Summary of Gartner COMPARE Survey of HIPAA Readiness Conducted Feb-March 2003

Similar documents
Healthcare Information and Management Systems Society HIMSS. U.S. Healthcare Industry Quarterly HIPAA Compliance Survey Results: Summer 2002

HIPAA Implementation: Steps to Creating a Budget for HIPAA Compliance

Projecting and Budgeting Costs and Savings of HIPAA Compliance

Auditing and Monitoring for HIPAA Compliance. HCCA COMPLIANCE INSTITUTE 2003 April, Presented by: Suzie Draper Sheryl Vacca, CHC

Statement of HIPAA Readiness February 2003

Healthcare Information and Management Systems Society. U.S. Healthcare Industry HIPAA Compliance Survey Results: Summer 2005

HIPAA: State of the Industry

Early Intervention Indiana First Steps Indiana First Steps HIPAA Testing Plan

HIPAA X12 Transactions Testing and Certification. 2 nd National HIPAA Summit Washington DC, March 2, 2001 Kepa Zubeldia, M.D.

CORE Voluntary Certification: Certification from the Testing Vendor s Perspective. February 18, :00 3:00pm ET

Compliance With HIPAA Privacy Rule Before Security & Enforcement Rules are Final: Challenges in Practice

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Member of the County or municipal emergency management organization

HIPAA--The Medicare Experience September, Kathy Simmons Technical Advisor OIS/Division of Data Interchange Standards

Response to CMS. WEDI Attachment Forum Questions. August 9th Attachment Standard

HIPAA Case Study. Long Term Care (LTC) Industry. October 26, Presented by: James Pfeiffer Brian Zoeller

Phase IV CAQH CORE Certification and Testing Policies v4.0.0

DFARS Cyber Rule Considerations For Contractors In 2018

HIPAA Transactions Testing Update. Kepa Zubeldia, M.D. September 13, 2004

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

2013, Healthcare Intelligence Network

Information Technology (CCHIT): Report on Activities and Progress

ROI. ROI: Economics of Certification May 9, 2002 Peter T Barry. Benefits of 3rd Party Transaction Certification

12 Approval of a New PRESTO Agreement Between York Region and Metrolinx

VI. CLAIMS EDI PROCESSING PROCEDURES A. General Information

Subcontracted Delivery Policy

Healthcare Information and Management Systems Society. U.S. Healthcare Industry HIPAA Compliance Survey Results: Summer 2006

Integrating HIPAA into Your Managed Care Compliance Program

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Living with HIPAA: Compendium of Next steps from Rural Hospitals to Large Health Systems to Physician Practices

Summary Analysis: The Final HIPAA Security Rule

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

WASHINGTON UNIVERSITY HIPAA Privacy Policy # 7. Appropriate Methods of Communicating Protected Health Information

NE HIMSS Vendor Risk. October 9, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS

HEALTH CARE AND CYBER SECURITY:

The New England Approach to HIPAA. John D. Halamka MD Chairman, New England Health EDI Network CIO, CareGroup Healthcare System

Emdeon Office ICD-10 Testing Guide. Published Q2 2014

Phase II CAQH CORE 202 Certification Policy version March 2011 CAQH 2011

HIPAA Compliance Strategies for IPAs and Medical Groups

4350 E. Cotton Center Boulevard Building D Phoenix, AZ / Fax

Robert Hayes Senior Director Microsoft Global Cyber Security & Data Protection Group

A Working Paper of the EastWest Institute Breakthrough Group. Increasing the Global Availability and Use of Secure ICT Products and Services

Data Type and Format (Not all data elements require a format specification)

Change Healthcare ERA Provider Information Form *This form is to ensure accuracy in updating the appropriate account

The Monetisation of Portability and Verification in an A2P SMS World

Cyber Security Strategy

Change Healthcare ERA Provider Information Form *This form is to ensure accuracy in updating the appropriate account

Mid-Market Data Center Purchasing Drivers, Priorities and Barriers

Entergy Arkansas, Inc. Transition Plan Technical Conference #1

Update for the Workgroup for Electronic Data Interchange (WEDI) July 31, 2018

Instructions for Electronic Remittance Advice (ERA) Enrollment/Change/Cancellation

Request for Proposal HIPAA Security Risk and Vulnerability Assessment. May 1, First Choice Community Healthcare

Summary of Benefits and Coverage Disclosure Requirements

Change Healthcare ERA Provider Information Form *This form is to ensure accuracy in updating the appropriate account

