HIPAA Privacy Implementation Issues in Pennsylvania Healthcare Facilities

by Patricia Anania Firouzan, MSIS, RHIA, and James McKinnon

Abstract

A 20-question survey was sent in the mail to HIM directors in Pennsylvania healthcare facilities to solicit feedback regarding implementation issues of the HIPAA privacy rule requirements. Questions focused on gathering basic demographic data, information on HIM involvement with the privacy rule requirements, the procedures whereby facilities were meeting the privacy rule requirements, occurrences of confidentiality breaches, and respondents' perceptions about the privacy rule. Findings suggested that HIM professionals continue to be involved with many areas of the privacy rule and have taken on new responsibilities with this involvement. Findings also suggested that respondents did not think the privacy rule would prevent future confidentiality breaches. Only half of respondents thought that the privacy regulations were even necessary. Many respondents felt their level of importance within their facility increased.

Introduction

The Secretary of Health and Human Services issued the HIPAA privacy regulations on December 28, 2000. This time frame gave covered entities a little more than two years to become compliant with the regulations. Covered entities had until April 14, 2003, to meet the regulation expectations, while smaller health plans had until April 14, 2004, to be compliant. Covered entities are those persons or organizations that are considered "healthcare providers," "health plans," or "healthcare clearinghouses" as defined in the regulation.

The privacy regulation covers "protected health information" (PHI) in any form that is created or received by a covered entity. PHI is individually identifiable "health information," which is defined as any oral or recorded information about the health of an individual, the provision of healthcare to the individual, or the payment for healthcare. Health information that is "individually identifiable" is information that identifies or reasonably can be used to identify the individual.

The HIPAA privacy rule addresses issues relating to patient access rights, rules for use and disclosure, new administrative requirements, and means for enforcement and compliance. The rule affects virtually every person in a covered entity. These requirements bring many changes to the way PHI is handled in healthcare organizations, and health information managers hold a key role in facilitating these changes.

Literature Review

Recent surveys have been conducted by a number of different organizations to gauge some of the key trends emerging in the move toward HIPAA privacy rule implementation. In their Winter 2003 "U.S. Healthcare Industry Quarterly HIPAA Compliance Survey," the Healthcare Information and Management Systems Society (HIMSS) and Phoenix Health Systems observed that there would be a rush toward implementation since most organizations were not in compliance as of January 2003. At that time, only nine percent of providers and five percent of payers had actually completed privacy compliance. This statistic reflected little change from the HIMSS Fall 2002 results, when only five percent of each industry segment reported completion. The Healthcare Financial Management Association also found similar results from its March 2002 online survey, where only 22 percent of organizations surveyed had begun implementing the privacy rule.

The Health Care Compliance Association (HCCA) produced two relevant surveys in 2002. Their fifth annual survey, "2002 Profile of Health Care Compliance Officers," found significant trends toward HIPAA privacy compliance. One significant finding was that HIPAA privacy was the most pressing goal of corporate compliance officers. Another finding was 68 percent of respondents indicated HIPAA is the biggest issue that their programs were facing. HCCA also conducted a HIPAA readiness survey in early 2002. A major finding of this survey was that most organizations had not developed policies and procedures concerning PHI. Additionally, the survey concluded that most organizations had begun to address issues of HIPAA privacy, but had not fully implemented the regulation.

A HIPAA implementation survey conducted in January and February 2002 by the National Committee for Quality Assurance and the Georgetown University Health Privacy Project looked at how implementation efforts were proceeding under the final privacy rule in California healthcare organizations. A major finding was that few organizations (12 percent) had actually completed readiness initiatives, although a large number of respondents (81 percent) had developed a strategic plan for implementation.

Objective

The objective of this study is to explore the health information manager's role in implementation of the HIPAA privacy rule in Pennsylvania healthcare facilities and to examine some of the issues related to privacy rule implementation. These issues include designation of the privacy officer, training requirements, perceptions of the privacy rule, and other related matters.

Methodology

A survey was developed with input from the University of Pittsburgh's Office of Measurement and Evaluation. The survey was then submitted to the exempt review team of the university's institutional review board for their approval. Once revisions were made and approval was granted, the 20-question survey was mailed to HIM directors of all Pennsylvania healthcare facilities (N=268) as listed in the American Hospital Association's "Hospital Statistics" guide (Attachment A). Respondents were asked to complete the survey and return it in the enclosed self-addressed stamped envelope within one week. Results were collected over a three-week period and reported as aggregate data with no individually identifiable information gathered.

