Healthcare Information and Management Systems Society. U.S. Healthcare Industry HIPAA Compliance Survey Results: Summer 2006


EXECUTIVE OVERVIEW

In some quarters, HIPAA, as a compliance issue, is old news. Congress passed the legislation ten years ago, and the compliance deadlines for HIPAA's central regulations have come and gone. Most covered entities have complied to some extent with most of the regulations, and those who haven't, as we will report, often don't have HIPAA compliance on their top priority lists. Some non-compliant organizations remain challenged by roadblocks such as budget constraints, and the complexities of integrating HIPAA into existing systems and processes. It is also arguable that HIPAA inaction, particularly in the area of Privacy, is related to the fact that over 19,000 formal Privacy-related grievances have been registered with the Federal government, and none have resulted in HIPAA's promised enforcement fines.

When HIPAA news was in the press every day, many predicted that it would have a cataclysmic impact on healthcare Providers, including putting some out of business. In over six years of conducting this Survey, we have yet to learn of any Providers felled by the expenditures and operational jolts generated by HIPAA implementation. Similarly, many said that adopting HIPAA's Privacy, Security, and Transactions and Code Sets standards would be impossible or next to it for most organizations. However, those who committed to implementing HIPAA have done so, frequently with a new organizational mindset that embraces security, privacy, and process improvements.

If HIPAA compliance is not news per se, the need for security and streamlined healthcare communications definitely is. In fact, any hospital director of information systems, medical records or the business office will tell us today that HIPAA, as a facilitator of information security and efficient electronic transactions, is an increasingly significant factor in everyday healthcare.
Despite the Privacy provisions, which remain a thorn in the sides of many healthcare workers and some patients, many healthcare leaders agree that implementation of HIPAA standards is making a difference that is undeniably positive. Where implemented, HIPAA Security provisions are providing a strong framework for protecting sensitive information against ever-increasing data security threats, including disasters. HIPAA Transactions and Code Sets standards have substantially increased the electronic flow of healthcare business transactions, thereby providing for time savings, clarity in transaction conventions, simplification of manual processes, and decreases in paper and postage use. As unwelcome as its forms and processes have been to some, even the Privacy Rule has increased public confidence in healthcare and provided a conduit for registering privacy concerns and seeing them resolved. Further, the emergence of health information networks such as regional health information organizations (RHIOs), designed to enable collaboration of hospitals, physicians, payers and other healthcare organizations to streamline processes and information sharing, relies on HIPAA standards as a building block.

As we have done for the last six years, this semi-annual Survey continues to follow through on our mission to monitor and report on industry HIPAA compliance, as an informational and educational service. Also, reflecting the spirit of a growing industry culture that is not as anxious about compliance as it is committed to safe, secure healthcare communications and transactions, we have expanded our focus to explore the direct and indirect impacts of HIPAA, post-implementation.

Copyright 2006 Phoenix Health Systems, Inc. All rights reserved

Key Findings of the Summer 2006 Survey include:

HIPAA Security

Both Providers and Payers have made little progress in Security initiatives since our Winter 2006 Survey conducted in January. Of particular concern are Providers: only 56% have implemented the Security standards, as compared to 55% in January Eighty percent (80%) of Payers, up from 72% in January 2006, reported compliance.
Despite claims of full compliance with the Security Rule, gaps remain; many compliant Providers and Payers could not confirm that they had implemented all key Security standards.
Data security breaches remain a serious reality for Providers and Payers. Thirty-nine percent (39%) of Providers and 33% of Payers reported having experienced security incidents in the last six months. These percentages are consistent with those reported in our January 2006 Survey.

HIPAA Transactions and National Provider Identifier

Implementation of the Transactions and Code Sets (TCS) standards across the industry appears to be stalled. Providers reporting full compliance with TCS actually dropped from 84% in January 2006 to 72%. Seventy-three percent (73%) of Payers reported compliance both in this Survey and in the January 2006 Survey.
About 42% of Providers and 45% of Payers are conducting all HIPAA-required transactions. Both groups cite the other's lack of readiness as the primary reason for not conducting more standard transactions.
Healthcare Providers are taking the necessary steps to convert to the National Provider Identifier (NPI), a move required by May 23, Almost 67% of participating Providers have already applied for their NPI, and 77% have identified the internal changes needed for the conversion.

