Back in October of 2014, the Office for Civil Rights of HHS began conducting the first round of HIPAA audits at physician practices, healthcare facilities, and with their business associates. As technology has expanded the ways practices interact with sensitive patient data, HIPAA has evolved to ensure that data is protected. Curious about the state of compliance, and eager to find ways we could help get any stragglers up-to-speed, we conducted our 2014 HIPAA Survey.
Well now we’re at it again! With 2014’s announcement finally seeing the light of day, we thought it might be worth taking a look at where medical practices currently stand along the path to compliance.
Let’s start with some of the more encouraging news. One of the largest areas of growth concerned the general awareness of HIPAA and how it affects the workplace.
Intended to encourage the enforcement of privacy guidelines described by HIPAA, Phase 2 audits were originally set to begin in October of 2014 by the Office for Civil Rights of HHS. In our 2014 survey, when we asked how many were aware that these audits were being planned, only 32% of respondents said that they were. Today, that number has risen to 40%. Even though that shows some significant growth, there's still plenty of people in the industry that have yet to hear the news. Our hope is that surveys like these can help spread the word.
HIPAA extended its reach in 2013 by adding stricter security guidelines, greater patient transparency, and harsher penalties all around. When we last asked about knowledge of these updates, 64% said that they were aware of the Omnibus. This time around, 69% said they were familiar. Any positive growth is encouraging, especially considering that knowledge of these updates is pretty crucial to maintaining a HIPAA compliant work environment.
Compliance only starts at awareness. From there, active steps must be taken to ensure all guidelines are being followed. The next section of our survey casts a spotlight on the actual efforts made toward becoming HIPAA compliant. And it's where a few respondents have begun to stumble.
Without a plan, it's impossible to get compliant. The good news is that many have taken their first steps in the right direction. When last asked, 58% of respondents said their compliance plan was in effect. Now, just over 70% claim to have compliance plans. That's the single largest positive change we saw in all of the results, so way to go! Though it's still critically important to the rest that they start getting a plan together. You can't be compliant without it.
What's a Compliance Plan?
A compliance plan is a set of policies and procedures that covers all aspects of compliance within your practice.
Visit the HIPAA Resource Page for more detailed information.
Practices seemed to be slipping a little with regard to some of the other aspects of compliance. Annual training is one of those areas. Ensuring staff know the appropriate steps to take in case of a breach is an important part of their yearly training. Where previously, 62% of owners, managers, and administrators claimed they provided training for their staff annually, that number has surprisingly decreased to 58%. The off-again, on-again delays in auditing may have contributed to this downswing.
Another area of slight concern is in the appointing of officers. HIPAA requires an appointed Security officer and a Privacy Officer in order to create a single point of contact at each business responsible for handling any conflicts. Originally asked, 56% of owners, administrators, and managers reported that they had appointed their Security Officer. The same number claimed to have appointed Privacy Officers. Since then, those numbers have seen a minor drop. Appointed Security Officers currently stand at 53%, while Privacy Officers decreased to 54%. These may not be extraordinary changes, but the numbers are moving in the wrong direction!!
A region that suggests a correlation between increased awareness and improved compliance is that of Business Associate Agreements. Established as part of the 2013 Omnibus, BAAs concern the negotiations between Covered Entities and any third-party vendors that have access to their PHI. When we last checked in, 60% of owners, managers, and administrators were in the know. Today, closer to 70% are aware that BAAs are an important part of compliance. When we asked about the percentage of BAAs currently evaluated, we saw pretty similar levels of improvement. In 2014, 28% of respondents had not even started evaluating their BAAs, while 23% had completed the task. Today those numbers have nearly flipped. Twenty-nine percent (29%) have completed evaluating their BAAs while only 25% have neglected the duty altogether. The rest are somewhere in between, but still working hard to get fully caught up.
Next we attempted to gauge the overall use and levels of confidence in all of the various electronic devices around the office. These include emerging technologies that will have an impact on the industry for years to come. But first we were interested in the overall progress of cataloging devices like printers and scanners as well as mobile phones, tablets, laptops, and digital cameras already in use.
According to HIPAA, any electronic devices that contain PHI must be properly cataloged. Previously, only 27% of respondents said they had cataloged 76-100% of their devices. The same amount claimed they had not cataloged any devices at all. Our newest findings show that those numbers have both improved. Thirty-three percent (33%) say they have now achieved the highest tier of cataloging, while those that have yet to begin have shrunk to 22%.
Confidence that these devices are within HIPAA guidelines has also increased. Two years ago, only 31% of management and owners were “very confident” that all electronic devices at their place of business were fully compliant. Today that figure is closer to 37%. Though it's always tricky to correlate cause and effect, the increased confidence does happen to be directly proportional to the increase in cataloged devices.
Perhaps one of the more interesting findings from our survey concerns the use of online communication in the workplace. Whether with patients, or between staff members, the increased use of mobile apps, email, texting, and social media seems to be slightly outpacing confidence that those technologies are in fact HIPAA compliant.
When tracking the difference in use of these technologies for communicating with patients, a small but steady increase can be seen, especially in the area of texting.
A similar pattern emerges when we look at the use of these same methods used for communication between staff members.
However, when we now look at the overall change in respondents who expressed the highest level of confidence that these communications are HIPAA compliant, we find more or less stagnant conditions. New technologies can change our ways of interacting pretty rapidly. It's important to ensure all staff are properly trained on any device in which they may be communicating sensitive information.
The final question on each survey asked practices how confident they are that there is at least one employee who is familiar with HIPAA and is taking active steps to ensure compliance. The results were in line with most other questions regarding confidence. In 2014, about 81% of respondents said that they were either “very” or “somewhat” confident. Today, the number making the same claim is 83%. Not a striking improvement, but progress nonetheless.
And that seems to be the narrative of compliance overall in the last two years. While we’re always excited to see any positive change, helping those in need achieve full compliance has always been a goal in the process. So feel free to check out our resource page for all kinds of information to help you get your business HIPAA compliant today!
Have some insight on HIPAA you'd like to share? Maybe a question you'd like answered? Leave comments below!