Lack of stringent enforcement of privacy rules under the Health Insurance Portability and Accountability Act apparently has spawned a persistent sense of laxity towards privacy compliance by some providers and payers, according to a joint survey report by the Chicago-based Healthcare Information and Management Systems Society and consultant Phoenix Health Systems, Montgomery Village, Md.
The latest report from the semiannual online survey was released Monday. Survey responses were gathered between July 15 and Aug. 9 from 220 healthcare industry representatives from providers and payers who answered notices sent to HIMSS members and readers of a Phoenix newsletter on HIPAA.
"In our winter 2006 survey, 80% of providers and 86% of payers indicated they were compliant with the HIPAA privacy regulations; as of July 2006 providers reporting compliance have decreased to 78% and payers have increased just 1 point to 87%," the report said, noting the latest results were generally consistent with surveys in 2004 and 2005.
"It is reasonable to conclude that a core group of approximately 20% of providers and 13% of payers have had insufficient incentive to implement required privacy practices," the report said.
Providers and payers that reported they were in compliance also experienced fewer privacy breaches than their noncompliant counterparts, but only marginally so.
More than half (52%) of provider representatives who reported they were HIPAA compliant, and 64% of those who reported they were noncompliant, indicated they had experienced at least one privacy breach in the past six months, while 21% and 31%, respectively, indicated they had experienced six or more privacy breaches during the same period.
Meanwhile, 60% of compliant and 64% of noncompliant payers reported at least one privacy breach during the six-month period, with 6% of compliant payers and 25% of noncompliant payers reporting six or more breaches in six months.
Drilling down on the survey data to look at eight specific privacy practices, such as monitoring compliance and having in place all mandated business associate agreements, the report notes that noncompliance is actually more widespread than the overall compliance rates from self-assessments suggest.
"Despite many providers' and payers' reports that they have fully implemented HIPAA privacy requirements, a more detailed inspection indicates otherwise," the report said. "In fact, no participating provider organization was able to show in this survey -- or in past surveys -- that it had complied with every key privacy rule provision, and payers' performance was only marginally better." For example, only 78% of providers and 85% of payers who claimed they were HIPAA-compliant said they monitor their organization's compliance with privacy regulations, and 72% of providers and 94% of payers indicated they had obtained all required business associate agreements, according to the survey report.
Providers and payers also have made little progress in achieving compliance with HIPAA security provisions, with 56% of providers (up from 50% in the January 2006 survey) and 80% of payers (up from 72%) reporting compliance, according to the report. Implementation of standards under HIPAA provisions covering transactions and code sets also appears to be stalled, at 72% of providers (down from 84% in January) and 73% of payers (no change since January). The compliance deadline for the security rule was April 2005 for most providers and payers; the compliance deadline for transactions and code sets was October 2003.
Budget constraints (20%) and integration issues with new systems and practices (20%) were cited by providers as the key barriers to full HIPAA compliance, while payers named integration (20%) as their No. 1 compliance obstacle.