HIPAA Privacy

A substantial percentage of Providers (22%) and Payers (13%) remain non-compliant with the Privacy regulations.
These results are consistent with findings in all preceding Surveys since 2004, suggesting that a core group of covered entities either cannot or will not implement the Privacy standards.
Even among compliant organizations, significant implementation gaps remain in certain areas, including establishing Business Associate Agreements, monitoring internal Privacy compliance, and maintaining minimum necessary information disclosure restrictions.
The percentage of reportedly compliant Provider organizations that has experienced privacy breaches decreased from January 2006, from 6 to 52%. Reportedly non-compliant Providers experienced more privacy breaches (64%) than compliant Providers, consistent with January 2006 Survey findings.

HIPAA Impacts and Opportunities

Less than half of participants have measured direct return on investment (ROI) from their investment in standard Transactions and Code Sets, but 4% of both Providers and Payers indicated that they have achieved significant ROI.
Both Provider and Payer Survey participants agree that HIPAA implementation has resulted in greater attention to patient privacy and data security by their workforces, as well as increased consumer confidence.
Close to 3 of Provider and Payer participants are currently participating in health information networks, such as a Regional Health Information Organization (RHIO), and about

2 are planning to do so. The majority of participants agreed that HIPAA standards have facilitated the execution of such networks.

THE SURVEY

Phoenix Health Systems and HIMSS conducted the Summer 2006 US Healthcare Industry HIPAA Compliance Survey from July 15 to August 9, A total of 220 healthcare industry representatives (Providers and Payers) responded to notices about the Survey that were sent to HIMSS members and to Phoenix HIPAAlert newsletter subscribers. The online Survey was anonymously completed via Phoenix's HIPAA-focused web resource, HIPAAdvisory.com.

The Participants

Provider organizations accounted for 81% (178) of participants, and Payers for 19% (42). The distribution of Survey participants follows:

Providers 81%
  Hospitals with 400+ beds: 31% of Providers
  Hospitals with beds: 21%
  Hospitals with less than 100 beds, or other similarly-sized Providers: 19%
  Medium-sized physician practices (11 to 29 physicians) / other providers: 1
  Small physician practices (10 or fewer physicians) / other providers: 19%

Payers 19%
  Covering fewer than 150,000 lives: 29% of Payers
  Covering 150, ,000 lives: 22%
  Covering 501,000-1,500,000 lives: 32%
  Covering more than 1,500,000 lives: 17%

Eighty-seven percent (87%) of Provider respondents and 78% of Payer respondents hold an official role within their organization for HIPAA compliance, and have such positions as Senior / Department Manager (including CIO), Security Officer, and Privacy Officer.

Note: The percentages provided in this report are based on the total number of respondents for each question, unless noted otherwise. Some participants did not complete all questions.

SECURITY COMPLIANCE

Concerns about information security have grown steadily across most industries, including healthcare, as a result of ever-changing technologies and increasing incidence of security breaches. To manage these issues, as well as in response to the HIPAA Security Rule (which became effective April 20, 2005), 56% of Providers participating in this Survey reported that they have achieved compliance with Security Rule provisions.
From a more negative perspective, the percentage of Providers who had implemented all required Security provisions by January 2006 (as reported in our Winter 2006 Survey) increased only one point by July 2006, from 55%. (See table below.) Eighty percent (80%) of Payers (up from 72% in January 2006) reported compliance.

Given the significantly poor results among Providers, we drilled down into individual Provider groups to identify the most obvious trouble spots. Forty-nine percent (49%) of hospitals with 400 or more beds were in compliance with the Security Rule, along with just 44% of hospitals with 100 to 400 beds, representing the two least compliant groups. Neither group showed significant improvement since January 2006, when average compliance levels were approximately 4. Hospitals with less than 100 beds and large physician practices were the most compliant Provider groups (7), reflecting a significant increase from 48% in January Fifty-four percent (54%) of medium-sized practices reported compliance (up from 33% in January 2006) and 68% of small practices (compared to 4 in January 2006) also reported compliance.

Forty-three percent (43%) of non-compliant Providers predicted that they will complete HIPAA Security implementation within six months, but the remainder anticipates a longer timeline. Among non-compliant Payers, 6 expect to take seven months or longer to complete implementation. It must be noted that these groups have made like predictions in all three semi-annual Surveys published since the April 2005 Security Rule deadline.