Postal Inspection Service Mail Covers Program

HPH SCC CYBERSECURITY WORKING GROUP

CORE-required Maximum EFT Enrollment Data Set

TRADING PARTNER ID ENROLLMENT

Village Software. Security Assessment Report

A Global Look at IT Audit Best Practices

at Kaiser Permanente Mary Henderson HIPAA Program Director Kaiser Permanente

6. CLAIMS EDI PROCESSING PROCEDURES A. General Information

Canadian Anti-Spam Legislation (CASL) Campaign and Database Compliance Checklist

Phase III CAQH CORE 305 Enforcement Policy version January Table of Contents

USA HEAD OFFICE 1818 N Street, NW Suite 200 Washington, DC 20036

HIPAA Compliance: What it is, what it means, and what to do about it. Adam Carlson, Security Solutions Consultant Intapp

Hospital Council of Western Pennsylvania. June 21, 2012

Meaningful Use Audit, Is Your Organization Ready!

Change Healthcare ERA Provider Information Form *This form is to ensure accuracy in updating the appropriate account

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Swedish bank overcomes regulatory hurdles and embraces the cloud to foster innovation

VMware vcloud Air Network Service Providers Ensure Smooth Cloud Deployment

2017 RIMS CYBER SURVEY

Is CAQH CORE Certification Right for Your Organization?

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

FROM TACTIC TO STRATEGY:

Aon Service Corporation Law Global Privacy Office. Aon Client Data Privacy Summary

Understanding Cybersecurity Talent Needs Findings From Surveys of Business Executives and College Presidents

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

AETNA BETTER HEALTH OF ILLINOIS 333 W. Wacker Drive Suite 2100, MC F646 Chicago, IL Fax

220 Burnham Street South Windsor, CT Vox Fax

AETNA BETTER HEALTH OF OHIO 7400 W. Campus Rd. New Albany, OH Fax

PAYER ENROLLMENT INSTRUCTIONS FOR

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Implementing HIPAA Security A Real Life Experience

Build confidence in the cloud Best practice frameworks for cloud security

Vulnerability Management Trends In APAC

GEORGIA CYBERSECURITY WORKFORCE ACADEMY. NASCIO 2018 State IT Recognition Awards

Not Just Another Day of HIPAA

Phase I CAQH CORE 102: Eligibility and Benefits Certification Policy version March 2011

Report of the Working Group on mhealth Assessment Guidelines February 2016 March 2017

PULSE TAKING THE PHYSICIAN S

WHITE PAPER. HIPAA Breaches Continue to Rise: Avoid Becoming a Casualty

DRAFT. HIPAA Impact Determination Questionnaire (Gap Analysis)

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Maryland Health Care Commission

Information Security Risk Strategies. By

ISACA Cincinnati Chapter March Meeting

TRICARE West Region Electronic Data Interchange PO Box Augusta, GA Fax:

Change Healthcare ERA Provider Information Form *This form is to ensure accuracy in updating the appropriate account

Transcription:

Summary of Gartner COMPARE Survey of HIPAA Readiness Conducted Feb-March 2003 Presentation to HIPAA Summit West 6 June 2003 Vice-President, Research Area Director Gartner Page 0

Definition: Gartner s Compliance Progress and Readiness (COMPARE) scale is a methodology that defines the detailed milestones necessary in a comprehensive compliance program. Gartner s HIPAA COMPARE Methodology Education/ Awareness Policies/Procedures Complete; Tools/Applications Installed Cost/Benefit Strategy Complete; Tools Selected Risk Assessment/ Gap Analysis I Testing/Audits Complete; Third-Party Compliance Verified II III IV V Model Sampling Randomly Selected Unbiased Responsible for Compliance Three-Year Commitment to Ongoing Surveys Equal Representation Entire Industry The 166 participants in Gartner s seventh HIPAA survey were selected using a stratified, equivalent sample of providers (composed of integrated delivery systems, stand-alone hospitals with at least 250 beds, and physician groups of at least 30 physicians) and payers (composed of health maintenance organizations with more than 10,000 members, large national preferred provider organizations and private health insurers). At these sample sizes, Gartner s provider and payer data is statistically valid to a 10 percent margin of error. Using random selection in representative numbers avoids the bias that comes with surveys that solicit volunteers. The panelists agreed to continue participating in three years of surveys. This will minimize the introduction of variability into ongoing results and allow accurate reporting of the industry s true progress. Our COMPARE scale for HIPAA groups questions into levels that represent the phases of a HIPAA project: Level I (getting oriented), Level II (a formal assessment of its vulnerabilities and activities needed to achieve compliance), Level III (quantifying costs and benefits, creating a strategy and plans), Level IV (completing and communicating policies and procedures, remediating or replacing applications, and negotiating with business associates) and Level V (implementing and testing all tools and applications, benchmarking the industry on privacy and security, implementing all compliance measures, and establishing a formal process to address evolving requirements and pursue absolute compliance. Page 1

