Overall, compliance with HIPAA requirements is lackluster, with the number of health care providers saying they are fully compliant with transaction rules actually falling, according to the latest biannual survey from Phoenix Health Systems, a consulting firm, and the Healthcare Information and Management Systems Society.
In terms of the security rule, the least compliant provider groups were hospitals with more than 400 beds and hospitals with between 100 and 400 beds. Neither group has improved since the last HIPAA compliance survey in January. The security rule requires systems to be in place for authenticating health workers identity and for disposing and reusing information-storage media, as well as audit controls and other checks against unauthorized access to information.
In this survey conducted in July and August, only 56 percent of providers and 80 percent of payers said the were compliant with provisions of the security rule. In January, those numbers were 55 percent and 72 percent, respectively.
Even practices that reported themselves as compliant, more than half surveyed said there had been at least one privacy breach in the past month. More than a fifth reported six or more. However, compliant organizations reported only slightly fewer privacy breaches than noncompliant ones, and the report concluded that some organizations that consider themselves compliant actually are not.
Privacy compliance remained largely unchanged since summer 2005. The report indirectly blamed lax enforcement of the rule. "It is reasonable to conclude that a core group of approximately 20% of Providers and 13% of Payers have had insufficient incentive to implement required Privacy practices within their organizations," according to the report. Privacy compliance generally means obtaining a patients consent before sharing health information and sharing only the minimal information required.
In general, the government does not investigate HIPAA violations unless a complaint has been made. In such cases, fines and penalties may be waived or are minimal if an organization can show "good faith" in efforts to become compliant. In fact, the report states that the federal government has not imposed any fines for HIPAA violations, even though 19,000 grievances have been filed.
A fifth of health care payers and practices blamed their noncompliance on integration issues. A fifth of practices also said budget constraints kept them from adhering to HIPAA.
The report dismisses complaints that compliance with HIPAA is impossible, drowning organizations in paperwork and cumbersome administration. "Those who committed to implementing HIPAA have done so, frequently with a new organizational mindset that embraces security, privacy, and process improvements," states the report.
Meanwhile, more information is being exchanged. Nearly 30 percent of both providers and payers said they are part of a regional health information network or similar information-sharing structure. Another fifth said they are planning to join one.
Results came from 42 representatives at health care insurers and other payers and 178 health care providers who responded to notices sent by HIMSS or placed in a newsletter from Phoenix. The majority of respondents held roles within their organizations for HIPAA compliance.
Full survey results are available here.