, Inc All rights reserved

4 regulatory changes, has been the most difficult aspect of the HIPAA remediation process. The following is a sampling of comments from individual respondents. Providers: The most troublesome area is attempting to keep current on the government s changing standards and the meaning of those standards. HIPAA planning has been chasing a moving target! It is difficult to write policies and train staff when the regs and dates may or may not change. Few Administrators are attorneys, [and are] therefore unable to interpret the massive quantity of information contained in these regulations. Payers: Changing requirements and difficulty in finding definitive answers can both be problematic. Vendors: Lack of clarifications to the final rules and continued changes has posed issues. Privacy and TCS Remediation Completion 90% 80% 70% 60% 50% 40% Providers Clearinghouses Payers Vendors 30% 20% 10% 0% Yes No Don't Know Copyright Phoenix Health Systems, Inc All rights reserved

5 IMPACT OF PROPOSED PRIVACY RULE MODIFICATIONS This survey was conducted several months after DHHS proposed modifications to the Privacy Rule; many of these modifications have since been finalized (August 14, 2002). Respondents were asked to report on the impact of these modifications to ongoing compliance efforts within their organizations. Patient Consent Requirement Approximately 70% of all respondents reported moderate or strong support for the elimination of the patient consent requirement, with only a small percentage in opposition. Business Associate Contracts With regard to DHHS 1-year extension for completing Business Associate contracts, numbers have shifted from Spring to Summer 2002, possibly to a more realistic outlook. In the Summer survey, 64% (down from 92% in Spring) of responding participants indicated that contract initiatives would remain unaffected, or would continue on target, with the extension simply providing adequate time for completion. Approximately 27% (up from 9% in Spring) indicated that efforts would slow following the proposed extension. TRANSACTIONS The Transactions Extension With regard to the Transactions deadline extension option offered in the Administrative Simplification Compliance Act, 84% of respondents indicated that they have applied (27%) or will apply (57%) for the extension before the October 2002 deadline. Only 7% of respondents indicated that they would be in compliance by October 2002 (the original compliance deadline). [Note that some organizations extension applications are being made simply because critical business partners such as payers and vendors need the additional time for testing and implementation.] Which Transactions Version? Across the industry, the majority of participants have elected to implement the HIPAA transactions version published in May 2000, as opposed to those published in the Transactions NPRM of May Over 60% are reported working with the May 2000 versions, while only 37% are working with the proposed version. Respondents noted that when the final legislation is published, they will switch over as necessary. Employer Identification Standard Publication of the final Employer Identification Standard in May 2002 has not greatly impacted current compliance efforts, but that may be because 41% of respondents are not far Copyright Phoenix Health Systems, Inc All rights reserved

6 enough along in the implementation process to be affected. About 28% of respondents had already implemented the Employer Identification Standard. FOCUS OF ENTERPRISE HIPAA EFFORTS Implementation Approach Across all industry segments, the majority of organizations favored using either a strategic approach (34%) or a basic approach (37%). The overall response for the basic compliance approach is up 10% from the Spring 2002 survey, perhaps because fastapproaching deadlines are necessitating more expedient tactics. On the other hand, 24% of all participants planned to use the more rigorous best practices approach. Participants who were undecided made up 4% of the responses, and only 2 individual respondents have chosen to do nothing and see what happens. About 60% of participants from the payer/health plan industry segment reported they are working on their own rather than in coordination with providers. Also, more payers (66 of 119) are focusing on the remediation of existing software rather than on the development of new software, with some working on both. Few respondents plan to use the clearinghouse option to provide front-end remediation. Clearinghouse representatives, with some overlap, indicated that they are relying more on internal software remediation then on internal new software development. Current Compliance Activity HIPAA AWARENESS -- Across all industry segments, HIPAA awareness and education continue to be a primary focus of ongoing compliance activity. What may have seemed like a preliminary step to many organizations has remained an important component in achieving HIPAA compliance. Among all industry segments, 2/3 of organizations are involved in HIPAA awareness and education activities as follows: Transactions - 63%, Security - 67%, Privacy - 67% and Unique Identifiers - 65%. TRANSACTIONS AND CODE SETS -- Compliance activities focusing on Transactions and Code Sets continue to move from the assessment phase into the project planning phase, and increasingly to the implementation phase. With some overlap, 58% of respondents reported that they are involved in project planning (slightly less than the 60% reporting in Spring), while 48% have moved into the implementation phase (up from 40% in the Spring Survey). By industry segment, percentages involved in the transactions implementation phase are as follows: 41% of Providers, 60% of Vendors, 67% of Payers, and 71% of Clearinghouses. PRIVACY Compliance activities focusing on Privacy drew the largest numbers of total respondents. Survey participants reported steady progress in the assessment and project planning phases, with a much higher percentage now involved in the implementation phase 53% of all participants (up from 39% in Spring). Privacy also drew the largest percentage in the category of training 37% of all respondents are involved in Privacy training. Copyright Phoenix Health Systems, Inc All rights reserved

