
Health Insurance Portability and Accountability Act (HIPAA) Southeast Survey Results


Background

The Health Insurance Portability and Accountability Act (HIPAA) affects the entire healthcare industry. The original legislation was introduced to improve health insurance portability and move toward more universal coverage. Congress added measures for administrative simplification aimed at reducing industry costs through greater standardization and greater use of electronic transaction processing. To assure the confidentiality of health-related information, Congress also included significant security and patient privacy requirements.

During December 2001 and January 2002, approximately one hundred major hospitals and managed care organizations within the Southeast were contacted to understand the current status of their HIPAA compliance efforts. President Bush signed the Administrative Simplification Compliance Act during the survey period; potential impacts of the extension for Transactions and Code Set Standards on HIPAA privacy or security compliance were not measured. Eighty-five percent (85%) of respondents in the most recent HIMSS / Phoenix Health Systems survey indicated that the extension would have no effect on their compliance with the privacy provisions. [1]

Meeting the Deadlines

Fortunately, all survey participants responded that they have made at least some progress towards HIPAA compliance. Even better, a majority of survey participants stated they were well underway to completion. Based on actual experience and the survey comments, the true meaning of 'well underway' is a continuum from 'several meetings have been held' to 'gap assessments are complete, test dates are established, and training has begun'. This is also evident in the recent national survey [1], which indicates that 25%-32% of respondents are currently working on the impact/gap assessment phase in all major compliance areas, with 17% reporting that they are still doing project planning in Privacy, Security, and Identifiers.

As companies struggle with their compliance efforts, budget constraints, unclear legislation, lack of final rules, and the broad scope of HIPAA requirements have been cited as the top reasons for delays. Strong project management and a methodical process are needed to ensure that HIPAA efforts do not fall behind. In larger organizations, a dedicated HIPAA project manager helps avoid the risks of relying on several part-time project managers who must also deal with other responsibilities.

Logically, since many survey respondents report being well underway to compliance, many also expect to be compliant: fully 86% believe they will be compliant by the deadlines currently established. However, one concern is that only half of all respondents indicate that they have assigned both a security officer and a privacy officer. With the deadline for complying with the privacy requirements now only 14 months away, many organizations appear to be waiting on the final security rule before beginning their security efforts. The privacy rule requires that administrative, technical, and physical safeguards be in place to protect the privacy of protected health information. HIPAA also calls for security and privacy protection to be an ongoing effort, i.e., the work doesn't stop on April 15, 2003! HIPAA's security regulations represent good information systems management practices, and compliance is best achieved by creating a solid security foundation or architecture that enables the protection and privacy of information.

Organizations are strongly encouraged to begin immediately to assess their current security and privacy practices and identify areas where additional resources may be needed. According to a recent Gartner survey [2], many health care organizations (HCOs) have yet to complete many of the basic assessment steps and do not know whether additional resources (people and/or money) will be required. As with many companies in the Year 2000 crunch, additional resources will be needed as the deadlines approach - Gartner predicts that demand will exceed supply in early 2002.

Budget constraints are seen as one of the major obstacles to achieving HIPAA compliance, especially for smaller organizations. While some organizations indicated in 2001 that they would choose to "do nothing" toward compliance, hoping that penalties would cost less than compliance, this approach appears to be losing favor. Many healthcare organizations are now supporting the HIPAA regulations and are actually discouraging deadline extensions. In addition, enforcement of privacy is on the rise - "last month, the FTC settled its first security-related privacy case against Eli Lilly and Co. in Indianapolis, which released nearly 700 customer addresses collected through its Prozac.com Web site last summer." [3]

The dollar amount organizations are expecting to spend on HIPAA compliance efforts varies greatly depending on the size of the organization and its current IT infrastructure. The larger the organization and the more complex its IT environment, the more it will have to spend. Of our respondents, 41% believe the cost of compliance will be tens of thousands of dollars, another 41% think it will cost hundreds of thousands, and the remaining 18% believe millions of dollars will have to be spent to complete their HIPAA projects. The recent national survey [1] confirms these trends and adds that most organizations will spend more in 2002 than in 2001, and more than originally estimated for 2002. The majority of survey respondents also noted that most of the capital expenditures will be used to address HIPAA accountability issues, rather than portability. Addressing access control issues, such as authentication and authorization, as well as auditing who has viewed, edited, or deleted information, continues to be a problem among those striving for HIPAA compliance.

Training

Implementation of HIPAA compliant technologies is a challenge in itself. As noted above, many companies are making sizable expenditures to ensure that all regulations are properly addressed with improved processes and the latest technologies, with accountability at the top of the list. However, because HIPAA compliance is an ongoing endeavor, training will be increasingly important. HIPAA requires general privacy training, security awareness training, and job-specific security training. In the survey, 82% of the respondents stated they are developing and providing employee training on HIPAA requirements. This is in contrast to national survey results, which indicate that only 25%-30% (privacy) / 30%-40% (security) of organizations are providing HIPAA awareness training and only 5%-10% of organizations are providing HIPAA training. In addition, over 70% of the respondents still have some questions regarding the HIPAA regulations - the thoroughness of the training should be reviewed in light of this uncertainty. Providing employees with effective and practical training will affect not only the effectiveness of HIPAA compliance, but the risk level of the organization going forward.

Conclusion

The responses from the participants indicate that HIPAA compliance in the Southeast is underway, but still poses many challenges. The race toward compliance could be stalled by budgetary issues, gaps in overall knowledge of HIPAA, and strains on resources that are critical to the organization's success. Dedicating resources and a budget to HIPAA, gaining a well-rounded understanding of the issues at hand, and developing a solid training program are key elements to achieving compliance. In addition, dedicated project management of the HIPAA initiatives can prove to be one of the most effective means to reach HIPAA compliance and to minimize the level of chaos that many healthcare organizations are experiencing with their efforts.

There are a variety of resources on the Internet that provide useful information to assist you in your compliance efforts. In addition, healthcare organizations provide tools, many of them free, which can be of significant assistance. Some examples are:

Utilizing these resources, in addition to what you already draw upon, can help you reach a greater understanding of the difficult issues associated with HIPAA compliance. These sites, as well as the healthcare information journals and conferences, also help you leverage the experiences, pitfalls, and success stories of peers and experts who are dealing with the same issues.



[1] HIMSS / Phoenix Health Systems, Healthcare Industry Quarterly HIPAA Survey Results; Winter 2001-2002.

[2] Gartner, HIPAA survey 2Q01 results: Spending and consulting use, September 6, 2001.

[3] Thibodeau, Patrick, Privacy issues a growing concern for business, Computerworld, January 31, 2002.




©2001-2003 by Itillious, Inc. All Rights Reserved.