California HIPAA Privacy Implementation Survey: Appendix A. Stakeholder Interviews


California HIPAA Privacy Implementation Survey: Appendix A. Stakeholder Interviews
Prepared for the California HealthCare Foundation
Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project
April 2002

Appendix A. Stakeholder Interviews

Prior to developing a finalized HIPAA survey for this project, an independent survey research firm conducted a series of stakeholder interviews. The purpose of these interviews was to obtain a general sense of what the actual and perceived barriers are to implementation of the HIPAA privacy rule from those who are and will be directly affected. The NCQA and The Health Privacy Project at Georgetown University chose the stakeholders judgmentally as those who would be familiar with the issues surrounding implementation of the HIPAA privacy rule. Not all stakeholders that were chosen were interviewed, due to the time constraints of the project and stakeholders' non-compliance. Using a pre-determined script (Attachment I), developed by the research firm, NCQA and The Health Privacy Project at Georgetown University, a total of seven stakeholders were interviewed.

The results of the calls identified some main themes that were included in the generation of the final survey. The main themes are:

1. Training for HIPAA will be costly and time consuming;
2. California state law already has strict regulations regarding privacy, so that HIPAA will not drastically change most of the processes;
3. Lack of industry knowledge surrounding technology and its capabilities;
4. Specific requirements (i.e., consent, minimum necessary, business associate, research) could use clarification.

Detailed Summary of Results

Potential Implementation Issue

General - Do you think guidance or modifications are needed with regards to HIPAA? Is guidance/modification really the issue with HIPAA? If yes, where in the HIPAA regulations do you think more guidance should be given? If not, what is/are the issue(s)?

Cost - What do you think the cost of implementing the HIPAA regulations will be for your organization? Will there be offsetting financial benefits of implementing other sections of HIPAA, such as the transactions and code sets?

Stakeholder Answers

Accounting of disclosures. Yes, the privacy rule within larger organizations will be onerous. The solo/small group offices will be affected the most. California state requirements already have legal implications for security breaches. At a minimum, the DHHS should clarify the regulations. The savings are real, but distant. We will not benefit for a couple of years and there will be an ongoing expense associated with this. State law is already so strict, the cost of this implementation should not be prohibitive. Anticipate that it will cost $1,000 - $2,000 per doctor to train. Do not see any cost off-set by the transaction and code set regulation, since they are already submitting electronically.

People - What staffing changes do you anticipate having to make to meet the policy requirements by the deadline and then complying with the regulations after the deadline?

PMOs have already been established to distribute responsibility. Organizations may have trouble dedicating people to regulate HIPAA compliance. The Chief Medical Officer has the lead on HIPAA implementation.

California HIPAA Privacy Implementation Survey/California HealthCare Foundation 2

Potential Implementation Issue

Process - Do you think you will need to change the processes within your organization (i.e., the way information travels, employee behavior) in order to comply with HIPAA? Why? Is one of the issues time? What are the other process issues? Do you envision any difficulties doing this?

Training - Do you think that you will be able to effectively train all of your employees on the regulations? Do you envision any difficulties doing this?

Technology - Do the regulations provide adequate guidelines for information technology developers? Can the regulations, such as confidential communications, be implemented with available tools and technologies? Do the regulations support current efforts to automate processes and transactions, e.g., electronic signatures on consent forms?

Consent - Are the regulation's current consent requirements workable? What are some of the specific issues/barriers/problems you see with the consent requirements? Do you think that the consent requirements may limit the flow of information needed to assess health care quality?

Stakeholder Answers

For small offices, the doctor will become the privacy official. The Medical Director is taking the lead with at least another FTE and additional data systems staff. California already has strict privacy laws. Most organizations are already in compliance. It is always difficult to change people's behavior. There is a tough state law, so everybody is meeting the requirements already. Have already been doing so much to plan ahead. Thought about manpower, resources, re-evaluating all past policies and procedures. Doctor's offices will have a problem writing/maintaining all of the policies needed for HIPAA. This will be a resource issue. It may be smart to piggy back this type of training off of Sexual Harassment training. The small offices will be looking to the professional organizations to guide them. Already planning the training but this is a large undertaking. Training center accommodates five at a time and there are over 300 doctors in the group.

[HIPAA] Regulations will be a reason to delay moving towards technology. The regulations will make technology development less problematic. Believe that current technology can support confidential communications. There is an internet barrier. People think that everything on the internet is wide-open. [They think that] will not be able to use the internet anymore. Doctors do not have internet security. No upgrades or system changes have to be made.

The current consent requirements are workable. That is a good question. It will be interesting to see what people say. Yes, consent requirements may limit the flow of information needed to assess health care quality. The new [Consent] requirements will create confusion for doctors uncertain as to what is required and how you will know if you are in compliance. In time, [Consent] will be workable.

Potential Implementation Issue

Minimum Necessary - Does the minimum necessary rule achieve its intended purpose? Are there unintended consequences? What are they? Do you think Minimum Necessary may limit the flow of information needed to deliver, pay for, and assess health care quality?