In response to our questions regarding the reasons behind their incomplete Security Rule compliance, both Providers (15%) and Payers (17%) cited, among the top three obstacles, the fact that their organizations are placing higher priority on other projects. Providers' greatest roadblocks, however, were reported to be budgeting constraints (2) and difficulties in achieving successful integration of new systems and procedures across their organizations (also 2). The latter issue is of particular significance relative to the low Security Rule performance of large hospitals, which typically have the most complex systems infrastructures. Anecdotal data indicates that infrastructural complexities, in fact, may be the larger problem: for example, one participant noted that dealing with a mix of legacy systems, new systems and technology backbone issues requires strong strategic direction, in addition to time and money. Another noted that physicians' maintenance of independently managed databases on desktops and portable devices presents an additional infrastructure-related complication.

As a double check, reportedly compliant Survey participants were asked to list the specific Security standards their organizations had implemented. While most participating organizations had implemented most Security Rule provisions, numerous gaps remain. For example, only 61% of Providers reported they had implemented emergency access procedures, and 68% had implemented required audit controls.
Just 75% of Providers had completed contingency planning and programs for security incident response and reporting. While Payers have made more progress in implementing security protections than Providers, at least 2 of participants reported that their organizations had not yet implemented audit controls, person/entity authentication procedures, or media disposal/reuse procedures. No reportedly compliant Provider or Payer was able to demonstrate compliance with every requirement.

[Chart: Industry Security Compliance Comparison: Summer 2006 with Winter 2006, for Providers and Payers]

Incidents of Data Security Breaches

Survey results indicate that security incidents and breaches are a continuing problem within the healthcare industry. Providers and Payers were asked how many data security breaches their organizations had experienced in the six-month period since the Winter 2006 Survey. Thirty-two percent (32%) of Providers (up from 24% reported in January 2006) experienced between one and five incidents, and another 7% reported six to eleven incidents (down from 13%). Generally consistent with our January 2006 data, 29% of Payers experienced between one and five security incidents, and another 4% experienced between six and eleven breaches.

Drivers of Security Rule Compliance

Among both Providers and Payers, the strongest single driver behind their implementation of security protections was reported to be an organizational mindset that embraces the concepts of information security and regulatory compliance. Other major drivers include the influence of accrediting bodies, such as the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) and National Committee for Quality Assurance (NCQA), and the increasing occurrence of security threats and incidents.

TRANSACTIONS AND CODE SETS COMPLIANCE

The original deadline for compliance with the HIPAA Transactions and Code Sets (TCS) Rule was October 16, 2003, but the Centers for Medicare and Medicaid Services (CMS) implemented a temporary Contingency Plan that essentially allowed non-compliance until July Compliance includes implementation of all necessary policies, procedures, processes, and systems in order to test and then conduct the standard HIPAA transactions required for healthcare business functions. Overall TCS compliance, including actual conversion to HIPAA standardized transactions, has shown little, if any, improvement over the past year, and appears to be stalled.
Unlike implementation of the Privacy and Security Rules, the successful conducting of standardized transactions between entities can only be achieved by an individual organization if its internal actions are coordinated with complementary actions of other entities. Unfortunately, as our data below shows, inadequate collaboration among Providers, Payers, software vendors, and clearinghouses remains a major stumbling block in compliance efforts.

Though 84% of Providers indicated they were fully compliant with the TCS Rule in January 2006, and 8 in July 2005, only 72% reported full compliance in July Further, only 42% of Providers are actually conducting all HIPAA standard transactions (down from 46% in January 2006), and 65% indicated they were conducting approximately half of the standard transactions. Demonstrating the significance of industry collaboration in this effort, Providers cited such issues as not having received compliant software from vendors, and many Payers' lack of readiness (as well as perceived ambiguities in HIPAA transaction requirements), as the major roadblocks preventing more progress.

Seventy-three percent (73%) of Payers reported full compliance with the TCS Rule in this Survey, the same percentage reporting compliance in January 2006, but down from the 8 that reported compliance in July However, only 45% of Payers are currently conducting all standard transactions. Again, reflecting collaborative difficulties, over 9 of Payers cited Providers' lack of readiness as the key reason for not conducting more standard transactions, and noted that lack of readiness among clearinghouses and software vendors was also a significant roadblock.

Of those Providers who reported non-compliance with the TCS Rule, about 4 anticipate compliance within four to seven months, or, in some cases, even longer. However, another 41% do

not know when or if their organizations will fully implement the standard transactions. Among the Payers who are reportedly non-compliant, 66% noted that they expect to complete TCS implementation within four to seven months or longer, but another 33% indicated that their organizations have no current plans to complete TCS remediation. (See table below for overall compliance comparison.)

