Post on 25-Dec-2015
HCCA HIPAA Readiness Survey Results
November, 2002

Jody Noon
Principal
Deloitte & Touche
Portland, OR

John Steiner Esq.
Chief Compliance Officer
Cleveland Clinic Foundation
Cleveland, OH

Debbie Troklus CHC
Asst. VP for Compliance
University of Louisville School of Medicine
Louisville, KY

Survey Demographics
Total Respondents: 289
Type of Health Care Entity
Academic Med Center - 7%
Health Care System - 26%
Physician Practice/Group - 5%
Health Plan - 6%
Long Term Care - 7%
Hospital - 33%
Clinic - 4%
Other - 12%

Survey Demographics (Cont’d)
Corporate Status
Not for Profit - 72%
For Profit - 18%
N/A - 10%

Survey Demographics (cont’d)
289 Total Respondents
Facility Location
Urban - 37%
Suburban - 29%
Rural - 18%
N/A or Other - 16%
Bed Size
< 100 - 1%
101 – 500 - 34%
501 – 1000 - 11%
1001 – 5000 - 1%
N/A or Other - 53%
[Bar chart: Bed Size; axis: Percentage; categories: <100, 101 to 500, 501 to 1000, 1001 to 5000]

Education
To date, how much classroom time has been spent on HIPAA education for the following?
Board of Directors: 60% 1-2 hours; 10% 3-5 hours; 6% more than 5 hrs; 20% None; 4% N/A
Executive Staff: 36% 1-2 hours; 33% 3-5 hours; 26% more than 5 hrs; 4% None; 1% N/A
Medical Staff: 49% 1-2 hours; 10% 3-5 hours; 6% more than 5 hrs; 25% None; 10% N/A
Staff: 54% 1-2 hours; 14% 3-5 hours; 10% more than 5 hrs; 20% None; 1% N/A
[Bar chart: classroom time spent on HIPAA education (1-2 hours, 3-5 hours, more than 5, None) for Executive Staff, Staff, Board of Directors, Medical Staff]

HIPAA Planning
Activity: 2001 / 2002
Established HIPAA Task Force: 87% / 96%
Designated Privacy Officer: 73% / 93%
Designated Security Officer: 57% / 70%
Assigned Privacy and Security responsibilities to one individual: 54% / 43%
Developed organization structure delineating responsibilities for privacy and security: 37% / 75%
Developed cost estimates for privacy, security, and transaction requirements: 30% / 57%

HIPAA Assessment
Inventories Completed: 2001 / 2002
Contracts and Agreements: 41% / 77%
Persons/entities that share electronic health information: 44% / 79%
Qualified Business Associates: 55% / 70%
Relationships that may require Chain of Trust or Trading Partner Agreements: 28% / 51%
Consent forms: 41% / 61%

HIPAA Implementation
Activity: 2001 / 2002
Established security levels for Employees, Medical Staff, and Business Associates: 25% / 46%
Determined your organization’s designation as a covered entity (OHCA, SACE, hybrid): 75% / 91%
Developed an applications and data critical analysis, a data backup plan, a disaster recovery plan, and mode operations: 44% / 55%
Reviewed employee screening and background checking practices: 60% / 78%

HIPAA Implementation
Forms Developed: 2001 / 2002
Business Associate Agreements: 30% / 76%
Chain of Trust or Trading Partner Agreements: 16% / 33%
Consent forms: 32% / 55%
Notice of privacy practices: 29% / 70%

HIPAA Policies and Procedures
Policy: 2001 / 2002
Discipline for breaches of privacy principles or security: 46% / 68%
Grievance policy for complaints and breaches of confidentiality: 40% / 66%
Patient access to records: 47% / 74%
Access to “minimum necessary” information: 21% / 56%
Disclosure of PHI through viewing, paging or other operational activities: 19% / 48%

HIPAA Policies and Procedures (cont’d)
Policy: 2001 / 2002
Verbal discussions of PHI by authorized persons: 25% / 55%
Disposal of PHI (paper, electronic, etc.): 34% / 65%
De-identification of PHI: 15% / 42%
Encryption of PHI: 14% / 28%

HIPAA Assessment - Security
Activity: 2001 / 2002
Performed a “penetration analysis” to determine where and how security breaches may occur: 24% / 38%
Assessed the physical location and the type of storage media to be used for all protected health information: 25% / 52%
Addressed issue of authentication of users and receivers of health information (external and internal) and audit trail: 21% / 36%

HIPAA Standard Transactions and Code Sets
Activity: 2001 / 2002
Identified all transaction standards and code sets: 56% / 78%
Determined preparedness of trading partners: 28% / 54%
Developed system for ongoing maintenance of standard transactions and code sets: 25% / 46%
Educated business office on standard transactions and code sets: 26% / 49%
Identified Electronic Data Interchange partners: 43% / 67%

Change in HIPAA Compliance Activities from 2001 to 2002
[Bar chart: 60% and Above Compliance vs. 20% and Below Compliance, 2001 and 2002]

Special Thanks To:
Deloitte & Touche

Questions?