Research - Does the regulation adequately distinguish research and health care operations? Are the guidelines clear for what process providers should follow when determining whether they can or cannot participate in quality measurement activities under HIPAA? Does the rule create significant barriers to researcher access to patient data, or does the rule impose needed procedural safeguards?

Stakeholder Answers

This will be a nightmare for referring physicians. It's onerous and I do not see the point. The unintended consequence is that this will drive up cost of compliance. It is too reliant on personal judgment. Creates tendency to develop overkill and can create unnecessary complexity. This is the easiest part of it. Doctors already do this. Now, it is a documentation process but it won't hurt much.

My concern is that research will be cut off. This will thwart clinical research. Local doctors will not participate in studies, like breast cancer studies. Regulations must be simplified and made more logical. Don't deal much with research but it will be increasingly difficult to enroll patients in disease management programs. It is not so good now but HIPAA will make things worse.

Additional Comments:

Fear that health plans will no longer contract with disease management organizations because they will think that transmitting PHI will be breaking the law. More education is needed on consent and disease management entities need to be defined under HIPAA. Transaction rule is the best aspect of HIPAA. HIPAA is more of an administrative exercise than an exercise of value. The strategy should be made simpler.

Please rank the top barriers of implementation:

Minimum Necessary; Business Associates; Intersect between state and federal regulations.
Perception that you will be unable to use the internet; Research; Training; Compliance / Quality Assurance; Doctor education around the issues.
Policy and procedure development; Resource use and cost.
Design of office plan; Training requirements; Was not a collaborative approach between legislation and delivery system.
Information exchange between doctors, patients and research; Technology; Training; Quality Assurance; Implementation of the rest of the regulations.

Stakeholder Interview Script

Preliminary Stakeholder Interviews
Draft Agenda
Date:
Time:

Our firm was hired by the National Committee for Quality Assurance (NCQA) in order to assist in the development and execution of a survey for the California HealthCare Foundation. The survey's goal is to identify actual and perceived barriers to the implementation of the HIPAA privacy regulation. The president of the NCQA, and the project director of the Georgetown University Health Privacy Project, have identified you as an individual who might be able to give us some insight into the actual and perceived barriers so that we can develop a focused survey. We are looking to you to help identify key survey topics and also assist in identifying potential survey respondents. Your participation will be kept confidential and only those participating in the development of the survey will have access to your responses.

I know that this is a busy time of the year, so I would like to thank you in advance for your time. I anticipate that this interview will take between 30 and 40 minutes. The meeting agenda will be as follows:

Background / Roles
Key Issues surrounding HIPAA
Survey Respondent Identification
Wrap-Up

Background / Roles

We were chosen to aid the NCQA in developing a survey that would identify areas of the HIPAA privacy regulation where guidance or modifications may be needed to clarify and interpret sections of the rule. The results of this survey will be shared with the Department of Health and Human Services in order to help them understand any issues identified. The survey will be a telephone survey that will take under an hour and consist of 20 to 25 closed-ended questions with one or two open-ended questions. The survey respondents will be healthcare entities of various types that operate (in some fashion) in the state of California.

Our next step will be to ask you some open-ended questions to get some of your thoughts with regard to HIPAA. Please excuse me if there are pauses after you respond to our questions, as I will be attempting to take detailed notes.

Key Issues surrounding HIPAA

Do you think guidance or modifications are needed with regards to HIPAA? Is guidance/modification really the issue with HIPAA? If yes, where in the HIPAA regulations do you think more guidance should be given? If not, what is/are the issue(s)?

The following issues are those that the development team thinks may be perceived as barriers to HIPAA implementation: Cost, People, Process Redesign, Training, Technology Constraints, Unclear Regulations. As we review these, please provide feedback as to whether you think that these may also be real barriers to the healthcare community:

Cost - What do you think the cost of implementing the HIPAA regulations will be for your organization? Will there be offsetting financial benefits of implementing other sections of HIPAA, such as the transactions and code sets?

People - What staffing changes do you anticipate having to make to meet the policy requirements by the deadline and then complying with the regulations after the deadline?

Process - Do you think you will need to change the processes within your organization (i.e., the way information travels, employee behavior) in order to comply with HIPAA? Why? Is one of the issues time? What are the other process issues? Do you envision any difficulties doing this?

Training - Do you think that you will be able to effectively train all of your employees on the regulations? Do you envision any difficulties doing this?

Technology - Do the regulations provide adequate guidelines for information technology developers? Can the regulations, such as confidential communications, be implemented with available tools and technologies? Do the regulations support current efforts to automate processes and transactions, e.g., electronic signatures on consent forms?

Unclear Regulations - CHCF has identified the following three categories as key issues where the language may need clarification within the HIPAA regulation. Please provide feedback as to whether you also think that these topics may need some clarification or modification:

Consent - Are the regulation's current consent requirements workable? What are some of the specific issues/barriers/problems you see with the consent requirements? Do you think that the consent requirements may limit the flow of information needed to assess health care quality?