[Chart: Industry TCS Compliance Comparison: Summer 2006 with Winter 2006, for Providers and Payers]

PRIVACY COMPLIANCE

Compliance with the HIPAA Privacy Rule was required by April 2003, but, as we have consistently observed in all Survey results since then, a substantial percentage of Providers and Payers remain non-compliant. In our Winter 2006 Survey, 8 of Providers and 86% of Payers indicated they were compliant with the HIPAA Privacy Regulations; as of July 2006, Providers reporting compliance have decreased to 78%, and Payers have increased by just one point to 87%. These results are also generally consistent with Summer 2005 Survey data and our preceding Surveys throughout 2005 and It is reasonable to conclude that a core group of approximately 2 of Providers and 13% of Payers have had insufficient incentive to implement required Privacy practices within their organizations. (See table below for a comparison of Summer 2006 and Winter 2006 Survey results.)

[Chart: Industry Privacy Compliance Comparison: Summer 2006 with Winter 2006, for Providers and Payers]

Among Providers, 81% of hospitals with more than 400 beds reported full compliance, down from 85% reporting compliance in January Among hospitals with 100 to 400 beds, the percentage reporting compliance also decreased from 84% in January 2006 to 7 in July Seventy-three percent (73%) of hospitals with less than 100 beds and large physician practices reported compliance in July 2006, as compared to 8 in January For the first time, medium-sized physician practices and other similarly-sized Providers reported 10 compliance, compared to 8 in January (Note: only 17 Providers in this category responded to the current Survey). Finally, 73% of participating small Provider practices said they were currently compliant with the Privacy regulations in July 2006, as compared to 7 in January

Within the Payer sector, compliance levels reported in the current Survey ranged from 83% to 92%, with Payers that serve between 500,000 and 1.5 million lives indicating the highest level of compliance (92%). The Summer 2006 Survey Privacy compliance results for Payers are generally comparable to the 8 to 9 range reported in the Winter 2006 Survey.

Despite many Providers' and Payers' reports that they have fully implemented HIPAA Privacy requirements, a more detailed inspection indicates otherwise. In fact, NO participating Provider organization was able to show in this Survey or in past Surveys that it had complied with every key Privacy Rule provision, and Payers' performance was only marginally better. As in past Surveys, we asked reportedly compliant Provider and Payer representatives to indicate their success in implementing several specific HIPAA Privacy requirements as a reality check.
The table below, comparing responses from the Summer 2006 Survey to the Winter 2006 Survey, confirms that gaps remain between actual privacy practices and the specific requirements of the Privacy standards, most significantly in the areas of completing Business Associate Agreements and monitoring organizational compliance with Privacy regulations.

Summary of Key Privacy Practices Implemented by Compliant Organizations

Columns: Providers Summer 2006, Providers Winter 2006, Payers Summer 2006, Payers Winter 2006

Areas of Privacy Compliance:
Obtain patient authorizations for use and disclosure of PHI: % %

Summary of Key Privacy Practices Implemented by Compliant Organizations

                                                                      Providers           Payers
                                                                      Summer    Winter    Summer    Winter
Areas of Privacy Compliance                                           2006      2006      2006      2006
Enable mandated patients' rights (review, amend, restrict records)    96%       98%       94%       97%
Obtain acknowledgement of receipt of Notice of Privacy Practices      92%       97%       N/A       N/A
Post and distribute Notice of Privacy Practices                       98%       97%       88%       97%
Provide ongoing workforce Privacy training                            96%       93%       10        94%
Maintain accounting of disclosures                                    93%       94%       91%       94%
Use minimum necessary restrictions                                    88%       95%       N/A       N/A
Monitor organizational compliance with Privacy regulations            78%       9         85%       89%
Have obtained all required Business Associate Agreements              72%       87%       94%       91%

The majority of Providers and Payers who have not completed implementation of Privacy requirements indicated that they expect to do so within the next six months. However, at least a third of non-compliant participating organizations anticipate they will need seven months or longer to implement the Privacy regulations, and another third did not know when their organizations would be compliant. Again, it must be noted that similar projections for final implementation have been reported by non-compliant Providers and Payers in every Survey we have undertaken since January Adapting internal systems and processes to the requirements of the HIPAA Privacy Rule has proven difficult for many, if not most, covered entity organizations. We asked Survey participants to rank in order the provisions that have challenged them the most. For Providers, training staff was listed as the most difficult task (23%), followed by managing accounting of disclosures (22%) and maintaining Business Associate Agreements (15%). For Payers, maintaining minimum necessary when handling requests for protected health information by third parties has been the most difficult task (33%). Training staff (23%) and managing accounting of disclosures (13%) also ranked in the top three challenges Payers have experienced.
Patient Privacy Breaches and Formal Complaints

