[Med-privacy] more HIPAA survey results

Peter Marshall pwm@comcast.net
Wed, 16 Feb 2005 13:10:43 -0800

PRIVACY COMPLIANCE

Compliance with the HIPAA Privacy Rule was required by April 2003. This
survey continues to track the healthcare industry's Privacy compliance
progress to identify any remaining compliance gaps. Results for Winter
2005 are almost identical to Summer 2004 – 90% of Payer respondents
indicated they were now compliant with the HIPAA Privacy Regulations.
Providers continue to lag behind with only 78% reporting their
organizations were in full compliance.

Within the group of respondents from the Provider sector, medium-sized
physician practices were the "most compliant" (95%), while smaller
physician practices were the "least compliant" (67%). Hospital
respondents fell within these two markers – 72% of hospitals with less
than 100 beds, 81% of hospitals with 100 to 400 beds, and 82% of
hospitals with more than 400 beds indicated that they were currently
compliant with the Privacy Regulations. Within the Payer sector, Health
Plans covering 501,000 to 1,500,000 lives were the most compliant –
100%.

As in past surveys, Privacy "compliant" organizations were asked to
clarify whether gaps remained between their actual privacy practices
and the requirements of the Privacy standards. Responses to questions
about specific Provider and Payer privacy practices indicated that the
majority of organizations have been diligent in addressing the
regulations, although gaps remain. Winter 2005 responses indicated that
the only area in which there are no "gaps" – for Providers or Payers –
is "obtaining patient authorizations for use and disclosure of
protected health information." (See table.)

==============================================================
         Summary of Privacy Practices Implemented
              for "Compliant" Organizations
--------------------------------------------------------------
                                   |--Providers--|----Payers---
   Areas of Privacy Compliance     | 2004 | 2005 | 2004 | 2005
--------------------------------------------------------------
Obtain Patient Authorizations     |      |      |      |
for use and disclosure of PHI     |  99% | 100% |  97% | 100%
--------------------------------------------------------------
Enable mandated patients' rights  |      |      |      |
(review, amend, restrict records) |  99% | 100% |  99% |  96%
--------------------------------------------------------------
Post and distribute Notice of     |      |      |      |
Privacy Practices                 |  98% |  97% |  93% |  98%
--------------------------------------------------------------
Provide ongoing Privacy training  |  95% |  97% | 100% |  96%
--------------------------------------------------------------
Obtain acknowledgement of receipt |      |      |      |
of Notice of Privacy Practices    |  98% |  96% |  N/A |  N/A
--------------------------------------------------------------
Maintain Accounting of            |      |      |      |
Disclosures                       |  93% |  96% |  96% |  98%
--------------------------------------------------------------
Train workforce on reporting vio- |      |      |      |
lations w/out risk of retaliation |  N/A |  96% |  N/A |  N/A
--------------------------------------------------------------
Use "Minimum Necessary"           |      |      |      |
restrictions                      |  94% |  89% |  N/A |  N/A
--------------------------------------------------------------
Monitor organizational compliance |      |      |      |
with Privacy Regulations          |  76% |  88% |  87% |  96%
--------------------------------------------------------------
Have obtained all required        |      |      |      |
Business Associate Agreements     |  73% |  88% |  93% |  94%
==============================================================

Even with slight gaps remaining in compliance with specific Privacy
Rule requirements, the information provided in the preceding table
shows that overall Provider and Payer compliance has improved over the
past year. In the area of "monitoring organizational compliance with
the Privacy Regulations," Providers have moved from 76% last January
(Winter 2004 Survey) to 88% this January (Winter 2005 Survey).
Providers also improved in the area of required Business Associate
Agreements – up to 88% this year from 73% last January (Winter 2004
Survey) – although these two areas remain the focus of greatest
non-compliance.

When Providers were asked which areas of privacy compliance presented
the greatest challenge, they ranked "managing the organizational
process for accounting of disclosures" as the number one challenge and
"maintaining appropriate patient privacy and confidentiality within
clinical settings" as the second most challenging. The top three
challenges for Payers were: "maintaining 'minimum necessary' when
handling requests for disclosure of PHI from third parties,"
"maintaining Business Associates' contracts," and "managing the
organizational process for accounting of disclosures."

----------------------------
Patient Privacy Breaches and Formal Complaints

The Winter 2005 Survey questioned "compliant" participants about
reported incidents of patient privacy breaches from June to December of
2004. Almost three-quarters (73%) of Providers reported occurrences of
privacy breaches. For Provider respondents: 45% indicated that they had
five or fewer privacy breaches, 12% had six to ten breaches, 10% had
eleven or more breaches, and 6% had an unknown number. Fifty-seven
percent (57%) of Payers reported privacy breaches: 37% indicated that
they had five or fewer privacy breaches, 6% had six to ten breaches, 8%
had eleven or more breaches, and 6% had an unknown number.

The majority of both "compliant" Providers (62%) and Payers (58%) have
had no formal complaint of privacy violation brought against them.
Twenty-seven percent (27%) of Providers and 31% of Payers have had at
least one formal complaint of privacy violation filed against them,
either with the Federal government or in a civil proceeding, since the
Privacy compliance deadline.

-------------------------