California HIPAA Privacy Implementation Survey


California HIPAA Privacy Implementation Survey
Prepared for: California HealthCare Foundation
Prepared by: National Committee for Quality Assurance and Georgetown University Health Privacy Project
April 2002

Acknowledgments

The authors wish to thank the numerous California stakeholders who contributed their insights and time to this important project.

The National Committee for Quality Assurance (NCQA) is a private, not-for-profit organization dedicated to improving the quality of health care delivered to people everywhere. NCQA is best known for its efforts to set standards for the managed care industry, and is also active in other quality improvement and oversight initiatives at all levels of the health care system.

The Georgetown University Health Privacy Project (HPP) is dedicated to raising public awareness of the importance of ensuring health privacy in order to improve health care access and quality, both on an individual and a community level.

The California HealthCare Foundation (CHCF) is an independent philanthropy committed to improving California's health care delivery and financing systems. Our goal is to ensure that all Californians have access to affordable, quality health care. CHCF's work focuses on informing health policy decisions, advancing efficient business practices, improving the quality and efficiency of care delivery, and promoting informed health care and coverage decisions.

The iHealth Reports series focuses on emerging technology trends and applications and related policy and regulatory developments.

Additional copies of this report and other publications can be obtained online at www.chcf.org.

ISBN 1-929008-99-6
Copyright 2002 California HealthCare Foundation
476 Ninth Street, Oakland, CA 94607
Tel: 510.238.1040 Fax: 510.238.1388
www.chcf.org

California HIPAA Privacy Implementation Survey/California HealthCare Foundation 2

Background

The Health Insurance Portability and Accountability Act (HIPAA) Privacy Implementation Survey was undertaken by NCQA and the Health Privacy Project through a grant from the California HealthCare Foundation (CHCF). The survey sought to ascertain the real and perceived barriers to implementation of the Privacy Rule from the vantage point of health entities affected by the regulations. Specifically, the goals of the study as identified by CHCF were to:

- Identify and analyze key Privacy Rule implementation issues to educate and inform health entities affected by the regulation and to inform HHS and the policy process;
- Identify top-level, critical issues, challenges, misinterpretation, and barriers faced by health care entities as they prepare to implement the regulations, including barriers to the appropriate flow of patient data needed for core health care activities;
- Anticipate the impact on business operations of those entities; and
- Identify areas of the regulation where modifications, guidance, and/or clarifications from HHS are needed.

The National Committee for Quality Assurance spearheaded the management and administration of the survey effort. NCQA partnered with the Georgetown University Health Privacy Project to design and analyze the survey. The survey was conducted by an independent, professional survey organization identified through a competitive bid process. The survey firm helped with question development and refinement and with the development of the protocol for survey administration, and assisted in the analysis and interpretation of results.

Methodology

Study Design. The survey was conducted in two phases: stakeholder interviews and respondent surveys. The project was conducted on a very aggressive timeline: three and a half months from inception to finish, December 2001 to March 2002.
The timeline was aggressive so that HHS could use the survey results as it develops and finalizes modifications, guidelines, and clarifications to the Privacy Rule.

Description of the Study. In phase one of the survey process, stakeholders who represented national health care organizations and health care organizations in California were identified and interviewed to get their input on the survey scope and content. Potential respondents for the HIPAA privacy implementation survey were also identified during these interviews. Stakeholders were identified by NCQA and the Health Privacy Project and represented groups that were knowledgeable about the HIPAA Privacy Rule and the issues surrounding implementation. A list of nineteen stakeholders was identified, but only seven stakeholders were successfully contacted and interviewed due to the tight timeframe of the project. Interviews were conducted by telephone. (See Appendix J.)

Using information from the stakeholder interviews, a draft survey was prepared by the survey research firm and was reviewed and edited by NCQA and Health Privacy Project staff. A draft final survey was pre-tested, then revised again, before the final survey was completed.

Phase two of the survey process consisted of interviewing respondents who were doing business in California using the survey tool developed through the stakeholder interviews. The survey was intended to be a phone survey. As respondents were contacted to see if they wanted to participate, many requested that the survey be sent to them for review before they agreed to participate. Of these, about half returned the survey by fax or by mail already filled out. The remainder were called and interviewed by phone.

Sampling. Respondents were identified from four representative groups that are directly affected by the Privacy Rule implementation: Hospitals, Payors, Physician Groups, and Others (mainly business associates and researchers). [1] The 100 completed surveys represent 29 Hospitals, 19 Physician Groups, 26 Payors, and 26 Others (largely business associates and some researchers). [2]

Data Collection. [3] The survey tool consisted of twenty-three questions. [4] Ten of the twenty-three questions were open-ended, with verbatim responses recorded by the interview staff. The interview took 30 to 40 minutes on average to complete by phone. One hundred completed cases were collected over the course of six weeks.