In order to assess how much, if at all, Privacy Rule implementation has impacted the incidence of privacy breaches, we asked both the participating organizations that were reportedly Privacy compliant and those that were NOT reportedly compliant about their experiences with privacy breaches in the preceding six months since our last Survey. Both Providers and Payers that stated they were Privacy-compliant have experienced numerous incidents of patient privacy breaches since January 2006; non-compliant Providers, in particular, experienced more incidents than compliant Providers.

Fifty-two percent (52%) of compliant Providers indicated that they had experienced privacy breaches between January and July 2006, down from 6 during the preceding six-month period. Thirty-one percent (31%) experienced between one and five privacy breaches, down from 41% in January Another 21% experienced six or more breaches, slightly up from the 19% reported in January On the other hand, among reportedly NON-compliant Providers, 64% experienced privacy breaches between January and July 2006, with 31% experiencing six or more breaches. It can be inferred that

ensuring that HIPAA Privacy practices are in place may very well reduce the number of breaches that occur within a Provider organization.

Sixty percent (60%) of reportedly compliant Payers (down from 66% in January 2006) reported privacy breaches, and just 6% experienced more than five incidents, down from 12% in January Among NON-compliant Payers, 5 were aware of Privacy incidents that had occurred since January 2006, and half of these participating organizations had experienced six or more incidents. Again, there is some indication from these results that implementation of Privacy Rule protections is reducing the incidence of Privacy breaches.

Historically, healthcare organizations have experienced fewer formal privacy complaints than actual privacy breaches; this remained true for the period between January and July Overall, the number of participating organizations that have received formal complaints has decreased significantly since January Providers (both compliant and non-compliant) experiencing formal complaints decreased from 24% in January 2006 to 17% in July Formal privacy complaints against compliant Payers during the period decreased from 26% to 15%, with NON-compliant Payers reporting no complaints. None of our respondents reported more than five formal privacy complaints between July 2005 and January No organization participating in this Survey was assessed any penalties for a Privacy violation either between January and July 2006, or during any of our preceding Survey periods. This finding reflects recent disclosures by the Federal government that it has not yet imposed any fines for HIPAA violations, despite the fact that over 19,000 grievances have been filed since the Privacy regulations became effective in According to the Department of Health and Human Services' Office for Civil Rights, its first approach to dealing with any complaint is to work for voluntary compliance (Washington Post, June 5, 2006).
While this approach may be effective with organizations that have received complaints, our Survey results suggest that it may serve as a disincentive to implementing Privacy protections for organizations that have neither complied with the Privacy Rule nor experienced formal complaints.

Impact of HIPAA Privacy

Now that the HIPAA Privacy Rule has been in place for over three years, with most Providers and Payers compliant in most areas, we asked Survey participants to rate both the benefits and the negative impacts their organizations have experienced. Both Providers (85%) and Payers (83%) strongly indicated that the foremost benefit achieved has been greater attention to patient privacy by their staffs. They also agreed on the second and third greatest benefits: increased patient privacy overall (Providers: 75%, Payers: 67%), and more effective systems and processes (Providers: 43%, Payers: 4). Providers in particular (35%) noted that new Privacy practices have increased consumer satisfaction and confidence.

Both groups agreed on the biggest negatives of implementing the Privacy regulations: excessive work by staff in relation to patient privacy (Providers: 4, Payers: 43%); negative responses by patients towards HIPAA processes and forms (Providers: 38%, Payers: 37%); and negative attitudes by staff in relation to privacy (Providers: 35%, Payers: 4).

ROADBLOCKS TO HIPAA COMPLIANCE

Covered entities have experienced many obstacles on their roads toward implementation of HIPAA Privacy, Security, and standardized Transactions and Code Sets. In recent years, we have seen the significance of some early roadblocks decrease. For example, lack of organizational support, once considered the toughest roadblock, is a problem for only 4% of Providers and 7% of Payers. Similarly, lack of adequate expertise, formerly a major problem for Providers in particular, was cited by less than 1 of Providers and Payers in this Survey.

