Healthcare Information and Management Systems Society (HIMSS) / Phoenix Health Systems
U.S. Healthcare Industry Quarterly HIPAA Compliance Survey Results:
Winter 2001-2002
The Industry’s HIPAA MO: Slow, Gradual Progress
The recent enactment of the Administrative Simplification Compliance Act appears to have
been a timely, even necessary move by the federal government in light of the latest
HIMSS/Phoenix Health Systems HIPAA Survey results. Conducted in early January 2002,
the survey confirms Fall 2001 Survey indicators that covered entities will not be ready to
transmit HIPAA standard transactions by the original compliance deadline of October 16,
2002. The vast majority of survey participants reported that their organizations are continuing
to build HIPAA awareness, and have initiatives well underway on HIPAA assessments,
project planning and implementation. However, industry-wide readiness to conduct HIPAA
transactions testing by April, 2003 (as required in the new Compliance Act) will be tough to
accomplish, judging from survey reports of generally slowed progress towards transaction
standardization. In fact, though 50% of participants noted that their organizations still plan to
comply with transactions standards by October 2002, the rest predicted that compliance
efforts would continue well past then, and for some, right up to the new 2003 deadline.
In our Fall Survey, a surprising 11% of participants said that their organizations would “do
nothing (towards compliance) and see what happens.” Industry HIPAA momentum (and
perhaps the Compliance Act) seems to have convinced HIPAA nay-sayers to rethink their
position; virtually all Winter Survey respondents now have HIPAA initiatives underway.
Other Indicated Trends:

• Most provider organizations are moving forward through the phases of HIPAA
  compliance. The data suggests that as much emphasis now is being placed on
  assessment and project planning as on initial awareness programs. More entities than
  ever before reported that their current primary focus is on remedial implementation.
• The largest hospital organizations continue to make the most progress towards overall
  HIPAA compliance. In general, smaller organizations appear to be having the greatest
  difficulty moving forward through necessary compliance phases.
• The security crisis stemming from the September 11 terrorism events has, according
  to 65% of participants, significantly heightened their attention to contingency and
  disaster planning, and other security initiatives.
• Reported provider budgets for 2002 are significantly higher than 2001 spending on
  HIPAA compliance.
• According to 75% of vendor representatives, the quality of their products will be
  improved as a result of HIPAA-related changes.
Copyright Phoenix Health Systems, Inc. 2002 All rights reserved.
THE SURVEY
During the first two weeks of 2002, Phoenix Health Systems and HIMSS conducted the
Winter 2001-2002 Healthcare Industry HIPAA Compliance Survey -- the eighth survey in its
quarterly series. Following e-mail appeals to HIMSS’ 12,000+ members and to Phoenix’
16,000 HIPAAlert newsletter subscribers, 774 healthcare industry representatives responded.
The online survey was completed anonymously via Phoenix’ website HIPAAdvisory.com. *
Respondents from provider organizations accounted for 63% (491) of participants. The
breakout of participants follows:

