Survey: HIPAA Compliance Low
(April 19, 2006)

One year after the compliance date for the HIPAA security rule, only a quarter of provider respondents to a recent survey believe their organization is fully compliant. Half of respondents say their organizations are between 85% and 95% compliant.

In a similar survey a year ago, 17% of respondents reported their organization was fully compliant and 43% believed they were substantially compliant.

The American Health Information Management Association conducted the survey, sending e-mails to members and others involved in HIPAA implementation activities and receiving 1,117 qualified responses.

Eighty-five percent of respondents said their organization is more than 85% compliant with the HIPAA privacy rule. That's a decline from last year's survey, when 91% of respondents said their organizations had reached that level of compliance.

Fifty-five percent of respondents cited a lack of sufficient resources as the biggest barrier to full privacy compliance. Further, respondents reported sensing a loss of support from senior management and a diminished focus on the privacy rule by some staff, according to the Chicago-based association.

The survey was conducted in January, well before an investigation by the Government Accountability Office found that computer systems at the Department of Health and Human Services, and the Centers for Medicare and Medicaid Services, have serious security deficiencies. CMS is responsible for enforcing most HIPAA rules including security; HHS' Office for Civil Rights enforces the privacy rule.

Respondents also voiced concern about the burdens of some privacy rule provisions, particularly the need to account for disclosures of protected information. The number of consumers wanting to know who has seen their information is extremely low, according to survey results. Nearly two-thirds of the organizations surveyed have received no requests and most others have received only a few requests for an accounting of disclosures.

A copy of the full report, "State of HIPAA Privacy and Security Compliance 2006," is available at ahima.org.