Market: Many payers have simply abandoned taking a strategic approach toward HIPAA transactions in favor of tactical compliance approaches. COMPARE Level III: Some Progress, But... 0% 10 20 30 40 50 60 70 80 90 100 Executive Mechanism for Monitoring Progress Detailed Remediation Implementation Plan Set Course of Action for Each Application Assigned Priv. and Security Officers to Specialty Centers Get All Vendor Contractual Commitments Security, Privacy Champions Assigned Common Terminology for Bus. Associate Agreements Cost-Accounting Model Cost/Benefit Analysis Done Aug Feb 2002 2003 Payers Providers Doing Feb 2003 For Level I (not shown), most HCOs have completed all items except for education. Clearly some organizations decided to perform assessments without widespread education. For Level II (also not shown), approximately 70 percent of health plans had completed all activities except assessing the security status. This is not surprising, since the final security regulation was just published in February 2003. Providers were about the same, except that they were only at the 50 percent level for inventorying software vendor contracts and business partners. Of those HCOs that had not completed activities, 90-95 percent of them were currently doing them. (80 percent indicated they were now doing security assessments.) We note that about twice as many HCOs have completed Level III tasks when compared to August 2002. On average, responding payers have started 82 percent of the Level III tasks, and providers have started 78 percent. The average percentages of Level III tasks completed by payers and providers, however, are only 34 percent and 32 percent, respectively. The milestones that have shown the greatest progress are the planning steps for Level IV. Perhaps the most disappointing finding of this survey iteration is that few HCOs have completed cost/benefit analyses. In fact, many providers appear to have abandoned treating HIPAA as a strategic opportunity with return on investment (ROI) potential; now, one-half of payers and two-thirds of providers report having no plans to analyze potential benefits. Indeed, there was substantial regression on the completed statistic for the providers. Gartner attributes this to a reassessment of costs and plans. The fact that 48 percent of the payers are doing one is encouraging. Page 2

Market: Employee training is the most rapidly advancing progress indicator. This is a consequence of the privacy deadline being the earliest HIPAA requirement. COMPARE Levels IV and V 0% 10 20 30 40 50 60 70 80 90 100 Identified Employee Training Methodology Reassigned Need-to- Know Classifications Implemented System Mods., Interfaces and Conversions Changes to Limit Patient Information Disclosure Implemented Chain of Trust Agreements Implemented Security Policies and Procedures Implemented Privacy Policies and Procedures IV V Done Aug Feb 2002 2003 Payers Providers Doing Feb 2003 The greatest progress since August 2002 appears in Level IV. Most providers and payers have embarked on most tasks (excluding security). A majority of HCOs are beginning their implementation tasks concurrently with their Level III Detailed Planning tasks. Indeed the averages for initiating and concluding Level III and Level IV tasks are very similar. Many HCOs tell Gartner that they have procured or are seeking off-the-shelf solutions to expedite much of their privacy and security implementation work. The situation with TCS appears promising based only on the answers to respondents questions. About 94 percent of payers and 77 percent of providers report having begun implementing system modifications, interfaces and data conversions. Providers, however, are largely at the mercy of their software vendors, most of which are still working on their compliance upgrades. Level V tasks are also well on the way, with a few of the most aggressive HCOs showing completion on many Level V tasks (other than security). In this survey, Gartner asked about Chain of Trust agreements. During the survey period, the final security rule was published, which changed the name of these agreements to Business Associate agreements to be consistent with the privacy regulation. Page 3

