HIPAA compliance still a distant goal as deadline looms

Jonathan S. Batchelor
Mar 31, 2005

Three weeks after the publication of this story, the deadline for implementation of the HIPAA Security Rule will occur. According to a survey conducted in January this year, the vast majority of healthcare providers and payors in the U.S. report that they are still far from compliant with HIPAA security regulations.

The U.S. Healthcare Industry HIPAA Compliance Survey, conducted from January 4 through January 20 this year, found that only 30% of the surveyed payors and a mere 18% of the responding providers indicated that they are currently compliant with the HIPAA Security Rule. The survey is a joint venture by consulting firm Phoenix Health Systems of Montgomery Village, MD, and the Healthcare Information and Management Systems Society (HIMSS) of Chicago.

The results are based on responses from 400 healthcare representatives who replied to an e-mail invitation to participate in the survey. Provider organizations (318) accounted for 80% of the respondents, and payors (82) made up the remaining 20% of the cohort. Approximately 84% of the total respondents indicated that they hold an official role within their organization for HIPAA compliance.

"For the first time, our survey focused solely on healthcare provider and payor organizations, requesting feedback to determine compliance status with specific HIPAA Security, Transactions and Code Sets (TCS), and Privacy requirements," the study authors wrote.

The provider organizations were broken down into facility and practice. Approximately 25% of the respondents were from hospitals with 400+ beds, 17% from institutions with 100-400 beds, and facilities with fewer than 100 beds made up 14% of the provider portion of the survey. Medium-size physician practices of 11-29 members comprised 7% of the provider respondents, while smaller practices of 10 or fewer members made up the remaining 17%.

Payors were stratified into those covering more than 1.5 million lives (4%), those covering 501,000 to 1.5 million lives (4%), those with 150,000 to 500,000 lives (4%), and those organizations covering fewer than 150,000 lives (8%), according to the survey data.

According to the results of the 2005 winter survey, much of the healthcare industry is still struggling with HIPAA provisions.

"By all indications, the road to compliance remains difficult," the study authors noted.

TCS -- still a struggle

Although the Centers for Medicare and Medicaid Services (CMS) has extended its October 2003 contingency plan for compliance with HIPAA's TCS standards for more than a year, logistical issues still exist. If TCS compliance today were assigned a letter grade, U.S. healthcare has risen to a C- from the D it earned in the last survey.

Progress with TCS compliance is not overly encouraging; only 73% of providers, and 70% of payors, indicate that they are currently fully compliant, according to the survey. Both groups have risen 8%, respectively, in their TCS compliance since a June 2004 survey.

The survey authors noted that although 73% of the providers said they were fully TCS compliant, only 49% responded that they were actually doing so. On the payor side of the TCS equation, 56% indicated that they are conducting all of the HIPAA standard transactions.

All is not bleak for TCS compliance -- approximately 90% of the surveyed providers are transmitting at least one of the HIPAA standard transactions to payors. In addition, the survey found that 70% of providers are transmitting more than one-half of the transactions and 49% are transmitting all of them.

Logistical issues with information system interfaces between payors and providers continue to bedevil the healthcare industry's capability to implement TCS compliance. More than 60% of the payors and almost half of the providers indicated that there are transactions that their information systems are capable of producing, but that are not being conducted due to the inability of trading partners to accept or transmit them.

"The primary obstacle (to TCS implementation) is that certain provider and payor organizations are still not ready or able to process the standard transactions," the survey authors wrote. "Of equal importance is the assertion that critical vendors have not supplied providers and payors with necessary HIPAA-compliant software."

Privacy -- enforcement on the rise

The deadline for the HIPAA Privacy Rule was April 2003 and despite the risk of complaints and federal penalties, 16% of providers and 8% of payors continue to report that they remain noncompliant with the privacy rule, according to the survey. This represents little to no privacy compliance change since the June 2004 survey.

Among the providers, medium-size physician practices were the most compliant (95%), while smaller physician practices indicated the most trouble with adopting the privacy rule, with only 67% reporting compliance. The respondents from hospitals with 400+ beds reported 82% compliance, hospitals with 100-400 beds said they were 81% compliant, and facilities with fewer than 100 beds claimed 72% compliance.

Although almost two years have elapsed since the privacy rule was implemented, gaps remain in certain areas, such as the establishment of business associate agreements and the monitoring of internal privacy compliance, the survey noted. Even more troubling, 73% of the providers and 56% of the payors reported that their organizations had experienced one or more privacy breaches over the last six months of 2004.

Enforcement of the privacy rule is starting to rear its head among the survey respondents. According to the report, approximately 27% of the providers and 31% of the payors have had at least one formal complaint of privacy violation filed against them, either with the U.S. government or in a civil proceeding, since the privacy compliance deadline.

Security -- a long way to go

Although compliance with the HIPAA Security Rule is breathing down the necks of U.S. healthcare providers -- April 20 this year -- there has been essentially no progress in adopting its provisions (18% report compliance) within this survey group in the past six months. Hospitals are even more unprepared, according to the survey. Only 9% of 400+ bed facilities reported being compliant, and 18% of institutions with fewer than 400 beds said they were compliant with the security regulations.

Payors have demonstrated a 17% improvement in security compliance since the June 2004 survey was taken, with 30% stating compliance, up from 13% last year.

Four elements of security rule implementation were deemed the most difficult to implement by both payors and providers. These were audit controls, risk management/risk analysis, information system activity review, and data backup plan/disaster recovery plan/emergency mode operation plan.

Both payors and providers are optimistic that they will be in compliance with the security rule by this month, with 74% of the providers and 80% of the payors indicating a belief that they will meet the CMS deadline. Perhaps recognizing that compliance is not an easy effort, this represents a 13% decline in expected readiness among providers and an 11% drop-off by payors from the June 2004 survey.

The respondents were asked to indicate the number of security breaches their organizations had experienced in the past six months. Of concern is the finding that nearly half of the group had experienced at least one data security breach, with 40% of providers (up from 28% in the summer 2004 survey) and 26% of payors (up from 17%) reporting that they had experienced a data-security breach.

The survey authors noted that the continuing lack of security rule compliance may be compromising overall HIPAA objectives.

"Until healthcare providers and payors can confirm that their systems are secure -- that patient data is not vulnerable to inaccessibility or loss, damage or alteration, and/or theft or intrusion -- the ever increasing use of HIPAA standard electronic transitions that has been encouraged by the federal government threatens to turn into patient privacy and security breaches waiting to happen," they wrote.

By Jonathan S. Batchelor
AuntMinnie.com staff writer
April 1, 2005

Related Reading

Evolving information threats make HIPAA Security Rule necessary, February 18, 2005

HIPAA TCS standards provide business intelligence opportunities, February 17, 2005