Presentation of Results. Survey results were organized by topic areas as follows:

- Implementation Progress
- Workability of the Consent Requirements
- Flow of Information for Quality Assessment
- Implementing the Business Associate Requirements
- Preemption Issues
- Funding Issues
- Areas Suggested by Respondents for Modifications and/or Clarification
- Impact on Research

Aggregated results are first discussed as percentages of total respondents answering a question in particular ways. Question response categories are grouped to facilitate interpretation of results, and the groupings are described in the text. Responses of "don't know" are not counted toward the total valid responses for a question, and where the percentage of "don't know" responses for a question is large, it is mentioned in the discussion of the results. When results seem to vary by the type of organization the respondent is representing (Hospitals, Physician Groups, Payors, and Others), these differences by organization type are discussed in the survey results section.
Responses to open-ended questions are summarized into major themes for which rough percentages were calculated. These are discussed in the relevant topical sections, and whenever some organizations seemed more likely to mention certain themes than did others, this is noted in the results. Detailed results for total responses and responses by organization type for each open-ended question, and verbatim responses to open-ended questions by organization type, are available in the Appendices of this report.

[1] Potential respondents were identified through a variety of means. Stakeholder interviews identified some respondents, mostly in the Payor and Other categories. Hospitals were identified from a list of licensed hospitals in California published by the California Hospital Association. General care hospitals of varying size and location (rural, urban, and suburban) were chosen. A list of physician groups came from a grantee of the California HealthCare Foundation. NCQA supplied a list of disease management organizations to approach for the Other category.
[2] Four hundred and twenty organizations were approached about participating in the survey.
[3] The survey research firm trained three interviewers in the administration of the survey. They were charged with identifying potential respondents at targeted institutions. This identification took a lot of phone time by the interview staff. The interview staff were instructed to try to interview the person at the organization with the most knowledge about HIPAA compliance. Initially they contacted potential respondents to describe the survey and to get their consent to participate. Then they set up a time to interview them.
[4] Survey questionnaire is available at www.chcf.org.

Additional analyses were conducted for certain closed-ended questions believed to be influenced by overall level of knowledge about HIPAA (measured by Question 1), whether the Payor had a Medicaid product line, and whether organizations had developed a strategic plan for compliance, conducted a gap assessment, developed readiness initiatives, or completed readiness initiatives (measured by Question 13).

Questions regarding implementation and funding issues were stratified by Medicaid vs. non-Medicaid Payor types. Of the 26 surveyed respondents representing Payors, 12 (46%) had Medicaid products, while 14 respondents (54%) did not.

Questions regarding perceptions of the clarity and impact of various requirements were stratified by whether the respondent rated his/her level of knowledge regarding the HIPAA Privacy Rule as low to medium (1, 2, or 3 on a five-point scale) or high (4 or 5 on a five-point scale). Seventy-five of 100 total respondents surveyed (75%) rated themselves as having high knowledge of the HIPAA Privacy Rule, while 25 of 100 respondents (25%) rated themselves as having low to medium knowledge of the HIPAA Privacy Rule.

Additional stratification of results was performed on whether or not the organization the respondent represented had, at the time of the survey, 1) developed a strategic plan for implementation (Yes = 81%; No = 19%), 2) conducted a gap assessment (Yes = 67%; No = 33%), 3) started developing readiness initiatives (Yes = 52%; No = 48%), and 4) completed readiness initiatives (Yes = 12%; No = 88%). It was thought that some relationship may exist between how far along organizations are with regard to implementation, and issues related to funding and perceptions of the various requirements of the regulation.

Key findings for these groups are presented in the results for individual questions as organized by topic area. Tables of results for each of the groupings are included in Appendices to this report, which are available on the CHCF Web site at www.chcf.org.

Limitations of the Survey. [5] There are two survey limitations that warrant discussion. The first one relates to sampling.
While the organizations that took part in the survey are not a true random sample, they are fairly representative of entities impacted by the HIPAA Privacy Rule. In essence, this survey utilized a convenience sample. The second survey limitation is that the survey interviewed only entities operating in California. Survey results reflect the fact that these entities are operating in a state with strong privacy laws already in place. It can be argued that the survey respondents are more experienced in operationalizing privacy protections than most of the rest of the nation.

[5] Due to the small sample sizes and convenience sampling approach, this study should be considered exploratory in nature. Consequently, statistical tests of significance were not used.

Results

The survey identified the following key findings:

1. Planning is proceeding; implementation progress varies
2. The consent requirements are somewhat workable
3. Minimum necessary requirements are somewhat workable
4. Information needed for quality assessment thought to be limited by consent and minimum necessary requirements
5. The business associate requirements are viewed as burdensome
6. Resources are needed to assist preemption analysis
7. Compliance efforts are not fully funded
8. There is a general need for modifications and/or clarifications

1. Planning Is Proceeding; Implementation Progress Varies

With fourteen months until the implementation deadline of the HIPAA Privacy Rule, 81% of respondents have developed a strategic plan, 67% have indicated they have conducted a gap assessment, and 52% have started to develop and implement readiness initiatives. Twelve percent of respondents reported completion of their readiness initiatives. Hospitals are farther along in implementation than are all Others. Payors with a Medicaid product were less likely than Payors with commercial products to have developed a strategic plan (64% to 92%), conducted a gap assessment (50% to 92%), or developed a readiness initiative.

Question 1. When asked to rate their level of knowledge regarding the HIPAA Privacy Rule on a scale from 1 to 5, with 1 being only cursory awareness and 5 being a high level of knowledge, 75% of total respondents answering the question rated their knowledge as either a 4 or a 5 (Figure 1). However, Physician Groups and Payors were more likely than other types of respondents to rate their knowledge of the HIPAA Privacy Rule as being in the middle to low range.

