Health Information Compliance Alert

Compliance Survey HOSPITALS' COMPLIANCE ILL BUT RECOVERING, SURVEY SHOWS

A recently released survey gives low marks to the health care industry when it comes to preparedness with the Health Insurance Portability and Accountability Act’s privacy rule — so why the optimism from  one of the study’s administrators?

The survey — undertaken in July and made public Nov. 8 by Deloitte & Touche — records the responses of over 600 hospital CEOs and shows a disconcerting trend among some covered entities relating to their readiness to tackle the HIPAA privacy and security rules.

The survey, titled “The Future of Health Care: An Outlook from the Perspective of Hospital CEOs,” aims at covering many of the current practical challenges that face the health care industry.

Thomas Hochhausler, director of the survey and a partner with Deloitte & Touche, said the survey’s goal is to aid industry leaders as they plan for the future, with the hope that the data proves to be useful to health care executives, legislators, employers, and the public as they strive to understand where the health care industry is heading.

At the time the survey was undertaken in late July, most hospitals did not expect to meet the October 2002 deadline for compliance with the HIPAA transactions and code set standards, the
survey showed.

The participants reported that funding was the major obstacle impeding HIPAA compliance, and nearly one in three hospitals has not yet estimated the costs of compliance, according to the survey.

Other obstacles included an organization’s culture with respect to the sharing of information, inadequate project management infrastructure, and lacking the appropriate staff to undertake the necessary changes.

Perhaps more alarming, though, were the survey’s results regarding hospitals’ current state of protecting identifiable health information. Only 20 percent of those surveyed said their current status level was  “high.” Eleven percent of respondents noted they were already compliant with HIPAA.

But there is a positive side to the survey results. Eighty-six percent of the CEOs surveyed said they expected to meet the requirements of the privacy rule by April 2003.

Also, the majority expressed optimism about the likelihood that they’ll be able to comply with the October 2003 date for compliance with the transactions and code set requirements for entities that submitted a compliance plan to the Department of Health and Human Services.

Scott Taylor, a partner with the Chicago office of Deloitte & Touche, says there is one big problem with the study relating to HIPAA compliance: The study was undertaken prior to the August advent of the final privacy rule.

“What we have found was, basically, folks went into hibernation. [Covered entities] were sick and tired of the regulations changing, and weren’t going to expend time, effort and money when they had a thousand-and-one other things on their plate,” Taylor notes.

Taylor says the summer months — May, June and July — didn’t see much compliance activity, but “there was a noticeable change once the final privacy regulations were issued.” And Taylor says he likes the compliance efforts he’s seen since the August modifications.

He says CEs are realizing that HIPAA compliance isn’t going to be “that big of a deal, and many don’t think it’s going to be a big financial burden,” a pleasant change from the two years ago when “everyone  was saying the sky is falling,” he states.

The study revealed that a mere 5 percent of those surveyed said they had not initiated a compliance program. Taylor tells Eli those numbers are likely to have changed, and admonishes those in the 5  percent to get their ducks in a row. He claims many covered entities in his neck of the woods still haven’t begun their compliance strategies.

So get to work, CEs. After all, “April 14 is coming up pretty quick,” warns Taylor.

Editor’s Note: To see the results of the survey, go to www.deloitte.com/dtt/cda/doc/content/hc2002Final(5).pdf