On the other hand, an early obstacle for many Providers, budget constraints, tied in the Summer 2006 Survey with difficulties in achieving successful integration of new systems and practices as the second key obstacle encountered (2). The latter issue, in the current Survey, was noted by Payers as the number one obstacle they have faced (2). Conflicts with projects that have had higher priority, and difficulties in interpreting HIPAA regulations were listed by Providers as the third and fourth most challenging issues, with Payers ranking these as the second and third most difficult. In the January 2006 Survey, changes/potential changes in regulations ranked among Providers as the greatest obstacle they had faced, and interpretation of regulations ranked highest among Payers.

HIPAA COMPLIANCE DRIVERS

According to the Centers for Medicare and Medicaid Services (CMS) and the Office for Civil Rights (OCR), enforcement of HIPAA Security and Privacy is complaint-driven. However, Survey participants noted that key drivers of compliance by their organizations are somewhat different. Peers/trading partners (including attorneys), press stories, and internal whistle blowers were ranked as the most significant factors influencing their organizations' compliance efforts.

Both Providers and Payers rely on a variety of industry resources to support their HIPAA compliance efforts. Phoenix Health Systems' HIPAAdvisory.com, the CMS web site, and the Department of Health and Human Services (HHS) were ranked, in order, as the top three most helpful resources used.

NATIONAL PROVIDER IDENTIFIER

Healthcare Providers are required under HIPAA to obtain and use a unique identifier by May 23, 2007, when filing electronic claims, in order to help streamline related electronic processes. We asked Survey participants what steps they have taken to prepare for conversion to the standard identifier.
Almost 67% of Providers, up from 39% in January 2006, reported that their organizations have already applied for their National Provider Identifier (NPI). Seventy-seven percent (77%) of Providers have identified the system and software changes they will need to make, and 32% have already completed related internal testing. Seventy-six percent (76%) of Payers have finished identifying the systems, software, and business process changes they will need to make to enable Providers to convert successfully to the NPI.

NATIONAL PATIENT IDENTIFIER SYSTEM

The concept of establishing a National Patient Identifier system remains under consideration by HHS, but continues to be controversial. We asked both Providers and Payers if their organizations would find that the value of National Patient Identifiers would outweigh such concerns as potential errors or threats to patient privacy. Forty-two percent (42%) of Providers (up from 3 in January 2006) felt that the benefits would outweigh potential negatives. Thirty-six percent (36%) had no opinion and 22% were opposed to a patient identifier system. Payers were less positive, with only 3 supporting such a system (down from 45% in January 2006), 52% opposing it, and 17% undecided.

HIPAA IMPACTS AND OPPORTUNITIES

Though HIPAA is often referred to as a compliance responsibility, the achievement of long-term benefits was the original driver of HIPAA in 1996 when it was legislated by Congress. The HIPAA standards for Privacy, Security, and Transactions were intended to work together as an industry-wide foundation for lowering healthcare costs and reducing errors through safe, universal electronic communication of healthcare information. Therefore, we focused one section of this Survey on exploring the impact of HIPAA on participating organizations, post-HIPAA implementation, and the opportunities for return on investment.

Transactions and Code Sets ROI

Survey participants were asked if their organizations have realized any direct return on their investment in the standardization of Transactions and Code Sets. Forty-seven percent (47%) of Providers and 25% of Payers had not measured this. Twenty-one percent (21%) of Providers and 29% of Payers indicated they had measured for ROI, but have realized little or none. About 4% of both Providers and Payers stated that their measurements had indicated they had achieved significant ROI.

When asked if their organizations have begun, or plan to begin to implement initiatives intended to achieve ROI on their HIPAA implementations, 15% of Providers and 8% of Payers answered positively, and approximately half responded negatively. The remainder stated that the question was either not applicable to their organization, or they did not know. Reported examples of ROI initiatives that are underway include moving to totally electronic transactions, conversion to electronic medical records, educating employees, performing activities formerly handled by clearinghouses, reducing use of postage and paper, ensuring faster billing and collections, and creating better pre-billing reports to reduce file rejections.
Participation in Health Information Networks/RHIOs

Many healthcare organizations have made decisions to join the growing number of regional health information organizations (RHIOs) and other health information networks. The adoption of standardized Privacy, Security, and Transactions practices has often been considered an important factor in healthcare organizations' ability to make such networks viable and effective. If this is the case, it would be reasonable to believe that the benefits of health information networks are one form of indirect return on an organization's HIPAA investment. We asked our Survey participants if they were involved in health information network initiatives, what benefits they were realizing, and to what extent HIPAA had helped or hindered these initiatives.