Figure 1: Total responses to Question 1 (Overall knowledge of HIPAA Privacy Rule)
1-Low: 1%; 2: 3%; 3-Medium: 21%; 4: 38%; 5-High: 37%

Question 12. Overall, 86% of respondents reported that their organization has developed a strategy for compliance with the HIPAA Privacy Rule. Respondents representing Hospitals and Others (disease management organizations and researchers) were more likely to respond that their organization had developed a HIPAA compliance strategy (92 to 93%) than respondents representing Physician Groups or Payors (77 to 78%). The 26 Payors with a Medicaid product were less likely to have developed a HIPAA compliance strategy (64% vs. 92%).

Question 13. When asked about specific actions taken toward implementation of the HIPAA Privacy Rule, overall 81% of respondents indicated they had developed a strategic plan, 67% indicated they had conducted a gap assessment, 52% reported having started to develop and implement readiness initiatives, and only 12% indicated having completed implementing readiness initiatives. Physician Groups and Payors were less likely to report having taken these specific actions than the Hospitals and Others (see Table 1). This was also the case when comparing Payors with a Medicaid product to Commercial only or Commercial and Medicare Payors.

Table 1: Affirmative responses for Question 13 sub-parts, total sample and by organization type

| Question 13 sub-part | TOTAL | Hospitals | Phys. Grp | Payors | Others |
|---|---|---|---|---|---|
| Developed Strategic Plan | 81% | 96% | 65% | 77% | 80% |
| Conducted Gap Assessment | 67% | 75% | 53% | 69% | 65% |
| Developed Readiness Initiatives | 52% | 67% | 35% | 48% | 52% |
| Completed Readiness Initiatives | 12% | 4% | 12% | 8% | 24% |

Question 14. Seventy-seven percent of total respondents reported that their organizations had designated a privacy official as defined by HIPAA regulations. This number varied slightly by the type of organization represented. Slightly fewer Physician Groups (65%) had designated privacy officials, while a slightly larger proportion of Others (88%) had designated privacy officials. For Payors, disparities were seen between Medicaid and non-Medicaid representatives. Only 54% of Medicaid representatives reported that their organization had designated a privacy official, compared with 92% of non-Medicaid Payors.

Question 14A. Of organizations that had designated a privacy official, 87% reported that the privacy official had identified the necessary resources to prepare for HIPAA compliance within the organization. However, nearly a quarter of Physician Groups and Payors with designated privacy officials had not yet identified the resources within the organization that would be necessary to prepare the organization for HIPAA compliance. Again, for Payors, there were discrepancies between Medicaid and non-Medicaid Payors. Of Payors that had designated a privacy official, 92% of non-Medicaid Payors indicated that resources within the organization had been identified, compared with only 62.5% of Medicaid Payors.

Question 15. Respondents were asked to indicate which department in their organization was responsible for leading implementation of the HIPAA Privacy Rule. Twenty-five percent of respondents answering the question responded that they "Don't know" which department in their organization would have the responsibility for leading implementation. Among the respondents answering the question, most indicated that a compliance department would take the lead in implementation, but several other departments were chosen as well (see Figure 2).

Figure 2: Overall responses to Question 15 (department in the organization taking the lead on implementation)
1-Compliance: 27%; 2-Medical Records: 9%; 3-Information Technology: 13%; 4-Legal: 10%; 5-Operations: 13%; 6-Other: 28%

Question 19. When respondents were asked how their organizations planned to monitor compliance after the HIPAA Privacy Rule is in effect, the most common responses were:

- Privacy Officer/HIPAA Department/Compliance Officer
- Internal Audits
- Security Controls on Databases and Monitoring Activities
- Enhanced Record Keeping
- Education/Training
- Internal Committees

Question 23. When asked what were the greatest benefits and/or challenges for their organizations relating to implementation of the HIPAA Privacy Rule, the common themes regarding benefits were:

- Increased protection of patient interests and confidentiality (18%)
- Greater organizational awareness of patient privacy (14%)
- Standardization of code sets and uniformity across entities (9%)
- Standardization and increased security of electronic data (7%)
- No benefits (7%)

Hospitals were more likely to mention increased organizational awareness of patient interests and confidentiality, while Payors were more likely to mention standardization of code sets and uniformity across entities.

Commonly mentioned organizational challenges were:

- Implementation (25%)
- Staff education (24%)
- Cost (23%)
- Time (15%)
- Information technology (8%)

2. The Consent Requirements Are Somewhat Workable

Overall, 51% of total respondents felt that the consent requirements were somewhat workable. Twenty-nine percent felt they were either workable (19%) or very workable (10%), while 20% felt they were less than workable (13%) or not workable at all (7%). Hospitals, Others, and Physician Groups were more likely to feel the consent requirements were somewhat to very workable (90%, 81%, and 79%, respectively) than Payors (68%). Respondents who had developed/completed a readiness initiative, developed a strategic plan, or conducted a gap assessment were more likely than their counterparts to feel that the consent requirements were workable.

Many respondents expressed concern that the burden of implementing consent would take time and money away from patient care. Respondents also expressed concern that covered entities would err on the side of caution and refuse to release information for fear of violating HIPAA.

