According to the summer 2004 edition of the U.S. Healthcare Industry HIPAA Survey conducted by the Healthcare Information Management Systems Society (HIMSS) and Phoenix Health Systems, the industry is still struggling to submit standard transactions in compliance with HIPAA. In fact, the survey indicates the healthcare industry is "not even close" to standardizing healthcare business transactions and realizing the promise of a return on investment.
The survey was conducted from June 1-15 and results are based on the responses of 540 healthcare industry representatives. "These most recent findings indicate that many providers and payers may be ready to produce compliant transactions, but their trading partners cannot accept or transmit them," said D'Arcy Guerin Gue, executive vice president of Phoenix Health Systems. "The questions that continue to stump the healthcare industry are how will it join together, as it must, to achieve across-the-board readiness, and when will it do so?"
Key findings of the survey include:
HIPAA Transaction and Code Set Testing: With almost two-thirds of respondents reporting complete TCS compliance, less than half of providers and payers are now conducting all the standard transactions required for their business functions. Of the non-compliant covered entities, or providers, payers and clearinghouses, 68 percent have completed internal testing, but only 27 percent have completed external testing. When asked the reason for their lack of full TCS compliance, most covered entities cited lack of compliance by and cooperation with their trading partners.
With that in mind, survey results also show that 40 percent of providers, 36 percent of payers and 51 percent of vendors feel that the Centers for Medicare and Medicaid Services (CMS) should maintain its contingency plan for another three months, compared with up to six months, as reported in the winter 2004 survey results. Currently, the CMS contingency plan remains in effect and allows acceptance of non-compliant HIPAA transactions. However, on July 1, CMS modified its guidelines so that non-compliant transactions submitted to Medicare require another 13 days for payment.
HIPAA Privacy: The deadline for the HIPAA Privacy Rule was April 2003 and despite the risk of complaints and federal penalties, 22 percent of providers and 9 percent of payers still reported that they remain non-compliant with the Privacy Rule. Even compliant organizations cited gaps in key areas, including establishing business associate agreements and monitoring internal privacy compliance.
Implementation of comprehensive privacy programs remains to be completed, according to the survey results, with 64 percent of provider and 58 percent of payer respondents reporting between one and five privacy breaches in the first six months of 2004.
HIPAA Security: Looking ahead to April 21, 2005, the deadline for HIPAA Security compliance, the majority of respondents, or 87 percent of providers, 91 percent of payers and 90 percent of clearinghouses, reported that their organizations will not be compliant until that date. Thirty-one percent of total providers, payers and clearinghouses also said that their organizations had experienced at least one data security breach in the last six months, from January to June 2004.