Approximately 3 of both Providers and Payers reported that they are currently participating in a health information network, and 22% of Providers and 17% of Payers are considering involvement in the next year. About 5 of Providers and 84% of Payers indicated that implementation of HIPAA Privacy and Security standards had facilitated the execution of such networks, and in many cases been essential to their success. Some participants (15% of Providers, of Payers) felt that Privacy and Security requirements had presented unnecessary obstacles.

With regard to the Transactions and Code Sets standards, 48% of Providers and 67% of Payers felt TCS adoption had facilitated their information network initiative or been essential to its success. Nine percent (9%) of Providers felt TCS had been a hindrance, but no Payer agreed.

When asked what benefits Survey participants were realizing from their involvement in a health information network or RHIO, 35% of Providers and 5 of Payers agreed that streamlined flow of patient information was the most significant benefit thus far. Improvement in overall community health, improved quality of patient care, and reduction in redundant processes were also cited as key benefits.

HOSPITAL SPENDING FOR HIPAA

2005 Actual Spending vs Budgets

See tables below for a comparison of reported spending in 2005 against 2006 budgets, based on hospital size.

[Charts: 2005 Actual Spending and 2006 Budget for Hospitals (400+ Beds), Hospitals ( Beds), and Hospitals (< 100 Beds). Spending categories: < $30,000; $30,000 - $50,000; $50,000 - $100,000; $100,000 - $250,000; $250,000 - $500,000; $500,000 - $1 million; $1 million - $2 million; $2 million +; Do not know.]

Specialists in Healthcare Information Systems Consulting and Outsourcing Services

Comprehensive IT Outsourcing Services
IT-Based Clinical Transformation Solutions
Revenue Cycle Improvement
Strategic IT Planning and Procurement
Systems Implementation
Information Security
HIPAA Compliance

Visit for more information on Phoenix services. Visit for daily updates on HIPAA-related news.
Wightman Road, Suite 400, Montgomery Village, MD

Healthcare Information and Management Systems Society

HIMSS (Healthcare Information and Management Systems Society) is the healthcare industry's membership organization exclusively focused on providing leadership for the optimal use of healthcare information technology and management systems for the betterment of human health.

Visit for more information.
230 East Ohio Street, Suite 500, Chicago, IL


More information

REPORT 2015/149 INTERNAL AUDIT DIVISION

REPORT 2015/149 INTERNAL AUDIT DIVISION INTERNAL AUDIT DIVISION REPORT 2015/149 Audit of the information and communications technology operations in the Investment Management Division of the United Nations Joint Staff Pension Fund Overall results

More information

Hospital Council of Western Pennsylvania. June 21, 2012

Hospital Council of Western Pennsylvania. June 21, 2012 Updates on OCR s HIPAA Enforcement and Regulations Hospital Council of Western Pennsylvania June 21, 2012 Topics HIPAA Privacy and Security Rule Enforcement HITECH Breach Notification OCR Audit Program

More information

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014

Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014 Technology Workshop HIPAA Security Risk Assessment: What s Next? January 9, 2014 Welcome! Thank you for joining us today. In today s call we ll cover the Security Assessment and next steps. If you want

More information

Mid-Market Data Center Purchasing Drivers, Priorities and Barriers

Mid-Market Data Center Purchasing Drivers, Priorities and Barriers Mid-Market Data Center Purchasing Drivers, Priorities and Barriers Featuring Sophia Vargas, Forrester Research Inc. 30 May 2014 Introducing today s presenters: Matt Miszewski Senior Vice President of Sales

More information

CompTIA Security Research Study Trends and Observations on Organizational Security. Carol Balkcom, Product Manager, Security+

CompTIA Security Research Study Trends and Observations on Organizational Security. Carol Balkcom, Product Manager, Security+ CompTIA Security Research Study 2007 Trends and Observations on Organizational Security Carol Balkcom, Product Manager, Security+ Goals of this session To share some trends and observations related to

More information

FDA & Medical Device Cybersecurity

FDA & Medical Device Cybersecurity FDA & Medical Device Cybersecurity Closing Keynote, February 19, 2017 Suzanne B. Schwartz, M.D., MBA Associate Director for Science & Strategic Partnerships Center for Devices and Radiological Health US