• Hospitals – 50%
  - 400+ beds: 21%
  - 100-400 beds: 23%
  - Less than 100 beds: 5%
  - Other providers, including physician practices of 30+ physicians: 9%
  - Small physician practices of less than 30 physicians: 5%
• Payers – 21%
• Vendors – 13%
• Clearinghouses – 2%
Just over 25% of all respondents were IT management staff, 23% were compliance
managers, 22% were department managers, and 16% were senior managers. About 80% of
all respondents reported that they have official HIPAA roles within their organizations.
Impact of the Administrative Simplification Compliance Act
The Administrative Simplification Compliance Act was signed by President Bush early in our
survey period, effectively extending the compliance deadline for the Transactions and Code
Sets Standards from October 2002 until October 2003, for covered entities that submit a plan
for compliance by October 2002. Despite this development, about 50% of survey participants
indicated that their organizations intended to be compliant by the original October 2002 date.
Another 20% predicted that their organizations’ compliance would be extended 3 to 6 months
past October 2002, and 11% more stated that they would be compliant 6 to 9 months later,
between March and June of 2003. 20% reported that their compliance with the Transactions
and Code Sets standards would extend as late as the October 2003 deadline date.
Survey participants were asked if they expected that the extension to the Transactions
compliance date would slow their organizations’ compliance with the Privacy Rule, as feared
by some industry watchers. Nearly 85% reported that the Transactions compliance extension
would have no effect on their compliance with privacy provisions. About 10% indicated that
the Transactions extension would slow down their compliance with the Privacy Rule, but not
past the April 2003 Privacy deadline.
FOCUS OF ENTERPRISE HIPAA EFFORTS
Implementation Approach
Participants were asked to describe their organizations' HIPAA approach: "basic compliance",
"incorporate HIPAA in strategic plans to achieve HIPAA's benefits," "best practices approach
to exceed requirements," "undecided" or “do nothing and see what happens.”
45% of all respondents (in a range of 40% to 50% for each group) reported that their
organizations favor using a “strategic” approach. Vendors were most strongly focused in this
direction: 53% of them expected to take strategic advantage of HIPAA. Another 20% of all
participants planned to exceed HIPAA requirements using a “best practices” approach. 27%
of participants planned a “basic” compliance approach, with hospitals in the 100 or fewer bed
category ranking the highest at 36%. More respondents from payer organizations (35%) and
<100 bed hospitals (also 35%) reported using a “basic compliance” approach than any other
group.
Significantly, while 11% of all contributors to the Fall 2001 Survey indicated that their
organizations were on a “do nothing and see what happens” path, less than 1% reported this
intention in the Winter Survey.
[Figure: Provider Implementation Approach. Percentage of respondents (0 to 60) in each
provider segment, by approach: just plan to meet basic HIPAA compliance; incorporate HIPAA
in strategic plans, to achieve HIPAA's benefits; best practices approach, to exceed HIPAA
requirements; do nothing and see what happens; haven't decided.]
Areas of Current Compliance Activity
AWARENESS – In past surveys, we have seen that most participants’ organizations were
generally more focused on providing internal HIPAA awareness education than on other
HIPAA compliance activities. The Winter Survey results indicate that most organizations are
now spending as much or more time on assessment and implementation as on awareness.
A range of 25% to 30% of respondents reported doing HIPAA awareness training in January,
primarily in the areas of Transactions and Privacy. A range of 30% to 40% of respondents
indicated that awareness programs in HIPAA Security and Identifiers are underway.
ASSESSMENTS and PROJECT PLANNING – According to survey respondents, it appears
that many organizations are working on, or have completed, HIPAA assessments and are
moving into implementation planning. A range of 25% to 32% of respondents is currently
working on assessments, in all major compliance areas (Transactions, Security, Privacy and
Individual Identifiers). A range of 20% to 25% of respondents, excluding small practices,
reported that they are conducting HIPAA project planning in all major compliance areas.
About 25% of small practices are working on Transactions project plans, but just 17%
reported doing project planning in Privacy, Security, and Identifiers.
IMPLEMENTATION and TRAINING
In general, implementation efforts across the industry appear to be most heavily focused on
Transactions. A range of 15% to 20% of all respondents reported working on Transactions
implementation; 10% to 13% on Privacy; and 6% to 13% on Security and Identifiers. A range
of 5% to 10% of participants reported that their organizations have begun HIPAA training.
Hospital respondents reported the following break-out in current compliance efforts:
[Figure: Hospitals over 400 beds. Percentage of respondents (0% to 40%) by area of
concentration (Awareness/General HIPAA Education, Assessment, Project Planning,
Implementation, Training) for T&CS, Unique Ids, Security and Privacy.]
[Figure: Hospitals with 100 to 400 Beds. Percentage of respondents (0% to 45%) by area of
concentration (Awareness/General HIPAA Education, Assessment, Project Planning,
Implementation, Training) for T&CS, Unique Ids, Security and Privacy.]
[Figure: Hospitals less than 100 beds. Percentage of respondents (0% to 45%) by area of
concentration (Awareness/General HIPAA Education, Assessment, Project Planning,
Implementation, Training) for T&CS, Unique Ids, Security and Privacy.]
SENIOR MANAGEMENT SUPPORT
About 60% of all participants noted that their management is providing moderately high or
high support of HIPAA compliance efforts, in marked contrast to the October 2001 survey
results, when 45% claimed strong management support. Only 10% of Winter Survey
respondents felt that management was offering little or no HIPAA support. This response was
consistent across all reporting industry segments.
IMPACT OF NATIONAL SECURITY CRISIS
In October 2001, our analysts were concerned that few participants (less than 10%) observed