Minimum Necessary - Does the minimum necessary rule achieve its intended purpose? Are there unintended consequences? What are they? Do you think Minimum Necessary may limit the flow of information needed to deliver, pay for, and assess health care quality?

Research - Does the regulation adequately distinguish research and health care operations? Are the guidelines clear for what process providers should follow when determining whether they can or cannot participate in quality measurement activities under HIPAA? Does the rule create significant barriers to researcher access to patient data, or does the rule impose needed procedural safeguards?

Of the barriers / key issues identified above, what do you think are the most significant? Please rank the top five.

Respondent Identification

Our goal is to survey between 75 and 100 healthcare organizations. We are limiting our survey to respondents representing hospitals, health plans, physician organizations, disease management companies, and researchers. After having spoken with us to gain an understanding of the survey objective, who do you feel would be appropriate to respond to the survey?

One of the most challenging parts of this survey is to identify the correct person to respond within an organization. Identifying the correct individual would help us get more meaningful data; therefore, as much detail on the respondents as you can give us would be appreciated (i.e., name, title, telephone number).

Wrap-Up

I would like to thank you for taking the time to help us develop our survey topics and questions. The information that you have provided us is central in helping us to achieve our goal. Once we have finished conducting our survey, NCQA will compile and analyze the information and send it to the California HealthCare Foundation for their publication. Once again, I would like to assure you that your responses will not be tied to you or your organization in the final survey results. If you think of additional information after the call that may be useful to us, please feel free to call me at.

California HIPAA Privacy Implementation Survey: Appendix B. Questionnaire
Prepared for the California HealthCare Foundation
Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project
April 2002

Appendix B. California HIPAA Implementation Survey Questionnaire

Hello, my name is. Our research group was hired by the National Committee for Quality Assurance (NCQA) and the Georgetown University Health Privacy Project to conduct a survey for the California HealthCare Foundation. The survey's goal is to obtain feedback on the impact of the HIPAA privacy regulation on your organization. Once we have finished conducting the survey, NCQA and Georgetown University Health Privacy Project will compile and analyze the results and prepare a report for publication by the California HealthCare Foundation. The results of this survey will be shared with the Department of Health and Human Services. In addition, as a participant in this survey, you will receive a copy of the final report.

You have been identified as the individual within your organization who will be able to answer the survey questions on behalf of your organization. Your responses will be kept confidential. Only those administering the survey will have access to your responses. There will be a total of 20 closed-ended and 9 open-ended questions. I anticipate that this interview will take between 30 and 40 minutes, so thank you in advance for your time.

What questions do you have at this time? These questions are scripted, so if at any time you need me to repeat a question or answer, please feel free to interrupt. Also, please excuse any pauses, as I will be taking detailed notes during this survey.

First, I would like to verify some demographic information. Please remember that your name will be kept confidential and your organization will not be publicly associated with its specific responses.

Background

Participant:
  Name:
  Position:
  Phone #:

Name of Facility/Organization:

Type of Facility/Organization:
  Hospital: Rural, Community, Academic
    Size: < 50 bed, 50-99, 100-299, > 300
  Physician: Single Specialty, Multi-specialty
    Size: < 30, 31-100, > 100
  Payor: Type: Commercial, Medicaid, Medicare (Check all that apply)
  Researcher
  Disease Management

Address of Facility/Organization
  Street 1:
  Street 2:
  City:
  State:
  Zip:

Questions

1. On a scale of 1-5, with 1 being Low and 5 being High, how would you rate your overall knowledge of the HIPAA privacy regulation?

   1 = Low (only cursory awareness)
   2 =
   3 = Medium - Have attended a HIPAA awareness seminar
   4 =
   5 = High - Have read the HIPAA Regulations and Notice of Proposed Rule Making and attended training

   1  2  3  4  5

2. On a scale of 1-5, with 1 being least workable and 5 being most workable, how do you view the workability of the HIPAA Privacy Regulation's current consent requirements?

   1 = Consent requirements are not workable
   2 =
   3 = Consent requirements are somewhat workable
   4 =
   5 = Consent requirements are very workable

   1  2  3  4  5  Don't Know

3. On a scale of 1-5, with 1 being "will greatly limit" and 5 being "will greatly enhance," how do you think the consent requirements will affect the flow of information needed to assess health care quality?

   1 = Consent requirements will greatly limit the flow of information
   2 = Consent requirements will somewhat limit the flow of information
   3 = Consent requirements will have no effect on the flow of information
   4 = Consent requirements will somewhat enhance the flow of information
   5 = Consent requirements will greatly enhance the flow of information

   1  2  3  4  5  Don't Know

3a. (If answered 1 or 2 to question 3) In what way do you think that the consent requirement will limit the flow of information?