More information

Healthcare HIPAA and Cybersecurity Update

Healthcare HIPAA and Cybersecurity Update Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International. Healthcare HIPAA and Cybersecurity Update Agenda > Introductions > Cybersecurity

More information

PAIN AND PROGRESS THE RSA CYBERSECURITY AND BUSINESS RISK STUDY

PAIN AND PROGRESS THE RSA CYBERSECURITY AND BUSINESS RISK STUDY WHITEPAPER PAIN AND PROGRESS THE RSA CYBERSECURITY AND BUSINESS RISK STUDY CONTENTS Executive Summary........................................ 3 The Cybersecurity and Business Risk Survey..........................

More information

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID

8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID Billing & Reimbursement Revenue Cycle Management 8 COMMON HIPAA COMPLIANCE ERRORS TO AVOID Billing and Reimbursement for Physician Offices, Ambulatory Surgery Centers and Hospitals Billings & Reimbursements

More information

Cloud Computing. January 2012 CONTENT COMMUNITY CONVERSATION CONVERSION

Cloud Computing. January 2012 CONTENT COMMUNITY CONVERSATION CONVERSION Cloud Computing January 2012 CONTENT COMMUNITY CONVERSATION CONVERSION Purpose and Methodology Survey Sample Field Work December 20, 2011 January 9, 2012 Total Respondents 554 Margin of Error +/- 4.2%

More information

HIPAA For Assisted Living WALA iii

HIPAA For Assisted Living WALA iii Table of Contents The Wisconsin Assisted Living Association... ix Mission... ix Vision... ix Values... ix Acknowledgments... ix Who Should Use This Manual... x How to Use This Manual... x Updates and Forms...

More information

2 The IBM Data Governance Unified Process

2 The IBM Data Governance Unified Process 2 The IBM Data Governance Unified Process The benefits of a commitment to a comprehensive enterprise Data Governance initiative are many and varied, and so are the challenges to achieving strong Data Governance.

More information

Getting Security Right: The CISO of the Future

Getting Security Right: The CISO of the Future Getting Security Right: The CISO of the Future Presented by: Mac McMillan CEO, CynergisTek CynergisTek, Inc. 11410 Jollyville Road, Suite 2201, Austin TX 78759 512.402.8550 info@cynergistek.com cynergistek.com

More information

HIPAA COMPLIANCE AND DATA PROTECTION Page 1

HIPAA COMPLIANCE AND DATA PROTECTION Page 1 HIPAA COMPLIANCE AND DATA PROTECTION info@resultstechnology.com 877.435.8877 Page 1 CONTENTS Introduction..... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and RESULTS Cloud

More information

2016 Survey: A Pulse on Mobility in Healthcare

2016 Survey: A Pulse on Mobility in Healthcare 2016 Survey: A Pulse on Mobility in Healthcare Introduction Mobile Trends in Healthcare Mobility in Healthcare Top Motivation for Implementing a Mobile Solution Impact of Mobility on Patient Experience

More information

Certification for Meaningful Use Experiences and Observations from the Field June 2011

Certification for Meaningful Use Experiences and Observations from the Field June 2011 Certification for Meaningful Use Experiences and Observations from the Field June 2011 Principles for Certification to Support Meaningful Use Certification should promote EHR adoption by giving providers

More information

THALES DATA THREAT REPORT

THALES DATA THREAT REPORT 2018 THALES DATA THREAT REPORT Trends in Encryption and Data Security U.S. FEDERAL EDITION EXECUTIVE SUMMARY #2018DataThreat THE TOPLINE Federal agency data is under siege. Over half of all agency IT security

More information

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016

Update on HIPAA Administration and Enforcement. Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Update on HIPAA Administration and Enforcement Marissa Gordon-Nguyen, JD, MPH October 7, 2016 Updates Policy Development Breaches Enforcement Audit 2 POLICY DEVELOPMENT RECENTLY PUBLISHED: RIGHT OF ACCESS,

More information

Is Your Compliance Strategy Putting Your Business at Risk?

Is Your Compliance Strategy Putting Your Business at Risk? Is Your Compliance Strategy Putting Your Business at Risk? January 20, 2015 2015 NASDAQ-LISTED: EGHT Today s Speakers Michael McAlpen Exec. Dir. of Security & Compliance, 8x8, Inc. David Leach Business

More information