Healthcare organizations are doing more to remain HIPAA compliant compared to two years ago, says NueMD’s 2016 HIPAA Survey Update.
The survey looked at HIPAA compliance trends amongst 927 healthcare professionals as a follow-up to a similar 2014 survey.
In the course of the past two years, more healthcare professionals have brushed up on their HIPAA knowledge. Today, a total of 69 percent of respondents knew about and understood the HIPAA Omnibus Rule, while only 64 percent of 2014 respondents reported the same.
As a result, NueMD found that more organizations are establishing business associate agreements, a provision of the Omnibus Rule. In 2014, only 24 percent of respondents stated they had reviewed all of their business associate agreements, while 29 percent say they have in 2016. Only 26 percent of 2016 respondents haven’t reviewed any business associate agreements.
Today’s healthcare organizations are also putting better HIPAA compliance measures into place, with just over 70 percent of respondents stating that their organization has a HIPAA compliance plan. Only 58 percent of respondents said the same in 2014.
That all said, healthcare organizations are lagging in some areas. In 2014, 56 percent of respondents reported that their organizations had appointed HIPAA security and HIPAA privacy officers. That number has since dropped, with only 53 and 54 percent reporting the same, respectively.
Healthcare organizations are also falling behind on annual HIPAA training. Currently, 58 percent of organizations provide annual staff HIPAA training, while 62 percent of organizations did so in 2014.
The survey finds more promise with regard to electronic devices. Under HIPAA guidelines, healthcare organizations must catalog all of their devices containing PHI, and an increasing number of organizations report doing so. In 2014, only 27 percent of respondents said they’d cataloged their electronic devices, while 33 percent say they have done so today.
Healthcare professionals are also more confident that the devices they’re using are HIPAA compliant, with only 31 percent of professionals stating such in 2014 and 37 percent doing so in 2016.
Providers are slightly more involved with electronic communication devices than they were in 2014, with 45 percent of respondents using mobile devices to communicate with patients, 58 percent using email, 35 percent using text, and 15 percent using social media. These are all modest increases from the reported numbers in 2014.
Despite some of the gains in HIPAA compliance knowledge over the past two years, most healthcare organizations have remained as confident in their security measures as they were in 2014. On the whole, a majority of healthcare professionals are only somewhat confident that someone at their organization is managing HIPAA compliance, while only about 40 percent are very confident of this.
NueMD conducted this survey in light of phase 2 of the OCR HIPAA audits, which was recently discussed by the Department of Health and Human Services’ Office for Civil Rights (OCR). According to OCR, this second round will begin soon.
HIPAA audits are used to gauge the state of HIPAA compliance across the industry. By taking a look at HIPAA compliance at representative healthcare organizations, HHS hopes to understand how the industry is tackling healthcare data security and improve education on the matter.
“Audits are an important compliance tool for OCR that supplements OCR’s other enforcement tools, such as complaint investigations and compliance reviews,” OCR explained. “These tools enable OCR to identify best practices and proactively uncover and address risks and vulnerabilities to protected health information (PHI).”
Ideally, the phase 2 HIPAA audits will result in a new set of tools developed by OCR.
“OCR’s audits will enhance industry awareness of compliance obligations and enable OCR to better target technical assistance regarding problems identified through the audits,” OCR stated. “Through the information gleaned from the audits, OCR will develop tools and guidance to assist the industry in compliance self-evaluation and in preventing breaches. We will evaluate the results and procedures used in our phase 2 audits to develop our permanent audit program.”