HIPAA survey reveals potential land mines
Ninety-three percent of health care providers responding to a Health Insurance Portability and Accountability Act (HIPAA) readiness survey released earlier this month by the Philadelphia-based Health Care Compliance Association (HCCA) have established a HIPAA task force, and 77% have designated a privacy officer. But behind those numbers are some ominous findings, warn several privacy experts.
One area of concern is readiness, says Eileen Boyd, managing partner at KPMG in Washington, DC.
She notes that 67% of respondents report they have not developed cost estimates for privacy, security, and transaction requirements. "That surprised me," she says. "Especially since we are entering a new year of budgeting."
Anthony Boswell, chief compliance officer for Laidlaw in Arlington, TX, finds that less surprising, however. "We have not done that yet either, because we are doing assessments at a few key locations," he reports. "You really have to assess what you are going to do before you can figure out what it is going to cost you."
Boyd says the other finding that concerned her was that 73% had not established security levels for employees, medical staff, and business associates. "I can’t imagine that in any hospital where there is a computer that you would leave that computer open or give somebody your password," she says.
According to the survey, only 26% of respondents reporting on security aspects of HIPAA indicate that they have performed a "penetration analysis" to determine where and how security breaches may occur, and only 19% of respondents have determined how system security will certify compliance.
When it comes to planning issues, there is a fairly high degree of compliance, says health care attorney Brenda Strama of the law firm Vinson & Elkins in Houston, which helped conduct the study. But when it comes to implementation, most providers are not very far along on many of the more difficult issues, she adds.
Boswell says that providers are largely in the assessment phase. But he adds that part of that assessment should include "pre-implementation" steps. "Actual implementation is a bit premature with certain aspects, such as privacy, but not with transaction and code sets," he says.
Strama says her other major concern is that nobody seems very prepared for standards, transactions, and code sets. While that area currently is scheduled to be implemented first in October 2002, Strama says it is the area where providers are lagging the most. It now appears that Congress may delay this implementation date for one year, however.
Fifty-nine percent of those responding to the survey have identified all transaction standards and code sets, but only 32% have gauged the preparedness of trading partners, and only 28% have developed a system for ongoing maintenance of standards transactions and code sets.
While the provider community is split over whether to support further delays, Boswell says he likes the idea of pushing everything back and letting providers focus on privacy. "That is a big piece and the one that is the most important in gaining patient and customer trust," he says. "They all go hand-in-hand, but privacy is the linchpin."
Like Boyd, Strama says she also is concerned providers are holding back on the security portion. On one hand, she says that is understandable since the final regulation is not expected until next month.
On the other hand, that requirement is going to take a long time to comply with, and there is a lot that providers can do to become compliant, she argues.
Here are some of the survey’s other findings:
- 64% of respondents have reviewed employee screening and background checking practices;
- 81% have determined the organization’s designation as a covered entity;
- 60% report that a security officer has been designated;
- 54% report that the privacy and security responsibilities have been assigned to one individual;
- 40% have developed organizational structures that delineate responsibilities for privacy and security;
- 33% have developed cost estimates for privacy, security, and transaction requirements;
- 49% note policies have been developed related to discipline for breach-of-privacy principles and breaches of security;
- 41% have developed a grievance policy to address complaints about privacy and breaches of confidentiality;
- 53% have developed policies related to patient access to records.
However, 78% indicate they have not developed policies on access to "minimum necessary" information, and 80% have yet to develop policies addressing the potential exposure of protected health information through viewing, paging, or other operational activities.
The complete survey is available at www.hcca-info.org.