This study's major limitation was that it was completed a few months prior to the deadline for meeting HIPAA privacy rule requirements, a time that found many HIM professionals and other healthcare workers deep in the throes of HIPAA. Much more work has been completed since that time and is not reflected in this research. In addition, people's perceptions about these issues may have changed since the implementation date of April 14, 2003. Also limiting the study is the fact that the survey was only sent to facilities in Pennsylvania and results may differ in other parts of the country. Future surveys should be sent to a sample of facilities in all states with the survey content focusing on post-implementation issues.

Analysis and Results

As the surveys were returned, the information was coded and entered into an Excel file for statistical analysis. Of the 268 surveys mailed, 128 of them were returned, with a response rate of 48 percent. Of the facilities surveyed, 48 percent were hospitals with 100 to 400 beds (medium sized). Twenty percent were hospitals with less than 100 beds (small sized) and 10 percent were hospitals with more than 400 beds (large sized). Seven percent were mental and behavioral health facilities, and 14 percent were considered "other," which included categories of home care, long-term care, hospice, and acute rehabilitation.

The majority of respondents (91 percent) indicated they were either the HIM director or the medical records manager, and only nine percent were not HIM directors/managers. Of those who were not HIM directors/managers, their titles included corporate compliance officers (CCO), administrators, and quality improvement directors. Fifty-seven percent of the respondents held the RHIA credential, and 33 percent were RHIT credentialed. Of the remaining 10 percent, the credentials were varied, with the RN (registered nurse), CPHQ (certified professional in healthcare quality), and CCS (certified coding specialist) credentials present. For hospitals with more than 400 beds, 77 percent of respondents were RHIAs and 23 percent were RHITs, as compared with hospitals with 100-400 beds (60 percent RHIAs, 33 percent RHITs, 2 percent RNs and 5 percent "other") and smaller hospitals with less than 100 beds (35 percent RHIAs, 41 percent RHITs, 12 percent RNs and 12 percent "other"). In mental and behavioral health facilities, 40 percent were RHIAs, 40 percent were RHITs, 7 percent were RNs, and 13 percent were "other" (Figure 1).

An administrative requirement of the HIPAA privacy rule is that facilities must designate a privacy official to be in charge of ensuring that HIPAA privacy regulations are followed. In 41 percent of facilities, the privacy officer was also the HIM director (Figure 2). In 25 percent of facilities, the corporate compliance officer also had the designation of privacy officer. Other breakdowns included eight percent of facilities reporting that hospital administration took over the privacy officer responsibilities, and four percent of legal counsels were taking on this position.

However, when analyzed by facility type, in hospitals with more than 400 beds, 46 percent of CCOs were designated as the privacy officer, 31 percent of HIM directors had the designation, and eight percent of legal counsel professionals had the designation. In medium-sized hospitals (100-400 beds) 46 percent of HIM directors were designated as the privacy officer, and 27 percent of the CCOs had the designation. The difference is even more evident in smaller hospitals, where 50 percent of HIM directors had the designation, and only 10 percent of CCOs were the privacy officer, and in mental and behavioral health facilities, where 67 percent of HIM directors had the designation, 13 percent were legal counsel and only seven percent of CCOs had the privacy officer designation (Figure 3).

The most common HIPAA privacy training methods employed by respondents were HIPAA pamphlets, formal classes, and informal training. The least common method used was computer-based training. A few facilities indicated that training had not begun as of early February 2003. Sixty-one percent of respondents indicated that training lasted one to four hours, 17 percent indicated five to nine hours of training, and 14 percent indicated their training lasted more than 10 hours (Figure 4). Six percent indicated their training lasted less than one hour, and two percent did not know the length of their training. When analyzed by hospital type, there was not much difference in the time spent for training.

When asked to rank the most confusing aspects of the HIPAA privacy rule, 34 percent of respondents ranked the rules for certain entities (such as hybrid or affiliated) as most confusing, and 23 percent ranked the administrative requirements as the next most confusing. Ranked next to the last on the list were rules for use and disclosure, and the last and least confusing item on the list was patient access (Figure 5). Results were similar when analyzed by respondent's credential.

