

Survey Shows HIPAA Security Compliance Remains Low

Most covered entities have complied with most of HIPAA, but compliance with the Security Rule remains low among health care providers.

Though the deadline for compliance with the HIPAA Security Rule passed more than a year ago, 80 percent of payers and only 56 percent of providers who responded to the U.S. Healthcare Industry HIPAA Summer 2006 Survey have implemented the security standards. Even among respondents claiming full compliance with the Security Rule, gaps remain; many compliant providers and payers could not say whether they had implemented key security standards.

Sponsored by Phoenix Health Systems and the Healthcare Information and Management Systems Society (HIMSS), the twice-yearly survey is in its seventh consecutive year of tracking and reporting on the status of HIPAA compliance within the health care industry. Given the poor results among providers, the survey drilled down into individual provider groups to identify the most obvious trouble spots.  

"Our findings from the summer 2006, and the previous HIPAA surveys, have provided strategic insight into both the benefits and challenges of compliance," said Lisa Gallagher, HIMSS director of privacy and security.  "Many of the HIPAA-required standards have been met, but this recent research identified what respondents consider as the 'red flags' of compliance -- especially in the Security and Privacy Rules."

On a positive note, health care providers are taking the necessary steps to convert to the National Provider Identifier (NPI), a move required by May 23, 2007. Almost 67 percent of participating providers have already applied for their NPI, and 77 percent have identified the internal changes needed for the conversion.

Other findings from the survey:

HIPAA Transactions Implementation Stalled

  1. Implementation of the Transactions and Code Sets (TCS) standards across the industry appears to be stalled. Providers reporting full compliance with TCS actually dropped from 84 percent in January 2006 to 72 percent. Seventy-three percent of payers reported compliance both in this survey and in the January 2006 survey.
  2. About 42 percent of providers and 45 percent of payers are conducting all HIPAA-required transactions. Both groups cite the other's lack of readiness as the primary reason for not conducting more standard transactions.

HIPAA Privacy Still an Issue

  1. A substantial percentage of providers (22 percent) and payers (13 percent) remain non-compliant with the privacy regulations. These results are consistent with findings in all preceding surveys since 2004, suggesting that a core group of covered entities either cannot or will not implement the privacy rules.
  2. Even among compliant organizations, there are significant implementation gaps in some common areas, including establishing business associate agreements, monitoring internal privacy compliance and maintaining "minimum necessary" information disclosure restrictions.
  3. The percentage of compliant provider organizations that have experienced privacy breaches decreased from January 2006, from 60 percent to 52 percent. Reportedly non-compliant providers experienced more privacy breaches (64 percent) than compliant providers, consistent with January 2006 survey findings.

HIPAA Impacts and Opportunities Positive

  1. Less than half of participants have measured direct return on investment (ROI) from their investment in standard TCS, but 4 percent of both providers and payers indicated that they have achieved "significant" ROI.
  2. Provider and payer participants agree that HIPAA implementation has resulted in greater attention to patient privacy and data security by their respective workforces, as well as increased consumer confidence.
  3. Close to 30 percent of provider and payer participants are participating in health information networks, such as a regional health information organization, and about 20 percent are planning to do so. The majority of participants said that HIPAA standards have facilitated the execution of such regional networks.

The survey was conducted between July 15 and Aug. 9, 2006, and included 220 health care industry representatives. Among the participants, 81 percent were from provider organizations and 19 percent were from payer organizations.

Source: U.S. Healthcare Industry HIPAA Summer 2006 Survey, sponsored by Phoenix Health Systems and HIMSS.



© 2017 ADVANCE Healthcare, an Elite CE company