Question 2. Overall, 51% of total respondents felt that the consent requirements were somewhat workable (see Figure 3). Hospitals and Physician Groups were more likely to feel this way (76% and 79% respectively) than Payors and Others (68% and 62% respectively). Only 29% of total respondents felt that the workability of the consent requirements was high or very high. Payors and Others were more likely to feel this way (32% and 39%) than were Hospitals and Physician Groups (24% and 21%).

Figure 3: Overall responses to Question 2 (workability of consent requirements)
1-Low: 7%; 2: 13%; 3-Medium: 51%; 4: 19%; 5-High: 10%

Question 4. All respondents were asked to indicate what they deemed useful about the consent requirements, and what areas of the consent requirements caused them concern (N=90). Regarding aspects of the consent requirements that were useful, a number of respondents did not respond or did not know. Of those that did respond:

- 30% said that the requirements were useful in assuring patient rights
- 16% felt the requirements would provide national standards and increase consistency among providers
- 16% said that there was nothing useful about the requirements

Regarding areas of concern related to the consent requirements:

- 19% of respondents cited continuity of care
- 14% cited confusion about consent among patients, employees, and physicians
- 9% cited cost

Payors were more likely to cite confusion about consent as an area of concern.

Question 21. Respondents were asked to what extent they felt the HIPAA Privacy Rule provided guidelines for information technology developers. Twenty percent of respondents answered that they did not know to what extent the regulations provided guidelines to IT developers. Of those that did know, 52% of respondents said that the regulations offered few to no guidelines to IT developers, and only 29% of respondents said that the regulations offered adequate guidelines (see Figure 4). Seventy-eight percent of Others and 62% of Physician Groups felt there were few to no guidelines for IT developers. When examined by level of overall knowledge of HIPAA regulations, 66% of the high knowledge group felt the regulations provided few to no guidelines for IT developers, compared with 55% of the low to medium knowledge group. The percent of "Don't know" responses was 20% for both groups.

Figure 4: Overall responses to Question 21 (whether HIPAA provides clear guidelines to information technology developers)
1-No Guidelines: 13%; 2-Low Guidelines: 49%; 3-Guidelines: 29%; 4-High Guidelines: 9%

Question 22. Respondents were asked whether available tools and technologies could be used to implement four areas: 1) initial consent, 2) revocations of consent, 3) limitations on consent, and 4) accounting of disclosures. Results are summarized in Table 2. It should be noted that between 17 and 25% of respondents did not know how to respond and were excluded from the results. Implementing initial consent was thought to be the easiest, and tracking limitations on consent the most difficult.

Table 2: Valid responses for Question 22 sub-parts, total sample and by organization type

| Can existing technologies track the following areas: | Response | TOTAL | Hospital | Phys. Group | Payor | Other |
|---|---|---|---|---|---|---|
| A) Initial Consent? | Yes | 53% | 52% | 47% | 53% | 61% |
| | Partially | 26% | 28% | 20% | 32% | 22% |
| | No | 21% | 20% | 33% | 16% | 17% |
| B) Revocations of Consent? | Yes | 45% | 44% | 47% | 39% | 50% |
| | Partially | 27% | 32% | 20% | 28% | 25% |
| | No | 28% | 24% | 33% | 33% | 25% |
| C) Limitations on Consent? | Yes | 37% | 30% | 40% | 32% | 45% |
| | Partially | 28% | 39% | 27% | 21% | 23% |
| | No | 35% | 30% | 33% | 47% | 32% |
| D) Accounting of Disclosure? | Yes | 43% | 44% | 33% | 43% | 48% |
| | Partially | 28% | 32% | 33% | 24% | 24% |
| | No | 29% | 24% | 33% | 33% | 29% |

Physician Groups were more likely than Hospitals, Payors, and Others to feel that available technologies could not be used for tracking initial consent. Of those that did know, 53% of respondents felt that initial consent could definitely be tracked.

For revocations of consent, more than a quarter (28%) of respondents felt that they could not be tracked with available tools and technologies. However, 45% thought they could be tracked with available tools and technologies.

Overall, 37% of respondents thought that limitations on consent could be tracked, while 35% of respondents thought they could not be tracked with existing tools. Only 30% of Hospitals and 32% of Payors felt that limitations on consent could be tracked with existing tools.

Twenty-nine percent of respondents thought that accounting of disclosure could not be tracked with existing tools, while 43% thought that they could be tracked. "Don't know" responses accounted for 17% of respondents. Physician Groups (33%) and Payors (33%) were more likely to say that they could not be tracked.

3. Minimum Necessary Requirements Are Somewhat Workable

Overall, 58% of respondents felt that the minimum necessary requirements are somewhat workable (see Figure 5). Twenty-three percent felt they were workable (18%) or very workable (5%), while 19% felt they were either less than workable (15%) or not workable at all (4%). Hospitals and Physician Groups were slightly more likely to see the minimum necessary requirements as workable, with Payors and Others slightly less likely to see them as workable. As with the consent requirements, respondents who had developed a readiness initiative or strategic plan or had conducted a gap assessment were more likely than their counterparts to feel that the minimum necessary requirements were workable.