An implementation requirement of the privacy rule mandates an accounting of disclosures. Question eight of the survey asked, "As the HIM director, is your department involved in the process of accounting for disclosures and creating a notice of privacy practices?" Eighty-four percent of respondents indicated that their department is involved in the accounting of disclosures and creating a notice of privacy practices.

When asked to estimate their current level of compliance with the privacy rule, only 28 percent of respondents estimated they were 75 percent or more compliant with the HIPAA requirements. Thirty-eight percent estimated they were 50 to 74 percent compliant, 21 percent were 25 to 49 percent compliant and 13 percent indicated they were less than 25 percent compliant with the regulations. When analyzed by facility type, mental and behavioral health facilities showed the greatest level of compliance, with 47 percent being 75 percent or more compliant with the act. In hospitals with more than 400 beds, only 31 percent were 75 percent or more compliant, and in medium size and smaller hospitals, only 27 percent each were 75 percent or more in compliance (Figure 6). When the data was analyzed by respondent's credential there was not much difference in the percentage of compliance.

Under the privacy rule, a general consent for treatment, payment, and healthcare operations (TPO) is no longer a requirement. When asked if their facility would provide a general consent for treatment, payment, and healthcare operations even though it is not required under HIPAA, overall, 65 percent of respondents said they would still ask for consent. Fifteen percent responded that they would not ask for consent, and 20 percent were unsure if they would ask for consent. When classified by facility type, it is interesting to note that 83 percent of mental and behavioral health facilities responded that they would still ask for consent, whereas the responses by the hospitals ranged between 58 percent (medium sized) and 73 percent (more than 400 beds) (Figure 7).

According to the survey responses, 25 percent of respondents thought the HIPAA privacy rule would complicate daily operations in the HIM department; 59 percent responded that it would not affect HIM operations, and 16 percent were not sure. Responses did not differ much when analyzed by credential and facility type.

Responsibility for developing and updating policies related to privacy issues needs to be delineated in order to ensure compliance with the HIPAA regulations. Question 12 asked which individual is responsible for notice of privacy practices, authorization/disclosures, accounting for disclosures, request for patient access, minimum necessary standard, and request for amendments. Respondents indicated that in many facilities the privacy officer is responsible for maintaining notice of privacy practices (59 percent) and the minimum necessary standard (45 percent). HIM staff is predominantly responsible for the other policies, such as authorization/disclosures (35 percent), accounting for disclosures (36 percent), request for patient access (46 percent), and request for amendments (36 percent) (Figure 8).

When asked their opinion of the necessity of HIPAA privacy regulations, 50 percent of respondents thought that the regulations were necessary, 33 percent did not think they were necessary, and 17 percent were unsure. Results did not vary much when analyzed by credential or facility type.

Through the enactment of the HIPAA privacy rule, it is expected that the confidentiality of patient information will be better maintained. According to survey results, nearly half of the surveyed facilities experienced a breach of confidentiality in the last three years. However, for mental and behavioral health facilities, only 29 percent experienced a breach, whereas in the hospitals, 52 percent of those with less than 100 beds experienced a breach, 41 percent of hospitals with 100-400 beds experienced a breach, and 45 percent of hospitals with more than 400 beds experienced one (Figure 9).

In facilities that experienced a breach, the majority of breaches (77 percent) were committed by employees, eight percent were committed by patients, and five percent were committed by doctors (Figure 10). No breaches were committed by hackers. When examined by facility type, in mental and behavioral health facilities, employees committed 50 percent of breaches and 50 percent were committed by patients. This figure differs from the results for hospitals. In hospitals with more than 400 beds, employees committed 67 percent of breaches and 33 percent were committed by "others." In hospitals with 100 to 400 beds, employees committed 71 percent of breaches and 29 percent were committed by "others." In hospitals with less than 100 beds, employees committed 84 percent of breaches and 16 percent were committed by patients (Figure 11).

When asked if the HIPAA privacy rule would prevent patient confidentiality breaches, only 20 percent responded affirmatively. Fifty-six percent thought the rule would not prevent confidentiality breaches, and 24 percent were not sure. Results were similar when analyzed by credential and facility type.