Market: As of 16 April 2003, which was the testing deadline stipulated by the AS Compliance Act, less than 60 percent of providers were ready for formal testing of claims and remittance advice transactions with their trading partners. Level V: Transaction Testing Internal and External 0% 10 20 30 40 50 60 70 80 90 100 837 Claim 835 Remittance Advice 270/271 Eligibility 277/276 Claim Status 278 Referrals 820 Premium Payment February 2003 Payers Internal Payers External Providers Internal Providers External 834 Enrollment/ Disenrollment The 80-80 rule applies very well to EDI projects: design and programming take 80 percent of the project time and testing takes the other 80 percent. February 2003 was the first time Gartner asked specific questions about HIPAA transaction testing. The overall pattern of progress across the transactions is generally consistent with the industry need to minimize disruption in claims processing and payment streams. Claims and remittance advice show the most progress, with 78 percent of payers testing claims internally and 66 percent externally. Eligibility follows closely behind, in part because there is a substantial volume of pre-hipaa electronic eligibility transactions. This is an encouraging sign because this transaction will generate ROI through improved claims clearance. Gartner was surprised to find that progress on enrollment/disenrollment outpaced eligibility for payers and more surprised to see substantial progress on the provider side. This is good because of the potential to improve payer ROI and to engender more accurate eligibility data. Although these results are encouraging, the absolute progress is troublesome in the light of the 80-80 rule. Low rates of external testing of providers, and the number of providers that need to test with a clearinghouse or payer, indicate trouble ahead. Action Item: The industry needs to develop a contingency plan to deal with less-than-complete readiness for claims and remittance advice. Page 4

Strategic Planning Assumptions: By October 2003, 90 percent of the specified HIPAA transactions done electronically will conform with the HIPAA standards (0.2 probability). Between October 2003 and October 2005, 90 percent of the specified HIPAA transactions done electronically will begin to conform with the HIPAA standards (0.6 probability). By October 2005, most HCOs will have given up on achieving truly uniform HIPAA transactions and will use nonuniform, payer-dictated transactions (0.1 probability). Overall COMPARE Progress 100% 90 80 Most Progressive HCOs 70 60 50 40 30 20 10 Payers Providers Aug Feb 2002 2003 0 Level I Level II Level III Level IV Percentage of Tasks Started and Completed in Each Level, on Average Start Level IV For Levels I and II, Gartner interprets the start numbers as being as close to 100 percent as the industry will achieve, given varying implementation methodologies in different HCOs. The fact that only 66 percent of payers and 54 percent of providers are showing completion for Level II is a reflection of the deferral of education to later steps and the distant deadline for security compliance. Levels III and IV are interesting in that more HCOs have begun tasks in the Level IV category than have begun tasks in Level III. The tasks in Level III are primarily methodology milestones, and many HCOs have chosen not to do cost benefit analyses and other methodology steps. The tasks in Level IV and V, however, are the actual deliverables of HIPAA compliance. In computing overall progress for Level V, Gartner included the answers to questions about internal and external testing of transactions that had not been asked in August 2002. Had they been asked then, HCO progress for Level V would be numerically lower. Overall, the healthcare industry has made substantial progress with its HIPAA compliance initiatives. This picture would look very good, except that the Level V tasks are time-consuming and the questions were asked two months from the privacy deadline and eight months from the TCS deadline. Overall, Gartner expects compliance efforts to continue for up to a year after the official deadlines. Page 5

Key Issue: How should healthcare organizations that are not on schedule manage their HIPAA compliance work? Getting Started on Testing 100% 90 80 70 60 50 40 30 20 HCOs that believe their trading partners are ready to test transactions (as of February 2003) 9% 10% 13% 27% 25% 23% 18% 20% 20% 27% 30% 27% 24% 19% 19% 24% None have contacted me Only a few leading-edge trading partners Less than 10 percent of my trading partners 10 to 49 percent 10 0 18% 15% 16% 14% $1 billion or more Payer < $ 1 billion Provider $1 billion or more < $ 1 billion 50 percent or more Gartner asked panelists if their trading partners are ready to test. This is an important measure of the ability of the industry to complete the conversion to HIPAA transactions by 16 October 2003. Testing is required both for HCOs that choose to send and receive the standard formats and for HCOs that choose clearinghouses. Claredi, one of the firms that offers HIPAA certification, has observed that test data from clearinghouses varies in HIPAA compliance according to the provider that was the original source of the data. This is because some providers have been more diligent than others in adding the new data elements required by HIPAA to their outbound information streams. The good news is that 14-18 percent of the respondents have heard that more than half of their trading partners are ready to test, and 33-44 percent report that at least 10 percent of their trading partners are ready. This glass is half full, in that the leading-edge trading partners will bear the brunt of an HCO s debugging its HIPAA compliance. When the same HCO tests with other trading partners, errors are more likely to be confined to companion guide or line-of-business variations. It is also possible to find support for a pessimistic view that the glass is half empty. Almost a fourth of providers with less than a billion dollars in revenue have not heard of any trading partners being ready to test. Tactical Guideline: HCOs should test early with a few trading partners to hone their HIPAA compliance before embarking on parallel tests with many trading partners. Page 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback