Ten years have come and gone since the passage of the Health Insurance Portability and Accountability Act (HIPAA), yet U.S. healthcare providers are still wrestling with HIPAA compliance. According to a survey conducted in January this year, a significant number of healthcare providers and payors report that they are noncompliant with segments of the HIPAA regulations.
The U.S. Healthcare Industry HIPAA Compliance Survey, conducted from January 8-23, found that although progress has been made there are still issues with HIPAA security, privacy, and transactions. The survey is a joint venture of consulting firm Phoenix Health Systems of Montgomery Village, MD, and the Healthcare Information and Management Systems Society (HIMSS) of Chicago.
The survey results are based on responses from 294 healthcare representatives who responded to an e-mail invitation to participate. Provider organizations (261) accounted for 81% of the respondents and payors (63) made up the remaining 19% of the cohort.
Providers and payors "varied greatly in their ranking of the roadblocks they have faced in achieving compliance" with the privacy, security, and transactions regulations, the survey authors wrote.
Security -- problematic
Although compliance with the HIPAA Security Rule has been mandated since April 20, 2005, many providers and payors remain noncompliant. Providers are the weakest at compliance, with only 55% reporting that they meet all elements of the Security Rule. Payors are doing a little better, with 72% reporting compliance.
Both payors and providers are optimistic that they will be in compliance with the Security Rule within six months; however, the group made the same prediction in a similar survey conducted in June last year, the study authors noted.
Data security breaches continue to plague survey respondents: 24% of the provider respondents experienced between one and five incidents, while 28% of the payors reported between one and five breaches. More troubling is that 13% of the providers and 7% of the payors reported between six and 11 security breaches, both up from the 4% reported for each in the June 2005 survey.
Privacy -- porous
The deadline for the HIPAA Privacy Rule was April 2003 and despite the risk of complaints and federal penalties, 20% of providers and 14% of payors report that they remain noncompliant with the Privacy Rule, according to the survey results.
"It can be inferred that core group of about 20% of covered entities is either unable or unwilling to implement federal privacy requirements," the authors wrote.
Among the providers, hospitals with more than 400 beds were the most compliant (85%), while hospitals with fewer than 100 beds and large physician practices indicated the most trouble with adopting the Privacy Rule, with only 80% reporting compliance, according to the survey results. Payor compliance ranged between 80% and 90% with the exception of those payors responsible for between 500,000 and 1.5 million lives, who reported 100% privacy compliance.
As in past surveys since 2004, the noncompliant group indicated that it expected full Privacy Rule compliance within six months.
Privacy breaches are commonplace among both segments of privacy-compliant respondents: 60% of providers and 66% of payors reported privacy breaches between July 2005 and January 2006. Interestingly, formal privacy complaints against providers decreased during this time period, compared with the prior six months, from 27% to 24% of respondents. Payors, however, saw an increase in formal privacy complaints, from 17% to 26%.
TCS -- improving
Compliance with HIPAA's Transactions and Code Sets (TCS) Rule has shown slight improvement over the past year, according to the survey authors. A robust 84% of providers, up 4% over the June 2005 survey, indicate TCS compliance. Payors, on the other hand, slipped 7% since the previous survey with only 73% indicating full compliance.
TCS compliance and conduct vary widely: only 46% of the compliant providers were actually conducting all required transactions, while 67% of the compliant payors provided a similar response. According to both groups, the inability to conduct more TCS-compliant transactions is because their trading partners are not able to process them.
According to the survey respondents, below are the top three obstacles to TCS compliance:
- Insufficient management support and budget/resource
- Installation of critical software is not complete
- Ambiguities in information released by the U.S. Centers for Medicare and Medicaid Services (CMS) regarding standard transactions requirements
NPI
The next HIPAA requirement on the horizon for healthcare providers is compliance with the National Provider Identifier (NPI) Rule. Healthcare providers have until May 23, 2007, to obtain and use a unique identifier when filing electronic claims to help streamline electronic processes.
According to the survey results, 39% of providers have applied for an NPI, 36% have not yet applied, and 25% did not know their organization's status. Obtaining an NPI is the first step in implementation; systems, software, and process changes will also be required from providers. Approximately 18% of the provider participants have begun these implementation steps, while 8% reported that they have begun related internal testing.
Overall, although HIPAA compliance is inconsistent, payor and provider respondents reported benefits from implementation.
Both provider and payor survey participants "agree that HIPAA implementation has resulted in greater attention to patient privacy and data security by their workforces, as well as increased consumer confidence," the survey authors wrote.
By Jonathan S. Batchelor
AuntMinnie.com contributing writer
April 12, 2006
Related Reading
Dealing with HIPAA changes in 2006, April 6, 2006
HIPAA enforcement Final Rule published, February 17, 2006
Hitting the ceiling over HIPAA-required walls, December 6, 2005
HIPAA compliance efforts wilt in summer survey, August 24, 2005
CMS sets final date for HIPAA TCS compliance, August 5, 2005
Copyright © 2006 AuntMinnie.com