Figure 5: Overall responses to Question 5 (workability of minimum necessary requirements)
1-Low: 4%
2: 15%
3-Medium: 58%
4: 18%
5-High: 5%

| | Very Workable | 4 | Somewhat Workable | 2 | Not Workable |
|---|---|---|---|---|---|
| Hospitals | 7% | 18% | 57% | 14% | 4% |
| Physician Groups | 5% | 11% | 68% | 11% | 5% |
| Payors | 4% | 22% | 52% | 22% | 0% |
| Others | 4% | 21% | 54% | 13% | 8% |

Question 5. Overall, 77% of respondents felt that the minimum necessary requirements of the HIPAA Privacy Rule were not workable to only somewhat workable. Twenty-three percent of respondents felt that the consent requirements were moderately to very workable. Physician Groups were least likely to see the minimum necessary requirements as workable, with 84% responding with either 1, 2, or 3, and only 16% responding with 4 or 5. Results for this issue of workability of the minimum necessary requirements were not greatly influenced by overall knowledge level regarding HIPAA. However, respondents who had completed readiness initiatives were much more likely than those who had not completed readiness initiatives to feel that the minimum necessary requirements were only somewhat workable at best.

4. Information Needed for Quality Assessment Thought to Be Limited By The Consent and Minimum Necessary Requirements

When asked if they thought the consent requirements would enhance or limit the flow of information needed to assess health care quality, 58% of respondents thought that the consent requirements would somewhat limit (51%) or greatly limit (7%) the flow of information needed to assess quality of care. Thirty-two percent of respondents felt the consent requirements would have no effect on the flow of information, while 10% felt the consent requirements would enhance (9%) or greatly enhance (1%) the flow of information.

With respect to the minimum necessary requirements, the findings were less clear. While 45% of respondents thought this requirement would greatly limit or somewhat limit the flow of information needed to assess the quality of health care, another 45% thought that the minimum necessary requirements would have no impact. Ten percent of respondents thought the requirements would somewhat enhance (9%) or greatly enhance (1%) the flow of information. Physicians and Payors expressed similar concerns that the minimum necessary requirements would negatively affect the flow of information for payment, delivery, and assessment of care.

It appears that the belief that quality would be affected is related to the fact that the consent requirements in the final rule would not permit providers to share PHI with health plans for the plans' quality assurance activities. There was also generally a lack of clarity about the permissibility of disclosures for quality assessment purposes.

Impact of the Consent Requirements

Question 3. Overall, 58% of respondents felt that the consent requirements would somewhat or greatly limit the flow of information, while 32% felt the consent requirements would not affect flow of information. Sixty-four percent of Hospitals and 65% of Others felt that the consent requirements would somewhat or greatly limit the flow of information, while 42% of Physician Groups and 44% of Payors felt that the consent requirements would have no effect on the flow of information. When results for this question were stratified by overall knowledge of HIPAA, results were similar for the low to medium and high knowledge groups.

Question 3A. Those respondents who felt the consent requirements would somewhat or greatly impact the flow of information needed to assess health care quality were asked to indicate in what way the consent requirements would impact assessment of health care quality. There were 60 open-ended responses to this question:
- 30% of respondents answering the question felt that there would be process complications or additional burden associated with paperwork
- 17% felt there would be confusion over requirements
- 15% felt patient factors, such as revoking consent and continuity of care, would limit the flow of information
- 6% felt that there would be inadequate transfer/flow of information needed for patient assessment

Inadequate time was a common theme in the responses. Hospitals were more likely to cite process complications, paperwork burden, and patient factors as limiting the flow of information, while Payors tended to cite confusion over requirements as limiting the flow of information.

Impact of Minimum Necessary Requirements

Question 6. Respondents were asked how the minimum necessary rule would affect the flow of information needed to assess the following:
- Delivery of Care
- Payment

Table 3: Responses for Question 6 (minimum necessary requirements' effect on flow of information for delivery and payment)

| How will the minimum necessary rule affect the flow of information | TOTAL | Hospital | Physician Groups | Payors | Others |
|---|---|---|---|---|---|
| For Delivery of care | | | | | |
| 1 = will greatly limit | 4% | 0% | 6% | 0% | 12% |
| 2 = will somewhat limit | 41% | 30% | 50% | 48% | 40% |
| 3 = will have no effect | 45% | 52% | 39% | 39% | 48% |
| 4 = will somewhat enhance | 9% | 19% | 0% | 13% | 0% |
| 5 = will greatly enhance | 1% | 0% | 6% | 0% | 0% |
| For Payment | | | | | |
| 1 = will greatly limit | 4% | 4% | 0% | 0% | 14% |
| 2 = will somewhat limit | 35% | 19% | 56% | 58% | 10% |
| 3 = will have no effect | 45% | 59% | 33% | 25% | 57% |
| 4 = will somewhat enhance | 12% | 15% | 6% | 13% | 14% |
| 5 = will greatly enhance | 4% | 4% | 6% | 4% | 5% |

Overall, 45% of respondents felt that the flow of information for the delivery of care would be somewhat or greatly limited while 45% felt that the minimum necessary requirements would have no effect on the flow of information for delivery of care. Hospitals were more likely (52%) than other groups to think that the minimum necessary requirements would have no effect on the flow of information for delivery of care. There were no substantively meaningful differences by overall level of knowledge of the HIPAA regulations for this issue. Those who had conducted a gap assessment and those who had completed readiness initiatives were much more likely to feel that the minimum necessary requirements would limit the flow of information.