Two survey questions addressed the need for adding staff in order to meet the HIPAA privacy requirements. Overall, only 29 percent of respondents thought there was a need to increase staff to the HIM department. However, there was a variance in results when analyzed by facility type, with 55 percent of respondents from hospitals with more than 400 beds answering that there was a need to add additional HIM staff. Only 25 percent of medium-sized hospitals, 23 percent of small hospitals, and 15 percent of mental and behavioral health facilities responded that they need additional HIM staff (Figure 12).

When asked if there was a need to add staff to the organization as a whole, 36 percent overall responded affirmatively. Again, results varied when analyzed by facility type: 45 percent of respondents from larger hospitals answered that there was a need for additional staff in the organization as a whole, and 57 percent of mental and behavioral health respondents said they needed more. Only 29 percent of medium sized and 26 percent of smaller hospitals responded that they needed additional staff in the organization as a whole (Figure 13).

The HIPAA privacy rule requires covered entities to have appropriate safeguards in place to protect the privacy of protected health information. When asked if their facility had to adjust their current safeguards to meet this requirement, approximately 78 percent of facilities had to make adjustments to their administrative, technical, and physical safeguards to meet the HIPAA requirement.

Some organizations have found it necessary to use consultants to comply with the privacy regulations. Of the facilities surveyed, 44 percent had used consultants while 53 percent had not. Results did not vary by credential, but it is important to note that only 29 percent of respondents in mental and behavioral health facilities used consultants, and 33 percent of hospitals with more than 400 beds responded that they had used consultants. Forty-five percent of medium- and small-sized hospitals used consultants (Figure 14).

Finally, 58 percent of respondents said their importance within the facility increased moderately or greatly since the implementation of the HIPAA privacy rule. Forty-two percent reported that their importance has stayed the same and none of the respondents said their importance decreased.

When classified by credential, 67 percent of RHIAs, 46 percent of RHITs, and 17 percent of RNs responded that their importance has increased moderately or greatly (Figure 15).

When sorted by facility type, only 45 percent from hospitals with less than 100 beds said their importance increased moderately or greatly. However, 50 percent of respondents from mental and behavioral health facilities, 67 percent of respondents from hospitals with more than 400 beds, and 61 percent of respondents of hospitals with 100-400 beds responded that their importance has increased moderately or greatly (Figure 16).

Discussion

Healthcare facilities and entities in Pennsylvania have worked hard to make changes to the way they handle and communicate information about their patients as they prepared to meet the requirements of the HIPAA privacy rule. In late winter of 2003, just a few months before the deadline for meeting the privacy rule requirements, a good number of facilities in Pennsylvania were compliant with between one fourth and one half of the requirements. Many facilities have made changes to their existing administrative, technical, and physical safeguards. New training requirements were met using a variety of methods (pamphlets, classes, and informal training were the most popular), and most facilities' training sessions lasted between one and four hours.

An important finding is that HIM professionals continue to play a key role in meeting and maintaining the privacy rule requirements. In almost half of the responding facilities the HIM director had also been designated as the privacy officer. This fact was most evident in medium- and small-sized hospitals and in mental and behavioral health facilities. The trend in larger-sized hospitals was for the corporate compliance officer to hold the privacy officer title.

Another important finding was that a few facilities responded that they had not yet begun the required privacy training as of early February 2003 with the April 2003 deadline fast approaching, indicating that they most likely would miss the deadline for compliance.

The majority of HIM departments were involved in the accounting of disclosures and creating a notice of privacy practice for their facility. In at least one third of facilities, the HIM staff held the primary responsibility for maintaining other important policies including authorizations, disclosures, patient access, and amendment requests. This element signifies that HIM professionals will continue in their familiar role of overseeing access to and release of patient information.

When assessing their current level of compliance with the privacy rule, many respondents in hospital environments indicated they still had a lot of work to do to bring them into compliance. Mental and behavioral health facilities had the highest level of compliance. This may be because the sensitive nature of their health information has always required these facilities to take extra precautions. Thus, they have already been doing some of the provisions now required under HIPAA. Along this line it is not surprising to see that most mental and behavioral health facilities will continue to ask for a general consent for treatment, payment, and healthcare operations, although it is no longer a requirement under HIPAA. Again it can be surmised that the sensitive nature of their health information is the motivation behind the continuation of this policy.