7 SECURITY Over 60% of respondents noted that they are engaged in Security assessment activities. This upsurge in Security compliance activity was also reflected in their implementation efforts: almost 30 % (up from 24% in Spring) are working on implementation. UNIQUE IDENTIFIERS Aside from general awareness, compliance activities in this area remain focused on the assessment and project planning phases, with some overlap. INDUSTRY HIPAA COMPLIANCE PROGRESS The survey questioned representatives of providers, payers, clearinghouses and vendors about their organizations overall progress in HIPAA remediation, and when they would be ready to use HIPAA transactions. Across all industry segments, results indicated that 41% had completed gap assessments, and another 30% plan to complete their assessment in the next 3 months. These numbers, which are fairly consistent with Spring 2002 survey reports, suggest that this phase is either taking longer than many expected, or that some initiatives have been delayed. Payers have made the most progress in this category, with 62% (up from 52% with Spring) having completed gap assessments. Other industry segments are making steady progress reporting between 21% and 38% completed. Gap Assessment Completion 70% 60% 50% 40% 30% Providers Payers Clearinghouses Vendors 20% 10% 0% Done now 1-3 months 4-6 months 7-9 months months months 18+ months Copyright Phoenix Health Systems, Inc All rights reserved

8 When asked about plans to finalize a HIPAA remediation implementation plan, the majority of respondents said that their plans would be finished within 6 months, again, not unlike the expectations reported last Spring. Payers lead progress in this category as well, with 31% done (up from 20% in Spring). Only 10% of Providers indicated that they had already finalized a plan, although larger hospitals are gaining ground. Remediation Plan Completion 40% 35% 30% 25% 20% 15% Providers Payers Clearinghouses Vendors 10% 5% 0% Completed 1-3 months 4-6 months 7-9 months months months 18+ Months Very few survey participants reported actually completing transactions/code sets remediation: only 4% of payers and 5% of providers. Most respondents plan to complete efforts within the year, with nearly all estimating completion by the transactions deadline in Survey results were similar for completion of HIPAA Privacy remediation, with plans to complete efforts within the next 9 months (again consistent with projections from Spring). Respondents indicated that Security remediation efforts are progressing slowly, and most estimate completion within 9 to 12 months. Copyright Phoenix Health Systems, Inc All rights reserved

9 Transaction Remediation Completion and Expected Completion Percentages Done Now 1-3 Months 4-6 Months 7-9 Months Months Months 18+ Months Providers Payers Clearinghouses Vendors Privacy Remediation Completion and Expected Completion Percentages Done Now 1-3 Months 4-6 Months 7-9 Months Months Months 18+ Months Providers Payers Clearinghouses Vendors Security Remediation Completion and Expected Completion Percentages Done Now 1-3 Months 4-6 Months 7-9 Months Months Months 18+ Months Providers Payers Clearinghouses Vendors Copyright Phoenix Health Systems, Inc All rights reserved