Respondents were less likely to feel that payment would be affected by the minimum necessary requirements. Overall, only 39% felt that the minimum necessary requirements would somewhat or greatly limit the flow of information for payment. Again, Hospitals were most likely among the four organization types to think that there would be no effect on the flow of information for payment (59%) while Physicians and Payors were most likely to answer that the flow of information would be somewhat to greatly limited. Slight differences were found when results for this issue were stratified by overall level of knowledge.

Respondents were also asked how the minimum necessary rule would affect the flow of information needed for the assessment of quality (see Table 4). Fifty-seven percent of the respondents who thought they knew the answer felt that the flow of information would be somewhat to greatly limited by the minimum necessary requirements, and only 35% felt that there would be no effect on the flow of information for assessment of quality. Hospitals were less likely than other groups (40%) to feel that the flow of information would be somewhat to greatly limited by the minimum necessary requirements, and were more likely than other groups (48%) to feel that there would be no effect on the flow of information for assessment of quality. There were only slight differences regarding this issue when results were stratified by overall knowledge level.

Table 4: Responses for Question 6 (minimum necessary requirements' effect on flow of information for assessment of quality)

| How will the minimum necessary rule affect the flow of information | TOTAL | Hospital | Physician Groups | Payors | Others |
|---|---|---|---|---|---|
| For Assessment of Quality | | | | | |
| 1 = will greatly limit | 9% | 4% | 6% | 9% | 17% |
| 2 = will somewhat limit | 48% | 36% | 61% | 50% | 48% |
| 3 = will have no effect | 35% | 48% | 22% | 32% | 35% |
| 4 = will somewhat enhance | 6% | 12% | 0% | 9% | 0% |
| 5 = will greatly enhance | 2% | 0% | 11% | 0% | 0% |

5. The Business Associate Requirements Are Burdensome

The time and cost associated with contracting with business associates was a significant issue for respondents. Seventy-two percent of respondents felt there would be a substantial to large time burden to implement the business associate requirements; more than half of respondents said the cost burden of implementing these requirements was substantial to large.

When asked if they believe that the regulations clearly define who constitutes a business associate, 65% of all respondents thought the regulations were clear. While 81% of Physician Groups thought the regulations were clear, only 50% of Payors agreed. While most respondents likely have existing contractual relations, the initial burden of recontracting is believed to be high. There is also disagreement and lack of understanding about the level of oversight and due diligence required by covered entities over their business associates.

Question 8. Respondents were asked whether the regulations clearly define the following areas:
- who is considered a business associate
- what are the responsibilities of the various parties
- what provisions need to be included in agreements with business associates

Overall, 65% of respondents felt the regulations clearly defined business associates, with Physician Groups being more likely to answer affirmatively (81%) than Hospitals, Payors, and Others. Only half of Payors felt their business associates were clearly defined by the regulations.
Sixty-three percent of respondents felt that the regulations clearly defined the responsibilities of parties. Hospitals and Physician Groups were more likely to answer affirmatively (72% and 78% respectively), while Payors were least likely to answer affirmatively. Only 44% of Payors felt that parties' responsibilities were clearly defined by the regulations.

Sixty-two percent of respondents felt that the regulations clearly defined what provisions needed to be included in agreements with business associates. Hospitals and Physician Groups were more likely to answer affirmatively (74% and 71% respectively), while only half of Payors felt the regulations clearly defined agreement provisions for business associates.

When responses were stratified by overall level of knowledge regarding HIPAA, 55% of the low to medium group and 67% of the high knowledge group felt that the regulations clearly defined who their business associates were; 41% of the low to medium knowledge group and 69% of the high knowledge group felt that responsibilities of parties were clearly defined; and 45% of the low to medium knowledge group and 67% of the high knowledge group felt that the regulations clearly defined agreement provisions. Thus, the high knowledge group was more likely to feel that the regulations clearly defined their business associates, responsibilities, and agreement provisions than the low to medium knowledge group. Finally, organizations that were much more likely to feel that the regulations clearly defined business associates and their responsibilities were those that had completed readiness initiatives or had conducted gap assessments.

Question 8A. Respondents who answered that the regulations did not clearly define any one of the three topics discussed above regarding business associates were asked what additional clarifications and modifications need to be given. Approximately 48 suggestions were obtained, out of which four commonly occurring themes emerged:
1) Greater clarification of who is and who is not a business associate, and what relationships and activities determine whether one is or is not a business associate (48%)
2) Roles, responsibilities of parties, and follow up actions (31%)
3) Clarification of Chain of Trust issues (6%)
4) Consent issues: who needs to obtain it, who can use it, how often it must be obtained (4%)

Question 9. Respondents were asked to estimate the magnitude of the burden of implementing the business associate contracts in terms of cost and time. More than half of the respondents (53%) felt that in terms of cost of implementation, the business associate requirements posed a substantial or a large burden (Figure 6). Hospitals and Physician Groups were more likely to associate a moderate to large cost burden with the business associate requirement (60% and 68% respectively) than Payors or Others.

