[Med-privacy] HIPAA Privacy Rule Compliance

pmarshall pwm@comcast.net
Mon, 11 Aug 2003 13:33:51 -0700


=================================================================
H I P A A L E R T --
Special Quarterly HIPAA Survey Results Edition --
Monday, August 11, 2003

From Phoenix Health Systems

=================================================================

  H I P A A c t i o n: Feature Article

*** US Healthcare Industry Quarterly HIPAA Compliance
     Survey Results: Summer 2003 ***

Executive Overview

Conducted in early July, just three months after the HIPAA Privacy 
compliance deadline and three months before the Transactions and Code 
Sets (TCS) deadline, the Summer 2003 Survey spotlights the healthcare 
industry's progress on Privacy and TCS, currently the most time-critical 
HIPAA compliance issues.... In the Privacy arena, we probed beyond 
reports of overall compliance into degrees of implementation of specific 
keystone requirements, such as Notices of Privacy Practices, Accounting 
of Disclosures, and Business Associate Agreements....

Key results of the Summer 2003 survey include:

* HIPAA Privacy

   - While overall compliance has increased dramatically among Payers, 
Vendors and Clearinghouses, Provider compliance levels remain 
surprisingly unchanged since the Spring 2003 survey: 77% of Providers 
reported compliance in the Summer 2003 Survey, as compared to 78% in the 
Spring Survey. More to the point, 23% of Providers reportedly remained 
non-compliant with the Privacy Rule three months after its compliance 
deadline.

   - Consistent with our Spring 2003 Survey results, up to 20% of the 
Providers and Payers that professed to be Privacy compliant have not, in 
fact, implemented key features of the Privacy regulations....


* Security

  [....]

   - Security initiatives mandated by the Privacy Rule are also a 
lagging effort: over 20% of Providers who claim to be compliant with the 
Rule have not yet met these requirements.

------------------------------------------------------------
[....]
------------------------------
The Organizations

Respondents from Provider organizations accounted for 71% (407) of 
participants. The breakout of participants follows:

* Providers -- 71%

   - Hospitals with 400+ beds: 16%
   - Hospitals with 100-400 beds: 19%
   - Hospitals with less than 100 beds: 12%
   - Medium-sized physician practices (11 to 29 physicians)/other 
providers: 10%
   - Small physician practices (10 or fewer physicians)/other 
providers: 14%

* Clearinghouses -- 3%

* Payers -- 16%

   - Covering fewer than 150,000 Lives: 6%
   - Covering 150,000 - 500,000 Lives: 3%
   - Covering 501,000 - 1,500,000 Lives: 3%
   - Covering more than 1,500,000 Lives: 4%

* Vendors -- 10%

   - Annual Income less than $50M: 6%
   - Annual Income of $50M-$100M: 2%
   - Annual Income greater than $100M: 2%

------------------------------
[....]

PRIVACY COMPLIANCE

With the notable exception of Providers, Privacy compliance has improved 
dramatically since the Spring 2003 Survey: 88% of clearinghouse 
respondents reported compliance (up from 47% in the Spring 2003 Survey), 
along with 81% of Vendors (up from 39% in the Spring 2003 Survey) and 
85% of Payers (up from 68% in the Spring 2003 Survey). Significantly, 
Providers who historically have led the way in addressing Privacy now 
represent the least Privacy-compliant segment of the healthcare 
community: only 77% of Provider respondents reported that their 
organizations are compliant. Unlike the other industry groups polled, 
Providers have made no progress in Privacy compliance since the Spring 
2003 Survey was conducted in April (when 78% reported compliance). 
Compliance across Provider groups is relatively consistent, with 
compliance levels ranging from 73% of hospitals of 100 to 400 beds, to 
82% of small physician practices.

The Privacy focus of the Summer 2003 Survey emphasized "drilling down" 
into the day-to-day realities of HIPAA Privacy, in order to clarify 
whether gaps remained between "compliant" organizations' actual privacy 
practices and the letter of the law. We asked the 77% of Providers and 
85% of Payer organizations that stated they were compliant with the 
Privacy Rule to identify key remaining areas of non-compliance, if any. 
Consistent with their reports in the Spring 2003 Survey, approximately 
95% of reportedly compliant Providers and Payers have implemented the 
most publicly visible HIPAA Privacy requirements, such as the Notice of 
Privacy Practices, obtaining Patient Authorization, providing workforce 
training, and enabling patients' rights to review, amend, and restrict 
access to medical records.

However, the more difficult and farther-reaching requirements have not 
been implemented as fully. Establishing required Business Associate 
Agreements topped this list: only 74% of "compliant" Payers and 61% of 
"compliant" Providers have completed this work, suggesting that many 
business partners with access to protected health information (PHI) may 
not yet be protecting patient privacy as necessary. Similarly, only 
about two-thirds to three-fourths of "compliant" Provider and Payer 
participants (see table below) have put privacy compliance monitoring 
systems into place. A special area of concern is the security 
protections of PHI that are required by the Privacy regulations: only 
79% of "compliant" Providers have implemented such measures.

------------------------------------------------------------
Detailed Spot Check of "Privacy-Compliant" Providers
------------------------------------------------------------
Areas of Privacy Compliance            | Providers | Payers
------------------------------------------------------------
Post and distribute Notice of Privacy  |           |
   Practices                            |    99%    |   98%
------------------------------------------------------------
Obtain acknowledgement of receipt of   |           |
   Notice of Privacy Practices          |    98%    |   N/A
------------------------------------------------------------
Obtain Patient Authorizations for use  |           |
   and disclosure of PHI                |    98%    |   94%
------------------------------------------------------------
Enable mandated patients' rights       |           |
   (review, amend, restrict records)    |    95%    |   94%
------------------------------------------------------------
Provide ongoing Privacy training       |    95%    |   95%
------------------------------------------------------------
Maintain Accounting of Disclosures     |    88%    |   96%
------------------------------------------------------------
Document Privacy policies and practices|    87%    |   93%
------------------------------------------------------------
Use "Minimum Necessary" Restrictions   |    83%    |   N/A
------------------------------------------------------------
Provide overall workforce Privacy      |           |
   training updates                     |    80%    |   85%
------------------------------------------------------------
Implement security protections as      |           |
   required under the Privacy Rule      |    79%    |   88%
------------------------------------------------------------
Monitor organizational compliance      |           |
   with Privacy regulations             |    65%    |   76%
------------------------------------------------------------
Have obtained all required             |           |
   Business Associate Agreements        |    61%    |   74%
------------------------------------------------------------

Copyright 2003, Phoenix Health Systems, Inc.