Providers Are HIPAA Privacy Compliant

May 7, 2003 ( - Compliance for the recently enacted privacy rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) is much greater at health care providers than other entities.

A greater proportion of providers surveyed (78%) said they were compliant with the rule, compared to payers (68%) and clearinghouses (47%). April’s data represents a significant improvement over January where only 9% of providers, 5% of payers, and 14% of clearinghouses reported that they were compliant in the earlier study, according to Phoenix Health Systems and HIMSS Spring 2003 US Healthcare Industry Quarterly HIPAA Compliance Survey.

Provider level of compliance is high in most areas of the privacy requirements. Tops among these is the near totality of providers (98%) who reported being privacy-compliant after posting and distributing Notices of Privacy Practices. Other high marks were noted in:

  • obtaining acknowledgement of receipt of Notice of Privacy Practices (97%)
  • obtaining patient authorizations for use and disclosure of Protected Health Information (PHI) (97%)
  • enabling mandated patients’ rights (96%)
  • documenting privacy policies and practices (91%)
  • maintaining accounting of disclosures (89%)
  • using “minimum necessary” restrictions (88%)
  • implementing security protections (82%)
  • monitoring organizational compliance (71%)
  • obtaining all required Business Associate agreements (60%).

TCS Too?

The strong progress of privacy compliance since January suggests that on-time implementation of the highly visible privacy regulations may have dominated the focus of healthcare HIPAA compliance efforts in recent months, the survey said. The emphasis on implementation of privacy regulations along with the technical complexities inherent in nationwide adoption of HIPAA standardized transactions may have delayed Transactions and Code Sets (TCS) compliance efforts in many health care enterprises, especially provider organizations.

These regulations stipulated covered entities that asked for a one-year extension for compliance with the TCS regulations were to begin testing their systems by April 16. However, the study found only one-half of participants reporting completion of TCS implementation activities and just 53% began internal testing by the HHS-stipulated April 16 testing deadline.

On a more positive note, the majority of organizations had completed TCS HIPAA awareness/education (78%), assessment (73%), and implementation project planning (67%). Further, almost 40% of respondents had already begun external testing with business partners.

Also, 80% of clearinghouses, 62% of payers, 55% of vendors and 49% of providers stated they were conducting internal transactions testing as of the TCS April 16 testing deadline. Some 53% of clearinghouses, 39% of providers, 39% of vendors and 37% of payers were conducting external testing with their trading partners, as of the testing deadline.

A total of 697 health care industry representatives responded to e-mail appeals of members of the two organizations. Providers comprised 70% of respondents, payers equaled 19%, vendors 9%, and clearinghouses 2%.The survey is available at .