Figure 6: Cost of business associates implementation
1-Low: 7%
2: 7%
3-Medium: 32%
4: 28%
5-High: 25%

In terms of a time burden associated with implementing the business associate requirements, 72% of overall respondents felt that there would be a substantial to large time burden (see Figure 7).
Eighty-six percent of Hospitals and Physician Groups felt that there would be a substantial to large burden compared with 64% of Payors and 55% of Others.

Figure 7: Time burden of implementing business associate requirements
1-Low: 6%
2: 4%
3-Medium: 18%
4: 33%
5-High: 39%

When this issue was further examined by overall knowledge of HIPAA, 48% of the low to medium knowledge group felt the cost burden of implementing the business associate requirements is moderate to large compared to 55% of the high knowledge group. Sixty-one percent of the low to medium knowledge group felt that the time burden of implementing the business associate requirement is moderate to large compared to 75% of the high knowledge group. Thus, the high knowledge group is more likely than the low to medium knowledge group to feel that both the cost and time burden will be moderate to large.

6. Resources Are Needed To Assist Preemption Analysis

Fourteen percent of respondents did not know whether they had conducted any preemption analysis. Of those who did know, more than half have not identified the laws in the states in which they do business that either are or are not preempted by HIPAA. When asked how they were planning to identify and track these laws, most respondents indicated that they hoped outside sources would develop and track preemption issues or that they were expending significant resources hiring outside legal assistance.

Question 20. Respondents were asked to identify whether they have identified state laws that are preempted by and are not preempted by HIPAA. Thirteen percent of respondents did not know whether they have identified state laws that are preempted by HIPAA, and 14% did not know whether they have identified state laws that are not preempted by HIPAA. Of those respondents that said they knew the answer, less than half (44%) of overall respondents reported that they have identified state laws that are preempted by HIPAA.
Hospitals were slightly more likely to have identified state law preemptions (52%) and Physician Groups were least likely to have identified state law preemptions (38%).

Likewise, of those respondents that said they knew the answer about state laws that are not preempted by HIPAA, less than half (46%) reported that they had identified state laws that are not preempted by HIPAA. Again, Hospitals were more likely (56%) to have identified state laws that are not preempted and Physician Groups were least likely to have done so (38%). When Medicaid and non-Medicaid Payors were separated, while 50% of non-Medicaid Payors reported identifying preemptions and 55% reported identified non-preemptions, only 33% of Medicaid plans had identified preemptions and non-preemptions.

Whether or not respondents had identified state laws that are preempted by and are not preempted by HIPAA varied greatly with level of overall knowledge of HIPAA. Fifty-four percent of high knowledge respondents had identified state laws that preempt and 56% had identified state laws that do not preempt compared with 15% and 20% of the low to medium knowledge group. Don't know responses constituted 11 to 12.5% of the high knowledge responses, and 20% of the low knowledge responses.

Question 20A. Respondents who had identified preemptions and non-preemptions were asked how they were analyzing and tracking state privacy laws' interplay with HIPAA. Common themes among the 42 responses were:
- Internal legal departments/compliance departments/privacy officers (29%)
- External legal counsel/consultants (24%)
- Professional and industry organizations and associations (29%)

Hospitals were more likely to rely on internal legal and compliance departments and professional/industry associations, while Payors were likely to rely on all three means. Others were likely to rely on external legal counsel/consultants and professional/industry organizations and associations.

Question 20B. Respondents who had not identified preemptions and non-preemptions were asked how they planned to analyze and track state laws' interplay with HIPAA. Common themes among the 36 responses were very similar to the ones identified for identifying preemptions:
- Internal legal departments/compliance departments/privacy officers (19%)
- External legal counsel/consultants (28%)
- Professional and industry organizations and associations (25%)
- State and federal DHS or HHS

Payors are likely to rely on all four means, while Others will rely on internal departments, external consultants, and state and federal agencies. Physician Groups report that they will rely on internal departments and professional and industry organizations.

7. Compliance Efforts Are Not Fully Funded

With respect to funding, only 21% of respondents indicated that their compliance efforts were fully funded. More than half of respondents indicated that their HIPAA compliance efforts were only partially funded or not funded at all. When asked whether they think the anticipated costs of complying with the Privacy Rule will eventually be offset by savings expected from implementing other components of HIPAA (e.g., the Transaction and Code Set regulations), 31% to 32% of respondents said they did not know. Of those that said they did know, 48% expect no savings, 22% expect some savings but not within the next 5 years, 26% expect some savings within 3 to 5 years.

Question 16. Respondents were asked when they anticipate the costs to comply with the Privacy Rule will be offset by the savings expected by implementing other components of the HIPAA regulations such as the Transaction and Code Set regulations. Thirty-two percent of the respondents answering indicated that they Don't know. Of those who believe they know, 48% anticipated no savings at any time in the future. Long-term savings (after five years) were anticipated by 22% of the respondents, while medium-term savings (from 3 to 5 years after compliance) were anticipated by 26% of the respondents, and short-term savings (within one year of compliance) were anticipated 4% of the time by respondents (see Figure 8).