4. What do you deem useful and what are your concerns with the consent requirements?

5. On a scale of 1-5, with 1 being least workable and 5 being most workable, how do you view the workability of the HIPAA Privacy Regulation's current Minimum Necessary requirements?

   1 = Minimum Necessary requirements are not workable
   2 =
   3 = Minimum Necessary requirements are somewhat workable
   4 =
   5 = Minimum Necessary requirements are very workable

   1  2  3  4  5  Don't Know

6. This will be a three-part question. On a scale of 1-5, with 1 being "will greatly limit" and 5 being "will greatly enhance," how do you think the Minimum Necessary rule will affect the flow of information needed for each of the following: delivery, payment, and assessment of health care quality? Please use these choices for each of the following categories: delivery, payment and assessment.

   1 = Minimum Necessary will greatly limit the flow of information
   2 = Minimum Necessary will somewhat limit the flow of information
   3 = Minimum Necessary will have no effect on the flow of information
   4 = Minimum Necessary will somewhat enhance the flow of information
   5 = Minimum Necessary will greatly enhance the flow of information

                 1  2  3  4  5  Don't Know
   Delivery
   Payment
   Assessment

7. On a scale of 1-5, with 1 being No Impact and 5 being Significant Impact, to what degree will the regulations have an impact on whether or not providers can or cannot participate in quality measurement activities under HIPAA?

   1 = No impact
   2 =
   3 = Minimal impact
   4 =
   5 = Significant impact

   1  2  3  4  5  Don't Know

8. This will be a three-part question. Do you believe that the regulations clearly define who your business associates are, what their responsibilities are and what provisions need to be included in the agreement?

                          Yes  No  Don't Know
   Business Associates
   Responsibilities
   Agreement Provisions

8a. (If No to any part of question 8) Where do additional clarifications or modifications need to be given?

9. On a scale of 1-5, with 1 being small and 5 being large, what is the magnitude of the burden of implementing the Business Associate Agreement in terms of cost and time?

   1 = Small burden
   2 =
   3 = Burden is neither small nor large
   4 =
   5 = Large burden

           1  2  3  4  5  Don't Know
   Cost
   Time

10. On a scale of 1-5, with 1 being regulations are unclear and 5 being regulations are very clear, does the regulation adequately distinguish between research and health care operations?

   1 = The regulations are unclear between research and operations
   2 =
   3 = The regulations are neither clear nor unclear
   4 =
   5 = The regulations are clear between research and operations

   1  2  3  4  5  Don't Know

10a. (If answered 1 or 2 to question 10) Where do additional clarifications or modifications need to be given?

11. Are there additional areas in the HIPAA Privacy Regulation where you would like to see the Department of Health and Human Services provide additional clarification and/or modification?

   Yes  No  Don't Know

11a. (If Yes to question 11) Which component(s) of the Privacy Regulation would you like to see the Department of Health and Human Services provide additional clarification and/or modification?

12. Has your organization developed a strategy for HIPAA Privacy Regulation compliance?

   Yes  No  Don't Know

13. We are now ten months into a two-year compliance period. Which of the following has your organization completed toward the implementation of the HIPAA Privacy Regulation? (Check all that apply)

                                                  Yes  No  Don't Know
   Developed a strategic plan
   Conducted Gap Assessment
   Developed Readiness Initiatives
   Completed Implementing Readiness Initiatives

14. Has your organization designated a Privacy Official as defined by HIPAA?

   Yes  No  Don't Know

14a. (If Yes to question 14) Has the Privacy Official identified the resources (people) within your organization that are needed to ready your organization for HIPAA compliance?

   Yes  No  Don't Know

15. Which department in your organization has the lead on the HIPAA privacy implementation?

   1 = Medical Records
   2 = Information Technology
   3 = Legal
   4 = Operations
   5 = Other, please specify:

   1  2  3  4  5  Don't Know

16. If and when do you anticipate the cost to comply with the Privacy regulations will be offset by the savings expected by implementing other components of the regulations (e.g., the Transaction and Code Set regulations)? (Check all that apply).

   Short Term (<1 year)
   Medium Term (3-5 years)
   Long Term (5+ years)
   No Savings
   Don't Know

17. Which of the following describes your organization's progress in regards to the budgeting and funding of your HIPAA efforts? (Check the option that most applies to your organization).

   Not Budgeted
   Budgeted, but not yet funded
   Partially funded (e.g., cost to upgrade system and develop consent form, privacy notice and disclosure form)
   Fully Funded
   Not developing a HIPAA specific budget (e.g., will be included in individual department's budget)
   Don't Know

18. In which departments or areas of your organization will implementation of the HIPAA Privacy Regulation be most costly? Please provide the top three in descending order, highest to lowest.
1. Area:
2. Area:
3. Area:

19. How does your organization plan to monitor compliance after the HIPAA Privacy regulation is in effect?

20. Have you identified those state laws that are preempted by and are not preempted by the HIPAA Privacy Regulation?
Yes / No / Don't Know
Preempt
Do Not Preempt

20a. (If Yes to question 20) How are you analyzing and tracking state privacy law's interplay with HIPAA?