10 USE OF OUTSIDE CONSULTANTS Overall survey results for Summer 2002 continued to show a close split among respondents in the decision to use outside consultants to support HIPAA initiatives. However, within the various industry segments, percentages can be evaluated more clearly. Biggest users of consultants are larger hospitals (56%) and payers (66%). Not surprisingly, small organizations, including physician practices, (5%) reported using outside consultants least. Respondents indicated that consulting support is being used primarily for assessment and project planning. Of those organizations using consulting services, 32% are using their help in HIPAA assessments, 22% for project planning, 18% for awareness/education, and 17% to support implementation efforts. Third Party Transaction Compliance Testing A significant number of respondents (57%) have not made a decision regarding the use of a third party transaction compliance testing service as part of the Transaction compliance initiative. Of the remaining respondents, 24% (down from 57% in Spring) will use a third party testing service, and 76% (up from 43% in the Spring) will not. HIPAA BUDGET HIGHLIGHTS Across all industry segments, respondents estimated that HIPAA costs will be at least as much in 2002 as in 2001, and most anticipated higher spending. The majority of smaller Provider organizations (90%) plan to spend at least as much spent in 2001 (less than $30,000) in Half of hospitals under 100 beds will spend less than $30,000; with about 20% spending between $30,000 and $50,000; and about 25% spending up to $500, % of hospitals in the bed category reported 2002 budgets of less than $50,000, with 36% planning to spend between $50,000 and $100,000; 33% spending between $100,000 and $250,000; and 10% up to $1 million. About 23% of the largest hospitals 400 or more beds posted budgets for 2002 of less than $200,000, with 40% planning to spend between $200,000 and $500,000; 23% spending between $500,000 and $1 million; and 14% spending up to $2 million. Payer budgets have seen the steepest increases between 2001 and 2002, especially for the larger payer/health plans. Budget estimates for 2002 exceed $2,000,000, which in some cases is double the budget from The majority of Vendors (70%) posted 2001 budgets of less than $200,000. Only 10% estimate increased spending on HIPAA in Copyright Phoenix Health Systems, Inc All rights reserved

11 2002 Budget Charts 2002 Budgets of Hospitals with Less Than 100 Beds 2002 Budgets of Hospitals with 100 to 400 Beds 11% 0%4% < $30,000 14% 52% 19% $30,000 - $50,000 $50,000 - $100,000 $100,000 - $250,000 $250,000 - $500,000 $500, % 4% 6% 1% 20% < $50,000 $50,000 - $100,000 $100,000 - $250,000 $250,000 - $500,000 36% $500,000-$1 million Over $1 Million 2002 Budgets of Hospitals with 400 or More Beds 2002 Budgets for Payers Covering 150,000 or Fewer Lives 8% 6% 23% < $200,000 $200,000 - $500,000 18% 29% <$100,000 2% $100,000 - $250,000 23% 40% $500,000 - $1 million $1 million - $2 million $2 million + 24% 27% $250,000 - $500,000 $500,000 - $1 million $1 million Budgets for Payers Covering 150,000 to 500,000 Lives 2002 Budgets for Payers Covering 500,000 to 1.5 Million Lives 43% 9% 19% 13% 16% <$100,000 $100,000 - $250,000 $250,000 - $500,000 $500,000 - $1 million $1 million + 47% 5% 11% 11% 26% <$250,000 $250,000 - $500,000 $500,000 - $1 million $1 million - $2 million $2 million Budgets for Payers Covering More Than 1.5 Million Lives 2002 Vendor Budgets 79% 5% 5%0% 11% <$250,000 $250,000 - $500,000 $500,000 - $1 million $1 million - $2 million $2 million + 23% 10% 4% 3% 60% <$200,000 $200,000-$500,000 $500,000-$1 Million $1 Million-$2 Million $2 Million + Copyright Phoenix Health Systems, Inc All rights reserved

12 ROADBLOCKS TO COMPLIANCE For the first time, potential changes in regulations/deadlines and interpretation of the regulations were ranked by participants as the biggest roadblocks to completing their HIPAA compliance initiatives. Budget constraints, which ranked first most troublesome in prior surveys, was ranked third in the Summer Survey. Written comments accompanying the survey questionnaire support the results reported above. Changing legislation was viewed as a potential problem by respondents. With budget constraints also prevalent, many worried that they have invested time and money which could end up being wasted if the proposed changes to the Privacy Rule were approved as, in fact, they now have been. ** To review and compare results of the surveys conducted in previous quarters of 2000, 2001, and 2002, go to HIPAA Knowledge HIPAA Solutions Specialists in Healthcare Information Systems Consulting and Outsourcing HIPAA Compliance IT / E-health Strategic Assessment & Planning Systems Procurement & Implementation MIS Management & Outsourcing Registration Outsourcing Project Management 9200 Wightman Road, Suite 400 Montgomery Village, MD Healthcare Information and Management Systems Society HIMSS The Healthcare Information and Management Systems Society provides leadership in healthcare for the management of technology, information, and change through publications, educational opportunities, and member services. HIMSS has more than 43 chapters and more than 12,000 members working in healthcare organizations throughout the world. 230 East Ohio Street Suite 500 Chicago, IL HIMSS Copyright Phoenix Health Systems, Inc All rights reserved