Survey: HIPAA Compliance Drops, Patient Concerns Grow
Fewer hospitals and health care facilities are complying with federal laws to protect patient privacy, and more patients are refusing to sign forms to release health information, according to a survey by the American Health Information Management Association. Such trends bode ill for the development of a national electronic exchange of health data, warned Dan Rode, AHIMA's vice president of Policy and Government Relations.

"If patients don't see institutions safeguarding their privacy now, how willing will they be to see information in an electronic form going through a network exchange?" he asked.

For the past three years, AHIMA has surveyed over a thousand hospitals and health care facilities about their compliance with HIPAA (Health Insurance Portability and Accountability Act) rules that protect patient privacy.

Though the proportion of facilities reporting "full compliance" held steady at around 40 percent, the proportion of respondents who said they believed they were less than 85 percent compliant increased from 9 percent in 2005 to 15 percent in 2006. AHIMA said this decrease was "not a significant change" but that the drop "should serve as a warning to the industry that compliance should not be taken for granted."

Respondents said "lack of resources" was the biggest barrier to compliance, particularly to training and educating new staff, and AHIMA concluded that institutions were making privacy less of a priority: "From comments made by the respondents, it appears that many privacy officers are doing their best, but their calls for more support and resources are going unheard."

At the same time, patients seem more concerned. The survey found that patients were asking more questions about the privacy of their health information, and 22 percent of institutions reported that some patients refused to sign release of information forms. Respondents at facilities with 5,000 to 20,000 admissions and discharges a year were most likely to report that patients had refused to sign forms. More than half of respondents at the very largest facilities (more than 50,000 admissions and discharges) said patients were asking more questions.

"Hospitals are not using IT to help with HIPAA compliance," said Roger Wernow, head of RMW Associates, a consultancy for health care practices, based in Indialantic, Fla. Both Wernow and Rode said a shift to electronic-based records would largely eliminate the biggest burden health care facilities face in HIPAA compliance: tracking what patient information is released to what entities.

IT could potentially reassure patients that their information was protected, by releasing only information in, say, certain fields in a database rather than all the information recorded on a paper form. But, Wernow said, "The technology is not yet a state to do that."

Rode blamed confusing language for much of patients' discomfort. Though many hospitals in 2006 reported changing forms to make them more comprehensible, Rode said he'd recently been presented with a form that was 12 pages long. In addition to HIPAA policy, patient release forms often cover additional privacy restrictions set by individual states.

Though not addressed by the survey, state privacy laws are also viewed as a barrier for creating a national health information exchange. In October 2005, a coalition led by the National Governor's Association received $11.5 million in grants to identify and resolve conflicts between state privacy laws. Subcontracts for individual states are expected to be announced this May.

About a third of respondents to AHIMA's survey said they were involved in a health information exchange project. In 2006, 10 percent of respondents reported difficulty obtaining protected health information from other providers.

About 75 percent of respondents to AHIMA's survey said they were fully or mostly compliant with HIPAA's security rules, which went into force in April 2005 and stipulated measures to keep health information safe.

All respondents said their facilities had a designated security officer, usually someone from the IT department. Just over half of respondents reported that they had recently upgraded IT to comply with the security rule: firewalls, anti-virus software and backup technologies were the most likely to be upgraded.

The drop in compliance was distributed across institutions of all sizes and corresponds with a perceived lack of emphasis on HIPAA. On a conference call in 2005, government officials said health care institutions should not expect to be investigated for HIPAA compliance unless a complaint is filed, and that institutions working in good faith toward compliance would likely not be prosecuted.

The survey was based on 1,117 qualified responses to an e-mail invitation. According to the survey, the e-mail targeted "AHIMA members who were considered most likely to have participated significantly in the HIPAA implementation process and others who had participated in various HIPAA-related educational opportunities provided by AHIMA."

<< Back to News