Since nearly half of the respondents experienced a breach of confidentiality at their facilities in the past three years and the majority of those breaches were committed by employees, it is surprising to find that one third of respondents did not think the HIPAA privacy regulations were necessary. One would expect that the occurrence of breaches would lead to a greater inclination of wanting more stringent safeguards, particularly in the form of policies that can be imposed upon employees. Furthermore, the majority of respondents were not convinced that the HIPAA privacy rule would prevent future breaches.

The majority of respondents were not intimidated by the increased responsibilities tied to the privacy rule since they held the belief that it would not affect HIM operations. Since these HIM professionals had already been guarding patient confidentiality throughout their careers, they were already familiar with many of the tenets set forth in the privacy rule. However, more than half of respondents from hospitals with more than 400 beds saw the need to add additional HIM staff. Because the HIPAA act is so far reaching across an organization, perhaps staff at bigger facilities felt the need for additional HIM staff to ensure that all areas of the act were covered. A large number of respondents from large hospitals and mental and behavioral health facilities also saw the need for additional staff in the organization as a whole. Again, this disparity could be due to the facility size and nature of sensitive information (in the case of mental and behavioral health) that would lead them to respond in this manner. They may have felt the need for additional organizational staff to ensure complete coverage across all departments.

More than half of respondents indicated their importance within the facility had increased, with the majority of RHIAs and almost half of RHITs responding that their importance had increased moderately or greatly. This increase may be due to the fact that the privacy rule placed an increased emphasis on health information, thereby placing more attention on HIM professionals.

Conclusion

The information gathered through this survey provides insight into some important issues surrounding the implementation efforts made toward the HIPAA privacy rule in facilities across the state of Pennsylvania. It is exciting to see that HIM professionals hold a central role in this area of HIPAA in addition to their involvement in the development and deployment of policies that affect all healthcare professionals within their organizations. Findings also suggest that many HIM professionals feel that their level of importance within their facility has increased due to the additional responsibilities, which may lead to increased visibility within their respective organizations.

Patricia Anania Firouzan, MSIS, RHIA, is an assistant professor in the department of health information management at the University of Pittsburgh. James McKinnon is a health information clerk at Children's Hospital in Pittsburgh, PA. McKinnon graduated from the University of Pittsburgh's HIM program with a Bachelor of Science degree. Currently, he is a part-time graduate student at the University of Pittsburgh Graduate School of Public and International Affairs majoring in non-profit management with a healthcare emphasis. McKinnon plans to become a registered health information manager in the near future.

Notes

  1. Health Privacy Project. "Summary of HIPAA Privacy Rule." Institute for Health Care Research and Policy, Georgetown University, September 13, 2002. Available at www.healthprivacy.org.
  2. Ibid.
  3. Amatayakul, Margret. "On the Fast Track to Privacy Rule Compliance." Journal of AHIMA 74, no. 2 (2003): 16A-D.
  4. HIMSS/Phoenix Health Systems. "U.S. Healthcare Industry Quarterly HIPAA Compliance Survey Results." Winter 2003, p. 2. Available at http://www.himss.org/asp/industry_research.asp?PageNum=2.
  5. Healthcare Financial Management Association. "HIPAA Update Survey." Available at http://www.hfma.org/resource/HIPAAupdatereport.pdf.
  6. HCCA and Walker Information. "2002 Profile of Health Care Compliance Officers." Available at http://www.hcca-info.org/Content/NavigationMenu/Compliance_Resources/Surveys/Annualsurvey5th.pdf.
  7. HCCA. "2002 HCCA HIPAA Readiness Survey Results." Available at http://www.hcca-info.org/Content/NavigationMenu/About_HCCA/Press_Releases/3rdHIPAAsurv_results0212.ppt.
  8. NCQA and Georgetown University Health Privacy Project. "California HIPAA Privacy Implementation Survey." April 2002. Available at http://www.kaisernetwork.org/health_cast/uploaded_files/4.16.02_Exec.Summary.pdf.
  9. American Hospital Association. "Hospital Statistics, 2002." Available at http://www.hospitalconnect.com/aha/resource_center/fastfacts/fast_facts_US_hospitals.html.

Article citation:
Firouzan, Patricia Anania, and James McKinnon. "HIPAA Privacy Implementation Issues in Pennsylvania Healthcare Facilities." Perspectives in Health Information Management 1:3 (April 30, 2004).