20b. (If No to question 20) How are you planning to analyze and track state privacy laws' interplay with HIPAA?

21. On a scale of 1-5, with 1 being no guidelines and 5 being extensive guidelines, to what extent do the HIPAA Privacy regulations provide guidelines for information technology developers?
1 = No guidelines
2 = Few guidelines
3 = Adequate guidelines
4 = Several guidelines
5 = Extensive guidelines
1 / 2 / 3 / 4 / 5 / Don't Know

22. Can the following requirements be implemented with available tools and technologies?
Yes / Partially / No / Don't Know
Tracking Consent
Revocations of Consent
Limitations on Consent
Accounting of Disclosure

23. What are the greatest benefits and/or challenges for your organization relating to the implementation of the HIPAA Privacy Regulation?

This concludes the survey. Thank you for taking the time to participate. Once again, I would like to assure you that your responses will not be tied to you or your organization in the final survey results. Thank you. Have a good day.

California HIPAA Privacy Implementation Survey: Appendix C. Survey Protocol Outcomes
Prepared for the California HealthCare Foundation
Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project
April 2002

Appendix C: Survey Protocol Outcomes

1) Response Rates Overall and by Group

There were 420 organizations identified for the survey, out of which 416 were still in business at the time of the survey. These organizations were classified as Hospitals, Physician Groups, Payors, and Others (Disease Management Organizations, Researchers, and Other organizations believed to be impacted by HIPAA regulations). One hundred surveys out of the 416 were completed, yielding an overall response rate of 24% for the survey. The highest response rate by group was 70%, among respondents representing Payors (26 completed out of 37 attempted). Respondents representing Others had the second highest response rate at 32% (26 completed out of 81 attempted). Only 22% (29 out of 131 attempted) of the Hospitals in our sample completed the survey, and only 11% (19 out of 167 attempted) of Physician Groups in our sample completed the survey.

2) Reasons given by Non-Respondents

Of non-respondents that could be reached, many provided reasons for not participating in the survey when asked. Twenty-four respondents stated that they did not believe their organization would be impacted by HIPAA regulations. Fifty percent of these responses were from Physician Group non-respondents, and 47% of these responses were from Disease Management organization non-respondents. Other common reasons given for non-participation were no time to do the survey or that the respondent doesn't do surveys.

3) Characteristics of Respondents Overall and by Group

Despite the low response rates among Hospital respondents in this study, surveys completed by respondents representing Hospitals still constitute 29% of the total number of completed surveys, followed by Payors and Others (each 26% of total). Physician Groups constituted 19% of the total number of completed surveys.

Hospitals represented in the sample tended to be large community hospitals. Of the 29 Hospitals, 18 (63%) were Community hospitals, 8 (27%) were Academic hospitals, and 3 (10%) were rural hospitals. Sixty-three percent of the Hospital respondents represented hospitals with 300 or more beds, 27% were from hospitals with 100 to 299 beds, 7% were from hospitals with 50 to 99 beds, and 3% were from hospitals with less than 50 beds.

Physician Groups represented in the sample tended to be mostly multiple specialty groups with more than 100 physicians. Multiple specialty physician groups comprise 84% of Physician Group responses, while single specialty groups comprise 16% of Physician Group responses. 74% of Physician Group responses were from groups with a size greater than 100; 10% were from groups of 31 to 100 in size, and 16% of physician responses were from groups with less than 30 physicians.

Fifty percent of Payors were either partially or exclusively Medicaid Payors, while 46% were either Commercial or Commercial and Medicare.

Fifty percent of Other respondents represented Disease Management Organizations, and 46% were from Other organizations. Only 1 respondent was classified as Researcher. Twelve respondents classified as Other represented organizations such as: clearinghouses, corporate offices for a system of hospitals, employee benefit consulting firms, behavioral health care organizations, medical groups/medical management groups, and online companies.

California HIPAA Privacy Implementation Survey: Appendix D. Pie Charts
Prepared for the California HealthCare Foundation
Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project
April 2002

Appendix D. Pie charts with percentages of total valid responses for each closed-ended question

1. On a scale of 1-5, with 1 being Low and 5 being High, how would you rate your overall knowledge of the HIPAA privacy regulation?

Total Response Percentage - By Response: 1-Low: 1%; 2: 3%; 3-Medium: 21%; 4: 38%; 5-High: 37%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 0% | 0% | 10% | 34% | 55% |
| Physician Group | 5% | 5% | 26% | 42% | 21% |
| Payor | 0% | 8% | 35% | 31% | 27% |
| Other | 0% | 0% | 15% | 46% | 38% |

2. On a scale of 1-5, with 1 being least workable and 5 being most workable, how do you view the workability of the HIPAA Privacy Regulation's current consent requirements?

