Health Information Compliance Alert

Published on Fri Jan 04, 2013 PDF

A recent survey provides a “snapshot” of the health care industry’s latest HIPAA compliance readiness, but the results are still blurry, according to at least one health care expert.

Performed in November of this year and compared to results from November 2001, a survey undertaken by the Minneapolis-based Health Care Compliance Association shows that covered entities are continuing to plug away at the daunting task of ensuring compliance with the Health Insurance Portability and Accountability Act’s final rule.

The survey, referred to by the HCCA as a “snapshot” of the industry’s HIPAA readiness, was released Dec. 11 at HCCA’s HIPAA Forum in San Diego. The association mailed over 3,200 surveys to CEs across  the nation, which asked a variety of questions about what organizational steps and policies and procedures CEs had implemented to prepare for the April 14 deadline for compliance with the reg.

According to the results, 96 percent of those surveyed had established a HIPAA task force, 93 percent had designated a privacy officer, and 70 percent had created a position for a security officer.

Overall, 68 percent of respondents had developed policies and procedures concerning appropriate disciplinary action for breaches of privacy and security requirements. Sixty-six percent had created a grievance policy for complaints or breaches of confidentiality, 65 percent had developed policies for the disposal of protected health information, and nearly three-quarters of respondents had generated policies related to patient access of medical records.

The survey also collected responses relating to transaction standards and code sets, but here the stats were less promising: Only about half of the respondents had either determined their preparedness of their trading partners, created a system of maintenance for TCS standards, or trained their business offices with regard to TCS standards.

Additional questions included security processes and HIPAA training.

The statistics appear to reflect a growing awareness of the urgency for HIPAA compliance, but there is one inescapable caveat to the results: Less than 300 surveys were completed and returned — a percentage return of less than 9 percent.

“I think the most telling number in the survey is the number of people that didn’t respond,” said Robert Markette with Indianapolisbased Gilliland & Caudill. Markette says that’s the most important stat of the  survey — a percentage of responses of just over 8.5 percent.

And that stat greatly alters the scope of the survey, Markette explains, adding that one would expect the people who take the time to return the surveys also are probably the ones who are aware of HIPAA and are working on compliance. “From what I’ve seen and from what I’ve heard from talking to different people, [the survey stats] are quite high. Generally I think you’re probably a lot closer to the 50 percent level for compliance,” he says.

And others agree that obtaining an accurate view of HIPAA compliance is next to impossible with the survey.

Such a low rate of response cannot truly reflect the state of compliance readiness throughout the nation, notes Michael Roach, an attorney with Michael Best & Friedrich in Chicago, “but for those that did respond, I found [the results] to be a little surprising and discouraging,” he tells Eli.

Roach says he’s particularly troubled by the absence of requisite HIPAA training time revealed in the responses. While the survey showed that most organizations have held one to two hours of privacy  training for the majority of their stakeholders, he suspects that for the majority of covered entities, two hours of training isn’t nearly sufficient. “You’ll spend an hour answering questions among that group if they’re really tuned in,” he declares.

Roach says that while he’s not surprised at the paucity of respondents, he is concerned by the insufficient amount of training many covered entities appear to be receiving. The survey revealed that only half of medical staffers who answered the survey received one to two hours of HIPAA training. That’s just not cutting it, says Roach, especially for front line staff members who deal with protected health  information on a daily basis.

Taken in toto, then, Roach is surprised and discouraged that the statistics for compliance are so low. For example, the survey reveals that 93 percent of respondents have indicated that a privacy officer has been designated. “I would’ve thought that would’ve been 100 percent months ago,” he says, adding, “I would’ve expected entities to be further along [with the privacy rule] than they apparently are.”

Editor’s Note: You can view the survey in its entirety at www.hcca-info.org