that their organizations’ sense of urgency regarding HIPAA security had increased as a result
of the September 11-based national security crisis. It appears that security consciousness
has been raised in the intervening months; results of this survey indicate that 65% of all
participants and 40% of providers have moderately to greatly increased their attention to
overall security, including contingency and disaster planning.
USE OF OUTSIDE CONSULTANTS
Just over 50% of participants reported that their organizations are hiring outside consultants
to support HIPAA initiatives. The biggest users of consultants are all hospital segments (52-56%),
other providers (53%), and vendors (58%). Small practices reported using outside
consultants least (41%). Surprisingly, payers reported lower use of consultants (46%) than in
prior surveys, when 2/3 of payer respondents indicated they would use consulting support.
Respondents noted that consulting support is being used primarily for assessment and
planning. 33% of organizations hiring consultants will use their help in HIPAA assessments,
22% for project planning, and 14% to support implementation efforts.
PROVIDER BUDGETS
Provider respondents were asked how much their organizations spent on HIPAA in 2001, and
have budgeted for 2002. About 20% of respondents reported not knowing budget figures for
2001, and 28% did not have 2002 figures. The following results exclude their responses:
Budget Highlights: Not surprisingly, the biggest spending on HIPAA in both 2001 and 2002
was reported by representatives of the largest hospitals – those in the 400+ bed segment.
However, it is clear that large hospitals plan to spend significantly more in 2002 on HIPAA
than in 2001. For example, about 6% of 400+ bed hospitals spent over $1 million in 2001; in
2002, 21% expect to spend over $1 million. In 2001, 50% of 400+ bed hospitals spent less
than $100K, and in 2002 only 10% anticipate spending less than $100K.
Similarly, in hospitals of 100 to 400 beds, 79% of respondents indicated their organizations
had spent less than $100K in 2001 on HIPAA, but 48% expect to spend less than $100K in
2002. About 32% expect their organizations to spend between $100K and $300K in 2002,
and another 14% plan to spend between $300K and $600K.
About 90% of hospitals with less than 100 beds reportedly spent under $100K on HIPAA in
2001, and 79% plan to spend no more than $100K in 2002. The remainder expects to spend
between $100K and $300K in 2002.
Slightly over 50% of other providers, including large physician practices, will spend under
$100K in 2002, and another 25% will spend between $100K and $300K. About 20% will
spend between $300K and $1 million in 2002. About 90% of small practices will spend less
than $100K in 2002, with the remainder budgeting between $100K and $300K.
[Figure: 2001 HIPAA Budgets. Percentage of respondents (0% to 100%) in each provider
segment, and in total, by budget range: < $100,000; $100,000 - $300,000;
$300,000 - $600,000; $600,000 - $1,000,000; > $1,000,000.]
[Figure: 2002 HIPAA Budgets. Percentage of respondents (0% to 100%) in each provider
segment, by budget range: < $100,000; $100,000 - $300,000; $300,000 - $600,000;
$600,000 - $1,000,000; > $1,000,000.]
PROVIDERS -- HIPAA ASSESSMENT COMPLETION
Fewer than 30% of all provider respondents reported that they have completed their HIPAA
impact/gap assessments, twice the number reporting assessment completion in the Fall 2001
Survey. Another 50% expect to be done in 3 to 6 months, and 9% in 7 to 12 months. About
10% of provider participants did not know when their organizations’ assessments would be
complete. Hospitals with over 400 beds appear farthest ahead: a total of 40% of their
representatives stated that assessments have been completed and another 43% expect to be
done in 3 to 6 months. Hospitals with fewer than 100 beds and small practices are reportedly
the farthest behind, with about 10% of both groups having completed assessments. However,
58% of hospitals with less than 100 beds and 45% of small practices anticipate completion of
their HIPAA assessment in 3 to 6 months.
[Figure: Provider Gap Analysis. Percentage of respondents (0% to 70%) in each provider
segment, by expected assessment completion: Completed; 3-6 months; 7-12 months;
12-16 months; 17-24 months; Don't Know or N/A.]
E-HEALTH AND HIPAA COMPLIANCE
Fewer than 60% of all provider respondents agreed that their organizations would need to be
HIPAA-compliant in order to execute their E-health strategies. Considering the expense of
E-health initiatives, it is not surprising that E-health strategies were reported most often by
representatives of 400+ bed hospitals (70%) and 100-400 bed hospitals (57%).
COORDINATION EFFORTS WITHIN INDUSTRY
A range of 50% to 75% of all provider respondents indicated that they are actively
coordinating compliance activities with their vendors; and a range of 35% to 50% are similarly
working with payers (excluding small practices, of which less than 20% reported coordinating
compliance with payers).
ROADBLOCKS TO COMPLIANCE
Provider representatives were asked to rank-order several factors as impediments to their
organizations' achieving HIPAA compliance. These factors were: “not enough time”, “budget
constraints”, “potential changes in the regulations”, “vendor compliance”, “senior
management buy-in”, and “interpretation of the regulations.” Unlike our Fall 2001 Survey
results when "not enough time" was ranked highest, budget constraints and difficulty
interpreting the regulations vied for top billing in January 2002, with about 45% ranking each
as the first or second most significant roadblock. Not enough time was ranked as the third
greatest roadblock. More hospitals with 100 beds or less ranked budget constraint #1 than
other provider segments (29%, as opposed to about 20-23% of other providers). For larger
hospitals (100-400 beds and over 400 beds), not having enough time remained the greatest
constraint (as it was in the Fall 2001 Survey). The roadblock of least concern to respondents
was “senior management buy-in.”
READINESS TO DO HIPAA-COMPLIANT BUSINESS
The survey questioned representatives of payers, clearinghouses and vendors about their
organizations’ progress in HIPAA remediation, including whether they had begun
coordinating with their clients, and when they would be ready to use HIPAA transactions.

