Phoenix Health Systems & HIMSS: HIPAA Security Rule Compliance Remains Low

Hospitals with 100+ beds least compliant with Security Rule according to the Phoenix Health Systems' and HIMSS' US Healthcare Industry HIPAA Summer 2006 Survey

Montgomery Village, MD – October 12, 2006 – Most "covered entities" have complied to some extent with most of the Health Insurance Portability and Accountability Act (HIPAA) regulations, but Security Rule compliance remains low among healthcare providers. Though the deadline for compliance with the HIPAA Security Rule passed over a year ago, 80% of payers and only 56% of providers who responded to the US Healthcare Industry HIPAA Summer 2006 Survey have implemented the Security standards. Gaps remain even among those claiming full compliance with the Security Rule; many "compliant" Providers and Payers could not confirm that they had implemented all key Security standards.

Sponsored by Phoenix Health Systems and the Healthcare Information and Management Systems Society (HIMSS), the twice-yearly survey is in its seventh consecutive year of tracking and reporting on the status of HIPAA compliance within the healthcare industry. Given the significantly poor results among Providers, the survey drilled down into individual Provider groups to identify the most obvious trouble spots.

"Though we have no direct data explaining why small hospitals/large practices have made so much progress in the last six months in Security, the fact that larger hospitals have more complex systems/processes infrastructures has been a key factor in their slower compliance," said D’Arcy Guerin Gue, Executive Vice President of Phoenix Health Systems. "By inference, it is possible that the simpler infrastructures of smaller organizations have contributed to their greater compliance levels."

On a positive note, healthcare Providers are taking the necessary steps to convert to the National Provider Identifier (NPI), a move required by May 23, 2007. Almost 67% of participating Providers have already applied for their NPI, and 77% have identified the internal changes needed for the conversion.

"Our findings from the Summer 2006 - and the previous HIPAA surveys - have provided strategic insight into both the benefits and challenges of compliance," said Lisa Gallagher, HIMSS Director of Privacy and Security. "Many of the HIPAA-required standards have been met, but this recent research identified what respondents consider as the 'red flags' of compliance - especially in the Security and Privacy Rules."

Other findings of the Summer 2006 survey:

HIPAA Transactions Implementation Stalled

  1. Implementation of the Transactions and Code Sets (TCS) standards across the industry appears to be stalled. Providers reporting full compliance with TCS actually dropped from 84% in Winter 2006 to 72%. Seventy-three percent (73%) of Payers reported compliance both in this survey and in the Winter 2006 Survey.
  2. About 42% of Providers and 45% of Payers are conducting all HIPAA-required transactions. Both groups cite the other’s lack of readiness as the primary reason for not conducting more standard transactions.

HIPAA Privacy Still an Issue

  1. A substantial percentage of Providers (22%) and Payers (13%) remain non-compliant with the Privacy regulations. These results are consistent with findings in all preceding surveys since 2004, suggesting that a core group of covered entities either cannot or will not implement the Privacy standards.
  2. Even among “compliant” organizations, significant implementation gaps remain in certain areas, including establishing Business Associate Agreements, monitoring internal Privacy compliance, and maintaining “minimum necessary” information disclosure restrictions.
  3. The percentage of reportedly compliant Provider organizations that have experienced privacy breaches decreased since Winter 2006, from 60% to 52%. Reportedly non-compliant Providers experienced more privacy breaches (64%) than compliant Providers, consistent with Winter 2006 Survey findings.

HIPAA Impacts and Opportunities Undeniably Positive

  1. Fewer than half of participants have measured direct return on investment (ROI) from their investment in standard Transactions and Code Sets, but 4% of both Providers and Payers indicated that they have achieved “significant” ROI.
  2. Both Provider and Payer Survey participants agree that HIPAA implementation has resulted in greater attention to patient privacy and data security by their workforces, as well as increased consumer confidence.
  3. Close to 30% of Provider and Payer participants are currently participating in health information networks, such as a Regional Health Information Organization (RHIO), and about 20% are planning to do so. The majority of participants agreed that HIPAA standards have facilitated the execution of such networks.

The survey was conducted between July 15 and August 9, 2006, and included a total of 220 healthcare industry representatives. Among the participants, 81 percent were providers and 19 percent were payers.

Visit http://www.hipaadvisory.com/action/surveynew/results/summer2006.htm to access the entire survey report and graphical comparisons.

About Phoenix Health Systems:
Headquartered in Montgomery Village, MD with corporate offices in Dallas, TX and Honolulu, HI, Phoenix Health Systems provides an integrated set of professional, technical and business services that focuses on the business goals of all departments within the healthcare organization. Through strategic consulting, IT outsourcing and revenue cycle management, Phoenix can help any healthcare organization achieve its long-term objectives of administrative cost reduction, increased cash flow, improved patient safety, and regulatory compliance. For additional information, please contact Christopher Madeira at (301) 240-1500, or visit www.phoenixhealth.com.

About HIMSS:
The Healthcare Information and Management Systems Society (HIMSS) is the healthcare industry's membership organization exclusively focused on providing leadership for the optimal use of healthcare information technology (IT) and management systems for the betterment of human health. Founded in 1961 with offices in Chicago, Washington, DC, and other locations across the country, HIMSS represents approximately 17,000 individual members and more than 270 member corporations that employ more than 1 million people. Visit HIMSS.org for more information.