Total Response Percentage - By Response: 1-Low: 7%; 2: 13%; 3-Medium: 51%; 4: 19%; 5-High: 10%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 3% | 7% | 66% | 14% | 10% |
| Physician Group | 5% | 16% | 58% | 21% | 0% |
| Payor | 12% | 20% | 36% | 16% | 16% |
| Other | 8% | 12% | 42% | 27% | 12% |

3. On a scale of 1-5, with 1 being will greatly limit and 5 being will greatly enhance, how do you think the consent requirements will affect the flow of information needed to assess health care quality?

Total Response Percentage - By Response: 1-Low: 7%; 2: 51%; 3-Medium: 32%; 4: 9%; 5-High: 1%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 61% | 18% | 18% | 0% |
| Physician Group | 5% | 42% | 42% | 5% | 5% |
| Payor | 4% | 48% | 44% | 4% | 0% |
| Other | 15% | 50% | 27% | 8% | 0% |

5. On a scale of 1-5, with 1 being least workable and 5 being most workable, how do you view the workability of the HIPAA Privacy Regulation's current Minimum Necessary requirements?

Total Response Percentage - By Response: 1-Low: 4%; 2: 15%; 3-Medium: 58%; 4: 18%; 5-High: 5%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 14% | 57% | 18% | 7% |
| Physician Group | 5% | 11% | 68% | 11% | 5% |
| Payor | 0% | 22% | 52% | 22% | 4% |
| Other | 8% | 13% | 54% | 21% | 4% |

6. This will be a three-part question. On a scale of 1-5, with 1 being will greatly limit and 5 being will greatly enhance, how do you think the Minimum Necessary rule will affect the flow of information needed for each of the following: delivery, payment, and assessment of health care quality?

Delivery

Total Response Percentage - By Response: 1-Low: 4%; 2: 41%; 3-Medium: 45%; 4: 9%; 5-High: 1%

6. Payment

Total Response Percentage - By Response: 1-Low: 4%; 2: 35%; 3-Medium: 45%; 4: 12%; 5-High: 4%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 19% | 59% | 15% | 4% |
| Physician Group | 0% | 56% | 33% | 6% | 6% |
| Payor | 0% | 58% | 25% | 13% | 4% |
| Other | 14% | 10% | 57% | 14% | 5% |

6. Assessment

Total Response Percentage - By Response: 1-Low: 9%; 2: 48%; 3-Medium: 35%; 4: 6%; 5-High: 2%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 36% | 48% | 12% | 0% |
| Physician Group | 6% | 61% | 22% | 0% | 11% |
| Payor | 9% | 50% | 32% | 9% | 0% |
| Other | 17% | 48% | 35% | 0% | 0% |

7. On a scale of 1-5, with 1 being No Impact and 5 being Significant Impact, to what degree will the regulations have an impact on whether or not providers can or cannot participate in quality measurement activities under HIPAA?

Total Response Percentage - By Response: 1-Low: 29%; 2: 22%; 3-Medium: 26%; 4: 15%; 5-High: 8%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 50% | 15% | 27% | 8% | 0% |
| Physician Group | 18% | 18% | 29% | 29% | 6% |
| Payor | 14% | 33% | 29% | 10% | 14% |
| Other | 26% | 22% | 22% | 17% | 13% |

8. This will be a three-part question. Do you believe that the regulations clearly define who your business associates are, what their responsibilities are and what provisions need to be included in the agreement?

Business Associates

Total Response Percentage - By Response: 1-Yes: 65%; 2-No: 35%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 69% | 31% |
| Physician Group | 81% | 19% |
| Payor | 50% | 50% |
| Other | 64% | 36% |

8. Responsibilities

Total Response Percentage - By Percentage: 1-Yes: 63%; 2-No: 37%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 72% | 28% |
| Physician Group | 78% | 22% |
| Payor | 44% | 56% |
| Other | 60% | 40% |

8. Agreement Provisions

Total Response Percentage - By Response: 1-Yes: 62%; 2-No: 38%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 74% | 26% |
| Physician Group | 71% | 29% |
| Payor | 50% | 50% |
| Other | 54% | 46% |

9. On a scale of 1-5, with 1 being small and 5 being large, what is the magnitude of the burden of implementing the Business Associate Agreement in terms of cost and time?

Cost

Total Response Percentage - By Response: 1-Low: 7%; 2: 7%; 3-Medium: 32%; 4: 28%; 5-High: 25%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 7% | 30% | 30% | 30% |
| Physician Group | 5% | 0% | 26% | 42% | 26% |
| Payor | 12% | 4% | 32% | 20% | 32% |
| Other | 8% | 17% | 38% | 25% | 13% |

9. Time

Total Response Percentage - By Response: 1-Low: 6%; 2: 4%; 3-Medium: 18%; 4: 33%; 5-High: 39%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 4% | 7% | 30% | 56% |
| Physician Group | 5% | 0% | 11% | 26% | 58% |
| Payor | 8% | 0% | 28% | 32% | 32% |
| Other | 8% | 13% | 25% | 42% | 13% |

10. On a scale of 1-5, with 1 being regulations are unclear and 5 being regulations are very clear, does the regulation adequately distinguish between research and health care operations?