• Clearinghouses: Of the small sample of clearinghouse representatives, 16
  participants, 75% reported that they have begun coordinating remediation with clients.
  Just 2% indicated that they are ready to transmit all HIPAA transactions, and 6%
  expected to be ready within 3 months. About 13% expected to be ready in 4 to 6
  months, and 44% in 7 to 10 months. Slightly fewer than 40% indicated they will be
  ready to transmit all HIPAA transactions in 11 to 22 months.

• Vendors: Two-thirds of the 101 vendor respondents said that they are coordinating
  remediation with clients, and about 25% said that they have either completed
  Transactions-related remediation or product development, or will within 3 months. 18%
  will be finished in 4 to 6 months, 20% in 7 to 10 months (original Transactions
  deadline), and 12% in 10 to 14 months. About one fourth reported they did not know
  when they would complete remediation (or that it was not applicable). 56% indicated
  that they will finish privacy and security related remediation within 12 months. Vendor
  representatives also were asked if the HIPAA-related product changes their firms were
  making would improve their product(s). About 73% agreed that product quality would
  be higher, 13% said quality would not be improved, and 14% did not know.

• Payers: Of the 166 payer respondents, about 52% said they have begun coordinating
  remediation with their clients, approximately the same as reported in our Fall and
  Summer 2001 Surveys. A total of 72% of payer participants noted that they expect to
  coordinate remediation with their clients. Another 37% plan to “go it alone,” despite
  the commonly accepted argument that greater efficiencies will be realized through an
  industry-coordinated approach. About 2/3 of payer respondents indicated that their
  organizations are upgrading software, and 40% are developing new software.
  Approximately 30% are also using clearinghouses for support.
  About 8% of payers said they are ready now to accept/transmit their first HIPAA
  transaction. Only 2% (as compared to 10% in the Fall 2001 Survey) reported that they
  are currently ready to transmit all HIPAA transactions; 3% expected to be ready within
  3 months (15% in last survey), another 4% in 4 to 6 months (30% in last survey), 37%
  in 7 to 9 months, and 54% in 10 to 14 months. Even accounting for sample differences
  between the current survey and the Fall 2001 results, it appears that payers either
  have slowed their Transactions Rule compliance efforts or, in the past, underestimated
  the time needed to complete Transaction Standards remediation.
[Figure: Payer Readiness. Percentage of payer respondents (0% to 60%) ready for their First
Transaction and for All Transactions, by time frame: Done now; 3 months or less;
4-6 months; 7-10 months; 11-22 months.]
* NOTE: Questions on the Transactions deadline extension and covered entities’ HIPAA
compliance approach and current activities were answered in a 4-day e-mail “make-up”
survey conducted in mid-January, which was completed by 662 participants. Results of all
questions were calculated as a percentage of those completing each respective question.
** To review and compare results of the surveys conducted in previous quarters of 2000 and
2001, go to http://www.hipaadvisory.com.
…HIPAA Knowledge…HIPAA Solutions

Phoenix Health Systems
Specialists in Healthcare Information Systems Consulting and Outsourcing
• HIPAA Compliance
• IT / E-health Strategic Assessment & Planning
• Systems Procurement & Implementation
• MIS Management & Outsourcing
• Registration Outsourcing
• Project Management
9200 Wightman Road, Suite 400
Montgomery Village, MD 20886
800 649-5225
http://www.phoenixhealth.com
http://www.hipaadvisory.com

Healthcare Information and Management Systems Society (HIMSS)
The Healthcare Information and Management Systems Society provides leadership in healthcare
for the management of technology, information, and change through publications, educational
opportunities, and member services. HIMSS has more than 43 chapters and more than 12,000
members working in healthcare organizations throughout the world.
230 East Ohio Street, Suite 500
Chicago, IL 60611-3269
312 664-HIMSS
312 664-6143
http://www.himss.org