One year after federal regulations took effect on the patient privacy portion of the Health Insurance Portability and Accountability Act of 1996, fewer than one in four healthcare organizations are in full compliance, a report released this week has documented.
But two-thirds of privacy officers and others charged with meeting regulatory requirements said their organization's level of HIPAA privacy compliance was between 85% and 99%, according to a survey by the American Health Information Management Association.
That's good news considering the widespread concern in the months leading up to the HIPAA deadline about the complexities of the privacy regulations and predictions of high costs and confusion, AHIMA said in its report.
The story based on the report, released earlier to Modern Healthcare, was featured on the cover of the magazine this week.
"Despite all the anxiety over this issue, it appears as if healthcare organizations are integrating HIPAA privacy into their culture and are seeing positive results," said Linda Kloss, AHIMA's executive vice president and chief executive officer.
Some 70% of those surveyed agreed that the HIPAA compliance process uncovered privacy problems within their facilities that were subsequently resolved.
Though officials in most healthcare organizations concede they're less than fully compliant after two years spent preparing for the April 14, 2003, effective date and a year's worth of operating under the regulations, "Even the idea of 100% compliance is an illusion anyway," said Jill Callahan Dennis, an adviser to AHIMA on privacy compliance issues. "You're never going to be 100% compliant even if you think you are."
In the survey of 1,192 healthcare privacy professionals, 39% said accounting for release of protected information was their biggest problem area, and 51% said it was the area most in need of modification by the federal government.
Managing the flow of information to and from outside contractors and partners, called business associates, also was a problem area for compliance efforts and an often-cited focus for federal review.
But other difficulties surfaced that providers will have to resolve among themselves. For example, one-third of surveyed professionals said they had a problem getting patient information from other healthcare providers, even though HIPAA restrictions on disclosure expressly exempted information-sharing among medical professionals for treatment purposes.
Another internal struggle, according to 32% of respondents, involved the release of information to a patient's relatives or "significant others."
HIPAA regulations list nearly a dozen types of disclosures that must be included when patients ask for a report detailing where their personal information has been sent. Providers do not have to include disclosures for purposes of treatment, payment or conducting healthcare operations.
Most hospitals don't have a central area for such information; people throughout the organization have a role in releasing it, said Donna Bowers, vice president of Baylor University Medical Center, Dallas. All these employees have to be educated on which disclosures have to be documented and which do not, and those disclosures have to flow to one place where they can be logged, Bowers said.
A significant percentage of those disclosures are beyond the power of patients to control whether they know about them or not, Dennis said. They're already required by governments for public health, law enforcement, Medicare and Medicaid certification, and social service purposes, from births and infectious-disease reports to cancer diagnoses and suspicions of child abuse.
"Even if they wanted to object, they couldn't because it's required by law," she said. "It's really an illusory right."
Providers questioned the expense of nailing down every routine disclosure, which workers sometimes forget to do, and that affects a facility's compliance, said Rita Bowen, chief privacy officer of Erlanger Health System, Chattanooga, Tenn.
"We know if someone's born, they're going to be reported to the state. Is anyone going to look for that? I don't think so. So why should it be reported? It's so labor-intensive."
And very few hospitals have had requests for accounting, Dennis said. In the survey, less than 25% of facilities have had a single request.
"It just seems like an awful lot of work, and it's expensive work," she said.
After excluding disclosures required by law, "There aren't too many things left to account for," said Dan Rode, AHIMA's vice president of policy and government relations.
In testimony before a HIPAA advisory committee to HHS, healthcare representatives described the administrative burden and floated the idea of listing required disclosures in the notice of privacy practices handed out to all patients instead of going through the accounting of those disclosures for each patient, Rode said.
But HHS' Office for Civil Rights, the enforcement arm for privacy and confidentiality provisions of HIPAA, said the accounting requirements have value.
"Many go to the question of disclosures made that a person wouldn't otherwise know are made," said Richard Campanelli, director of the HHS office. "It's a way for an individual to learn whether their information was safeguarded as the rule requires."
Merely listing those disclosures on a notice of privacy practices would not tell someone if his or her information actually was distributed, Campanelli said.
"The rule requires a specific accounting," he said.
The lack of interest so far among patients doesn't mean the requirement should be reassessed already, HHS spokesman Bill Pierce said.
"It's only been around a year, and arguably this is for the long haul," he said.
Besides the education it gives patients, the accounting process also helps them decide whether they need to clarify or correct information on them, Campanelli said.
"It helps to know if the disclosure about them was accurate ... and how it was used."
The National Committee on Vital and Health Statistics, HIPAA's advisory panel, decided it wasn't ready to recommend changes to HHS Secretary Tommy Thompson, said Mark Rothstein, who chairs a subcommittee on privacy and confidentiality. "We're aware of the problems and are calling it to the attention of the secretary," he said. "But for us it's a bit premature and rather sweeping for the policies to be changed entirely."
Under HIPAA law, HHS has the authority to modify or amend privacy standards as it sees fit, but only once in a 12-month period. The vital and health statistics committee is the sole advisory agency to HHS on HIPAA privacy and confidentiality.
Correcting privacy deficiencies
Whatever the current problems, a clear benefit of HIPAA was "identification of deficiencies with existing business practices or procedures that put privacy of patient information at risk," the AHIMA report said. Those problems likely were part of caregivers' drive, "all with good intent," to treat patients, and to do that, they needed access to information, Bowers said.
But after going through the regulations, providers realized that the long-standing single-mindedness of healthcare workers on getting information from and about patients had to give way to other considerations.
"After 100 years, maybe this wasn't the right way," Bowers said. "Maybe (patients) do care that I'm asking all these personal questions in front of all these people."
Two top privacy problems were singled out, identified and corrected during HIPAA implementation, both mentioned by 13% of respondents. One was unauthorized releases of information from areas outside the medical records department. The other was public disclosure of private information, in plain sight on department "whiteboards," computer screens or unattended desks, or overheard in conversation.
At Baylor as well as other hospitals, it was standard practice in surgery waiting areas for a physician to sit down wherever a patient's family was gathered and relate all the details about the completed procedure in a normal tone of voice, Bowers said. Now the family is directed to a private area where no one else can overhear the conversation, she said.
Other measures include privacy screens for all computers in clinical areas of Baylor's 11 facilities. Computer screens cannot be read unless the user is directly in front of the monitor.
About 6% of those surveyed said they had to tighten up their control of disclosures by standardizing practices related to the release of information.
At Erlanger, an internal assessment discovered weak spots that had to be fixed, Bowen said. "By mapping the flow of information we found lots of people really seeing information who shouldn't be," she said.