Total Response Percentage - By Response: 1-Low: 8%; 2: 10%; 3-Medium: 32%; 4: 33%; 5-High: 17%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 8% | 17% | 33% | 33% | 8% |
| Physician Group | 0% | 15% | 46% | 15% | 23% |
| Payor | 10% | 5% | 33% | 38% | 14% |
| Other | 10% | 5% | 20% | 40% | 25% |

11. Are there additional areas in the HIPAA Privacy Regulation where you would like to see the Department of Health and Human Services provide additional clarification and/or modification?

Total Response Percentage - By Response: 1-Yes: 78%; 2-No: 22%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 96% | 4% |
| Physician Group | 42% | 58% |
| Payor | 79% | 21% |
| Other | 76% | 24% |

12. Has your organization developed a strategy for HIPAA Privacy Regulation compliance?

Total Response Percentage - By Response: 1-Yes: 86%; 2-No: 14%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 93% | 7% |
| Physician | 78% | 22% |
| Payor | 77% | 23% |
| Other | 92% | 8% |

13. We are now ten months into a two-year compliance period. Which of the following has your organization completed toward the implementation of the HIPAA Privacy Regulation? (Check all that apply)

Developed a strategic plan

Total Response Percentage - By Response: 1-Yes: 81%; 2-No: 19%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 96% | 4% |
| Physician Group | 65% | 35% |
| Payor | 77% | 23% |
| Other | 80% | 20% |

13. Conducted Gap Assessment

Total Response Percentage - By Response: 1-Yes: 67%; 2-No: 33%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 75% | 25% |
| Physician Group | 53% | 47% |
| Payor | 69% | 31% |
| Other | 65% | 35% |

13. Developed Readiness Initiatives

Total Response Percentage - By Response: 1-Yes: 52%; 2-No: 48%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 67% | 33% |
| Physician Group | 35% | 65% |
| Payor | 48% | 52% |
| Other | 52% | 48% |

13. Completed Implementing Readiness Initiatives

Total Response Percentage - By Response: 1-Yes: 12%; 2-No: 83%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 4% | 96% |
| Physician Group | 12% | 88% |
| Payor | 8% | 92% |
| Other | 24% | 76% |

14. Has your organization designated a Privacy Official as defined by HIPAA?

Total Response Percentage - By Response: 1-Yes: 77%; 2-No: 23%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 76% | 24% |
| Physician Group | 65% | 35% |
| Payor | 75% | 25% |

14a. (If Yes to question 14) Has the Privacy Official identified the resources (people) within your organization that are needed to ready your organization for HIPAA compliance?

Total Response Percentage - By Response: 1-Yes: 87%; 2-No: 13%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 100% | 0% |
| Physician Group | 75% | 25% |
| Payor | 79% | 21% |
| Other | 86% | 14% |

15. Which department in your organization has the lead on the HIPAA privacy implementation?

Total Response Percentage - By Response: 1-Compliance: 27%; 2-Medical Records: 9%; 3-Information Technology: 13%; 4-Legal: 10%; 5-Operations: 13%; 6-Other: 28%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 | Response #6 |
|---|---|---|---|---|---|---|
| Hospital | 46% | 25% | 4% | 0% | 11% | 14% |
| Physician Group | 16% | 11% | 21% | 5% | 21% | 26% |
| Payor | 23% | 0% | 8% | 23% | 15% | 31% |
| Other | 16% | 0% | 24% | 12% | 8% | 40% |

16. If and when do you anticipate the cost to comply with the Privacy regulations will be offset by the savings expected by implementing other components of the regulations (e.g., the Transaction and Code Set regulations)? (Check all that apply)

Total Response Percentage - By Response: 1-Short Term: 4%; 2-Medium Term: 26%; 3-Long Term: 22%; 4-No Savings: 48%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 |
|---|---|---|---|---|
| Hospital | 11% | 26% | 37% | 26% |
| Physician Group | 6% | 25% | 6% | 63% |
| Payor | 0% | 31% | 23% | 46% |
| Other | 0% | 25% | 20% | 55% |

17. Which of the following describes your organization's progress in regards to the budgeting and funding of your HIPAA efforts? (Check the option that most applies to your organization)

Total Response Percentage - By Response: 1-Not Budgeted: 18%; 2-Budgeted Not Funded: 6%; 3-Partially Funded: 27%; 4-Fully Funded: 21%; 5-Not Developing: 28%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 17% | 14% | 24% | 24% | 21% |
| Physician Group | 42% | 11% | 21% | 5% | 21% |
| Payor | 4% | 0% | 42% | 29% | 25% |
| Other | 13% | 0% | 21% | 21% | 46% |

20. Have you identified those state laws that are preempted by and are not preempted by the HIPAA Privacy Regulation?

Preempt

Total Response Percentage - By Response: 1-Yes: 44%; 2-No: 56%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 52% | 48% |
| Physician Group | 38% | 62% |
| Payor | 42% | 58% |
| Other | 41% | 59% |

20. Do Not Preempt

Total Response Percentage - By Response: 1-Yes: 46%; 2-No: 54%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 56% | 44% |
| Physician Group | 38% | 62% |
| Payor | 43% | 57% |
| Other | 43% | 57% |

21. On a scale of 1-5, with 1 being no guidelines and 5 being extensive guidelines, to what extent do the HIPAA Privacy regulations provide guidelines for information technology developers?