Seven-step approach offers help for HIPAA integration, February 14, 2005

A practical approach to HIPAA security compliance, February 10, 2005

HIPAA security: IHE guidelines help ensure compliance, November 26, 2004

Copyright © 2005 AuntMinnie.com

Latest in IS
2017 03 30 15 16 56 745 Mammogram Calendar 400
Can self-scheduling and referral close breast cancer screening gaps?
July 31, 2023
2018 11 19 17 20 4754 Back Pain 400
Simple EHR intervention reduces unnecessary lower-back x-rays
July 30, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Amazon Web Services releases imaging data platform
July 25, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
Online course teaches students about appropriate imaging use
July 19, 2023
Related Stories
Merge
IS
Merge eFilm
Ris
IS
Clinical specialization, connectivity keep RIS vital
Witt
IS
Witt Biomedical
Netris
IS
net-RIS
More in IS
Can self-scheduling and referral close breast cancer screening gaps?
By Amerigo Allegretto
Online patient portal self-scheduling and self-referral methods can help mitigate health disparities in breast cancer screening, according to research published July 26 in the Journal of the American College of Radiology.
July 31, 2023
2017 03 30 15 16 56 745 Mammogram Calendar 400
Simple EHR intervention reduces unnecessary lower-back x-rays
By Kate Madden Yee
A relatively simple electronic health record (EHR) intervention reduces the incidence of unnecessary x-rays for patients presenting with low back pain, a study published July 28 in the Journal of the American College of Radiology has found.
July 30, 2023
2018 11 19 17 20 4754 Back Pain 400
Amazon Web Services releases imaging data platform
By AuntMinnie.com staff writers
Amazon Web Services has launched an imaging data platform for storing, accessing, and analyzing medical images at petabyte scale.
July 25, 2023
2020 01 28 20 45 5229 Cloud Computing Laptop 400
Online course teaches students about appropriate imaging use
By Amerigo Allegretto
An online elective course can effectively educate radiology students on the concept of appropriateness in medical imaging, according to an Israeli study published July 18 in Academic Radiology.
July 19, 2023
2021 06 16 23 10 5735 Student Doctor Laptop Test 400
CMS proposes radiology reimbursement cuts, AUC pause for 2024 MPFS
By Erik L. Ridley
In what has seemingly become an annual event, the U.S. Centers for Medicare and Medicaid Services (CMS) has once again included radiology reimbursement cuts in its Medicare Physician Fee Schedule (MPFS) Proposed Rule.
July 13, 2023
2019 07 31 17 01 7432 Medicare Puzzle 400
Summary reports improve CT planning for ovarian cancer surgery
By Kate Madden Yee
A synoptic, or summary radiology report, improves pretreatment CT planning for patients with advanced ovarian cancer compared to a simple structured report, according to a study published on July 12 in the American Journal of Roentgenology.
July 12, 2023
2023 07 12 19 50 6142 2023 07 12 Ajr Ct Ovarian 400
PET/CT shows value in patients with portal vein thrombosis
By Will Morton
PET/CT could be a valuable new imaging technique for distinguishing benign from malignant portal vein thrombosis in liver cirrhosis patients, according to a group in Egypt.
June 26, 2023
2023 06 22 23 04 9721 2023 06 23 Pet Pvt 20230622231003
Ransomware affects emergency radiology workflows
By Amerigo Allegretto
Ransomware attacks have a significant effect on emergency radiology workflows, as well as on acute care delivery and the personal well-being of healthcare providers, according to a study published June 15 in the Annals of Emergency Medicine.
June 19, 2023
2021 08 10 16 10 2928 Cybersecurity Lock V2 400
SIIM: Can Microsoft Teams lessen radiologist interruptions?
By Erik L. Ridley
AUSTIN, TX - Asynchronous forms of communication such as Microsoft Teams are much less disruptive to radiologists than phone calls or in-person visits, according to a talk delivered at the annual Society for Imaging Informatics in Medicine (SIIM) meeting.
June 18, 2023
2020 04 16 18 17 3383 Radiologist Ct Scan Brain Tumor 400
Turing debuts MRI visual feedback module at ISMRM 2023
By AuntMinnie.com staff writers
Neuroimaging software company Turing Medical Technologies (formerly Nous Imaging) used the venue of ISMRM 2023 in Toronto to launch FIRMM-pix, an in-bore visual feedback module designed to actively reduce head motion during brain MRI scans.
June 8, 2023
2023 01 30 21 50 9506 Computer Display Monitor Lab Mri V2 400
ImagineSoftware acquires Within Health
By AuntMinnie.com staff writers
Radiology billing and RIS developer ImagineSoftware has acquired artificial intelligence software developer Within Health. Terms of the deal were not disclosed.
May 23, 2023
2020 08 20 17 37 8876 Business Handshake Man 400
DetectedX touts learning platform success
By AuntMinnie.com staff writers
DetectedX is highlighting that the user base for its Radiology Online Learning Centre has exceeded 4,500 users, which the company says range from large radiology groups to individuals around the world.
May 3, 2023
2020 06 16 22 09 9134 Doctor Virtual Meeting Laptop Computer 400
Page 1 of 603
Next Page