Figure 8: Overall responses to Question 16 (savings anticipated from implementation)
1-Short Term: 4%
2-Medium Term: 26%
3-Long Term: 22%
4-No Savings: 48%

Physician Groups and Others were more likely to anticipate no savings at any time in the future (63% of Physician Groups, and 55% of Others). Hospitals were more likely to anticipate some savings than Other organizations. There were substantial differences when results were stratified by level of HIPAA knowledge.

Table 2: Anticipated savings by level of HIPAA knowledge

| | No Savings | Long-Term | Medium-Term | Short-Term |
|---|---|---|---|---|
| High Knowledge | 44% | 26% | 26% | 44% |
| Low Knowledge | 62% | 0% | 31% | 7% |

Question 17. Respondents were asked to describe their organization's progress in regard to budgeting and funding of HIPAA compliance efforts. Across organization types, 51% of respondents reported that in regard to HIPAA compliance efforts, their organizations have only partially funded, budgeted but not funded, or not budgeted at all. Another 28% reported that their organization is not developing a HIPAA-specific budget, but that individual departments responsible for compliance would have to budget for compliance efforts themselves. Only 21% of all respondents said that compliance efforts were fully funded (see Figure 9). Physician Groups were less likely to budget than Payors. Within Payors, plans offering a Medicaid product were less likely to have a funding mechanism in place.

Figure 9: Overall responses to Question 17 (organization's progress toward budgeting HIPAA implementation efforts)
1-Not Budgeted: 18%
2-Budgeted Not Funded: 6%
3-Partially Funded: 27%
4-Fully Funded: 21%
5-Not Developing: 28%

Question 18. Respondents were asked to state which three departments or areas within their organizations would be the most costly for implementation of the HIPAA Privacy Rule. Information Technology and Information Systems, Medical Records, and Clinical Operations were seen by Hospitals and Physician Groups to be the most costly departments to implement the HIPAA Privacy Rule. For Payors and Others, IT/IS was also seen as the most costly department to implement the regulations, and Operations and Legal departments were seen as the second and third most costly departments. For more detail on these responses, see Appendices D, E, and F of this report on the CHCF Web site at www.chcf.org.

8. There Is A General Need For Modifications And/Or Clarifications

Seventy-eight percent of respondents felt HHS needed to make modifications and/or clarifications to the final Privacy Rule. Many respondents requested clarifications with respect to consent, minimum necessary, the definition and rules concerning business associates, the rules concerning communications, marketing and funding, and preemption. Others wanted clarification around research rules and how the regulations apply to disease management organizations.

Question 11A. Respondents provided 67 additional areas in which they felt the Privacy Rule needed clarification and modification, which are provided verbatim in Appendix G for this report at www.chcf.org. The following are additional areas in the HIPAA Privacy Rule that respondents felt would need clarification or modification:
- The minimum necessary requirements
- Communication/marketing and funding issues
- Clarifications on consent
- State preemption clarifications
- Research clarifications
- Clarifications regarding business associates

Q8A. Respondents who felt the regulations were unclear about business associates, responsibilities, and agreement provisions were asked to list areas they felt needed greater clarification. Roughly nineteen suggestions were received and are provided verbatim in Appendix G at www.chcf.org (see Question 8A). The following were common areas regarding business associates identified by respondents as needing clarification or modification:
- Greater clarification of who is and who is not a business associate, and what relationships and activities determine whether one is or is not a business associate
- Roles, responsibilities of parties, and follow up actions
- Clarification of Chain of Trust issues
- Consent issues: who needs to obtain it, who can use it, how often it must be obtained

Q10A. Respondents who felt the regulation was unclear about the distinction between research and health care operations were asked which areas they felt needed clarification or modification. Roughly 42 suggestions were given, which are provided verbatim in Appendix G (see Question 10A). The following were common areas regarding research that respondents suggested for clarification:
- Define what is considered research, and how to distinguish it from quality improvement activity, care, and health plan operations
- Exclusions to the regulation, prohibited activities, authorizations for activities
- What information can be disclosed and under what circumstances
- Consent and IRB waivers

9. Research vs. Health Care Operations

Overall, 50% of the respondents answered with either a 4 or a 5, but only 17% answered with a 5, meaning they felt the regulations were clear. Only 8% of Hospitals and 14% of Payors felt the regulations clearly distinguished between research and health care operations, while about a quarter of Physician Groups and Others felt that the regulations were clear between research and health care operations.

Q10. Respondents were asked to rate how clearly the regulations distinguish between research and health care operations with 1 being the regulations are unclear between research and operations, 3 being the regulations are neither clear nor unclear, and 5 being the regulations are clear between research and operations. There were no substantively meaningful differences when results were stratified by knowledge level.

Q10A. Respondents who answered either 1 or 2 (regulations were unclear between research and operations) were asked to indicate which areas needed clarifications and modifications. Common themes among the 19 responses were:
1) Define what is considered research, and how to distinguish it from quality improvement activity, care, and health plan operations (37%)
2) Exclusions to the regulation, prohibited activities, authorizations for activities (11%)
3) What information can be disclosed and under what circumstances (26%)
4) Consent and IRB waivers (11%)

Hospitals tended to identify 1, 3, and 4 as areas needing clarification, while Payors identified 2 and 3. Physicians identified 2, while Others identified 1 as areas needing clarification.