Total Response Percentage - By Response: 1-No Guidelines: 13%; 2-Low Guidelines: 49%; 3-Guidelines: 29%; 4-High Guidelines: 9%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 |
|---|---|---|---|---|
| Hospital | 5% | 48% | 43% | 5% |
| Physician Group | 6% | 56% | 31% | 6% |
| Payor | 14% | 43% | 29% | 14% |
| Other | 23% | 55% | 14% | 9% |

22. Can the following requirements be implemented with available tools and technologies?

Tracking Consent

Total Response Percentage - By Response: 1-Yes: 53%; 2-Partial: 26%; 3-No: 21%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 |
|---|---|---|---|
| Hospital | 52% | 28% | 20% |
| Physician Group | 47% | 20% | 33% |
| Payor | 53% | 32% | 16% |
| Other | 61% | 22% | 17% |

22. Revocations of Consent

Total Response Percentage - By Response: 1-Yes: 45%; 2-Partially: 27%; 3-No: 28%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 |
|---|---|---|---|
| Hospital | 44% | 32% | 24% |
| Physician Group | 47% | 20% | 33% |
| Payor | 39% | 28% | 33% |
| Other | 50% | 25% | 25% |

22. Limitations of Consent

Total Response Percentage - By Response: 1-Yes: 37%; 2-Partially: 28%; 3-No: 35%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 |
|---|---|---|---|
| Hospital | 30% | 39% | 30% |
| Physician Group | 40% | 27% | 33% |
| Payor | 32% | 21% | 47% |
| Other | 45% | 23% | 32% |

22. Accounting of Disclosure

Total Response Percentage - By Response: 1-Yes: 43%; 2-Partially: 28%; 3-No: 29%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 |
|---|---|---|---|
| Hospital | 44% | 32% | 24% |
| Physician Group | 33% | 33% | 33% |
| Payor | 43% | 24% | 33% |
| Other | 48% | 24% | 29% |

California HIPAA Privacy Implementation Survey: Appendix E. Bar Charts
Prepared for the California HealthCare Foundation
Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project
April 2002

1. On a scale of 1-5, with 1 being Low and 5 being High, how would you rate your overall knowledge of the HIPAA privacy regulation?

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-5); series: Hospital, Physician, Payor, Other.]

2. On a scale of 1-5, with 1 being least workable and 5 being most workable, how do you view the workability of the HIPAA Privacy Regulation's current consent requirements?

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-5); series: Hospital, Physician, Payor, Other.]

3. On a scale of 1-5, with 1 being will greatly limit and 5 being will greatly enhance, how do you think the consent requirements will affect the flow of information needed to assess health care quality?

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-5); series: Hospital, Physician, Payor, Other.]

5. On a scale of 1-5, with 1 being least workable and 5 being most workable, how do you view the workability of the HIPAA Privacy Regulation's current Minimum Necessary requirements?

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-5); series: Hospital, Physician, Payor, Other.]

6. This will be a three-part question. On a scale of 1-5, with 1 being will greatly limit and 5 being will greatly enhance, how do you think the Minimum Necessary rule will affect the flow of information needed for each of the following: delivery, payment, and assessment of health care quality.

Delivery

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-5); series: Hospital, Physician, Payor, Other.]

6. Payment

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-5); series: Hospital, Physician, Payor, Other.]

6. Assessment

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-5); series: Hospital, Physician, Payor, Other.]

7. On a scale of 1-5, with 1 being No Impact and 5 being Significant Impact, to what degree will the regulations have an impact on whether or not providers can or cannot participate in quality measurement activities under HIPAA?

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-5); series: Hospital, Physician, Payor, Other.]

8. This will be a three-part question. Do you believe that the regulations clearly define who your business associates are, what their responsibilities are and what provisions need to be included in the agreement?

Business Associates

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-2); series: Hospital, Physician, Payor, Other.]

8. Responsibilities

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-2); series: Hospital, Physician, Payor, Other.]

8. Agreement Provisions

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-2); series: Hospital, Physician, Payor, Other.]

9. On a scale of 1-5, with 1 being small and 5 being large, what is the magnitude of the burden of implementing the Business Associate Agreement in terms of cost and time?

Cost

[Bar chart: Number of Responses by Category. Vertical axis: Number of Response; horizontal axis: Type of Response (1-5); series: Hospital, Physician, Payor, Other.]