Many organizations have not achieved the basics of HIPAA, according to HIMSS and

CHICAGO – (August 1, 2005) – With all three deadlines now officially passed for
the Health Insurance Portability and Accountability Act (HIPAA), a large
percentage of covered healthcare organizations have yet to achieve many HIPAA
basics, according to the results of the U.S. Healthcare Industry HIPAA Survey,
sponsored by the Healthcare Information and Management Systems Society (HIMSS)
and Phoenix Health Systems. The summer 2005 survey marks the sixth consecutive
year of tracking and reporting on the status of HIPAA compliance within the
healthcare industry.

Some organizations have implemented HIPAA requirements and are now in the
process of institutionalizing HIPAA practices and desired outcomes. Others have
bypassed the convergent and continuous steps to compliance, many of which rely
on a team effort with senior management and business partners’ buy-in. In
addition, for the first time in the survey’s six-year history, results indicated
that many healthcare organizations have simply chosen not to implement many, if
not all, HIPAA requirements.

The two most reported “roadblocks” to HIPAA compliance in the summer 2005
survey were “no public relations or brand problems anticipated with
noncompliance” and “no anticipated legal consequences for non-compliance.”

“Many healthcare organizations are to be congratulated for their diligence in
working towards the objectives of HIPAA,” said D’Arcy

Key findings of the summer 2005 survey include:

HIPAA Security (Deadline passed April 2005)

Security breaches remain a challenge.
Some 74% of Payers (up from 30% in January 2005) indicated that they are
currently compliant with the HIPAA security regulations. Only 43% of Providers
(up from 18% in January 2005) have achieved Security compliance. Even though
organizations experienced fewer security breaches in the past six months, nearly
40% of Providers and 32% of Payers indicated that their organizations had
experienced data security breaches between January and June 2005. As reported in
the winter 2005 survey results, forty percent (40%) of Providers and 26% of
Payers indicated that their organizations had experienced at least one data
security breach in the past six months.

HIPAA Transactions and Code Sets (TCS)

More Providers and Payers would conduct HIPAA standard transactions if their
trading partners could accept or transmit them.
Progress toward TCS compliance has improved slowly over the past six months; 80%
of Providers and Payers indicated compliance (up from 73% of Providers and 70%
of Payers in January 2005). Still, an average of 55% of Providers and Payers
noted that while their information systems are capable of producing certain
transactions, their trading partners cannot accept or transmit them.

HIPAA Privacy

Compliance with the HIPAA privacy rule may have reached a plateau, but privacy
violations continue.
Survey results indicated that 78% of Providers and 90% of Payers are compliant
with the rule. However, 18% of Providers and 6% of Payers reported that they
remain non-compliant, more than two years after the deadline. Consistent with
survey results in both June 2004 and January 2005, these numbers imply little or
no progress with a core group of non-compliant covered entities. Privacy
breaches have declined but still continue, with 59% of Providers (down from 73%
in January 2005) and 45% of Payers (down from 57% in January 2005) reporting
that their organizations had experienced one or more privacy breaches from
January to June 2005.

“Long-term compliance with HIPAA across the healthcare industry depends on many
factors, including strong support from hospital leaders, grassroots support from
hospital staff, and pressure from patients as well as dramatic breaches
illustrating the costs of non-compliance,” said Jeff Collmann, chair of the
HIMSS Privacy and Security Task Force and associate professor, Georgetown
University Medical Center, Washington, D.C. “Thus, all parties with an interest
in improving the privacy and security of patients’ health information should
continue their efforts to educate healthcare leaders, enhance the HIPAA
awareness of patients and healthcare workers and publicize breaches. With time
and effort, these ‘carrots and sticks’ should gradually meld these new practices
into healthcare’s everyday routine.”

Phoenix Health Systems and HIMSS conducted the Summer 2005 U.S. Healthcare
Industry HIPAA Compliance Survey from June 1 to June 20. A total of 383
healthcare industry representatives (Providers and Payers) responded to email
invitations to participate in the survey, sent to HIMSS members and Phoenix
HIPAAlert newsletter subscribers. Provider organizations made up 80%, or 282,
and payers 20%, or 71, of the survey participants.

Visit http://www.hipaadvisory.com/action/surveynew/results/summer2005.htm
to access the entire survey report and graphics.

About

Founded in 1987, Phoenix Health Systems provides state-of-the-art healthcare
information technology solutions to hospital organizations nationwide. Services
include comprehensive IT department outsourcing, interim IT management, clinical
and business transformation, data security and privacy solutions, and a wide
breadth of strategic and technical IT consulting services. For additional
information, visit http://www.phoenixhealth.com.

About HIMSS

The Healthcare Information and Management Systems Society (HIMSS) is the
healthcare industry's membership organization exclusively focused on providing
leadership for the optimal use of healthcare information technology (IT) and
management systems for the betterment of human health. Founded in 1961 with
offices in Chicago, Washington D.C., and other locations across the country,
HIMSS represents approximately 17,000 individual members and more than 270
member corporations that employ more than 1 million people. Visit www.himss.org
for more information.

###

Joyce Lofstrom/HIMSS
312-915-9237 – jlofstrom@himss.org

D’Arcy Guerin Gue/Phoenix Health Systems
301-869-7300 – dgue@phoenixhealth.com