California HIPAA Privacy Implementation Survey: Appendix A. Stakeholder Interviews Prepared for the California HealthCare Foundation Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project April 2002


California HIPAA Privacy Implementation Survey:

Appendix A. Stakeholder Interviews

Prepared for the California HealthCare Foundation

Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project

April 2002

California HIPAA Privacy Implementation Survey/California HealthCare Foundation 2

Appendix A. Stakeholder Interviews

Prior to developing a finalized HIPAA survey for this project, an independent survey research firm conducted a series of stakeholder interviews. The purpose of these interviews was to obtain a general sense of what the actual and perceived barriers are to implementation of the HIPAA privacy rule from those who are and will be directly affected. The NCQA and The Health Privacy Project at Georgetown University chose the stakeholders judgmentally as those who would be familiar with the issues surrounding implementation of the HIPAA privacy rule. Not all stakeholders that were chosen were interviewed due to the time constraints of the project and stakeholders' non-compliance. Using a pre-determined script (Attachment I), developed by the research firm, NCQA and The Health Privacy Project at Georgetown University, a total of seven stakeholders were interviewed. The results of the calls identified some main themes that were included in the generation of the final survey. The main themes are:

1. Training for HIPAA will be costly and time consuming;
2. California state law already has strict regulations regarding privacy so that HIPAA will not drastically change most of the processes;
3. Lack of industry knowledge surrounding technology and its capabilities;
4. Specific requirements (i.e. consent, minimum necessary, business associate, research) could use clarification.

Detailed Summary of Results

Potential Implementation Issue / Stakeholder Answers

General – Do you think guidance or modifications are needed with regards to HIPAA? Is guidance/modification really the issue with HIPAA? If yes, where in the HIPAA regulations do you think more guidance should be given? If not, what is/are the issue(s)?

“Accounting of disclosures.” “Yes, the privacy rule within larger organizations will be onerous. The solo/small group offices will be affected the most. California state requirements already have legal implications for security breaches.” “At a minimum the DHHS, should clarify the regulations.”

Cost – What do you think the cost of implementing the HIPAA regulations will be for your organization? Will there be offsetting financial benefits of implementing other sections of HIPAA, such as the transactions and code sets?

“The savings are real, but distant. We will not benefit for a couple of years and there will be an ongoing expense associated with this.” “State law is already so strict, the cost of this implementation should not be prohibitive.” “Anticipate that it will cost $1,000 - $2,000 per doctor to train.” “Do not see any cost off-set by the transaction and code set regulation, since they are already submitting electronically.”

People - What staffing changes do you anticipate having to make to meet the policy requirements by the deadline and then complying with the regulations after the deadline?

“PMO’s have already been established to distribute responsibility.” “Organizations may have trouble dedicating people to regulate HIPAA compliance.” “The Chief Medical Officer has the lead on HIPAA implementation.” “For small offices, the doctor will become the privacy official.” “The Medical Director is taking the lead with at least another FTE and additional data systems staff.”

Process – Do you think you will need to change the processes within your organization (i.e. the way information travels, employee behavior) in order to comply with HIPAA? Why? Is one of the issues time? What are the other process issues? Do you envision any difficulties doing this?

“California already has strict privacy laws. Most organizations are already in compliance.” “It is always difficult to change people’s behavior.” “There is a tough state law, so everybody is meeting the requirements already.” “Have already been doing so much to plan ahead. Thought about manpower, resources, re-evaluating all past policies and procedures.” “Doctor’s offices will have a problem writing/maintaining all of the policies needed for HIPAA.”

Training - Do you think that you will be able to effectively train all of your employees on the regulations? Do you envision any difficulties doing this?

“This will be a resource issue. It may be smart to piggy back this type of training off of Sexual Harassment training.” “The small offices will be looking to the professional organizations to guide them.” “Already planning the training but this is a large undertaking. Training center accommodates five at a time and there are over 300 doctors in the group.”

Technology – Do the regulations provide adequate guidelines for information technology developers? Can the regulations, such as confidential communications, be implemented with available tools and technologies? Do the regulations support current efforts to automate processes and transactions, e.g. electronic signatures on consent forms?

“[HIPAA] Regulations will be a reason to delay moving towards technology.” “The regulations will make technology development less problematic.” “Believe that current technology can support confidential communications.” “There is an internet barrier. People think that everything on the internet is wide-open. [They think that] will not be able to use the internet anymore.” “Doctors do not have internet security.” “No upgrades or system changes have to be made.”

Consent - Are the regulation’s current consent requirements workable? What are some of the specific issues/barriers/problems you see with the consent requirements? Do you think that the consent requirements may limit the flow of information needed to assess health care quality?

“The current consent requirements are workable.” “That is a good question. It will be interesting to see what people say.” “Yes, consent requirements may limit the flow of information needed to assess health care quality.” “The new [Consent] requirements will create confusion for doctors … uncertain as to what is required and how you will know if you are in compliance.” “In time, [Consent] will be workable.”

Minimum Necessary – Does the “minimum necessary” rule achieve its intended purpose? Are there unintended consequences? What are they? Do you think Minimum Necessary may limit the flow of information needed to deliver, pay for, and assess health care quality?

“This will be a nightmare for referring physicians. It’s onerous and I do not see the point. The unintended consequence is that this will drive up cost of compliance. It is too reliant on personal judgment.” “Creates tendency to develop overkill and can create unnecessary complexity.” “This is the easiest part of it. Doctors already do this. Now, it is a documentation process but it won’t hurt much.”

Research – Does the regulation adequately distinguish research and health care operations? Are the guidelines clear for what process providers should follow when determining whether they can or cannot participate in quality measurement activities under HIPAA? Does the rule create significant barriers to researcher access to patient data, or does the rule impose needed procedural safeguards?

“My concern is that research will be cut off.” “This will thwart clinical research. Local doctors will not participate in studies, like breast cancer studies. Regulations must be simplified and made more logical.” “Don’t deal much with research but it will be increasingly difficult to enroll patients in disease management programs. It is not so good now but HIPAA will make things worse.”

Additional Comments: “Fear that health plans will no longer contract with disease management organizations because they will think that transmitting PHI will be breaking the law. More education is needed on consent and disease management entities need to be defined under HIPAA.” “Transaction rule is the best aspect of HIPAA.” “HIPAA is more of an administrative exercise than an exercise of value.” “The strategy should be made simpler.”

Please rank the top barriers of implementation: “Minimum Necessary; Business Associates; Intersect between state and federal regulations.” “Perception that you will be unable to use the internet; Research; Training; Compliance / Quality Assurance; Doctor education around the issues.” “Policy and procedure development; Resource use and cost.” “Design of office plan; Training requirements; Was not a collaborative approach between legislation and delivery system.” “Information exchange between doctors, patients and research; Technology; Training; Quality Assurance; Implementation of the rest of the regulations.”

Stakeholder Interview Script

Preliminary Stakeholder Interviews

Draft Agenda

Date:

Time:

Our firm was hired by the National Committee for Quality Assurance (NCQA) in order to assist in the development and execution of a survey for the California HealthCare Foundation. The survey’s goal is to identify actual and perceived barriers to the implementation of the HIPAA privacy regulation. The president of the NCQA, and the project director of the Georgetown University Health Privacy Project, have identified you as an individual who might be able to give us some insight into the actual and perceived barriers so that we can develop a focused survey. We are looking to you to help identify key survey topics and also assist in identifying potential survey respondents. Your participation will be kept confidential and only those participating in the development of the survey will have access to your responses. I know that this is a busy time of the year, so I would like to thank you in advance for your time. I anticipate that this interview will take between 30 and 40 minutes. The meeting agenda will be as follows:

• Background / Roles

• Key Issues surrounding HIPAA

• Survey Respondent Identification

• Wrap-Up

Background / Roles

We were chosen to aid the NCQA in developing a survey that would identify areas of the HIPAA privacy regulation where guidance or modifications may be needed to clarify and interpret sections of the rule. The results of this survey will be shared with the Department of Health and Human Services in order to help them understand any issues identified. The survey will be a telephone survey that will take under an hour and consist of 20 to 25 closed-ended questions with one or two open-ended questions. The survey respondents will be healthcare entities of various types that operate (in some fashion) in the state of California.

Our next step will be to ask you some open-ended questions to get some of your thoughts with regard to HIPAA. Please excuse me if there are pauses after you respond to our questions, as I will be attempting to take detailed notes.

Key Issues surrounding HIPAA

• Do you think guidance or modifications are needed with regards to HIPAA?

• Is guidance/ modification really the issue with HIPAA?

• If yes, where in the HIPAA regulations do you think more guidance should be given?

• If not, what is/are the issue(s)?

The following issues are those that the development team thinks may be perceived as barriers to HIPAA implementation: Cost, People, Process Redesign, Training, Technology Constraints, Unclear Regulations. As we review these, please provide feedback as to whether you think that these may also be real barriers to the healthcare community:

• Cost – What do you think the cost of implementing the HIPAA regulations will be for your organization? Will there be offsetting financial benefits of implementing other sections of HIPAA, such as the transactions and code sets?

• People - What staffing changes do you anticipate having to make to meet the policy requirements by the deadline and then complying with the regulations after the deadline?

• Process – Do you think you will need to change the processes within your organization (i.e., the way information travels, employee behavior) in order to comply with HIPAA? Why? Is one of the issues time? What are the other process issues? Do you envision any difficulties doing this?

• Training - Do you think that you will be able to effectively train all of your employees on the regulations? Do you envision any difficulties doing this?

• Technology – Do the regulations provide adequate guidelines for information technology developers? Can the regulations, such as confidential communications, be implemented with available tools and technologies? Do the regulations support current efforts to automate processes and transactions; e.g., electronic signatures on consent forms?

• Unclear Regulations - CHCF has identified the following three categories as key issues where the language may need clarification within the HIPAA regulation. Please provide feedback as to whether you also think that these topics may need some clarification or modification:

  • Consent - Are the regulation’s current consent requirements workable? What are some of the specific issues/barriers/problems you see with the consent requirements? Do you think that the consent requirements may limit the flow of information needed to assess health care quality?

  • Minimum Necessary – Does the “minimum necessary” rule achieve its intended purpose? Are there unintended consequences? What are they? Do you think Minimum Necessary may limit the flow of information needed to deliver, pay for, and assess health care quality?

  • Research – Does the regulation adequately distinguish research and health care operations? Are the guidelines clear for what process providers should follow when determining whether they can or cannot participate in quality measurement activities under HIPAA? Does the rule create significant barriers to researcher access to patient data, or does the rule impose needed procedural safeguards?

Of the barriers / key issues identified above, what do you think are the most significant? Please rank the top five.

Respondent Identification

Our goal is to survey between 75 and 100 healthcare organizations. We are limiting our survey to respondents representing hospitals, health plans, physician organizations, disease management companies, and researchers. After having spoken with us to gain an understanding of the survey objective, who do you feel would be appropriate to respond to the survey?

One of the most challenging parts of this survey is to identify who the correct person to respond within an organization is. Identifying the correct individual would help us get more meaningful data; therefore, as much detail on the respondents as you can give us would be appreciated (i.e. name, title, telephone number).

Wrap-Up

I would like to thank you for taking the time to help us develop our survey topics and questions. The information that you have provided us is central in helping us to achieve our goal. Once we have finished conducting our survey, NCQA will compile and analyze the information and send it to the California HealthCare Foundation for their publication. Once again, I would like to assure you that your responses will not be tied to you or your organization in the final survey results. If you think of additional information after the call that may be useful to us, please feel free to call me at ____________________.

California HIPAA Privacy Implementation Survey: Appendix B. Questionnaire

Prepared for the California HealthCare Foundation

Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project

April 2002

Appendix B. California HIPAA Implementation Survey Questionnaire

Hello, my name is ________________. Our research group was hired by the National Committee for Quality Assurance (NCQA) and the Georgetown University Health Privacy Project to conduct a survey for the California HealthCare Foundation. The survey’s goal is to obtain feedback on the impact of the HIPAA privacy regulation on your organization. Once we have finished conducting the survey, NCQA and Georgetown University Health Privacy Project will compile and analyze the results and prepare a report for publication by the California HealthCare Foundation. The results of this survey will be shared with the Department of Health and Human Services. In addition, as a participant in this survey, you will receive a copy of the final report.

You have been identified as the individual within your organization who will be able to answer the survey questions on behalf of your organization. Your responses will be kept confidential. Only those administering the survey will have access to your responses. There will be a total of 20 closed-ended and 9 open-ended questions. I anticipate that this interview will take between 30 and 40 minutes, so thank you in advance for your time. What questions do you have at this time?

These questions are scripted, so if at any time you need me to repeat a question or answer, please feel free to interrupt. Also, please excuse any pauses, as I will be taking detailed notes during this survey.

First, I would like to verify some demographic information. Please remember that your name will be kept confidential and your organization will not be publicly associated with its specific responses.

Background

Participant:
Name:
Position:
Phone #:
Name of Facility/Organization:
Type of Facility/Organization:

• Hospital: Rural, Community, Academic. Size: < 50 bed, 50 – 99, 100 – 299, > 300

• Physician: Single Specialty, Multi-specialty. Size: < 30, 31 – 100, > 100

• Payor: Type: Commercial, Medicaid, Medicare (Check all that apply)

• Researcher

• Disease Management

Address of Facility/Organization:
Street 1:
Street 2:
City:
State:
Zip:

Questions

1. On a scale of 1 – 5, with 1 being “Low” and 5 being “High”, how would you rate your overall knowledge of the HIPAA privacy regulation?

1 = Low (only cursory awareness)
2 =
3 = Medium – Have attended a HIPAA awareness seminar
4 =
5 = High – Have read the HIPAA Regulations and Notice of Proposed Rule Making and attended training

1 2 3 4 5

2. On a scale of 1 – 5, with 1 being “least workable” and 5 being “most workable”, how do you view the workability of the HIPAA Privacy Regulation’s current consent requirements?

1 = Consent requirements are not workable
2 =
3 = Consent requirements are somewhat workable
4 =
5 = Consent requirements are very workable

1 2 3 4 5 Don’t Know

3. On a scale of 1 – 5, with 1 being “will greatly limit” and 5 being “will greatly enhance”, how do you think the consent requirements will affect the flow of information needed to assess health care quality?

1 = Consent requirements will greatly limit the flow of information
2 = Consent requirements will somewhat limit the flow of information
3 = Consent requirements will have no effect on the flow of information
4 = Consent requirements will somewhat enhance the flow of information
5 = Consent requirements will greatly enhance the flow of information

1 2 3 4 5 Don’t Know

3a. (If answered “1” or “2” to question 3) In what way do you think that the consent requirement will limit the flow of information?

4. What do you deem useful and what are your concerns with the consent requirements?

5. On a scale of 1 – 5, with 1 being “least workable” and 5 being “most workable”, how do you view the workability of the HIPAA Privacy Regulation’s current “Minimum Necessary” requirements?

1 = “Minimum Necessary” requirements are not workable
2 =
3 = “Minimum Necessary” requirements are somewhat workable
4 =
5 = “Minimum Necessary” requirements are very workable

1 2 3 4 5 Don’t Know

6. This will be a three-part question. On a scale of 1 – 5, with 1 being “will greatly limit” and 5 being “will greatly enhance”, how do you think the “Minimum Necessary” rule will affect the flow of information needed for each of the following: delivery, payment, and assessment of health care quality? Please use these choices for each of the following categories: delivery, payment and assessment.

1 = “Minimum Necessary” will greatly limit the flow of information
2 = “Minimum Necessary” will somewhat limit the flow of information
3 = “Minimum Necessary” will have no effect on the flow of information
4 = “Minimum Necessary” will somewhat enhance the flow of information
5 = “Minimum Necessary” will greatly enhance the flow of information

Delivery: 1 2 3 4 5 Don’t Know
Payment: 1 2 3 4 5 Don’t Know
Assessment: 1 2 3 4 5 Don’t Know

7. On a scale of 1 – 5, with 1 being “No Impact” and 5 being “Significant Impact”, to what degree will the regulations have an impact on whether or not providers can or cannot participate in quality measurement activities under HIPAA?

1 = No impact
2 =
3 = Minimal impact
4 =
5 = Significant impact

1 2 3 4 5 Don’t Know

8. This will be a three-part question. Do you believe that the regulations clearly define who your business associates are, what their responsibilities are and what provisions need to be included in the agreement?

Business Associates: Yes No Don’t Know
Responsibilities: Yes No Don’t Know
Agreement Provisions: Yes No Don’t Know

8a. (If “No” to any part of question 8) Where do additional clarifications or modifications need to be given?

9. On a scale of 1 – 5, with 1 being “small” and 5 being “large”, what is the magnitude of the burden of implementing the Business Associate Agreement in terms of cost and time?

1 = Small burden
2 =
3 = Burden is neither small nor large
4 =
5 = Large burden

Cost: 1 2 3 4 5 Don’t Know
Time: 1 2 3 4 5 Don’t Know

10. On a scale of 1 – 5, with 1 being “regulations are unclear” and 5 being “regulations are very clear”, does the regulation adequately distinguish between research and health care operations?

1 = The regulations are unclear between research and operations
2 =
3 = The regulations are neither clear nor unclear
4 =
5 = The regulations are clear between research and operations

1 2 3 4 5 Don’t Know

10a. (If answered “1” or “2” to question 10) Where do additional clarifications or modifications need to be given?

11. Are there additional areas in the HIPAA Privacy Regulation where you would like to see the Department of Health and Human Services provide additional clarification and/or modification?

Yes No Don’t Know

11a. (If “Yes” to question 11) Which component(s) of the Privacy Regulation would you like to see the Department of Health and Human Services provide additional clarification and/or modification?

12. Has your organization developed a strategy for HIPAA Privacy Regulation compliance?

Yes No Don’t Know

13. We are now ten months into a two-year compliance period. Which of the following has your organization completed toward the implementation of the HIPAA Privacy Regulation? (Check all that apply)

Developed a strategic plan: Yes No Don’t Know
Conducted Gap Assessment: Yes No Don’t Know
Developed Readiness Initiatives: Yes No Don’t Know
Completed Implementing Readiness Initiatives: Yes No Don’t Know

14. Has your organization designated a Privacy Official as defined by HIPAA?

Yes No Don’t Know

14a. (If “Yes” to question 14) Has the Privacy Official identified the resources (people) within your organization that are needed to ready your organization for HIPAA compliance?

Yes No Don’t know

15. Which department in your organization has the lead on the HIPAA privacy implementation?

1 = Medical Records
2 = Information Technology
3 = Legal
4 = Operations
5 = Other, please specify: ____________________________________________

1 2 3 4 5 Don’t Know

16. If and when do you anticipate the cost to comply with the Privacy regulations will be offset by the savings expected by implementing other components of the regulations (e.g., the Transaction and Code Set regulations)? (Check all that apply).

• Short Term (<1 year)
• Medium Term (3–5 years)
• Long Term (5+ years)
• No Savings
• Don’t Know

17. Which of the following describes your organization’s progress in regards to the budgeting and funding of your HIPAA efforts? (Check the option that most applies to your organization).

• Not Budgeted
• Budgeted, but not yet funded
• Partially funded (e.g., cost to upgrade system and develop consent form, privacy notice and disclosure form)
• Fully Funded
• Not developing a HIPAA specific budget (e.g. will be included in individual department’s budget)
• Don’t Know

18. In which departments or areas of your organization will implementation of the HIPAA Privacy Regulation be most costly? Please provide the top three in descending order – highest to lowest.

1. Area:

2. Area:

3. Area:

19. How does your organization plan to monitor compliance after the HIPAA Privacy regulation is in effect?

______________________________________________________________________________

20. Have you identified those state laws that are preempted by and are not preempted by the HIPAA Privacy Regulation?

Preempt: Yes No Don’t Know
Do Not Preempt: Yes No Don’t Know

20a. (If “Yes” to question 20) How are you analyzing and tracking state privacy laws’ interplay with HIPAA?

______________________________________________________________________________

20b. (If “No” to question 20) How are you planning to analyze and track state privacy laws’ interplay with HIPAA?

______________________________________________________________________________

21. On a scale of 1 – 5, with 1 being “no guidelines” and 5 being “extensive guidelines”, to what extent do the HIPAA Privacy regulations provide guidelines for information technology developers?

1 = No guidelines
2 = Few guidelines
3 = Adequate guidelines
4 = Several guidelines
5 = Extensive guidelines

1 2 3 4 5 Don’t Know

22. Can the following requirements be implemented with available tools and technologies?

Tracking Consent: Yes Partially No Don’t know
Revocations of Consent: Yes Partially No Don’t know
Limitations on Consent: Yes Partially No Don’t know
Accounting of Disclosure: Yes Partially No Don’t know

23. What are the greatest benefits and/or challenges for your organization relating to the implementation of the HIPAA Privacy Regulation?

This concludes the survey. Thank you for taking the time to participate. Once again, I would like to assure you that your responses will not be tied to you or your organization in the final survey results.

Thank you.

Have a good day.

California HIPAA Privacy Implementation Survey: Appendix C. Survey Protocol Outcomes Prepared for the California HealthCare Foundation Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project April 2002

Appendix C: Survey Protocol Outcomes

1) Response Rates Overall and by Group

There were 420 organizations identified for the survey, out of which 416 were still in business at the time of the survey. These organizations were classified as Hospitals, Physician Groups, Payors, and Others (Disease Management Organizations, Researchers, and Other organizations believed to be impacted by HIPAA regulations). One hundred surveys out of the 416 were completed, yielding an overall response rate of 24% for the survey. The highest response rate by group was 70%, among respondents representing Payors (26 completed out of 37 attempted). Respondents representing Others had the second highest response rate at 32% (26 completed out of 81 attempted). Only 22% (29 out of 131 attempted) of the Hospitals in our sample completed the survey, and only 11% (19 out of 167 attempted) of Physician Groups in our sample completed the survey.

2) Reasons given by Non-Respondents

Of non-respondents that could be reached, many provided reasons for not participating in the survey when asked. Twenty-four respondents stated that they did not believe their organization would be impacted by HIPAA regulations. Fifty percent of these responses were from Physician Group non-respondents, and 47% of these responses were from Disease Management organization non-respondents. Other common reasons given for non-participation were “no time” to do the survey or that the respondent “doesn’t do surveys.”

3) Characteristics of Respondents Overall and by Group

Despite the low response rates among Hospital respondents in this study, surveys completed by respondents representing Hospitals still constitute 29% of the total number of completed surveys, followed by Payors and Others (each 26% of total). Physician Groups constituted 19% of the total number of completed surveys.

Hospitals represented in the sample tended to be large community hospitals. Of the 29 Hospitals, 18 (63%) were Community hospitals, 8 (27%) were Academic hospitals, and 3 (10%) were rural hospitals. Sixty-three percent of the Hospital respondents represented hospitals with 300 or more beds, 27% were from hospitals with 100 to 299 beds, 7% were from hospitals with 50 to 99 beds, and 3% were from hospitals with less than 50 beds.

Physician Groups represented in the sample tended to be mostly multiple specialty groups with more than 100 physicians. Multiple specialty physician groups comprise 84% of Physician Group responses, while single specialty groups comprise 16% of Physician Group responses. 74% of Physician Group responses were from groups with a size greater than 100; 10% were from groups of 31 to 100 in size, and 16% of physician responses were from groups with less than 30 physicians.

Fifty percent of Payors were either partially or exclusively Medicaid Payors, while 46% were either Commercial or Commercial and Medicare.

Fifty percent of Other respondents represented Disease Management Organizations, and 46% were from Other organizations. Only 1 respondent was classified as “Researcher.” Twelve respondents classified as Other represented organizations such as: clearinghouses, corporate offices for a system of hospitals, employee benefit consulting firms, behavioral health care organizations, medical groups/medical management groups, and online companies.

California HIPAA Privacy Implementation Survey: Appendix D. Pie Charts Prepared for the California HealthCare Foundation Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project April 2002


Appendix D. Pie charts with percentages of total valid responses for each closed-ended question

1. On a scale of 1 – 5, with 1 being “Low” and 5 being “High”, how would you rate your overall knowledge of the HIPAA privacy regulation?

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 0% | 0% | 10% | 34% | 55% |
| Physician Group | 5% | 5% | 26% | 42% | 21% |
| Payor | 0% | 8% | 35% | 31% | 27% |
| Other | 0% | 0% | 15% | 46% | 38% |

Total Response Percentage - By Response

1-Low: 1%; 2: 3%; 3-Medium: 21%; 4: 38%; 5-High: 37%

2. On a scale of 1 – 5, with 1 being “least workable” and 5 being “most workable”, how do you view the workability of the HIPAA Privacy Regulation’s current consent requirements?

Total Response Percentage - By Response

1-Low: 7%; 2: 13%; 3-Medium: 51%; 4: 19%; 5-High: 10%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 3% | 7% | 66% | 14% | 10% |
| Physician Group | 5% | 16% | 58% | 21% | 0% |
| Payor | 12% | 20% | 36% | 16% | 16% |
| Other | 8% | 12% | 42% | 27% | 12% |

3. On a scale of 1 – 5, with 1 being “will greatly limit” and 5 being “will greatly enhance” how do you think the consent requirements will affect the flow of information needed to assess health care quality?

Total Response Percentage - By Response

1-Low: 7%; 2: 51%; 3-Medium: 32%; 4: 9%; 5-High: 1%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 61% | 18% | 18% | 0% |
| Physician Group | 5% | 42% | 42% | 5% | 5% |
| Payor | 4% | 48% | 44% | 4% | 0% |
| Other | 15% | 50% | 27% | 8% | 0% |

5. On a scale of 1 – 5, with 1 being “least workable” and 5 being “most workable”, how do you view the workability of the HIPAA Privacy Regulation’s current “Minimum Necessary” requirements?

Total Response Percentage - By Response

1-Low: 4%; 2: 15%; 3-Medium: 58%; 4: 18%; 5-High: 5%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 14% | 57% | 18% | 7% |
| Physician Group | 5% | 11% | 68% | 11% | 5% |
| Payor | 0% | 22% | 52% | 22% | 4% |
| Other | 8% | 13% | 54% | 21% | 4% |

6. This will be a three-part question. On a scale of 1 – 5, with 1 being “will greatly limit” and 5 being “will greatly enhance”, how do you think the “Minimum Necessary” rule will affect the flow of information needed for each of the following: delivery, payment, and assessment of health care quality?

Delivery

Total Response Percentage - By Response

1-Low: 4%; 2: 41%; 3-Medium: 45%; 4: 9%; 5-High: 1%

6. Payment

Total Response Percentage - By Response

1-Low: 4%; 2: 35%; 3-Medium: 45%; 4: 12%; 5-High: 4%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 19% | 59% | 15% | 4% |
| Physician Group | 0% | 56% | 33% | 6% | 6% |
| Payor | 0% | 58% | 25% | 13% | 4% |
| Other | 14% | 10% | 57% | 14% | 5% |

6. Assessment

Total Response Percentage - By Response

1-Low: 9%; 2: 48%; 3-Medium: 35%; 4: 6%; 5-High: 2%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 36% | 48% | 12% | 0% |
| Physician Group | 6% | 61% | 22% | 0% | 11% |
| Payor | 9% | 50% | 32% | 9% | 0% |
| Other | 17% | 48% | 35% | 0% | 0% |

7. On a scale of 1-5, with 1 being “No Impact” and 5 being “Significant Impact”, to what degree will the regulations have an impact on whether or not providers can or cannot participate in quality measurement activities under HIPAA?

Total Response Percentage - By Response

1-Low: 29%; 2: 22%; 3-Medium: 26%; 4: 15%; 5-High: 8%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 50% | 15% | 27% | 8% | 0% |
| Physician Group | 18% | 18% | 29% | 29% | 6% |
| Payor | 14% | 33% | 29% | 10% | 14% |
| Other | 26% | 22% | 22% | 17% | 13% |

8. This will be a three-part question. Do you believe that the regulations clearly define who your business associates are, what their responsibilities are and what provisions need to be included in the agreement?

Business Associates

Total Response Percentage - By Response

1-Yes: 65%; 2-No: 35%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 69% | 31% |
| Physician Group | 81% | 19% |
| Payor | 50% | 50% |
| Other | 64% | 36% |

8- Responsibilities

Total Response Percentage - By Percentage

1-Yes: 63%; 2-No: 37%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 72% | 28% |
| Physician Group | 78% | 22% |
| Payor | 44% | 56% |
| Other | 60% | 40% |

8- Agreement Provisions

Total Response Percentage - By Response

1-Yes: 62%; 2-No: 38%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 74% | 26% |
| Physician Group | 71% | 29% |
| Payor | 50% | 50% |
| Other | 54% | 46% |

9. On a scale of 1 – 5, with 1 being “small” and 5 being “large”, what is the magnitude of the burden of implementing the Business Associate Agreement in terms of cost and time?

Cost

Total Response Percentage - By Response

1-Low: 7%; 2: 7%; 3-Medium: 32%; 4: 28%; 5-High: 25%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 7% | 30% | 30% | 30% |
| Physician Group | 5% | 0% | 26% | 42% | 26% |
| Payor | 12% | 4% | 32% | 20% | 32% |
| Other | 8% | 17% | 38% | 25% | 13% |

9-Time

Total Response Percentage - By Response

1-Low: 6%; 2: 4%; 3-Medium: 18%; 4: 33%; 5-High: 39%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 4% | 4% | 7% | 30% | 56% |
| Physician Group | 5% | 0% | 11% | 26% | 58% |
| Payor | 8% | 0% | 28% | 32% | 32% |
| Other | 8% | 13% | 25% | 42% | 13% |

10. On a scale of 1 – 5, with 1 being “regulations are unclear” and 5 being “regulations are very clear”, does the regulation adequately distinguish between research and health care operations?

Total Response Percentage - By Response

1-Low: 8%; 2: 10%; 3-Medium: 32%; 4: 33%; 5-High: 17%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 8% | 17% | 33% | 33% | 8% |
| Physician Group | 0% | 15% | 46% | 15% | 23% |
| Payor | 10% | 5% | 33% | 38% | 14% |
| Other | 10% | 5% | 20% | 40% | 25% |

11. Are there additional areas in the HIPAA Privacy Regulation where you would like to see the Department of Health and Human Services provide additional clarification and/or modification?

Total Response Percentage - By Response

1-Yes: 78%; 2-No: 22%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 96% | 4% |
| Physician Group | 42% | 58% |
| Payor | 79% | 21% |
| Other | 76% | 24% |

12. Has your organization developed a strategy for HIPAA Privacy Regulation compliance?

Total Response Percentage - By Response

1-Yes: 86%; 2-No: 14%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 93% | 7% |
| Physician | 78% | 22% |
| Payor | 77% | 23% |
| Other | 92% | 8% |

13. We are now ten months into a two-year compliance period. Which of the following has your organization completed toward the implementation of the HIPAA Privacy Regulation? (Check all that apply)

Developed a strategic plan

Total Response Percentage - By Response

1-Yes: 81%; 2-No: 19%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 96% | 4% |
| Physician Group | 65% | 35% |
| Payor | 77% | 23% |
| Other | 80% | 20% |

13-Conducted Gap Assessment

Total Response Percentage - By Response

1-Yes: 67%; 2-No: 33%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 75% | 25% |
| Physician Group | 53% | 47% |
| Payor | 69% | 31% |
| Other | 65% | 35% |

13-Developed Readiness Initiatives

Total Response Percentage - By Response

1-Yes: 52%; 2-No: 48%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 67% | 33% |
| Physician Group | 35% | 65% |
| Payor | 48% | 52% |
| Other | 52% | 48% |

13-Completed Implementing Readiness Initiatives

Total Response Percentage - By Response

1-Yes: 12%; 2-No: 83%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 4% | 96% |
| Physician Group | 12% | 88% |
| Payor | 8% | 92% |
| Other | 24% | 76% |

14. Has your organization designated a Privacy Official as defined by HIPAA?

Total Response Percentage - By Response

1-Yes: 77%; 2-No: 23%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 76% | 24% |
| Physician Group | 65% | 35% |
| Payor | 75% | 25% |

14a. (If “Yes” to question 14) Has the Privacy Official identified the resources (people) within your organization that are needed to ready your organization for HIPAA compliance?

Total Response Percentage - By Response

1-Yes: 87%; 2-No: 13%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 100% | 0% |
| Physician Group | 75% | 25% |
| Payor | 79% | 21% |
| Other | 86% | 14% |

15. Which department in your organization has the lead on the HIPAA privacy implementation?

Total Response Percentage - By Response

1-Compliance: 27%; 2-Medical Records: 9%; 3-Information Technology: 13%; 4-Legal: 10%; 5-Operations: 13%; 6-Other: 28%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 | Response #6 |
|---|---|---|---|---|---|---|
| Hospital | 46% | 25% | 4% | 0% | 11% | 14% |
| Physician Group | 16% | 11% | 21% | 5% | 21% | 26% |
| Payor | 23% | 0% | 8% | 23% | 15% | 31% |
| Other | 16% | 0% | 24% | 12% | 8% | 40% |

16. If and when do you anticipate the cost to comply with the Privacy regulations will be offset by the savings expected by implementing other components of the regulations (e.g., the Transaction and Code Set regulations)? (Check all that apply).

Total Response Percentage - By Response

1-Short Term: 4%; 2-Medium Term: 26%; 3-Long Term: 22%; 4-No Savings: 48%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 |
|---|---|---|---|---|
| Hospital | 11% | 26% | 37% | 26% |
| Physician Group | 6% | 25% | 6% | 63% |
| Payor | 0% | 31% | 23% | 46% |
| Other | 0% | 25% | 20% | 55% |

17. Which of the following describes your organization’s progress in regards to the budgeting and funding of your HIPAA efforts? (Check the option that most applies to your organization).

Total Response Percentage - By Response

1-Not Budgeted: 18%; 2-Budgeted Not Funded: 6%; 3-Partially Funded: 27%; 4-Fully Funded: 21%; 5-Not Developing: 28%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 | Response #5 |
|---|---|---|---|---|---|
| Hospital | 17% | 14% | 24% | 24% | 21% |
| Physician Group | 42% | 11% | 21% | 5% | 21% |
| Payor | 4% | 0% | 42% | 29% | 25% |
| Other | 13% | 0% | 21% | 21% | 46% |

20. Have you identified those state laws that are preempted by and are not preempted by the HIPAA Privacy Regulation?

Preempt

Total Response Percentage - By Response

1-Yes: 44%; 2-No: 56%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 52% | 48% |
| Physician Group | 38% | 62% |
| Payor | 42% | 58% |
| Other | 41% | 59% |

20. Do Not Preempt

Total Response Percentage - By Response

1-Yes: 46%; 2-No: 54%

Percentage of Responses by Category

| Category | Response #1 | Response #2 |
|---|---|---|
| Hospital | 56% | 44% |
| Physician Group | 38% | 62% |
| Payor | 43% | 57% |
| Other | 43% | 57% |

21. On a scale of 1 – 5, with 1 being “no guidelines” and 5 being “extensive guidelines”, to what extent do the HIPAA Privacy regulations provide guidelines for information technology developers?

Total Response Percentage - By Response

1-No Guidelines: 13%; 2-Low Guidelines: 49%; 3-Guidelines: 29%; 4-High Guidelines: 9%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 | Response #4 |
|---|---|---|---|---|
| Hospital | 5% | 48% | 43% | 5% |
| Physician Group | 6% | 56% | 31% | 6% |
| Payor | 14% | 43% | 29% | 14% |
| Other | 23% | 55% | 14% | 9% |

22. Can the following requirements be implemented with available tools and technologies?

Tracking Consent

Total Response Percentage - By Response

1-Yes: 53%; 2-Partial: 26%; 3-No: 21%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 |
|---|---|---|---|
| Hospital | 52% | 28% | 20% |
| Physician Group | 47% | 20% | 33% |
| Payor | 53% | 32% | 16% |
| Other | 61% | 22% | 17% |

22. Revocations of Consent

Total Response Percentage - By Response

1-Yes: 45%; 2-Partially: 27%; 3-No: 28%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 |
|---|---|---|---|
| Hospital | 44% | 32% | 24% |
| Physician Group | 47% | 20% | 33% |
| Payor | 39% | 28% | 33% |
| Other | 50% | 25% | 25% |

22. Limitations of Consent

Total Response Percentage - By Response

1-Yes: 37%; 2-Partially: 28%; 3-No: 35%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 |
|---|---|---|---|
| Hospital | 30% | 39% | 30% |
| Physician Group | 40% | 27% | 33% |
| Payor | 32% | 21% | 47% |
| Other | 45% | 23% | 32% |

22. Accounting of Disclosure

Total Response Percentage - By Response

1-Yes: 43%; 2-Partially: 28%; 3-No: 29%

Percentage of Responses by Category

| Category | Response #1 | Response #2 | Response #3 |
|---|---|---|---|
| Hospital | 44% | 32% | 24% |
| Physician Group | 33% | 33% | 33% |
| Payor | 43% | 24% | 33% |
| Other | 48% | 24% | 29% |

California HIPAA Privacy Implementation Survey: Appendix E. Bar Charts Prepared for the California HealthCare Foundation Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project April 2002

1. On a scale of 1 – 5, with 1 being “Low” and 5 being “High”, how would you rate your overall knowledge of the HIPAA privacy regulation?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

2. On a scale of 1 – 5, with 1 being “least workable” and 5 being “most workable”, how do you view the workability of the HIPAA Privacy Regulation’s current consent requirements?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

3. On a scale of 1 – 5, with 1 being “will greatly limit” and 5 being “will greatly enhance” how do you think the consent requirements will affect the flow of information needed to assess health care quality?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

5. On a scale of 1 – 5, with 1 being “least workable” and 5 being “most workable”, how do you view the workability of the HIPAA Privacy Regulation’s current “Minimum Necessary” requirements?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

6. This will be a three-part question. On a scale of 1 – 5, with 1 being “will greatly limit” and 5 being “will greatly enhance”, how do you think the “Minimum Necessary” rule will affect the flow of information needed for each of the following: delivery, payment, and assessment of health care quality.

Delivery

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

6 Payment

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

6. Assessment

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

7. On a scale of 1-5, with 1 being “No Impact” and 5 being “Significant Impact”, to what degree will the regulations have an impact on whether or not providers can or cannot participate in quality measurement activities under HIPAA?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

8. This will be a three-part question. Do you believe that the regulations clearly define who your business associates are, what their responsibilities are and what provisions need to be included in the agreement?

Business Associates

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

8- Responsibilities

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

8- Agreement Provisions

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

9. On a scale of 1 – 5, with 1 being “small” and 5 being “large”, what is the magnitude of the burden of implementing the Business Associate Agreement in terms of cost and time?

Cost

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

9- Time

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

10. On a scale of 1 – 5, with 1 being “regulations are unclear” and 5 being “regulations are very clear”, does the regulation adequately distinguish between research and health care operations?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

11. Are there additional areas in the HIPAA Privacy Regulation where you would like to see the Department of Health and Human Services provide additional clarification and/or modification?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

12. Has your organization developed a strategy for HIPAA Privacy Regulation compliance?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

13. We are now ten months into a two-year compliance period. Which of the following has your organization completed toward the implementation of the HIPAA Privacy Regulation? (Check all that apply)

Developed a strategic plan

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

13- Conducted Gap Assessment

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

13- Developed Readiness Initiatives

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

13-Completed Implementing Readiness Initiatives

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

14. Has your organization designated a Privacy Official as defined by HIPAA?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

14a. (If “Yes” to question 14) Has the Privacy Official identified the resources (people) within your organization that are needed to ready your organization for HIPAA compliance?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

15. Which department in your organization has the lead on the HIPAA privacy implementation?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 6); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

16. If and when do you anticipate the cost to comply with the Privacy regulations will be offset by the savings expected by implementing other components of the regulations (e.g., the Transaction and Code Set regulations)? (Check all that apply).

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 4); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

17. Which of the following describes your organization’s progress in regards to the budgeting and funding of your HIPAA efforts? (Check the option that most applies to your organization).

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 5); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

20. Have you identified those state laws that are preempted by and are not preempted by the HIPAA Privacy Regulation?

Preempt

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

20- Do not Preempt

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 2); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

21. On a scale of 1 – 5, with 1 being “no guidelines” and 5 being “extensive guidelines”, to what extent do the HIPAA Privacy regulations provide guidelines for information technology developers?

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 4); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

22. Can the following requirements be implemented with available tools and technologies?

Tracking Consent

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 3); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

22. Revocations of Consent

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 3); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

22- Limitations of Consent

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 3); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

22. Accounting of Disclosure

[Bar chart: Number of Responses by Category. Horizontal axis: Type of Response (1 to 3); vertical axis: Number of Response; series: Hospital, Physician, Payor, Other.]

California HIPAA Privacy Implementation Survey:

Appendix F. Data Frequency Sheets for Open-ended Questions

Prepared for the California HealthCare Foundation

Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project

April 2002

Survey Response Rate

| Group | Population | Surveyed | Percent |
|---|---|---|---|
| Total | 420 | 100 | 24% |
| Hospital | 133 | 29 | 22% |
| Rural | - | 3 | - |
| < 50 bed | - | - | - |
| 50 - 99 | - | 1 | - |
| 100 - 299 | - | - | - |
| > 300 bed | - | 2 | - |
| Community | - | 18 | - |
| < 50 beds | - | 1 | - |
| 50 - 99 | - | 1 | - |
| 100 - 299 | - | 6 | - |
| > 300 beds | - | 10 | - |
| Academic | - | 8 | - |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | - | 2 | - |
| > 300 beds | - | 6 | - |
| Physician Group | 167 | 19 | 11% |
| Single Specialty | - | 3 | - |
| < 30 | - | 3 | - |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | - | 16 | - |
| < 30 | - | - | - |
| 31 - 100 | - | 2 | - |
| > 100 | - | 14 | - |
| Payor | 39 | 26 | 67% |
| Commercial | - | 3 | - |
| Medicaid | - | 7 | - |
| Medicare | - | 3 | - |
| Commercial and Medicaid | - | 3 | - |
| Commercial and Medicare | - | 6 | - |
| Medicaid and Medicare | - | - | - |
| All | - | 4 | - |
| Other | 81 | 26 | 32% |
| Researcher | - | 1 | - |
| Disease Mgmt | - | 13 | - |
| Other | - | 12 | - |

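1. On a scale of 1 – 5, with 1 being “Low” and 5 being “High”, how would you rate your overall knowledge of the HIPAA privacy regulation?

| Group | 1 Low | 2 | 3 Medium | 4 | 5 High | Don't Know |
|---|---|---|---|---|---|---|
| Total | 1 | 3 | 21 | 38 | 37 | - |
| Hospital | - | - | 3 | 10 | 16 | - |
| Rural | - | - | - | - | 3 | - |
| < 50 bed | - | - | - | - | - | - |
| 50 - 99 | - | - | - | - | 1 | - |
| 100 - 299 | - | - | - | - | - | - |
| > 300 bed | - | - | - | - | 2 | - |
| Community | - | - | 3 | 10 | 5 | - |
| < 50 beds | - | - | 1 | - | - | - |
| 50 - 99 | - | - | - | - | 1 | - |
| 100 - 299 | - | - | 2 | 2 | 2 | - |
| > 300 beds | - | - | - | 8 | 2 | - |
| Academic | - | - | - | - | 8 | - |
| < 50 beds | - | - | - | - | - | - |
| 50 - 99 | - | - | - | - | - | - |
| 100 - 299 | - | - | - | - | 2 | - |
| > 300 beds | - | - | - | - | 6 | - |
| Physician Group | 1 | 1 | 5 | 8 | 4 | - |
| Single Specialty | 1 | - | 1 | 1 | - | - |
| < 30 | 1 | - | 1 | 1 | - | - |
| 31 - 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | - | 1 | 4 | 7 | 4 | - |
| < 30 | - | - | - | - | - | - |
| 31 - 100 | - | - | 1 | - | 1 | - |
| > 100 | - | 1 | 3 | 7 | 3 | - |
| Payor | - | 2 | 9 | 8 | 7 | - |
| Commercial | - | - | 1 | 1 | 1 | - |
| Medicaid | - | - | 3 | 4 | - | - |
| Medicare | - | - | 1 | 2 | - | - |
| Commercial and Medicaid | - | 1 | - | - | 2 | - |
| Commercial and Medicare | - | - | 3 | 1 | 2 | - |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | - | 1 | 1 | - | 2 | - |
| Other | - | - | 4 | 12 | 10 | - |
| Researcher | - | - | - | - | 1 | - |
| Disease Mgmt | - | - | 2 | 8 | 3 | - |
| Other | - | - | 2 | 4 | 6 | - |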

2. On a scale of 1 – 5, with 1 being “least workable” and 5 being “most workable”, how do you view the workability of the HIPAA Privacy Regulation’s current consent requirements?

| Group | 1 Least Workable | 2 | 3 | 4 | 5 Most Workable | Don't Know |
|---|---|---|---|---|---|---|
| Total | 7 | 13 | 50 | 19 | 10 | 1 |
| Hospital | 1 | 2 | 19 | 4 | 3 | - |
| Rural | - | - | 2 | 1 | - | - |
| < 50 bed | - | - | - | - | - | - |
| 50 - 99 | - | - | 1 | - | - | - |
| 100 - 299 | - | - | - | - | - | - |
| > 300 bed | - | - | 1 | 1 | - | - |
| Community | 1 | 2 | 12 | 2 | 1 | - |
| < 50 beds | - | - | - | 1 | - | - |
| 50 - 99 | - | - | 1 | - | - | - |
| 100 - 299 | - | - | 6 | - | - | - |
| > 300 beds | 1 | 2 | 5 | 1 | 1 | - |
| Academic | - | - | 5 | 1 | 2 | - |
| < 50 beds | - | - | - | - | - | - |
| 50 - 99 | - | - | - | - | - | - |
| 100 - 299 | - | - | 2 | - | - | - |
| > 300 beds | - | - | 3 | 1 | 2 | - |
| Physician Group | 1 | 3 | 11 | 4 | - | - |
| Single Specialty | 1 | - | 2 | - | - | - |
| < 30 | 1 | - | 2 | - | - | - |
| 31 - 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | - | 3 | 9 | 4 | - | - |
| < 30 | - | - | - | - | - | - |
| 31 - 100 | - | 1 | 1 | - | - | - |
| > 100 | - | 2 | 8 | 4 | - | - |
| Payor | 3 | 5 | 9 | 4 | 4 | 1 |
| Commercial | 1 | 1 | - | - | 1 | - |
| Medicaid | 1 | 2 | 2 | 1 | 1 | - |
| Medicare | - | - | 2 | 1 | - | - |
| Commercial and Medicaid | - | 1 | - | 1 | 1 | - |
| Commercial and Medicare | - | 1 | 4 | 1 | - | - |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | 1 | - | 1 | - | 1 | 1 |
| Other | 2 | 3 | 11 | 7 | 3 | - |
| Researcher | - | - | - | 1 | - | - |
| Disease Mgmt | 2 | 1 | 8 | 1 | 1 | - |
| Other | - | 2 | 3 | 5 | 2 | - |

3. On a scale of 1 – 5, with 1 being “will greatly limit” and 5 being “will greatly enhance” how do you think the consent requirements will affect the flow of information needed to assess health care quality?

| Group | 1 Will Greatly Limit | 2 | 3 | 4 | 5 Will Greatly Enhance | Don't Know |
|---|---|---|---|---|---|---|
| Total | 7 | 50 | 31 | 9 | 1 | 2 |
| Hospital | 1 | 17 | 5 | 5 | - | 1 |
| Rural | - | 1 | - | 2 | - | - |
| < 50 bed | - | - | - | - | - | - |
| 50 - 99 | - | 1 | - | - | - | - |
| 100 - 299 | - | - | - | - | - | - |
| > 300 bed | - | - | - | 2 | - | - |
| Community | 1 | 13 | 4 | - | - | - |
| < 50 beds | - | - | 1 | - | - | - |
| 50 - 99 | - | 1 | - | - | - | - |
| 100 - 299 | - | 3 | 3 | - | - | - |
| > 300 beds | 1 | 9 | - | - | - | - |
| Academic | - | 3 | 1 | 3 | - | 1 |
| < 50 beds | - | - | - | - | - | - |
| 50 - 99 | - | - | - | - | - | - |
| 100 - 299 | - | 1 | - | 1 | - | - |
| > 300 beds | - | 2 | 1 | 2 | - | 1 |
| Physician Group | 1 | 8 | 8 | 1 | 1 | - |
| Single Specialty | - | 3 | - | - | - | - |
| < 30 | - | 3 | - | - | - | - |
| 31 - 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | 1 | 5 | 8 | 1 | 1 | - |
| < 30 | - | - | - | - | - | - |
| 31 - 100 | - | 1 | - | - | 1 | - |
| > 100 | 1 | 4 | 8 | 1 | - | - |
| Payor | 1 | 12 | 11 | 1 | - | 1 |
| Commercial | - | 1 | 2 | - | - | - |
| Medicaid | - | 2 | 5 | - | - | - |
| Medicare | - | 2 | - | 1 | - | - |
| Commercial and Medicaid | 1 | 1 | 1 | - | - | - |
| Commercial and Medicare | - | 4 | 2 | - | - | - |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | - | 2 | 1 | - | - | 1 |
| Other | 4 | 13 | 7 | 2 | - | - |
| Researcher | - | 1 | - | - | - | - |
| Disease Mgmt | 2 | 6 | 4 | 1 | - | - |
| Other | 2 | 6 | 3 | 1 | - | - |


5. On a scale of 1 – 5, with 1 being “least workable” and 5 being “most workable”, how do you view the workability of the HIPAA Privacy Regulation’s current “Minimum Necessary” requirements?

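| | 1 Least Workable | 2 | 3 | 4 | 5 Most Workable | Don't Know |
|---|---|---|---|---|---|---|
| Total | 4 | 14 | 54 | 17 | 5 | 6 |
| Hospital | 1 | 4 | 16 | 5 | 2 | 1 |
| Rural | - | 2 | 1 | - | - | - |
| < 50 bed | - | - | - | - | - | - |
| 50 - 99 | - | - | 1 | - | - | - |
| 100 - 299 | - | - | - | - | - | - |
| > 300 bed | - | 2 | - | - | - | - |
| Community | 1 | 1 | 11 | 3 | 1 | 1 |
| < 50 beds | - | - | - | 1 | - | - |
| 50 - 99 | - | - | 1 | - | - | - |
| 100 - 299 | - | - | 3 | 1 | 1 | 1 |
| > 300 beds | 1 | 1 | 7 | 1 | - | - |
| Academic | - | 1 | 4 | 2 | 1 | - |
| < 50 beds | - | - | - | - | - | - |
| 50 - 99 | - | - | - | - | - | - |
| 100 - 299 | - | - | 2 | - | - | - |
| > 300 beds | - | 1 | 2 | 2 | 1 | - |
| Physician Group | 1 | 2 | 13 | 2 | 1 | - |
| Single Specialty | - | - | 3 | - | - | - |
| < 30 | - | - | 3 | - | - | - |
| 31 - 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | 1 | 2 | 10 | 2 | 1 | - |
| < 30 | - | - | - | - | - | - |
| 31 - 100 | - | 1 | - | - | 1 | - |
| > 100 | 1 | 1 | 10 | 2 | - | - |
| Payor | - | 5 | 12 | 5 | 1 | 3 |
| Commercial | - | 1 | 2 | - | - | - |
| Medicaid | - | 3 | - | 2 | - | 2 |
| Medicare | - | - | 3 | - | - | - |
| Commercial and Medicaid | - | - | 1 | 2 | - | - |
| Commercial and Medicare | - | 1 | 3 | 1 | 1 | - |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | - | - | 3 | - | - | 1 |
| Other | 2 | 3 | 13 | 5 | 1 | 2 |
| Researcher | - | - | 1 | - | - | - |
| Disease Mgmt | 1 | 3 | 5 | 2 | 1 | 1 |
| Other | 1 | - | 7 | 3 | - | 1 |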


6. This will be a three-part question. On a scale of 1 – 5, with 1 being “will greatly limit” and 5 being “will greatly enhance”, how do you think the “Minimum Necessary” rule will affect the flow of information needed for each of the following: delivery, payment, and assessment of health care quality?

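| 6a. Delivery | 1 Greatly Limit | 2 | 3 | 4 | 5 Greatly Enhance | Don't Know |
|---|---|---|---|---|---|---|
| Total | 4 | 38 | 42 | 8 | 1 | 7 |
| Hospital | - | 8 | 14 | 5 | - | 2 |
| Rural | - | - | 2 | - | - | 1 |
| < 50 bed | - | - | - | - | - | - |
| 50 - 99 | - | - | 1 | - | - | - |
| 100 - 299 | - | - | - | - | - | - |
| > 300 bed | - | - | 1 | - | - | 1 |
| Community | - | 5 | 10 | 2 | - | 1 |
| < 50 beds | - | - | 1 | - | - | - |
| 50 - 99 | - | 1 | - | - | - | - |
| 100 - 299 | - | - | 5 | - | - | 1 |
| > 300 beds | - | 4 | 4 | 2 | - | - |
| Academic | - | 3 | 2 | 3 | - | - |
| < 50 beds | - | - | - | - | - | - |
| 50 - 99 | - | - | - | - | - | - |
| 100 - 299 | - | 2 | - | - | - | - |
| > 300 beds | - | 1 | 2 | 3 | - | - |
| Physician Group | 1 | 9 | 7 | - | 1 | 1 |
| Single Specialty | - | 2 | - | - | - | 1 |
| < 30 | - | 2 | - | - | - | 1 |
| 31 - 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | 1 | 7 | 7 | - | 1 | - |
| < 30 | - | - | - | - | - | - |
| 31 - 100 | - | 1 | - | - | 1 | - |
| > 100 | 1 | 6 | 7 | - | - | - |
| Payor | - | 11 | 9 | 3 | - | 3 |
| Commercial | - | 2 | 1 | - | - | - |
| Medicaid | - | 2 | 2 | 3 | - | - |
| Medicare | - | 3 | - | - | - | - |
| Commercial and Medicaid | - | 1 | 2 | - | - | - |
| Commercial and Medicare | - | 1 | 3 | - | - | 2 |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | - | 2 | 1 | - | - | 1 |
| Other | 3 | 10 | 12 | - | - | 1 |
| Researcher | - | 1 | - | - | - | - |
| Disease Mgmt | 1 | 6 | 5 | - | - | 1 |
| Other | 2 | 3 | 7 | - | - | - |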


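| 6b. Payment | 1 Greatly Limit | 2 | 3 | 4 | 5 Greatly Enhance | Don't Know |
|---|---|---|---|---|---|---|
| Total | 4 | 31 | 40 | 11 | 4 | 10 |
| Hospital | 1 | 5 | 16 | 4 | 1 | 2 |
| Rural | - | - | 2 | - | - | 1 |
| < 50 bed | - | - | - | - | - | - |
| 50 - 99 | - | - | 1 | - | - | - |
| 100 - 299 | - | - | - | - | - | - |
| > 300 bed | - | - | 1 | - | - | 1 |
| Community | 1 | 3 | 10 | 2 | 1 | 1 |
| < 50 beds | - | - | 1 | - | - | - |
| 50 - 99 | - | - | 1 | - | - | - |
| 100 - 299 | - | 1 | 3 | 1 | - | 1 |
| > 300 beds | 1 | 2 | 5 | 1 | 1 | - |
| Academic | - | 2 | 4 | 2 | - | - |
| < 50 beds | - | - | - | - | - | - |
| 50 - 99 | - | - | - | - | - | - |
| 100 - 299 | - | - | 2 | - | - | - |
| > 300 beds | - | 2 | 2 | 2 | - | - |
| Physician Group | - | 10 | 6 | 1 | 1 | 1 |
| Single Specialty | - | 1 | - | 1 | - | 1 |
| < 30 | - | 1 | - | 1 | - | 1 |
| 31 - 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | - | 9 | 6 | - | 1 | - |
| < 30 | - | - | - | - | - | - |
| 31 - 100 | - | 1 | - | - | 1 | - |
| > 100 | - | 8 | 6 | - | - | - |
| Payor | - | 14 | 6 | 3 | 1 | 2 |
| Commercial | - | 2 | - | - | 1 | - |
| Medicaid | - | 2 | 3 | 2 | - | - |
| Medicare | - | 2 | - | 1 | - | - |
| Commercial and Medicaid | - | 1 | 2 | - | - | - |
| Commercial and Medicare | - | 4 | 1 | - | - | 1 |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | - | 3 | - | - | - | 1 |
| Other | 3 | 2 | 12 | 3 | 1 | 5 |
| Researcher | - | - | 1 | - | - | - |
| Disease Mgmt | 1 | 2 | 4 | 2 | - | 4 |
| Other | 2 | - | 7 | 1 | 1 | 1 |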


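| 6c. Assessment | 1 Greatly Limit | 2 | 3 | 4 | 5 Greatly Enhance | Don't Know |
|---|---|---|---|---|---|---|
| Total | 8 | 42 | 31 | 5 | 2 | 12 |
| Hospital | 1 | 9 | 12 | 3 | - | 4 |
| Rural | - | - | 2 | - | - | 1 |
| < 50 bed | - | - | - | - | - | - |
| 50 - 99 | - | - | 1 | - | - | - |
| 100 - 299 | - | - | - | - | - | - |
| > 300 bed | - | - | 1 | - | - | 1 |
| Community | - | 6 | 9 | - | - | 3 |
| < 50 beds | - | - | 1 | - | - | - |
| 50 - 99 | - | 1 | - | - | - | - |
| 100 - 299 | - | 2 | 3 | - | - | 1 |
| > 300 beds | - | 3 | 5 | - | - | 2 |
| Academic | 1 | 3 | 1 | 3 | - | - |
| < 50 beds | - | - | - | - | - | - |
| 50 - 99 | - | - | - | - | - | - |
| 100 - 299 | - | 2 | - | - | - | - |
| > 300 beds | 1 | 1 | 1 | 3 | - | - |
| Physician Group | 1 | 11 | 4 | - | 2 | 1 |
| Single Specialty | 1 | 1 | - | - | - | 1 |
| < 30 | 1 | 1 | - | - | - | 1 |
| 31 - 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | - | 10 | 4 | - | 2 | - |
| < 30 | - | - | - | - | - | - |
| 31 - 100 | - | 1 | - | - | 1 | - |
| > 100 | - | 9 | 4 | - | 1 | - |
| Payor | 2 | 11 | 7 | 2 | - | 4 |
| Commercial | 1 | 1 | 1 | - | - | - |
| Medicaid | - | 1 | 3 | 2 | - | 1 |
| Medicare | - | 3 | - | - | - | - |
| Commercial and Medicaid | - | 1 | 2 | - | - | - |
| Commercial and Medicare | 1 | 3 | 1 | - | - | 1 |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | - | 2 | - | - | - | 2 |
| Other | 4 | 11 | 8 | - | - | 3 |
| Researcher | 1 | - | - | - | - | - |
| Disease Mgmt | 1 | 6 | 4 | - | - | 2 |
| Other | 2 | 5 | 4 | - | - | 1 |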


7. On a scale of 1-5, with 1 being “No Impact” and 5 being “Significant Impact”, to what degree will the regulations have an impact on whether or not providers can or cannot participate in quality measurement activities under HIPAA?

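| | 1 No Impact | 2 | 3 | 4 | 5 Significant Impact | Don't Know |
|---|---|---|---|---|---|---|
| Total | 25 | 19 | 23 | 13 | 7 | 13 |
| Hospital | 13 | 4 | 7 | 2 | - | 3 |
| Rural | 2 | - | - | - | - | 1 |
| < 50 bed | - | - | - | - | - | - |
| 50 - 99 | 1 | - | - | - | - | - |
| 100 - 299 | - | - | - | - | - |
| > 300 bed | 1 | - | - | - | - | 1 |
| Community | 8 | 3 | 5 | 1 | - | 1 |
| < 50 beds | 1 | - | - | - | - | - |
| 50 - 99 | - | 1 | - | - | - | - |
| 100 - 299 | 4 | 1 | - | - | - | 1 |
| > 300 beds | 3 | 1 | 5 | 1 | - | - |
| Academic | 3 | 1 | 2 | 1 | - | 1 |
| < 50 beds | - | - | - | - | - | - |
| 50 - 99 | - | - | - | - | - | - |
| 100 - 299 | - | - | 1 | - | - | 1 |
| > 300 beds | 3 | 1 | 1 | 1 | - | - |
| Physician Group | 3 | 3 | 5 | 5 | 1 | 2 |
| Single Specialty | - | 1 | 1 | 1 | - | - |
| < 30 | - | 1 | 1 | 1 | - | - |
| 31 - 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | 3 | 2 | 4 | 4 | 1 | 2 |
| < 30 | - | - | - | - | - | - |
| 31 - 100 | - | - | - | 1 | 1 | - |
| > 100 | 3 | 2 | 4 | 3 | - | 2 |
| Payor | 3 | 7 | 6 | 2 | 3 | 5 |
| Commercial | 1 | - | 1 | - | - | 1 |
| Medicaid | - | 4 | 1 | 1 | - | 1 |
| Medicare | - | - | 1 | - | - | 2 |
| Commercial and Medicaid | - | 1 | 1 | 1 | - | - |
| Commercial and Medicare | 1 | 2 | 1 | - | 1 | 1 |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | 1 | - | 1 | - | 2 | - |
| Other | 6 | 5 | 5 | 4 | 3 | 3 |
| Researcher | - | - | - | - | 1 | - |
| Disease Mgmt | 3 | 2 | 3 | 3 | - | 2 |
| Other | 3 | 3 | 2 | 1 | 2 | 1 |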


8.a This will be a three-part question. Do you believe that the regulations clearly define who your business associates are, what their responsibilities are and what provisions need to be included in the agreement?

| 8.a Business Associates | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 62 | 34 | 4 |
| Hospital | 20 | 9 | - |
| Rural | 3 | - | - |
| < 50 bed | - | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | - | - | - |
| > 300 bed | 2 | - | - |
| Community | 11 | 7 | - |
| < 50 beds | 1 | - | - |
| 50 - 99 | - | 1 | - |
| 100 - 299 | 3 | 3 | - |
| > 300 beds | 7 | 3 | - |
| Academic | 6 | 2 | - |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | 1 | 1 | - |
| > 300 beds | 5 | 1 | - |
| Physician Group | 13 | 3 | 3 |
| Single Specialty | - | 1 | 2 |
| < 30 | - | 1 | 2 |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 13 | 2 | 1 |
| < 30 | - | - | - |
| 31 - 100 | 2 | - | - |
| > 100 | 11 | 2 | 1 |
| Payor | 13 | 13 | - |
| Commercial | - | 3 | - |
| Medicaid | - | 7 | - |
| Medicare | 2 | 1 | - |
| Commercial and Medicaid | 3 | - | - |
| Commercial and Medicare | 4 | 2 | - |
| Medicaid and Medicare | - | - | - |
| All | 4 | - | - |
| Other | 16 | 9 | 1 |
| Researcher | 1 | - | - |
| Disease Mgmt | 8 | 5 | - |
| Other | 7 | 4 | 1 |


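| 8.b Responsibilities | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 61 | 36 | 3 |
| Hospital | 21 | 8 | - |
| Rural | 2 | 1 | - |
| < 50 bed | - | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | - | - | - |
| > 300 bed | 1 | 1 | - |
| Community | 12 | 6 | - |
| < 50 beds | 1 | - | - |
| 50 - 99 | - | 1 | - |
| 100 - 299 | 3 | 3 | - |
| > 300 beds | 8 | 2 | - |
| Academic | 7 | 1 | - |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | 1 | 1 | - |
| > 300 beds | 6 | - | - |
| Physician Group | 14 | 4 | 1 |
| Single Specialty | - | 2 | 1 |
| < 30 | - | 2 | 1 |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 14 | 2 | - |
| < 30 | - | - | - |
| 31 - 100 | 2 | - | - |
| > 100 | 12 | 2 | - |
| Payor | 11 | 14 | 1 |
| Commercial | 1 | 2 | - |
| Medicaid | 1 | 6 | - |
| Medicare | 1 | 1 | 1 |
| Commercial and Medicaid | 2 | 1 | - |
| Commercial and Medicare | 4 | 2 | - |
| Medicaid and Medicare | - | - | - |
| All | 2 | 2 | - |
| Other | 15 | 10 | 1 |
| Researcher | 1 | - | - |
| Disease Mgmt | 7 | 6 | - |
| Other | 7 | 4 | 1 |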


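| 8.c Agreement Provisions | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 57 | 35 | 8 |
| Hospital | 20 | 7 | 2 |
| Rural | 2 | 1 | - |
| < 50 bed | 1 | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | - | - | - |
| > 300 bed | 1 | 1 | - |
| Community | 13 | 4 | 1 |
| < 50 beds | 1 | - | - |
| 50 - 99 | - | 1 | - |
| 100 - 299 | 4 | 2 | - |
| > 300 beds | 8 | 1 | 1 |
| Academic | 5 | 2 | 1 |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | - | 1 | 1 |
| > 300 beds | 5 | 1 | - |
| Physician Group | 12 | 5 | 2 |
| Single Specialty | - | 1 | 2 |
| < 30 | - | 1 | 2 |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 12 | 4 | - |
| < 30 | - | - | - |
| 31 - 100 | 2 | - | - |
| > 100 | 10 | 4 | - |
| Payor | 12 | 12 | 2 |
| Commercial | 2 | 1 | - |
| Medicaid | 1 | 6 | - |
| Medicare | 1 | 1 | 1 |
| Commercial and Medicaid | 2 | 1 | - |
| Commercial and Medicare | 4 | 1 | 1 |
| Medicaid and Medicare | - | - | - |
| All | 2 | 2 | - |
| Other | 13 | 11 | 2 |
| Researcher | - | - | 1 |
| Disease Mgmt | 7 | 6 | - |
| Other | 6 | 5 | 1 |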


9. On a scale of 1 – 5, with 1 being “small” and 5 being “large”, what is the magnitude of the burden of implementing the Business Associate Agreement in terms of cost and time?

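| 9a. Cost | 1 Small | 2 | 3 | 4 | 5 Large | Don't Know |
|---|---|---|---|---|---|---|
| Total | 7 | 7 | 30 | 27 | 24 | 5 |
| Hospital | 1 | 2 | 8 | 8 | 8 | 2 |
| Rural | - | - | 1 | 2 | - | - |
| < 50 bed | - | - | - | - | - | - |
| 50 - 99 | - | - | 1 | - | - | - |
| 100 - 299 | - | - | - | - | - | - |
| > 300 bed | - | - | - | 2 | - | - |
| Community | 1 | 2 | 5 | 4 | 5 | 1 |
| < 50 beds | 1 | - | - | - | - | - |
| 50 - 99 | - | - | - | 1 | - | - |
| 100 - 299 | - | 1 | 2 | 1 | 2 | - |
| > 300 beds | - | 1 | 3 | 2 | 3 | 1 |
| Academic | - | - | 2 | 2 | 3 | 1 |
| < 50 beds | - | - | - | - | - | - |
| 50 - 99 | - | - | - | - | - | - |
| 100 - 299 | - | - | - | 1 | - | 1 |
| > 300 beds | - | - | 2 | 1 | 3 | - |
| Physician Group | 1 | - | 5 | 8 | 5 | - |
| Single Specialty | - | - | - | 1 | 2 | - |
| < 30 | - | - | - | 1 | 2 | - |
| 31 - 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | 1 | - | 5 | 7 | 3 | - |
| < 30 | - | - | - | - | - | - |
| 31 - 100 | - | - | - | - | 2 | - |
| > 100 | 1 | - | 5 | 7 | 1 | - |
| Payor | 3 | 1 | 8 | 5 | 8 | 1 |
| Commercial | 1 | - | - | - | 2 | - |
| Medicaid | 1 | 1 | 3 | 1 | 1 | - |
| Medicare | - | - | 1 | 1 | 1 | - |
| Commercial and Medicaid | - | - | - | - | 2 | 1 |
| Commercial and Medicare | - | - | 3 | 2 | 1 | - |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | 1 | - | 1 | 1 | 1 | - |
| Other | 2 | 4 | 9 | 6 | 3 | 2 |
| Researcher | - | - | - | 1 | - | - |
| Disease Mgmt | 1 | 2 | 5 | 3 | - | 2 |
| Other | 1 | 2 | 4 | 2 | 3 | - |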


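| 9b. Time | 1 Small | 2 | 3 | 4 | 5 Large | Don't Know |
|---|---|---|---|---|---|---|
| Total | 6 | 4 | 17 | 31 | 37 | 5 |
| Hospital | 1 | 1 | 2 | 8 | 15 | 2 |
| Rural | - | - | 1 | 1 | 1 | - |
| < 50 bed | - | - | - | - | - | - |
| 50 – 99 | - | - | 1 | - | - | - |
| 100 – 299 | - | - | - | - | - | - |
| > 300 bed | - | - | - | 1 | 1 | - |
| Community | 1 | 1 | 1 | 5 | 9 | 1 |
| < 50 beds | 1 | - | - | - | - | - |
| 50 – 99 | - | - | - | 1 | - | - |
| 100 – 299 | - | 1 | - | 2 | 3 | - |
| > 300 beds | - | - | 1 | 2 | 6 | 1 |
| Academic | - | - | - | 2 | 5 | 1 |
| < 50 beds | - | - | - | - | - | - |
| 50 – 99 | - | - | - | - | - | - |
| 100 – 299 | - | - | - | 1 | - | 1 |
| > 300 beds | - | - | - | 1 | 5 | - |
| Physician Group | 1 | - | 2 | 5 | 11 | - |
| Single Specialty | - | - | - | 1 | 2 | - |
| < 30 | - | - | - | 1 | 2 | - |
| 31 – 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | 1 | - | 2 | 4 | 9 | - |
| < 30 | - | - | - | - | - | - |
| 31 – 100 | - | - | - | - | 2 | - |
| > 100 | 1 | - | 2 | 4 | 7 | - |
| Payor | 2 | - | 7 | 8 | 8 | 1 |
| Commercial | - | - | 1 | - | 2 | - |
| Medicaid | 1 | - | 3 | 2 | 1 | - |
| Medicare | - | - | - | 2 | 1 | - |
| Commercial and Medicaid | - | - | - | - | 2 | 1 |
| Commercial and Medicare | - | - | 2 | 3 | 1 | - |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | 1 | - | 1 | 1 | 1 | - |
| Other | 2 | 3 | 6 | 10 | 3 | 2 |
| Researcher | - | - | - | 1 | - | - |
| Disease Mgmt | 1 | 2 | 4 | 4 | - | 2 |
| Other | 1 | 1 | 2 | 5 | 3 | - |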


10. On a scale of 1 – 5, with 1 being “regulations are unclear” and 5 being “regulations are very clear”, does the regulation adequately distinguish between research and health care operations?

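| | 1 Unclear | 2 | 3 | 4 | 5 Very Clear | Don't Know |
|---|---|---|---|---|---|---|
| Total | 6 | 8 | 25 | 26 | 13 | 22 |
| Hospital | 2 | 4 | 8 | 8 | 2 | 5 |
| Rural | - | - | - | 1 | - | 2 |
| < 50 bed | - | - | - | - | - | - |
| 50 – 99 | - | - | - | - | - | 1 |
| 100 – 299 | - | - | - | - | - | - |
| > 300 bed | - | - | - | 1 | - | 1 |
| Community | 1 | 2 | 6 | 4 | 2 | 3 |
| < 50 beds | - | - | 1 | - | - | - |
| 50 – 99 | - | - | 1 | - | - | - |
| 100 – 299 | - | - | 2 | 1 | 1 | 2 |
| > 300 beds | 1 | 2 | 2 | 3 | 1 | 1 |
| Academic | 1 | 2 | 2 | 3 | - | - |
| < 50 beds | - | - | - | - | - | - |
| 50 – 99 | - | - | - | - | - | - |
| 100 – 299 | - | - | 1 | 1 | - | - |
| > 300 beds | 1 | 2 | 1 | 2 | - | - |
| Physician Group | - | 2 | 6 | 2 | 3 | 6 |
| Single Specialty | - | - | 1 | - | - | 2 |
| < 30 | - | - | 1 | - | - | 2 |
| 31 – 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | - | 2 | 5 | 2 | 3 | 4 |
| < 30 | - | - | - | - | - | - |
| 31 – 100 | - | - | - | - | 2 | - |
| > 100 | - | 2 | 5 | 2 | 1 | 4 |
| Payor | 2 | 1 | 7 | 8 | 3 | 5 |
| Commercial | 1 | 1 | - | 1 | - | - |
| Medicaid | - | - | 2 | 3 | 1 | 1 |
| Medicare | - | - | - | 2 | 1 |
| Commercial and Medicaid | - | - | 1 | - | 1 | 1 |
| Commercial and Medicare | - | - | 2 | 2 | - | 2 |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | 1 | - | 2 | - | - | 1 |
| Other | 2 | 1 | 4 | 8 | 5 | 6 |
| Researcher | - | 1 | - | - | - | - |
| Disease Mgmt | 1 | - | 3 | 5 | - | 4 |
| Other | 1 | - | 1 | 3 | 5 | 2 |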


11. Are there additional areas in the HIPAA Privacy Regulation where you would like to see the Department of Health and Human Services provide additional clarification and/or modification?

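| | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 61 | 17 | 22 |
| Hospital | 25 | 1 | 3 |
| Rural | 3 | - | - |
| < 50 bed | - | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | - | - | - |
| > 300 bed | 2 | - | - |
| Community | 15 | 1 | 2 |
| < 50 beds | - | 1 | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | 4 | - | 2 |
| > 300 beds | 10 | - | - |
| Academic | 7 | - | 1 |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | 2 | - | - |
| > 300 beds | 5 | - | 1 |
| Physician Group | 5 | 7 | 7 |
| Single Specialty | - | 1 | 2 |
| < 30 | - | 1 | 2 |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 5 | 6 | 5 |
| < 30 | - | - | - |
| 31 - 100 | - | - | 2 |
| > 100 | 5 | 6 | 3 |
| Payor | 15 | 4 | 7 |
| Commercial | 3 | - | - |
| Medicaid | 4 | 1 | 2 |
| Medicare | - | 2 | 1 |
| Commercial and Medicaid | 1 | - | 2 |
| Commercial and Medicare | 4 | 1 | 1 |
| Medicaid and Medicare | - | - | - |
| All | 3 | - | 1 |
| Other | 16 | 5 | 5 |
| Researcher | 1 | - | - |
| Disease Mgmt | 9 | 1 | 3 |
| Other | 6 | 4 | 2 |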


12. Has your organization developed a strategy for HIPAA Privacy Regulation compliance?

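| | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 83 | 14 | 3 |
| Hospital | 27 | 2 | - |
| Rural | 3 | - | - |
| < 50 bed | - | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | - | - | - |
| > 300 bed | 2 | - | - |
| Community | 16 | 2 | - |
| < 50 beds | 1 | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | 4 | 2 | - |
| > 300 beds | 10 | - | - |
| Academic | 8 | - | - |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | 2 | - | - |
| > 300 beds | 6 | - | - |
| Physician Group | 14 | 4 | 1 |
| Single Specialty | 2 | 1 | - |
| < 30 | 2 | 1 | - |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 12 | 3 | 1 |
| < 30 | - | - | - |
| 31 - 100 | 2 | - | - |
| > 100 | 10 | 3 | 1 |
| Payor | 20 | 6 | - |
| Commercial | 3 | - | - |
| Medicaid | 5 | 2 | - |
| Medicare | 3 | - | - |
| Commercial and Medicaid | 2 | 1 | - |
| Commercial and Medicare | 5 | 1 | - |
| Medicaid and Medicare | - | - | - |
| All | 2 | 2 | - |
| Other | 22 | 2 | 2 |
| Researcher | 1 | - | - |
| Disease Mgmt | 12 | - | 1 |
| Other | 9 | 2 | 1 |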


13. We are now ten months into a two-year compliance period. Which of the following has your organization completed toward the implementation of the HIPAA Privacy Regulation? (Check all that apply)

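| 13a) Developed a Strategic Plan | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 78 | 18 | 4 |
| Hospital | 27 | 1 | 1 |
| Rural | 3 | - | - |
| < 50 bed | - | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | - | - | - |
| > 300 bed | 2 | - | - |
| Community | 16 | 1 | 1 |
| < 50 beds | 1 | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | 4 | 1 | 1 |
| > 300 beds | 10 | - | - |
| Academic | 8 | - | - |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | 2 | - | - |
| > 300 beds | 6 | - | - |
| Physician Group | 11 | 6 | 2 |
| Single Specialty | 2 | 1 | - |
| < 30 | 2 | 1 | - |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 9 | 5 | 2 |
| < 30 | - | - | - |
| 31 - 100 | 1 | 1 | - |
| > 100 | 8 | 4 | 2 |
| Payor | 20 | 6 | - |
| Commercial | 3 | - | - |
| Medicaid | 5 | 2 | - |
| Medicare | 3 | - | - |
| Commercial and Medicaid | 2 | 1 | - |
| Commercial and Medicare | 5 | 1 | - |
| Medicaid and Medicare | - | - | - |
| All | 2 | 2 | - |
| Other | 20 | 5 | 1 |
| Researcher | - | 1 | - |
| Disease Mgmt | 11 | 1 | 1 |
| Other | 9 | 3 | - |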


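| 13b) Conducted Gap Assessment | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 63 | 31 | 6 |
| Hospital | 21 | 7 | 1 |
| Rural | 3 | - | - |
| < 50 bed | - | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | - | - | - |
| > 300 bed | 2 | - | - |
| Community | 12 | 5 | 1 |
| < 50 beds | - | 1 | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | 3 | 2 | 1 |
| > 300 beds | 8 | 2 | - |
| Academic | 6 | 2 | - |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | 1 | 1 | - |
| > 300 beds | 5 | 1 | - |
| Physician Group | 9 | 8 | 2 |
| Single Specialty | 1 | 2 | - |
| < 30 | 1 | 2 | - |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 8 | 6 | 2 |
| < 30 | - | - | - |
| 31 - 100 | - | 2 | - |
| > 100 | 8 | 4 | 2 |
| Payor | 18 | 8 | - |
| Commercial | 3 | - | - |
| Medicaid | 3 | 4 | - |
| Medicare | 2 | 1 | - |
| Commercial and Medicaid | 2 | 1 | - |
| Commercial and Medicare | 6 | - | - |
| Medicaid and Medicare | - | - | - |
| All | 2 | 2 | - |
| Other | 15 | 8 | 3 |
| Researcher | 1 | - | - |
| Disease Mgmt | 7 | 3 | 3 |
| Other | 7 | 5 | - |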


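| 13c) Developed Readiness Initiatives | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 49 | 45 | 6 |
| Hospital | 18 | 9 | 2 |
| Rural | 2 | 1 | - |
| < 50 bed | - | - | - |
| 50 - 99 | - | 1 | - |
| 100 - 299 | - | - | - |
| > 300 bed | 2 | - | - |
| Community | 12 | 5 | 1 |
| < 50 beds | 1 | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | 1 | 4 | 1 |
| > 300 beds | 9 | 1 | - |
| Academic | 4 | 3 | 1 |
| < 50 beds | - | - | - |
| 50 - 99 | - | - |
| 100 - 299 | 2 | - | - |
| > 300 beds | 2 | 3 | 1 |
| Physician Group | 6 | 11 | 2 |
| Single Specialty | - | 3 | - |
| < 30 | - | 3 | - |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 6 | 8 | 2 |
| < 30 | - | - | - |
| 31 - 100 | - | 2 | - |
| > 100 | 6 | 6 | 2 |
| Payor | 12 | 13 | 1 |
| Commercial | 2 | 1 | - |
| Medicaid | 1 | 6 | - |
| Medicare | 1 | 2 | - |
| Commercial and Medicaid | 1 | 1 | 1 |
| Commercial and Medicare | 5 | 1 | - |
| Medicaid and Medicare | - | - | - |
| All | 2 | 2 | - |
| Other | 13 | 12 | 1 |
| Researcher | - | 1 | - |
| Disease Mgmt | 8 | 4 | 1 |
| Other | 5 | 7 | - |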


13. Continued –

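| 13d) Completed Implementing Readiness Initiatives | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 11 | 83 | 6 |
| Hospital | 1 | 26 | 2 |
| Rural | - | 3 | - |
| < 50 bed | - | - | - |
| 50 - 99 | - | 1 | - |
| 100 - 299 | - | - | - |
| > 300 bed | - | 2 | - |
| Community | 1 | 16 | 1 |
| < 50 beds | - | 1 | - |
| 50 - 99 | - | 1 | - |
| 100 - 299 | - | 5 | 1 |
| > 300 beds | 1 | 9 | - |
| Academic | - | 7 | - |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | - | 1 | 1 |
| > 300 beds | - | 6 | - |
| Physician Group | 2 | 15 | 2 |
| Single Specialty | - | 3 | - |
| < 30 | - | 3 | - |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 2 | 12 | 2 |
| < 30 | - | - | - |
| 31 - 100 | - | 2 | - |
| > 100 | 2 | 10 | 2 |
| Payor | 2 | 23 | 1 |
| Commercial | - | 3 | - |
| Medicaid | - | 7 | - |
| Medicare | - | 3 | - |
| Commercial and Medicaid | - | 3 | - |
| Commercial and Medicare | 1 | 4 | 1 |
| Medicaid and Medicare | - | - | - |
| All | 1 | 3 | - |
| Other | 6 | 19 | 1 |
| Researcher | - | 1 | - |
| Disease Mgmt | 3 | 9 | 1 |
| Other | 3 | 9 | - |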


14. Has your organization designated a Privacy Official as defined by HIPAA?

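| | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 73 | 22 | 5 |
| Hospital | 22 | 7 | - |
| Rural | 3 | - | - |
| < 50 bed | - | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | - | - | - |
| > 300 bed | 2 | - | - |
| Community | 13 | 5 | - |
| < 50 beds | 1 | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | 4 | 2 | - |
| > 300 beds | 7 | 3 | - |
| Academic | 6 | 2 | - |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | 1 | 1 | - |
| > 300 beds | 5 | 1 | - |
| Physician Group | 11 | 6 | 2 |
| Single Specialty | 2 | - | 1 |
| < 30 | 2 | - | 1 |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 9 | 6 | 1 |
| < 30 | - | - | - |
| 31 - 100 | 2 | - | - |
| > 100 | 7 | 6 | 1 |
| Payor | 18 | 6 | 2 |
| Commercial | 3 | - | - |
| Medicaid | 4 | 2 | 1 |
| Medicare | 3 | - | - |
| Commercial and Medicaid | 1 | 2 | - |
| Commercial and Medicare | 5 | - | 1 |
| Medicaid and Medicare | - | - | - |
| All | 2 | 2 | - |
| Other | 22 | 3 | 1 |
| Researcher | 1 | - | - |
| Disease Mgmt | 13 | - | - |
| Other | 8 | 3 | 1 |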


14a. (If “Yes” to question 14) Has the Privacy Official identified the resources (people) within your organization that are needed to ready your organization for HIPAA compliance?

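| | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 65 | 10 | 2 |
| Hospital | 22 | - | 1 |
| Rural | 3 | - | - |
| < 50 bed | - | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | - | - | - |
| > 300 bed | 2 | - | - |
| Community | 14 | - | - |
| < 50 beds | 1 | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | 4 | - | - |
| > 300 beds | 8 | - | - |
| Academic | 5 | - | 1 |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | - | - | 1 |
| > 300 beds | 5 | - | - |
| Physician Group | 9 | 3 | 1 |
| Single Specialty | - | 2 | - |
| < 30 | - | 2 | - |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 9 | 1 | 1 |
| < 30 | - | - | - |
| 31 - 100 | 2 | - | - |
| > 100 | 7 | 1 | 1 |
| Payor | 15 | 4 | - |
| Commercial | 3 | - | - |
| Medicaid | 2 | 2 | - |
| Medicare | 2 | 1 | - |
| Commercial and Medicaid | 2 | - | - |
| Commercial and Medicare | 5 | - | - |
| Medicaid and Medicare | - | - | - |
| All | 1 | 1 | - |
| Other | 19 | 3 | - |
| Researcher | 1 | - | - |
| Disease Mgmt | 11 | 2 | - |
| Other | 7 | 1 | - |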


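15. Which department in your organization has the lead on the HIPAA privacy implementation?

| | Compliance | Medical Records | Information Technology | Legal | Operations | Other | Don't Know |
|---|---|---|---|---|---|---|---|
| Total | 26 | 9 | 13 | 10 | 13 | 27 | 2 |
| Hospital | 13 | 7 | 1 | - | 3 | 4 | 1 |
| Rural | 2 | - | - | - | - | 1 | - |
| < 50 bed | - | - | - | - | - | - | - |
| 50 - 99 | 1 | - | - | - | - | - | - |
| 100 - 299 | - | - | - | - | - | - | - |
| > 300 bed | 1 | - | - | - | - | 1 | - |
| Community | 6 | 6 | 1 | - | 3 | 1 | 1 |
| < 50 beds | - | 1 | - | - | - | - | - |
| 50 - 99 | 1 | - | - | - | - | - | - |
| 100 - 299 | - | 3 | 1 | - | 1 | - | 1 |
| > 300 beds | 5 | 2 | - | - | 2 | 1 | - |
| Academic | 5 | 1 | - | - | - | 2 | - |
| < 50 beds | - | - | - | - | - | - | - |
| 50 - 99 | - | - | - | - | - | - | - |
| 100 - 299 | 2 | - | - | - | - | - | - |
| > 300 beds | 3 | 1 | - | - | - | 2 | - |
| Physician Group | 3 | 2 | 4 | 1 | 4 | 5 | - |
| Single Specialty | - | 1 | 1 | - | - | 1 | - |
| < 30 | - | 1 | 1 | - | - | 1 | - |
| 31 - 100 | - | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - | - |
| Multi-Specialty | 3 | 1 | 3 | 1 | 4 | 4 | - |
| < 30 | - | - | - | - | - | - | - |
| 31 - 100 | - | - | - | - | - | 2 | - |
| > 100 | 3 | 1 | 3 | 1 | 4 | 2 | - |
| Payor | 6 | - | 2 | 6 | 4 | 8 | - |
| Commercial | 1 | - | - | 1 | 1 | - | - |
| Medicaid | 1 | - | 1 | 1 | 1 | 3 | - |
| Medicare | 2 | - | - | - | - | 1 | - |
| Commercial and Medicaid | - | - | - | 2 | 1 | - | - |
| Commercial and Medicare | 1 | - | - | 1 | - | 4 | - |
| Medicaid and Medicare | - | - | - | - | - | - | - |
| All | 1 | - | 1 | 1 | 1 | - | - |
| Other | 4 | - | 6 | 3 | 2 | 10 | 1 |
| Researcher | - | - | - | - | - | 1 | - |
| Disease Mgmt | 1 | - | 4 | 2 | 1 | 5 | - |
| Other | 3 | - | 2 | 1 | 1 | 4 | 1 |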


16. If and when do you anticipate the cost to comply with the Privacy regulations will be offset by the savings expected by implementing other components of the regulations (e.g., the Transaction and Code Set regulations)? (Check all that apply).

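| | Short Term (< 1 year) | Medium Term (3 – 5 years) | Long Term (>5 years) | No Savings | Don’t Know |
|---|---|---|---|---|---|
| Total | 3 | 18 | 15 | 32 | 32 |
| Hospital | 2 | 5 | 7 | 5 | 10 |
| Rural | - | 1 | - | - | 2 |
| < 50 bed | - | - | - | - | - |
| 50 - 99 | - | 1 | - | - | - |
| 100 - 299 | - | - | - | - | - |
| > 300 bed | - | - | - | - | 2 |
| Community | 2 | 4 | 5 | 2 | 5 |
| < 50 beds | 1 | - | - | - | - |
| 50 - 99 | - | - | 1 | - | - |
| 100 - 299 | 1 | 2 | - | 1 | 2 |
| > 300 beds | - | 2 | 4 | 1 | 3 |
| Academic | - | - | 2 | 3 | 3 |
| < 50 beds | - | - | - | - | - |
| 50 - 99 | - | - | - | - | - |
| 100 - 299 | - | - | 1 | - | 1 |
| > 300 beds | - | - | 1 | 3 | 2 |
| Physician Group | 1 | 4 | 1 | 10 | 3 |
| Single Specialty | - | - | - | 2 | 1 |
| < 30 | - | - | - | 2 | 1 |
| 31 - 100 | - | - | - | - | - |
| >100 | - | - | - | - | - |
| Multi-Specialty | 1 | 4 | 1 | 8 | 2 |
| < 30 | - | - | - | - | - |
| 31 - 100 | - | 1 | - | - | 1 |
| > 100 | 1 | 3 | 1 | 8 | 1 |
| Payor | - | 4 | 3 | 6 | 13 |
| Commercial | - | 1 | - | 1 | 1 |
| Medicaid | - | 1 | - | 2 | 4 |
| Medicare | - | - | - | 2 | 1 |
| Commercial and Medicaid | - | - | 2 | - | 1 |
| Commercial and Medicare | - | 2 | - | 1 | 3 |
| Medicaid and Medicare | - | - | - | - | - |
| All | - | - | 1 | - | 3 |
| Other | - | 5 | 4 | 11 | 6 |
| Researcher | - | - | - | 1 | - |
| Disease Mgmt | - | 3 | 1 | 5 | 4 |
| Other | - | 2 | 3 | 5 | 2 |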


18. In which departments or areas of your organization will implementation of the HIPAA Privacy Regulation be most costly? Please provide the top three in descending order – highest to lowest.

High Medium Low Hospital IT Clinics Medical Records IS None None Tracking Disclosures None None IT Medical Records None IT Compliance Department Medical Records IT None None IT None None Medical Records Contract Management Nursing HIM Business Office Information Services IT Medical Records Nursing

Health Information Management

Human Resources – training the workforce IT

IS Medical Records Clinical Departments Nursing Information Systems Administration Medical Records Admission/Registration HIPAA Office Dept Medical Records Admitting and Registration Clinical/Nursing IS Education Medical Records Admitting/ Registration Medical Records IT Medical Records Information Systems Clinical areas M R EDI Clinical Operations Education IS Medical Records Registration Cancer Center I/S Risk Management Medical Records Compliance

have not assessed costs yet

None None

IT None None Security Privacy EDI Nursing Units Admitting Medical Records Nursing Time Medical Records Privacy Officer IT Administration Education

IT - Security Tracking systems for disclosures Training & Audit

Physician Groups Medical Records IT None Clinic Operations IT Billing Operations Transactions Sets Human Resource (people) Information Systems Medical Operations Providers Services Information services Medical records Operations Record Management Admissions IS Information Conversion None None Billing Administration Technology

Information Technology Education/Training Quality Risk Management/Compliance

I/T Medical Management Provider Relations


High Medium Low Customer Service Health Resource Management Contract Areas I/T Medical Management Provider Relations Medical costs Administrative costs IS costs IS Claims Processing Eligibility Information Technology Care Management Customer Service

Information Technology Medical Records Patient Accounting & Registration

MIS Medical Records Nursing Information Technology Medical Records Operations Payor Operations Utilization Management None System Modifications Training Procedures IT Legal Customer Service MIS Facilities Medical Mgmt Utilization management Member services Provider network operations IT Medical Mgmt Staff Model Dept MIS Claims Utilization Member Services None None Operations IT None Accounting Medical records IS Information Systems Claims Member Services Legal Affairs Medical Management Customer Services IS Don't Know Don't Know IT Contracting Physical Plants Member Services Provider Services Medical Services Operations None None

Medical Services (Pharmacy) I/T Claims/Member Services

Administration Contracting None Operations Member Services Provider Relations Customer Service Network Management Claims Legal IT Network Relations Systems Upgrade None None Operations Health/Plan Enrollment Information Technology IS Provider Network Services Quality Management IS Marketing Materials Legal Legal Providers Services Clinical

Other Legal IRB

Researchers (much more time devoted to obtaining data from providers)

Operations IT None Medical Management IT Legal Clinical Department Information Technology Medical Records IT Health management Operations IT Clinical Management HR Engineering Operations None

IT Policies & Procedures throughout Organization None

Operations IT Marketing


High Medium Low Telemedicine None None Billing Medical Records Operations IT Operations G&A Operations None None Administration Service Delivery Compliance Monitoring IT Customer Service Claims Contracting IT None Legal Quality Assurance Operations MIS Quality Management Provider Services

Information Technology Human Resource/Benefits Management Communications

Legal Clinical Operations Record Keeping

Keeping "record of disclosures" if "disclosures" include transactions.

Legal issues associated w/ BA contracts None

Fiscal Office Medical Records IT Training Development of Standards IT IT None None

HIPAA Department (Cost Center) Operations Information systems

Information Services Operations Marketing


20. Have you identified those state laws that are preempted by and are not preempted by the HIPAA Privacy Regulation?

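| 20.1) Preempted | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 38 | 48 | 14 |
| Hospital | 14 | 13 | 2 |
| Rural | 1 | 2 | - |
| < 50 bed | - | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | - | - | - |
| > 300 bed | - | 2 | - |
| Community | 9 | 7 | 2 |
| < 50 beds | - | 1 | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | 3 | 2 | 1 |
| > 300 beds | 5 | 4 | 1 |
| Academic | 4 | 4 | - |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | - | 2 | - |
| > 300 beds | 4 | 2 | - |
| Physician Group | 5 | 8 | 6 |
| Single Specialty | 1 | 1 | 1 |
| < 30 | 1 | 1 | 1 |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 4 | 7 | 5 |
| < 30 | - | - | - |
| 31 - 100 | - | 2 | - |
| > 100 | 4 | 5 | 5 |
| Payor | 10 | 14 | 2 |
| Commercial | 1 | 2 | - |
| Medicaid | 1 | 6 | - |
| Medicare | 1 | 2 | - |
| Commercial and Medicaid | 2 | 1 | - |
| Commercial and Medicare | 4 | 2 | - |
| Medicaid and Medicare | - | - | - |
| All | 1 | 1 | 2 |
| Other | 9 | 13 | 4 |
| Researcher | - | - | 1 |
| Disease Mgmt | 5 | 6 | 2 |
| Other | 4 | 7 | 1 |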


20. Continued –

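| 20.2 Do Not Preempt | Yes | No | Don’t Know |
|---|---|---|---|
| Total | 39 | 45 | 15 |
| Hospital | 15 | 12 | 2 |
| Rural | 1 | 2 | - |
| < 50 bed | - | - | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | - | - | - |
| > 300 bed | - | 2 | - |
| Community | 10 | 6 | 2 |
| < 50 beds | - | 1 | - |
| 50 - 99 | 1 | - | - |
| 100 - 299 | 4 | 1 | 1 |
| > 300 beds | 5 | 4 | 1 |
| Academic | 4 | 4 | - |
| < 50 beds | - | - | - |
| 50 - 99 | - | - | - |
| 100 - 299 | - | 2 | - |
| > 300 beds | 4 | 2 | - |
| Physician Group | 5 | 8 | 6 |
| Single Specialty | 1 | 1 | 1 |
| < 30 | 1 | 1 | 1 |
| 31 - 100 | - | - | - |
| >100 | - | - | - |
| Multi-Specialty | 4 | 7 | 5 |
| < 30 | - | - | - |
| 31 - 100 | - | 2 | - |
| > 100 | 4 | 5 | 5 |
| Payor | 10 | 13 | 3 |
| Commercial | 1 | 2 | - |
| Medicaid | 1 | 6 | - |
| Medicare | 1 | 1 | 1 |
| Commercial and Medicaid | 2 | 1 | - |
| Commercial and Medicare | 4 | 2 | - |
| Medicaid and Medicare | - | - | - |
| All | 1 | 1 | 2 |
| Other | 9 | 12 | 4 |
| Researcher | - | - | 1 |
| Disease Mgmt | 5 | 5 | 2 |
| Other | 4 | 7 | 1 |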


21. On a scale of 1 – 5, with 1 being “no guidelines” and 5 being “extensive guidelines”, to what extent do the HIPAA Privacy regulations provide guidelines for information technology developers?

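| | 1 No Guidelines | 2 | 3 | 4 | 5 Extensive Guidelines | Don't Know |
|---|---|---|---|---|---|---|
| Total | 10 | 40 | 23 | 7 | - | 20 |
| Hospital | 1 | 10 | 9 | 1 | - | 8 |
| Rural | - | - | 1 | - | - | 2 |
| < 50 bed | - | - | - | - | - | - |
| 50 – 99 | - | - | 1 | - | - | - |
| 100 – 299 | - | - | - | - | - | - |
| > 300 bed | - | - | - | - | - | 2 |
| Community | 1 | 6 | 5 | - | - | 6 |
| < 50 beds | - | - | 1 | - | - | - |
| 50 – 99 | - | 1 | - | - | - | - |
| 100 – 299 | 1 | 3 | - | - | - | 2 |
| > 300 beds | - | 2 | 4 | - | - | 4 |
| Academic | - | 4 | 3 | 1 | - | - |
| < 50 beds | - | - | - | - | - | - |
| 50 – 99 | - | - | - | - | - | - |
| 100 – 299 | - | 2 | - | - | - | - |
| > 300 beds | - | 2 | 3 | 1 | - | - |
| Physician Group | 1 | 9 | 5 | 1 | - | 3 |
| Single Specialty | - | 1 | - | - | - | 2 |
| < 30 | - | 1 | - | - | - | 2 |
| 31 – 100 | - | - | - | - | - | - |
| >100 | - | - | - | - | - | - |
| Multi-Specialty | 1 | 8 | 5 | 1 | - | 1 |
| < 30 | - | - | - | - | - | - |
| 31 – 100 | - | 1 | 1 | - | - | - |
| > 100 | 1 | 7 | 4 | 1 | - | 1 |
| Payor | 3 | 9 | 6 | 3 | - | 5 |
| Commercial | 1 | 2 | - | - | - | - |
| Medicaid | - | 4 | 1 | - | - | 2 |
| Medicare | - | 1 | 1 | - | - | 1 |
| Commercial and Medicaid | - | - | 2 | 1 | - | - |
| Commercial and Medicare | 1 | - | 2 | 2 | - | 1 |
| Medicaid and Medicare | - | - | - | - | - | - |
| All | 1 | 2 | - | - | - | 1 |
| Other | 5 | 12 | 3 | 2 | - | 4 |
| Researcher | - | - | - | - | - | 1 |
| Disease Mgmt | 3 | 6 | 2 | - | - | 2 |
| Other | 2 | 6 | 1 | 2 | - | 1 |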


22a. Can the following requirements be implemented with available tools and technologies?

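| 22a. Tracking Consent | Yes | Partially | No | Don’t Know |
|---|---|---|---|---|
| Total | 44 | 21 | 17 | 18 |
| Hospital | 13 | 7 | 5 | 4 |
| Rural | 1 | 1 | - | 1 |
| < 50 bed | - | - | - | - |
| 50 – 99 | 1 | - | - | - |
| 100 – 299 | - | - | - | - |
| > 300 bed | - | 1 | - | 1 |
| Community | 9 | 4 | 3 | 2 |
| < 50 beds | 1 | - | - | - |
| 50 – 99 | - | - | 1 | - |
| 100 – 299 | 3 | 1 | 1 | 1 |
| > 300 beds | 5 | 3 | 1 | 1 |
| Academic | 3 | 2 | 2 | 1 |
| < 50 beds | - | - | - | - |
| 50 – 99 | - | - | - | - |
| 100 – 299 | - | 1 | - | 1 |
| > 300 beds | 3 | 1 | 2 | - |
| Physician Group | 7 | 3 | 5 | 3 |
| Single Specialty | 1 | - | 1 | - |
| < 30 | 1 | - | 1 | - |
| 31 – 100 | - | - | - | - |
| >100 | - | - | - | - |
| Multi-Specialty | 6 | 3 | 4 | 3 |
| < 30 | - | - | - | - |
| 31 – 100 | - | 1 | 1 | - |
| > 100 | 6 | 2 | 3 | 3 |
| Payor | 10 | 6 | 3 | 8 |
| Commercial | 1 | - | 1 | 1 |
| Medicaid | 4 | 1 | 1 | 1 |
| Medicare | 3 | - | - | - |
| Commercial and Medicaid | - | 1 | - | 2 |
| Commercial and Medicare | 1 | 2 | - | 3 |
| Medicaid and Medicare | - | - | - | - |
| All | 1 | 2 | 1 | 1 |
| Other | 14 | 5 | 4 | 3 |
| Researcher | - | - | - | 1 |
| Disease Mgmt | 7 | 2 | 2 | 2 |
| Other | 7 | 3 | 2 | - |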


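| 22b. Revocations of Consent | Yes | Partially | No | Don’t Know |
|---|---|---|---|---|
| Total | 37 | 22 | 23 | 18 |
| Hospital | 11 | 8 | 6 | 4 |
| Rural | 1 | 1 | - | 1 |
| < 50 bed | - | - | - | - |
| 50 – 99 | 1 | - | - | - |
| 100 – 299 | - | - | - | - |
| > 300 bed | - | 1 | - | 1 |
| Community | 7 | 5 | 4 | 2 |
| < 50 beds | 1 | - | - | - |
| 50 – 99 | - | - | 1 | - |
| 100 – 299 | 2 | 1 | 2 | 1 |
| > 300 beds | 4 | 4 | 1 | 1 |
| Academic | 3 | 2 | 2 | 1 |
| < 50 beds | - | - | - | - |
| 50 – 99 | - | - | - | - |
| 100 – 299 | - | 1 | - | 1 |
| > 300 beds | 3 | 1 | 2 | - |
| Physician Group | 7 | 3 | 5 | 4 |
| Single Specialty | 1 | - | 1 | 1 |
| < 30 | 1 | - | 1 | 1 |
| 31 – 100 | - | - | - | - |
| >100 | - | - | - | - |
| Multi-Specialty | 6 | 3 | 4 | 3 |
| < 30 | - | - | - | - |
| 31 – 100 | - | 1 | 1 | - |
| > 100 | 6 | 2 | 3 | 3 |
| Payor | 7 | 5 | 6 | 8 |
| Commercial | 1 | - | 1 | 1 |
| Medicaid | 3 | - | 3 | 1 |
| Medicare | 2 | - | - | 1 |
| Commercial and Medicaid | - | 1 | - | 2 |
| Commercial and Medicare | 1 | 1 | 1 | 3 |
| Medicaid and Medicare | - | - | - | - |
| All | - | 3 | 1 | - |
| Other | 12 | 6 | 6 | 2 |
| Researcher | 1 | - | - | - |
| Disease Mgmt | 6 | 1 | 4 | 2 |
| Other | 5 | 5 | 2 | - |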


22c. Revocations of Consent

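| 22c) Limitations on Consent | Yes | Partially | No | Don’t Know |
|---|---|---|---|---|
| Total | 29 | 22 | 28 | 21 |
| Hospital | 7 | 9 | 7 | 6 |
| Rural | 1 | 1 | - | 1 |
| < 50 bed | - | - | - | - |
| 50 – 99 | 1 | - | - | - |
| 100 – 299 | - | - | - | - |
| > 300 bed | - | 1 | - | 1 |
| Community | 6 | 6 | 3 | 3 |
| < 50 beds | 1 | - | - | - |
| 50 – 99 | - | - | 1 | - |
| 100 – 299 | 2 | 1 | 1 | 2 |
| > 300 beds | 3 | 5 | 1 | 1 |
| Academic | - | 2 | 4 | 2 |
| < 50 beds | - | - | - | - |
| 50 – 99 | - | - | - | - |
| 100 – 299 | - | 1 | - | 1 |
| > 300 beds | - | 1 | 4 | 1 |
| Physician Group | 6 | 4 | 5 | 4 |
| Single Specialty | 1 | - | 1 | 1 |
| < 30 | 1 | - | 1 | 1 |
| 31 – 100 | - | - | - | - |
| >100 | - | - | - | - |
| Multi-Specialty | 5 | 4 | 4 | 3 |
| < 30 | - | - | - | - |
| 31 – 100 | 1 | - | 1 | - |
| > 100 | 4 | 4 | 3 | 3 |
| Payor | 6 | 4 | 9 | 7 |
| Commercial | 1 | - | 1 | 1 |
| Medicaid | 1 | - | 5 | 1 |
| Medicare | 3 | - | - | - |
| Commercial and Medicaid | - | 1 | - | 2 |
| Commercial and Medicare | 1 | 1 | 1 | 3 |
| Medicaid and Medicare | - | - | - | - |
| All | - | 2 | 2 | - |
| Other | 10 | 5 | 7 | 4 |
| Researcher | - | - | - | 1 |
| Disease Mgmt | 5 | 2 | 3 | 3 |
| Other | 5 | 3 | 4 | - |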


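| 22d. Accounting of Disclosures | Yes | Partially | No | Don’t Know |
|---|---|---|---|---|
| Total | 35 | 23 | 24 | 18 |
| Hospital | 11 | 8 | 6 | 4 |
| Rural | 1 | 1 | 1 | - |
| < 50 bed | - | - | - | - |
| 50 – 99 | 1 | - | - | - |
| 100 – 299 | - | - | - | - |
| > 300 bed | - | 1 | 1 | - |
| Community | 9 | 4 | 2 | 3 |
| < 50 beds | 1 | - | - | - |
| 50 – 99 | - | - | 1 | - |
| 100 – 299 | 3 | 1 | - | 2 |
| > 300 beds | 5 | 3 | 1 | 1 |
| Academic | 1 | 3 | 3 | 1 |
| < 50 beds | - | - | - | - |
| 50 – 99 | - | - | - | - |
| 100 – 299 | - | 1 | - | 1 |
| > 300 beds | 1 | 2 | 3 | - |
| Physician Group | 5 | 5 | 5 | 4 |
| Single Specialty | 1 | - | 1 | 1 |
| < 30 | 1 | - | 1 | 1 |
| 31 – 100 | - | - | - | - |
| >100 | - | - | - | - |
| Multi-Specialty | 4 | 5 | 4 | 3 |
| < 30 | - | - | - | - |
| 31 – 100 | 1 | - | 1 | - |
| > 100 | 3 | 5 | 3 | 3 |
| Payor | 9 | 5 | 7 | 5 |
| Commercial | 1 | - | 2 | - |
| Medicaid | 2 | - | 4 | 1 |
| Medicare | 2 | 1 | - | - |
| Commercial and Medicaid | - | 2 | - | 1 |
| Commercial and Medicare | 2 | - | 1 | 3 |
| Medicaid and Medicare | - | - | - | - |
| All | 2 | 2 | - | - |
| Other | 10 | 5 | 6 | 5 |
| Researcher | - | - | - | 1 |
| Disease Mgmt | 4 | 2 | 3 | 4 |
| Other | 6 | 3 | 3 | - |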

California HIPAA Privacy Implementation Survey:

Appendix G. Verbatim Responses

Prepared for the California HealthCare Foundation

Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project

April 2002


Appendix G. Verbatim Responses

Question 3a. In what way do you think the consent requirement will limit the flow of information?

N=60

a) 30% = process complications/paperwork burden
b) 17% = confusion over requirements
c) 15% = patient factors such as revoking consent/continuity of care
d) 6% = inadequate transfer/flow of information needed for patient assessment

Inadequate time is a theme that runs throughout all the answer categories.
Hospitals were more likely to see a and c as a problem.
Payors were more likely to see b as a big problem.

Question 4. What do you deem useful and what are your concerns with the consent requirements?

N=90

Useful
a) 30% = assuring patient rights
b) 16% = consistency among providers/national standards
c) 16% = nothing

A number of respondents did not answer what they deemed useful. Payors were more likely to answer a or c. Others were more likely to answer a. Hospitals and physician groups were evenly divided among the three groups.

Concerns
a) 19% = continuity of care
b) 14% = confusion about consent (patients/employees/physicians)
c) 9% = cost

Payors were more likely to answer b.

Question 8A: Where do additional clarifications or modifications need to be given? (Answered if answered “No” to any of the three items in Question 8).


a) 42% = Greater clarification of who is and who is not a Business Associate & what relationships and activities determine whether or not one is a Business Associate [hospitals, physicians, payors, others]
b) 31% = Roles and Responsibilities of Parties, Follow up Actions [hospitals, physicians, payors, others]
c) 6% = Clarification of "Chain of Trust" issues [hospitals, payors, others]
d) 4% = Consent - who needs to obtain it, who needs to use it, how often must it be obtained [payors]

N= 52

Hospitals:
♦ Entire Business Associate Area is unclear
♦ Need better definition and examples of who is and who is not a business associate; what activities and relationships make you a business associate
♦ Follow-up actions that Business associates need to take
♦ Clarification on “Chain of Trust” issues
♦ Clarification on whether confidentiality on business associates part is adequate

Physicians:
♦ Entire Business Associate Area needs clarification
♦ Clarification on where IPAs fall in
♦ Definition of Business Associate

Payors:
♦ Clarification of Roles of parties/entities
♦ Too much ambiguity, open to much interpretation
♦ Status of providers added to a plan on a fee for service basis vs. network providers
♦ Where subcontractors fit in
♦ Clarification on complex relationships of brokers and agents in insurance industry
♦ Who has to have consent and who can use the consent
♦ How often is consent needed (annually, each time information is gathered?)

Others:
♦ Definitions and Examples of Business Associates
♦ Category under which Disease Management Organizations fall (indirect or direct provider vs. Business Associate)


♦ Areas of oversight and how oversight is to be performed
♦ Risks and Liabilities for covered entities
♦ “Chain of Trust”
♦ Clarifications for companies providing patient assistance, ombudsman and advocacy services

Question 10A: Where do additional clarifications or modifications need to be given? (Answered if respondent said 1 or 2 for question 10).

a) 37% = Define what is considered research and how to distinguish it from Quality Improvement, Care, and Health Plan Operations [hosp, others]
b) 11% = Exclusions to the regulation, prohibited activities, authorizations for activities [physicians, payors]
c) 26% = What information can be disclosed and under what circumstances? [hosp, payors]
d) 11% = Consent and IRB waivers [hosp]

N=19

Hospitals
♦ Research area … Define what is considered Research
♦ Informed Consent and Whether IRB Waivers still apply under HIPAA
♦ Patient registries (ie: for Cancer) - states want information, but it's unclear if this is a breach of HIPAA
♦ Whether information can be released for retrospective analysis
♦ Where to draw the line between research and Quality Improvement activities
♦ Clarify care that overlaps from Clinical trial to inpatient hospitalization – what parts of the Clinical Trial chart become PHI

Physicians
♦ What types of research are excluded from the reg?

Payor
♦ Define prohibited activities, authorization for activities, and the relationship of research and operations with health plans
♦ Whether providers can release records for HEDIS data without authorization

Other
♦ How to categorize cooperative research projects involving Quality Improvement Projects at multiple sites
♦ Liabilities of Business Associates and covered entities


♦ What covered entities can disclose to facilitate healthcare operations to third parties working with consumers to help them manage healthcare benefits

Question 18: In which departments or areas of your organization will implementation of the HIPAA Privacy Regulation be most costly? Please provide the top three in descending order…

HOSPITALS
Department | High | Medium | Low
IT/IS 12 3 4
Medical Records 5 6 5
Nursing Units 3 2 2
Admitting/Registration 2 1
HIM 2
Tracking Disclosures 1 1
Education 1 1 1
Risk Management 1
Security 1
Clinical Operations 1 4
Compliance Department 1 1
Contract Management 1
Business Office 1
HR 1
EDI 1 1
Cancer Center 1
Privacy 1 1
Training and Audit 1
HIPAA Office 1
Administration 1 1
TOTAL Responses 28 23 22

PHYSICIAN GROUPS

Department | High | Medium | Low
IT/IS 10 2 3
Medical Records 2 4
Clinical Operations 2
Medical Operations 1 3 2
Customer Service 1 1
Billing 1 1
Provider Relations/Services 1 3
Contract Areas 1
Nursing Units 1
Admitting/Registration 1 1


HIM
Education 1
Risk Management 1
Eligibility 1
Compliance Department
Health Resource Management 1
Business Office
HR 1
Transaction Sets 1
Claims Processing 1
Care Management 1
Administration 2
TOTAL Responses 18 17 16

PAYORS
Department | High | Medium | Low
IT/IS 8 3 2
Operations 5
Legal 3 1 1
Member Services 3 3 2
Systems Upgrade 2
Utilization Management 1 1 1
Medical Services (Pharmacy) 1
Administration 1
Customer Service 1 2
Accounting 1
Contract Areas 2
Medical Records 1
Medical Management 3 3
Marketing 1
Procedures 1
Education/Training 1
Quality Management 1
Physical Plant 1
Staff Model Department 1
Facilities 1
Network Management 1
Provider Network Services 3 3
Claims Processing 2 1
TOTAL Responses 26 23 19

OTHER
Department | High | Medium | Low
IT/IS 9 5 3
Operations 3 5 3
Legal 3 1 1
Telemedicine 1


Medical Management 1 1
HIPAA Department 1
Engineering 1 2
Education/Training 1
Contract Areas 1
Clinical Management 1 1
Claims Processing 1 1
Administration 1
Accounting/Fiscal 1
Researchers 1
Quality Management/Assurance 2
Provider Network Services 1
Medical Records 2 2
Marketing 2
IRB 1
HR 1 1
G&A 1
Customer Service 2
Compliance Monitoring 1
Communications 1
TOTAL Responses 25 23 18

19. How does your department plan to monitor HIPAA compliance after the privacy regulation is in effect?

Hospitals:
a) 32% = Audit
b) 21% = HIPAA Department/Privacy Officer
c) 25% = Other (combinations of above or unknown)
d) 7% = Committee
e) 7% = Monitoring
f) 3% = Security controls
g) 3% = Education/Training

Physician Groups:
a) 35% = Audit
b) 35% = HIPAA Department/Privacy Officer
c) 30% = Other (combinations of above or unknown)

Payors:


a) 31% = Audit
b) 27% = HIPAA Department/Privacy Officer
c) 23% = Monitoring
d) 19% = Other (combinations of above or unknown)

Others:
a) 31% = Audit
b) 35% = Other (combinations of above or unknown)
c) 15% = HIPAA Department/Privacy Officer
d) 12% = Monitoring
e) 4% = Committee
f) 4% = Process Change/Policies and Procedures

Question 11a- Which components of the Privacy Regulations would you like to see the Department of Health and Human Services provide additional clarification and/or modification?

There were a total of 67 Clarifications:
a) 22% were for clarifications on consent
b) 16% were for the Minimum Necessary section
c) 10% with respect to Communication, Marketing and Funding
d) 10% were for clarifications around Business Associates
e) 7% were for state preemption clarifications
f) 6% for research clarifications

a and b were most common for hospitals
only four physician clarification comments
c and f were most common for payors
c most common for Other who also wanted clarifications around Disease Mgmt
one payor did mention for clarification on what this means for HEDIS data collection

There were a total of 10 suggested modifications, primary ones were:
Don't allow patients to revoke consent at any time
Make preemption rules more strict
Reduce burden of business associate agreement
Make disclosure rules less stringent
Waive consent for UM

Question 20A: (If “Yes” to Question 20) How are you analyzing and tracking state privacy laws interplay with HIPAA?

a) 29% = Internal Legal/Privacy Officers/Compliance Depts. [hosp, payors]


b) 29% = Professional and Industry Organizations and Associations [hosp, physicians, payors, others]
c) 24% = External Legal Counsel/Consultants [physicians, payors, others]

N=42

Hospitals:
♦ Corporate Offices responsible for Analyzing/Tracking
♦ Privacy Officers
♦ Outside Legal Counsel/consultants
♦ Internal Legal Counsel
♦ Updates and Seminars through professional/industry organizations (California Hospital Association, California Health Management Association, California Health Information Association, California Healthcare Association)
♦ HIPAA state web sites

Physicians:
♦ Matrix of state laws & HIPAA
♦ Internal & External legal counsel
♦ Professional/Industry Associations (California Healthcare Association, Community of Clinics)

Payors:
♦ Internal and External legal counsel/consultants
♦ Compliance Department
♦ Newsletters, Updates
♦ Legal/Regulatory Listservs
♦ Professional/Industry Association meetings
♦ HIPAA conferences

Others:
♦ Internal analyses
♦ Georgetown University study and Updates
♦ Professional/Industry Associations and Organizations.

Question 20B: (If “No” to Question 20) How are you planning to analyze and track state privacy laws interplay with HIPAA?

a) 19% = Internal Legal/Privacy Officers/Compliance Depts. [payors, hosp, physicians, others]
b) 28% = External Legal Counsel/Consultants [payors, others]


c) 25% = Professional and Industry Organizations and Associations [Payors, hosp, physicians]
d) 8% = DHS or HHS [payors, others]

N=43

Hospitals:
♦ Legal counsel/consultants
♦ Task group will track
♦ Professional/Industry Associations (California Health Information Association, California Hospital Association)
♦ Privacy Officer
♦ Publications
♦ Seminars on Preemption

Physicians:
♦ Privacy Officer/Committee
♦ Govt./Regulatory Compliance Officer
♦ Legal Counsel/External consultants
♦ Professional and Industry Associations

Payors:
♦ Internal Legal department/External legal counsel
♦ CA-DHS
♦ HIA
♦ Conferences

Others:
♦ Will follow clients requirements to follow state laws
♦ Not planning to analyze/track

Question 23. What are the greatest benefits and/or challenges for your organization relating to the implementation of the HIPAA Privacy Regulations?

N=95

Benefits
a) 18% = patients can expect that their medical record is confidential/patient interests are protected
b) 14% = organizational awareness of patient privacy
c) 9% = standardization of code sets, uniformity across entities
d) 7% = standardization and security of electronic data
e) 7% = none


b was most common for hospitals
c was most common for payors

Challenges
a) 25% = implementation
b) 24% = staff education
c) 23% = cost
d) 15% = time
e) 8% = IT

b followed by c were the most common for hospitals
a was the most common for physician groups followed by b
c followed closely by a were the most common for payers
a was the most common for others

California HIPAA Privacy Implementation Survey:

Appendix H. Percentage of “don’t know” responses for each closed-ended survey question

Prepared for the California HealthCare Foundation

Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project

April 2002


Appendix H. Percentage of “don’t know” responses for each closed-ended survey question

Question | % "Don't Know" | N "Don't Know" | N Total
Q2 | 1% | 1 | 100
Q3 | 2% | 2 | 100
Q5 | 6% | 6 | 99
Q6_1 | 7.07% | 7 | 99
Q6_2 | 10.10% | 10 | 99
Q6_3 | 12.12% | 12 | 99
Q7 | 13.13% | 13 | 99
Q8_1 | 4.04% | 4 | 99
Q8_2 | 3.03% | 3 | 99
Q8_3 | 7.07% | 7 | 99
Q9_1 | 5.05% | 5 | 99
Q9_2 | 5.05% | 5 | 99
Q10 | 22.22% | 22 | 99
Q11 | 22.22% | 22 | 99
Q12 | 3.03% | 3 | 99
Q13_1 | 4.04% | 4 | 99
Q13_2 | 6.06% | 6 | 99
Q13_3 | 6.06% | 6 | 99
Q13_4 | 6.06% | 6 | 99
Q14 | 5.05% | 5 | 99
Q14A | 2.60% | 2 | 77
Q15 | 25.25% | 25 | 99
Q16_1 | 31.31% | 31 | 99
Q16_2 | 32.32% | 32 | 99
Q16_3 | 32.32% | 32 | 99
Q16_4 | 32.32% | 32 | 99
Q17 | 4.04% | 4 | 99
Q20_1 | 13.27% | 13 | 98
Q20_2 | 14.43% | 14 | 97
Q21 | 20.41% | 20 | 98
Q22_1 | 17.35% | 17 | 98
Q22_2 | 18.37% | 18 | 98
Q22_3 | 20.41% | 20 | 98
Q22_4 | 17.35% | 17 | 98

California HIPAA Privacy Implementation Survey: Appendix I.1

Payor Medicaid = Y (N = 14) | Payor Medicaid = N (N = 12)
Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK

Q1: Overall HIPAA knowledge
1 = low (cursory) | 0 | 0.00% | NA | 0 | 0.00% | NA
2 | 2 | 14.29% | NA | 0 | 0.00% | NA
3 = Medium (Attended seminar) | 4 | 28.57% | NA | 5 | 41.67% | NA
4 | 4 | 28.57% | NA | 4 | 33.33% | NA
5 = High | 4 | 28.57% | NA | 3 | 25.00% | NA
TOTAL | 14 | 12

Q12: Developed a compliance strategy
1 = Yes | 9 | 64.29% | 64.29% | 11 | 91.67% | 91.67%
2 = No | 5 | 35.71% | 35.71% | 1 | 8.33% | 8.33%
3 = Don't Know | 0 | 0.00% | NA | 0 | 0.00% | NA
TOTAL | 14 | 12
TOTAL w/o Don't Know | 14 | 12

Q13A: Developed a Strategic Plan
1 = Yes | 9 | 64.29% | 64.29% | 11 | 91.67% | 91.67%
2 = No | 5 | 35.71% | 35.71% | 1 | 8.33% | 8.33%
3 = Don't Know | 0 | 0.00% | NA | 0 | 0.00% | NA
TOTAL | 14 | 12
TOTAL w/o Don't Know | 14 | 12

Q13B: Conducted a Gap Assessment
1 = Yes | 7 | 50.00% | 50.00% | 11 | 91.67% | 91.67%
2 = No | 7 | 50.00% | 50.00% | 1 | 8.33% | 8.33%
3 = Don't Know | 0 | 0.00% | NA | 0 | 0.00% | NA
TOTAL | 14 | 12
TOTAL w/o Don't Know | 14 | 12

Q13C: Developed Readiness Initiatives
1 = Yes | 4 | 28.57% | 30.77% | 8 | 66.67% | 66.67%
2 = No | 9 | 64.29% | 69.23% | 4 | 33.33% | 33.33%
3 = Don't Know | 1 | 7.14% | NA | 0 | 0.00% | NA
TOTAL | 14 | 12
TOTAL w/o Don't Know | 13 | 12


Q13D: Completed Readiness Initiatives
1 = Yes | 1 | 7.14% | 7.14% | 1 | 8.33% | 9.09%
2 = No | 13 | 92.86% | 92.86% | 10 | 83.33% | 90.91%
3 = Don't Know | 0 | 0.00% | NA | 1 | 8.33% | NA
TOTAL | 14 | 12
TOTAL w/o Don't Know | 14 | 11

Q14: Designated a Privacy Official
1 = Yes | 7 | 50.00% | 53.85% | 11 | 91.67% | 100.00%
2 = No | 6 | 42.86% | 46.15% | 0 | 0.00% | 0.00%
3 = Don't Know | 1 | 7.14% | NA | 1 | 8.33% | NA
TOTAL | 14 | 12
TOTAL w/o Don't Know | 13 | 11

Q14A: Privacy Official Identified Resources
1 = Yes | 5 | 62.50% | 62.50% | 10 | 90.91% | 90.91%
2 = No | 3 | 37.50% | 37.50% | 1 | 9.09% | 9.09%
3 = Don't Know | 0 | 0.00% | NA | 0 | 0.00% | NA
TOTAL | 8 | 11
TOTAL w/o Don't Know | 8 | 11

Q15: Which dept. has lead
1 = Medical Records | 0 | 0.00% | 0.00% | 0 | 0.00% | 0.00%
2 = Information Technology | 2 | 14.29% | 14.29% | 0 | 0.00% | 0.00%
3 = Legal | 4 | 28.57% | 28.57% | 2 | 16.67% | 16.67%
4 = Operations | 3 | 21.43% | 21.43% | 1 | 8.33% | 8.33%
5 = Other | 3 | 21.43% | 21.43% | 5 | 41.67% | 41.67%
6 = Don't Know | 0 | 0.00% | NA | 0 | 0.00% | NA
7 = Compliance Department | 2 | 14.29% | 14.29% | 4 | 33.33% | 33.33%
TOTAL | 14 | 12
TOTAL w/o Don't Know | 14 | 12


Q16A: Short Term Savings (<=1yr)
1 = Yes | 0 | 0.00% | 0.00% | 0 | 0.00% | 0.00%
2 = No | 6 | 42.86% | 100.00% | 8 | 66.67% | 100.00%
3 = Don't Know | 8 | 57.14% | NA | 4 | 33.33% | NA
TOTAL | 14 | 12
TOTAL w/o Don’t Know | 6 | 8

Q16B: Medium Term Savings (3 - 5 yrs)
1 = Yes | 1 | 7.14% | 16.67% | 0 | 0.00% | 0.00%
2 = No | 5 | 35.71% | 83.33% | 7 | 58.33% | 100.00%
3 = Don't Know | 8 | 57.14% | NA | 5 | 41.67% | NA
TOTAL | 14 | 12
TOTAL w/o Don’t Know | 6 | 7

Q16C: Long Term Savings (5+ yrs)
1 = Yes | 3 | 21.43% | 50.00% | 0 | 0.00% | 0.00%
2 = No | 3 | 21.43% | 50.00% | 7 | 58.33% | 100.00%
3 = Don't Know | 8 | 57.14% | NA | 5 | 41.67% | NA
TOTAL | 14 | 12
TOTAL w/o Don’t Know | 6 | 7

Q16D: No Savings
1 = Yes | 2 | 14.29% | 33.33% | 4 | 33.33% | 57.14%
2 = No | 4 | 28.57% | 66.67% | 3 | 25.00% | 42.86%
3 = Don't Know | 8 | 57.14% | NA | 5 | 41.67% | NA
TOTAL | 14 | 12
TOTAL w/o Don’t Know | 6 | 7

Q17: Org's progress in funding compliance
1 = Not Budgeted | 0 | 0.00% | 0.00% | 1 | 8.33% | 9.09%
2 = Budgeted, not funded | 0 | 0.00% | 0.00% | 0 | 0.00% | 0.00%
3 = Partially funded | 5 | 35.71% | 38.46% | 5 | 41.67% | 45.45%
4 = Fully Funded | 3 | 21.43% | 23.08% | 4 | 33.33% | 36.36%
5 = Not Developing HIPAA specific budget | 5 | 35.71% | 38.46% | 1 | 8.33% | 9.09%
6 = Don't Know | 1 | 7.14% | NA | 1 | 8.33% | NA
TOTAL | 14 | 12
TOTAL w/o Don’t Know | 13 | 11


Q20.1: Identified state laws that preempt
1 = Yes | 4 | 28.57% | 33.33% | 6 | 50.00% | 50.00%
2 = No | 8 | 57.14% | 66.67% | 6 | 50.00% | 50.00%
3 = Don't Know | 2 | 14.29% | NA | 0 | 0.00% | NA
TOTAL | 14 | 12
TOTAL w/o Don’t Know | 12 | 12

Q20.2: Identified state laws that don’t preempt
1 = Yes | 4 | 28.57% | 33.33% | 6 | 50.00% | 54.55%
2 = No | 8 | 57.14% | 66.67% | 5 | 41.67% | 45.45%
3 = Don't Know | 2 | 14.29% | NA | 1 | 8.33% | NA
TOTAL | 14 | 12
TOTAL w/o Don’t Know | 12 | 11


Knowledge = Low/Med (1,2,3) (N = 25) | Knowledge = High (4,5) (N = 75)
Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK

Q2: Workability of Consent
1 = not workable | 1 | 4.00% | 4.17% | 6 | 8.00% | 8.00%
2 | 3 | 12.00% | 12.50% | 10 | 13.33% | 13.33%
3 = somewhat workable | 14 | 56.00% | 58.33% | 36 | 48.00% | 48.00%
4 | 5 | 20.00% | 20.83% | 14 | 18.67% | 18.67%
5 = very workable | 1 | 4.00% | 4.17% | 9 | 12.00% | 12.00%
6 = Don't Know | 1 | 4.00% | NA | 0 | 0.00% | NA
TOTAL | 25 | 75
TOTAL w/o Don’t Know | 24 | 75

Q3: Consent & flow of information
1 = will greatly limit | 1 | 4.00% | 4.17% | 6 | 8.00% | 8.11%
2 = will somewhat limit | 14 | 56.00% | 58.33% | 38 | 50.67% | 51.35%
3 = will have no effect | 7 | 28.00% | 29.17% | 24 | 32.00% | 32.43%
4 = will somewhat enhance | 1 | 4.00% | 4.17% | 6 | 8.00% | 8.11%
5 = will greatly enhance | 1 | 4.00% | 4.17% | 0 | 0.00% | 0.00%
6 = Don't Know | 1 | 4.00% | NA | 1 | 1.33% | NA
TOTAL | 25 | 75
TOTAL w/o Don’t Know | 24 | 74

Q5: Workability of Min. Necessary
1 = not workable | 1 | 4.00% | 5.00% | 3 | 4.05% | 4.11%
2 | 2 | 8.00% | 10.00% | 12 | 16.22% | 16.44%
3 = somewhat workable | 13 | 52.00% | 65.00% | 40 | 54.05% | 54.79%
4 | 3 | 12.00% | 15.00% | 14 | 18.92% | 19.18%
5 = very workable | 1 | 4.00% | 5.00% | 4 | 5.41% | 5.48%
6 = Don't Know | 5 | 20.00% | N/A | 1 | 1.35% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 20 | 73


Q6A: Min. Necessary & flow of info. For Delivery
1 = will greatly limit | 2 | 8.00% | 9.52% | 2 | 2.70% | 2.82%
2 = will somewhat limit | 7 | 28.00% | 33.33% | 30 | 40.54% | 42.25%
3 = will have no effect | 9 | 36.00% | 42.86% | 33 | 44.59% | 46.48%
4 = will somewhat enhance | 2 | 8.00% | 9.52% | 6 | 8.11% | 8.45%
5 = will greatly enhance | 1 | 4.00% | 4.76% | 0 | 0.00% | 0.00%
6 = Don't Know | 4 | 16.00% | N/A | 3 | 4.05% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 21 | 71

Q6B: Min. Necessary & flow of info. For Payment
1 = will greatly limit | 1 | 4.00% | 4.76% | 3 | 4.05% | 4.41%
2 = will somewhat limit | 7 | 28.00% | 33.33% | 24 | 32.43% | 35.29%
3 = will have no effect | 8 | 32.00% | 38.10% | 31 | 41.89% | 45.59%
4 = will somewhat enhance | 3 | 12.00% | 14.29% | 8 | 10.81% | 11.76%
5 = will greatly enhance | 2 | 8.00% | 9.52% | 2 | 2.70% | 2.94%
6 = Don't Know | 4 | 16.00% | N/A | 6 | 8.11% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 21 | 68

Q6C: Min. Necessary & flow of info. For Assessment
1 = will greatly limit | 2 | 8.00% | 10.53% | 6 | 8.11% | 8.82%
2 = will somewhat limit | 8 | 32.00% | 42.11% | 33 | 44.59% | 48.53%
3 = will have no effect | 6 | 24.00% | 31.58% | 25 | 33.78% | 36.76%
4 = will somewhat enhance | 1 | 4.00% | 5.26% | 4 | 5.41% | 5.88%
5 = will greatly enhance | 2 | 8.00% | 10.53% | 0 | 0.00% | 0.00%
6 = Don't Know | 6 | 24.00% | N/A | 6 | 8.11% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 19 | 68

Q8.1: Regs. Clearly define Business Associates
1 = Yes | 12 | 48.00% | 54.55% | 49 | 66.22% | 67.12%
2 = No | 10 | 40.00% | 45.45% | 24 | 32.43% | 32.88%
3 = Don’t Know | 3 | 12.00% | N/A | 1 | 1.35% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 22 | 73


Q8.2: Regs. Clearly define Responsibilities
1 = Yes | 9 | 36.00% | 40.91% | 51 | 68.92% | 68.92%
2 = No | 13 | 52.00% | 59.09% | 23 | 31.08% | 31.08%
3 = Don’t Know | 3 | 12.00% | N/A | 0 | 0.00% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 22 | 74

Q8.3: Regs. Clearly define Agreement Provisions
1 = Yes | 9 | 36.00% | 45.00% | 48 | 64.86% | 66.67%
2 = No | 11 | 44.00% | 55.00% | 24 | 32.43% | 33.33%
3 = Don’t Know | 5 | 20.00% | N/A | 2 | 2.70% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 20 | 72

Q9.1: Cost Burden of Business Assoc. Requirements
1 = small burden | 3 | 12.00% | 13.04% | 4 | 5.41% | 5.63%
2 | 0 | 0.00% | 0.00% | 7 | 9.46% | 9.86%
3 = burden neither small nor large | 9 | 36.00% | 39.13% | 21 | 28.38% | 29.58%
4 | 6 | 24.00% | 26.09% | 20 | 27.03% | 28.17%
5 = large burden | 5 | 20.00% | 21.74% | 19 | 25.68% | 26.76%
6 = Don't Know | 2 | 8.00% | N/A | 3 | 4.05% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 23 | 71

Q9.2: Time Burden of Business Assoc. Requirements
1 = small burden | 2 | 8.00% | 8.70% | 4 | 5.41% | 5.63%
2 | 0 | 0.00% | 0.00% | 4 | 5.41% | 5.63%
3 = burden neither small nor large | 7 | 28.00% | 30.43% | 10 | 13.51% | 14.08%
4 | 9 | 36.00% | 39.13% | 21 | 28.38% | 29.58%
5 = large burden | 5 | 20.00% | 21.74% | 32 | 43.24% | 45.07%
6 = Don't Know | 2 | 8.00% | N/A | 3 | 4.05% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 23 | 71


Q10: Distinction b/t Research & Health Care Ops.
1 = unclear | 1 | 4.00% | 5.56% | 5 | 6.76% | 8.47%
2 | 1 | 4.00% | 5.56% | 7 | 9.46% | 11.86%
3 = neither clear nor unclear | 5 | 20.00% | 27.78% | 20 | 27.03% | 33.90%
4 | 8 | 32.00% | 44.44% | 17 | 22.97% | 28.81%
5 = clear | 3 | 12.00% | 16.67% | 10 | 13.51% | 16.95%
6 = Don't Know | 7 | 28.00% | N/A | 15 | 20.27% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 18 | 59

Q16A: Short Term Savings (<=1yr)
1 = Yes | 1 | 4.00% | 7.14% | 2 | 2.70% | 3.70%
2 = No | 13 | 52.00% | 92.86% | 52 | 70.27% | 96.30%
3 = Don't Know | 11 | 44.00% | N/A | 20 | 27.03% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 14 | 54

Q16B: Medium Term Savings (3 - 5 yrs)
1 = Yes | 4 | 16.00% | 30.77% | 14 | 18.92% | 25.93%
2 = No | 9 | 36.00% | 69.23% | 40 | 54.05% | 74.07%
3 = Don't Know | 12 | 48.00% | N/A | 20 | 27.03% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 13 | 54

Q16C: Long Term Savings (5+ yrs)
1 = Yes | 0 | 0.00% | 0.00% | 14 | 18.92% | 25.93%
2 = No | 13 | 52.00% | 100.00% | 40 | 54.05% | 74.07%
3 = Don't Know | 12 | 48.00% | N/A | 20 | 27.03% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 13 | 54

Q16D: No Savings
1 = Yes | 8 | 32.00% | 61.54% | 24 | 32.43% | 44.44%
2 = No | 5 | 20.00% | 38.46% | 30 | 40.54% | 55.56%
3 = Don't Know | 12 | 48.00% | N/A | 20 | 27.03% | N/A
TOTAL | 25 | 74
TOTAL w/o Don’t Know | 13 | 54


Q20.1: Identified state laws that preempt
1 = Yes | 3 | 12.00% | 15.00% | 35 | 47.95% | 53.85%
2 = No | 17 | 68.00% | 85.00% | 30 | 41.10% | 46.15%
3 = Don't Know | 5 | 20.00% | N/A | 8 | 10.96% | N/A
TOTAL | 25 | 73
TOTAL w/o Don’t Know | 20 | 65

Q20.2: Identified state laws that don’t preempt
1 = Yes | 4 | 16.00% | 20.00% | 35 | 48.61% | 55.56%
2 = No | 16 | 64.00% | 80.00% | 28 | 38.89% | 44.44%
3 = Don't Know | 5 | 20.00% | N/A | 9 | 12.50% | N/A
TOTAL | 25 | 72
TOTAL w/o Don’t Know | 20 | 63

Q21: Guidelines for IT Developers
1 = No guidelines | 2 | 8.00% | 10.00% | 8 | 10.96% | 13.79%
2 = Few guidelines | 9 | 36.00% | 45.00% | 30 | 41.10% | 51.72%
3 = Adequate guidelines | 8 | 32.00% | 40.00% | 14 | 19.18% | 24.14%
4 = Several guidelines | 1 | 4.00% | 5.00% | 6 | 8.22% | 10.34%
5 = Extensive guidelines | 0 | 0.00% | 0.00% | 0 | 0.00% | 0.00%
6 = Don't Know | 5 | 20.00% | N/A | 15 | 20.55% | N/A
TOTAL | 25 | 73
TOTAL w/o Don’t Know | 20 | 58

Q22A: Existing tools for Initial consent
1 = Yes | 13 | 52.00% | 65.00% | 31 | 42.47% | 50.82%
2 = Partially | 2 | 8.00% | 10.00% | 18 | 24.66% | 29.51%
3 = No | 5 | 20.00% | 25.00% | 12 | 16.44% | 19.67%
4 = Don't Know | 5 | 20.00% | N/A | 12 | 16.44% | N/A
TOTAL | 25 | 73
TOTAL w/o Don’t Know | 20 | 61


Q22B: Existing tools for Revocations
1 = Yes | 9 | 36.00% | 47.37% | 27 | 36.99% | 44.26%
2 = Partially | 2 | 8.00% | 10.53% | 19 | 26.03% | 31.15%
3 = No | 8 | 32.00% | 42.11% | 15 | 20.55% | 24.59%
4 = Don't Know | 6 | 24.00% | N/A | 12 | 16.44% | N/A
TOTAL | 25 | 73
TOTAL w/o Don’t Know | 19 | 61

Q22C Existing tools for Limitations
1 = Yes | 9 | 36.00% | 45.00% | 20 | 27.40% | 34.48%
2 = Partially | 3 | 12.00% | 15.00% | 18 | 24.66% | 31.03%
3 = No | 8 | 32.00% | 40.00% | 20 | 27.40% | 34.48%
4 = Don't Know | 5 | 20.00% | N/A | 15 | 20.55% | N/A
TOTAL | 25 | 73
TOTAL w/o Don’t Know | 20 | 58

Q22D Existing tools for Acct. Discl.
1 = Yes | 11 | 44.00% | 55.00% | 24 | 32.88% | 39.34%
2 = Partially | 3 | 12.00% | 15.00% | 19 | 26.03% | 31.15%
3 = No | 6 | 24.00% | 30.00% | 18 | 24.66% | 29.51%
4 = Don't Know | 5 | 20.00% | N/A | 12 | 16.44% | N/A
TOTAL | 25 | 73
TOTAL w/o Don’t Know | 20 | 61


Developed Strategic Plan = Yes (N=77) | Developed Strategic Plan = No (N=18)
Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK

Q2: Workability of Consent
1 = not workable | 7 | 9.09% | 9.09% | 0 | 0.00% | 0.00%
2 | 6 | 7.79% | 7.79% | 6 | 33.33% | 35.29%
3 = somewhat workable | 38 | 49.35% | 49.35% | 8 | 44.44% | 47.06%
4 | 16 | 20.78% | 20.78% | 3 | 16.67% | 17.65%
5 = very workable | 10 | 12.99% | 12.99% | 0 | 0.00% | 0.00%
6 = Don't Know | 0 | 0.00% | NA | 1 | 5.56% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 77 | 17

Q3: Consent & flow of information
1 = will greatly limit | 4 | 5.19% | 5.26% | 3 | 12.50% | 13.04%
2 = will somewhat limit | 41 | 53.25% | 53.95% | 8 | 33.33% | 34.78%
3 = will have no effect | 24 | 31.17% | 31.58% | 6 | 25.00% | 26.09%
4 = will somewhat enhance | 6 | 7.79% | 7.89% | 0 | 0.00% | 0.00%
5 = will greatly enhance | 1 | 1.30% | 1.32% | 6 | 25.00% | 26.09%
6 = Don't Know | 1 | 1.30% | NA | 1 | 4.17% | NA
TOTAL | 77 | 24
TOTAL w/o Don’t Know | 76 | 23

Q5: Workability of Min. Necessary
1 = not workable | 2 | 2.60% | 2.67% | 2 | 11.11% | 13.33%
2 | 12 | 15.58% | 16.00% | 2 | 11.11% | 13.33%
3 = somewhat workable | 40 | 51.95% | 53.33% | 10 | 55.56% | 66.67%
4 | 16 | 20.78% | 21.33% | 1 | 5.56% | 6.67%
5 = very workable | 5 | 6.49% | 6.67% | 0 | 0.00% | 0.00%
6 = Don't Know | 2 | 2.60% | N/A | 3 | 16.67% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 75 | 15


Q6A: Min. Necessary & flow of info. For Delivery
1 = will greatly limit | 2 | 2.60% | 2.70% | 2 | 11.11% | 12.50%
2 = will somewhat limit | 28 | 36.36% | 37.84% | 7 | 38.89% | 43.75%
3 = will have no effect | 36 | 46.75% | 48.65% | 6 | 33.33% | 37.50%
4 = will somewhat enhance | 7 | 9.09% | 9.46% | 1 | 5.56% | 6.25%
5 = will greatly enhance | 1 | 1.30% | 1.35% | 0 | 0.00% | 0.00%
6 = Don't Know | 3 | 3.90% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 74 | 16

Q6B: Min. Necessary & flow of info. For Payment
1 = will greatly limit | 2 | 2.60% | 2.86% | 2 | 11.11% | 11.76%
2 = will somewhat limit | 24 | 31.17% | 34.29% | 6 | 33.33% | 35.29%
3 = will have no effect | 30 | 38.96% | 42.86% | 8 | 44.44% | 47.06%
4 = will somewhat enhance | 11 | 14.29% | 15.71% | 0 | 0.00% | 0.00%
5 = will greatly enhance | 3 | 3.90% | 4.29% | 1 | 5.56% | 5.88%
6 = Don't Know | 7 | 9.09% | N/A | 1 | 5.56% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 70 | 17

Q6C: Min. Necessary & flow of info. For Assessment
1 = will greatly limit | 5 | 6.49% | 7.14% | 3 | 16.67% | 20.00%
2 = will somewhat limit | 31 | 40.26% | 44.29% | 8 | 44.44% | 53.33%
3 = will have no effect | 27 | 35.06% | 38.57% | 4 | 22.22% | 26.67%
4 = will somewhat enhance | 5 | 6.49% | 7.14% | 0 | 0.00% | 0.00%
5 = will greatly enhance | 2 | 2.60% | 2.86% | 0 | 0.00% | 0.00%
6 = Don't Know | 7 | 9.09% | N/A | 3 | 16.67% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 70 | 15

Q8.1: Regs. Clearly define Business Associates
1 = Yes | 49 | 63.64% | 65.33% | 10 | 55.56% | 62.50%
2 = No | 26 | 33.77% | 34.67% | 6 | 33.33% | 37.50%
3 = Don’t Know | 2 | 2.60% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 75 | 16


Q8.2: Regs. Clearly define Responsibilities
1 = Yes | 49 | 63.64% | 64.47% | 9 | 50.00% | 56.25%
2 = No | 27 | 35.06% | 35.53% | 7 | 38.89% | 43.75%
3 = Don’t Know | 1 | 1.30% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 76 | 16

Q8.3: Regs. Clearly define Agreement Provisions
1 = Yes | 47 | 61.04% | 64.38% | 8 | 44.44% | 53.33%
2 = No | 26 | 33.77% | 35.62% | 7 | 38.89% | 46.67%
3 = Don’t Know | 4 | 5.19% | N/A | 3 | 16.67% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 73 | 15

Q9.1: Cost Burden of Business Assoc. Requirements
1 = small burden | 6 | 7.79% | 8.00% | 0 | 0.00% | 0.00%
2 | 7 | 9.09% | 9.33% | 0 | 0.00% | 0.00%
3 = burden neither small nor large | 22 | 28.57% | 29.33% | 8 | 44.44% | 50.00%
4 | 21 | 27.27% | 28.00% | 4 | 22.22% | 25.00%
5 = large burden | 19 | 24.68% | 25.33% | 4 | 22.22% | 25.00%
6 = Don't Know | 2 | 2.60% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 75 | 16

Q9.2: Time Burden of Business Assoc. Requirements
1 = small burden | 5 | 6.49% | 6.67% | 0 | 0.00% | 0.00%
2 | 4 | 5.19% | 5.33% | 0 | 0.00% | 0.00%
3 = burden neither small nor large | 13 | 16.88% | 17.33% | 4 | 22.22% | 25.00%
4 | 21 | 27.27% | 28.00% | 8 | 44.44% | 50.00%
5 = large burden | 32 | 41.56% | 42.67% | 4 | 22.22% | 25.00%
6 = Don't Know | 2 | 2.60% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 75 | 16


Q10: Distinction b/t Research & Health Care Ops.
1 = unclear | 5 | 6.49% | 7.81% | 1 | 5.56% | 9.09%
2 | 7 | 9.09% | 10.94% | 1 | 5.56% | 9.09%
3 = neither clear nor unclear | 20 | 25.97% | 31.25% | 3 | 16.67% | 27.27%
4 | 21 | 27.27% | 32.81% | 4 | 22.22% | 36.36%
5 = clear | 11 | 14.29% | 17.19% | 2 | 11.11% | 18.18%
6 = Don't Know | 13 | 16.88% | N/A | 7 | 38.89% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 64 | 11

Q16A: Short Term Savings (<=1yr)
1 = Yes | 3 | 3.90% | 5.45% | 0 | 0.00% | 0.00%
2 = No | 52 | 67.53% | 94.55% | 11 | 61.11% | 100.00%
3 = Don't Know | 22 | 28.57% | N/A | 7 | 38.89% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 55 | 11

Q16B: Medium Term Savings (3 - 5 yrs)
1 = Yes | 13 | 16.88% | 24.07% | 5 | 27.78% | 45.45%
2 = No | 41 | 53.25% | 75.93% | 6 | 33.33% | 54.55%
3 = Don't Know | 23 | 29.87% | N/A | 7 | 38.89% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 54 | 11

Q16C: Long Term Savings (5+ yrs)
1 = Yes | 13 | 16.88% | 24.07% | 1 | 5.56% | 9.09%
2 = No | 41 | 53.25% | 75.93% | 10 | 55.56% | 90.91%
3 = Don't Know | 23 | 29.87% | N/A | 7 | 38.89% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 54 | 11

Q16D: No Savings
1 = Yes | 25 | 32.47% | 46.30% | 5 | 27.78% | 45.45%
2 = No | 29 | 37.66% | 53.70% | 6 | 33.33% | 54.55%
3 = Don't Know | 23 | 29.87% | N/A | 7 | 38.89% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 54 | 11


Q17: Org's progress in funding compliance
1 = Not Budgeted | 9 | 11.69% | 11.84% | 6 | 33.33% | 37.50%
2 = Budgeted, not funded | 6 | 7.79% | 7.89% | 0 | 0.00% | 0.00%
3 = Partially funded | 24 | 31.17% | 31.58% | 2 | 11.11% | 12.50%
4 = Fully Funded | 17 | 22.08% | 22.37% | 3 | 16.67% | 18.75%
5 = Not Developing HIPAA specific budget | 20 | 25.97% | 26.32% | 5 | 27.78% | 31.25%
6 = Don't Know | 1 | 1.30% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 76 | 16


Conducted Gap Assessment = Yes (N=62) | Conducted Gap Assessment = No (N=31)
Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK

Q2: Workability of Consent
1 = not workable | 6 | 9.68% | 9.68% | 1 | 3.23% | 3.33%
2 | 7 | 11.29% | 11.29% | 5 | 16.13% | 16.67%
3 = somewhat workable | 28 | 45.16% | 45.16% | 16 | 51.61% | 53.33%
4 | 12 | 19.35% | 19.35% | 7 | 22.58% | 23.33%
5 = very workable | 9 | 14.52% | 14.52% | 1 | 3.23% | 3.33%
6 = Don't Know | 0 | 0.00% | NA | 1 | 3.23% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 62 | 30

Q3: Consent & flow of information
1 = will greatly limit | 4 | 6.45% | 6.56% | 3 | 9.68% | 10.00%
2 = will somewhat limit | 32 | 51.61% | 52.46% | 16 | 51.61% | 53.33%
3 = will have no effect | 20 | 32.26% | 32.79% | 9 | 29.03% | 30.00%
4 = will somewhat enhance | 5 | 8.06% | 8.20% | 1 | 3.23% | 3.33%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 1 | 3.23% | 3.33%
6 = Don't Know | 1 | 1.61% | NA | 1 | 3.23% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 30

Q5: Workability of Min. Necessary
1 = not workable | 2 | 3.23% | 3.28% | 2 | 6.45% | 7.41%
2 | 8 | 12.90% | 13.11% | 4 | 12.90% | 14.81%
3 = somewhat workable | 37 | 59.68% | 60.66% | 13 | 41.94% | 48.15%
4 | 12 | 19.35% | 19.67% | 5 | 16.13% | 18.52%
5 = very workable | 2 | 3.23% | 3.28% | 3 | 9.68% | 11.11%
6 = Don't Know | 1 | 1.61% | NA | 4 | 12.90% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 27


Q6A: Min. Necessary & flow of info. For Delivery
1 = will greatly limit | 2 | 3.08% | 3.39% | 2 | 6.45% | 6.90%
2 = will somewhat limit | 24 | 36.92% | 40.68% | 9 | 29.03% | 31.03%
3 = will have no effect | 29 | 44.62% | 49.15% | 13 | 41.94% | 44.83%
4 = will somewhat enhance | 4 | 6.15% | 6.78% | 4 | 12.90% | 13.79%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 1 | 3.23% | 3.45%
6 = Don't Know | 6 | 9.23% | NA | 2 | 6.45% | NA
TOTAL | 65 | 31
TOTAL w/o Don’t Know | 59 | 29

Q6B: Min. Necessary & flow of info. For Payment
1 = will greatly limit | 2 | 3.23% | 3.51% | 2 | 6.45% | 6.90%
2 = will somewhat limit | 19 | 30.65% | 33.33% | 10 | 32.26% | 34.48%
3 = will have no effect | 27 | 43.55% | 47.37% | 11 | 35.48% | 37.93%
4 = will somewhat enhance | 7 | 11.29% | 12.28% | 4 | 12.90% | 13.79%
5 = will greatly enhance | 2 | 3.23% | 3.51% | 2 | 6.45% | 6.90%
6 = Don't Know | 5 | 8.06% | NA | 2 | 6.45% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 57 | 29

Q6C: Min. Necessary & flow of info. For Assessment
1 = will greatly limit | 6 | 9.68% | 10.71% | 2 | 6.45% | 7.41%
2 = will somewhat limit | 25 | 40.32% | 44.64% | 12 | 38.71% | 44.44%
3 = will have no effect | 22 | 35.48% | 39.29% | 9 | 29.03% | 33.33%
4 = will somewhat enhance | 2 | 3.23% | 3.57% | 3 | 9.68% | 11.11%
5 = will greatly enhance | 1 | 1.61% | 1.79% | 1 | 3.23% | 3.70%
6 = Don't Know | 6 | 9.68% | NA | 4 | 12.90% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 56 | 27

Q8.1: Regs. Clearly define Business Associates
1 = Yes | 42 | 67.74% | 68.85% | 15 | 50.00% | 53.57%
2 = No | 19 | 30.65% | 31.15% | 13 | 43.33% | 46.43%
3 = Don’t Know | 1 | 1.61% | NA | 2 | 6.67% | NA
TOTAL | 62 | 30
TOTAL w/o Don’t Know | 61 | 28


Q8.2: Regs. Clearly define Responsibilities
1 = Yes | 44 | 70.97% | 72.13% | 14 | 45.16% | 48.28%
2 = No | 17 | 27.42% | 27.87% | 15 | 48.39% | 51.72%
3 = Don’t Know | 1 | 1.61% | NA | 2 | 6.45% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 29

Q8.3: Regs. Clearly define Agreement Provisions
1 = Yes | 40 | 64.52% | 68.97% | 14 | 45.16% | 50.00%
2 = No | 18 | 29.03% | 31.03% | 14 | 45.16% | 50.00%
3 = Don’t Know | 4 | 6.45% | NA | 3 | 9.68% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 58 | 28

Q9.1: Cost Burden of Business Assoc. Requirements
1 = small burden | 4 | 6.45% | 6.56% | 1 | 3.23% | 3.57%
2 | 7 | 11.29% | 11.48% | 0 | 0.00% | 0.00%
3 = burden neither small nor large | 20 | 32.26% | 32.79% | 10 | 32.26% | 35.71%
4 | 17 | 27.42% | 27.87% | 7 | 22.58% | 25.00%
5 = large burden | 13 | 20.97% | 21.31% | 10 | 32.26% | 35.71%
6 = Don't Know | 1 | 1.61% | NA | 3 | 9.68% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 28

Q9.2: Time Burden of Business Assoc. Requirements
1 = small burden | 3 | 4.84% | 4.92% | 1 | 3.23% | 3.57%
2 | 4 | 6.45% | 6.56% | 0 | 0.00% | 0.00%
3 = burden neither small nor large | 13 | 20.97% | 21.31% | 4 | 12.90% | 14.29%
4 | 17 | 27.42% | 27.87% | 11 | 35.48% | 39.29%
5 = large burden | 24 | 38.71% | 39.34% | 12 | 38.71% | 42.86%
6 = Don't Know | 1 | 1.61% | NA | 3 | 9.68% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 28


Q10: Distinction b/t Research & Health Care Ops.
1 = unclear | 5 | 8.06% | 9.80% | 1 | 3.23% | 4.17%
2 | 8 | 12.90% | 15.69% | 0 | 0.00% | 0.00%
3 = neither clear nor unclear | 15 | 24.19% | 29.41% | 8 | 25.81% | 33.33%
4 | 18 | 29.03% | 35.29% | 7 | 22.58% | 29.17%
5 = clear | 5 | 8.06% | 9.80% | 8 | 25.81% | 33.33%
6 = Don't Know | 11 | 17.74% | NA | 7 | 22.58% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 51 | 24

Q16A: Short Term Savings (<=1yr)
1 = Yes | 2 | 3.23% | 4.55% | 1 | 3.23% | 4.55%
2 = No | 42 | 67.74% | 95.45% | 21 | 67.74% | 95.45%
3 = Don't Know | 18 | 29.03% | NA | 9 | 29.03% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 44 | 22

Q16B: Medium Term Savings (3 - 5 yrs)
1 = Yes | 12 | 19.35% | 27.91% | 6 | 19.35% | 27.27%
2 = No | 31 | 50.00% | 72.09% | 16 | 51.61% | 72.73%
3 = Don't Know | 19 | 30.65% | NA | 9 | 29.03% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 43 | 22

Q16C: Long Term Savings (5+ yrs)
1 = Yes | 10 | 16.13% | 23.26% | 4 | 12.90% | 18.18%
2 = No | 33 | 53.23% | 76.74% | 18 | 58.06% | 81.82%
3 = Don't Know | 19 | 30.65% | NA | 9 | 29.03% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 43 | 22

Q16D: No Savings
1 = Yes | 19 | 30.65% | 44.19% | 11 | 35.48% | 50.00%
2 = No | 24 | 38.71% | 55.81% | 11 | 35.48% | 50.00%
3 = Don't Know | 19 | 30.65% | NA | 9 | 29.03% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 43 | 22


Q17: Org's progress in funding compliance
1 = Not Budgeted | 4 | 6.45% | 6.56% | 11 | 35.48% | 37.93%
2 = Budgeted, not funded | 6 | 9.68% | 9.84% | 0 | 0.00% | 0.00%
3 = Partially funded | 18 | 29.03% | 29.51% | 7 | 22.58% | 24.14%
4 = Fully Funded | 17 | 27.42% | 27.87% | 2 | 6.45% | 6.90%
5 = Not Developing HIPAA specific budget | 16 | 25.81% | 26.23% | 9 | 29.03% | 31.03%
6 = Don't Know | 1 | 1.61% | NA | 2 | 6.45% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 29


Completed Readiness Initiative = Yes | Completed Readiness Initiative = No

Q2: Workability of Consent | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK
1 = not workable | 0 | 0.00% | 0.00% | 7 | 8.54% | 8.64%
2 | 1 | 9.09% | 9.09% | 11 | 13.41% | 13.58%
3 = somewhat workable | 7 | 63.64% | 63.64% | 37 | 45.12% | 45.68%
4 | 1 | 9.09% | 9.09% | 18 | 21.95% | 22.22%
5 = very workable | 2 | 18.18% | 18.18% | 8 | 9.76% | 9.88%
6 = Don't Know | 0 | 0.00% | NA | 1 | 1.22% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 81

Q3: Consent & flow of information
1 = will greatly limit | 0 | 0.00% | 0.00% | 7 | 8.54% | 8.75%
2 = will somewhat limit | 7 | 63.64% | 63.64% | 40 | 48.78% | 50.00%
3 = will have no effect | 4 | 36.36% | 36.36% | 26 | 31.71% | 32.50%
4 = will somewhat enhance | 0 | 0.00% | 0.00% | 6 | 7.32% | 7.50%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 1 | 1.22% | 1.25%
6 = Don't Know | 0 | 0.00% | NA | 2 | 2.44% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 80

Q5: Workability of Min. Necessary
1 = not workable | 0 | 0.00% | 0.00% | 4 | 4.88% | 5.19%
2 | 4 | 36.36% | 36.36% | 10 | 12.20% | 12.99%
3 = somewhat workable | 6 | 54.55% | 54.55% | 42 | 51.22% | 54.55%
4 | 1 | 9.09% | 9.09% | 16 | 19.51% | 20.78%
5 = very workable | 0 | 0.00% | 0.00% | 5 | 6.10% | 6.49%
6 = Don't Know | 0 | 0.00% | NA | 5 | 6.10% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 77

(N=11) (N=82)


Q6A: Min. Necessary & flow of info. For Delivery
1 = will greatly limit | 1 | 9.09% | 9.09% | 3 | 3.66% | 3.85%
2 = will somewhat limit | 5 | 45.45% | 45.45% | 29 | 35.37% | 37.18%
3 = will have no effect | 5 | 45.45% | 45.45% | 37 | 45.12% | 47.44%
4 = will somewhat enhance | 0 | 0.00% | 0.00% | 8 | 9.76% | 10.26%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 1 | 1.22% | 1.28%
6 = Don't Know | 0 | 0.00% | NA | 4 | 4.88% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 78

Q6B: Min. Necessary & flow of info. For Payment
1 = will greatly limit | 1 | 9.09% | 11.11% | 3 | 3.66% | 3.90%
2 = will somewhat limit | 5 | 45.45% | 55.56% | 25 | 30.49% | 32.47%
3 = will have no effect | 3 | 27.27% | 33.33% | 34 | 41.46% | 44.16%
4 = will somewhat enhance | 0 | 0.00% | 0.00% | 11 | 13.41% | 14.29%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 4 | 4.88% | 5.19%
6 = Don't Know | 2 | 18.18% | NA | 5 | 6.10% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 9 | 77

Q6C: Min. Necessary & flow of info. For Assessment
1 = will greatly limit | 1 | 9.09% | 10.00% | 7 | 8.54% | 9.46%
2 = will somewhat limit | 8 | 72.73% | 80.00% | 30 | 36.59% | 40.54%
3 = will have no effect | 1 | 9.09% | 10.00% | 30 | 36.59% | 40.54%
4 = will somewhat enhance | 0 | 0.00% | 0.00% | 5 | 6.10% | 6.76%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 2 | 2.44% | 2.70%
6 = Don't Know | 1 | 9.09% | NA | 8 | 9.76% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 10 | 74

Q8.1: Regs. Clearly define Business Associates
1 = Yes | 8 | 72.73% | 80.00% | 50 | 60.98% | 63.29%
2 = No | 2 | 18.18% | 20.00% | 29 | 35.37% | 36.71%
3 = Don’t Know | 1 | 9.09% | NA | 3 | 3.66% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 10 | 79


Q8.2: Regs. Clearly define Responsibilities
1 = Yes | 8 | 72.73% | 80.00% | 51 | 62.20% | 64.56%
2 = No | 2 | 18.18% | 20.00% | 28 | 34.15% | 35.44%
3 = Don’t Know | 1 | 9.09% | NA | 3 | 3.66% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 10 | 79

Q8.3: Regs. Clearly define Agreement Provisions
1 = Yes | 6 | 54.55% | 54.55% | 49 | 59.76% | 64.47%
2 = No | 5 | 45.45% | 45.45% | 27 | 32.93% | 35.53%
3 = Don’t Know | 0 | 0.00% | NA | 6 | 7.32% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 76

Q9.1: Cost Burden of Business Assoc. Requirements
1 = small burden | 3 | 27.27% | 30.00% | 3 | 3.66% | 3.75%
2 | 2 | 18.18% | 20.00% | 5 | 6.10% | 6.25%
3 = burden neither small nor large | 0 | 0.00% | 0.00% | 29 | 35.37% | 36.25%
4 | 4 | 36.36% | 40.00% | 21 | 25.61% | 26.25%
5 = large burden | 1 | 9.09% | 10.00% | 22 | 26.83% | 27.50%
6 = Don't Know | 1 | 9.09% | NA | 2 | 2.44% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 10 | 80

Q9.2: Time Burden of Business Assoc. Requirements
1 = small burden | 3 | 27.27% | 30.00% | 2 | 2.44% | 2.50%
2 | 1 | 9.09% | 10.00% | 3 | 3.66% | 3.75%
3 = burden neither small nor large | 1 | 9.09% | 10.00% | 15 | 18.29% | 18.75%
4 | 2 | 18.18% | 20.00% | 27 | 32.93% | 33.75%
5 = large burden | 3 | 27.27% | 30.00% | 33 | 40.24% | 41.25%
6 = Don't Know | 1 | 9.09% | NA | 2 | 2.44% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 10 | 80


Q10: Distinction b/t Research & Health Care Ops.
1 = unclear | 2 | 18.18% | 22.22% | 4 | 4.88% | 6.15%
2 | 0 | 0.00% | 0.00% | 8 | 9.76% | 12.31%
3 = neither clear nor unclear | 4 | 36.36% | 44.44% | 18 | 21.95% | 27.69%
4 | 2 | 18.18% | 22.22% | 23 | 28.05% | 35.38%
5 = clear | 1 | 9.09% | 11.11% | 12 | 14.63% | 18.46%
6 = Don't Know | 2 | 18.18% | NA | 17 | 20.73% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 9 | 65

Q16A: Short Term Savings (<=1yr)
1 = Yes | 0 | 0.00% | 0.00% | 3 | 3.66% | 5.00%
2 = No | 6 | 54.55% | 100.00% | 57 | 69.51% | 95.00%
3 = Don't Know | 5 | 45.45% | NA | 22 | 26.83% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 6 | 60

Q16B: Medium Term Savings (3 - 5 yrs)
1 = Yes | 0 | 0.00% | 0.00% | 18 | 21.95% | 30.51%
2 = No | 6 | 54.55% | 100.00% | 41 | 50.00% | 69.49%
3 = Don't Know | 5 | 45.45% | NA | 23 | 28.05% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 6 | 59

Q16C: Long Term Savings (5+ yrs)
1 = Yes | 2 | 18.18% | 33.33% | 12 | 14.63% | 20.34%
2 = No | 4 | 36.36% | 66.67% | 47 | 57.32% | 79.66%
3 = Don't Know | 5 | 45.45% | NA | 23 | 28.05% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 6 | 59

Q16D: No Savings
1 = Yes | 4 | 36.36% | 66.67% | 26 | 31.71% | 44.07%
2 = No | 2 | 18.18% | 33.33% | 33 | 40.24% | 55.93%
3 = Don't Know | 5 | 45.45% | NA | 23 | 28.05% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 6 | 59


Q17: Org's progress in funding compliance
1 = Not Budgeted | 0 | 0.00% | 0.00% | 15 | 18.29% | 18.75%
2 = Budgeted, not funded | 1 | 9.09% | 9.09% | 5 | 6.10% | 6.25%
3 = Partially funded | 2 | 18.18% | 18.18% | 23 | 28.05% | 28.75%
4 = Fully Funded | 5 | 45.45% | 45.45% | 15 | 18.29% | 18.75%
5 = Not Developing HIPAA specific budget | 3 | 27.27% | 27.27% | 22 | 26.83% | 27.50%
6 = Don't Know | 0 | 0.00% | NA | 2 | 2.44% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 80


Developed Readiness Initiative = Yes | Developed Readiness Initiative = No

Q2: Workability of Consent | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK
1 = not workable | 5 | 10.42% | 10.42% | 2 | 4.44% | 4.55%
2 | 6 | 12.50% | 12.50% | 6 | 13.33% | 13.64%
3 = somewhat workable | 24 | 50.00% | 50.00% | 21 | 46.67% | 47.73%
4 | 7 | 14.58% | 14.58% | 12 | 26.67% | 27.27%
5 = very workable | 6 | 12.50% | 12.50% | 3 | 6.67% | 6.82%
6 = Don't Know | 0 | 0.00% | NA | 1 | 2.22% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 48 | 44

Q3: Consent & flow of information
1 = will greatly limit | 4 | 8.33% | 8.33% | 3 | 6.67% | 6.98%
2 = will somewhat limit | 25 | 52.08% | 52.08% | 22 | 48.89% | 51.16%
3 = will have no effect | 15 | 31.25% | 31.25% | 15 | 33.33% | 34.88%
4 = will somewhat enhance | 4 | 8.33% | 8.33% | 2 | 4.44% | 4.65%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 1 | 2.22% | 2.33%
6 = Don't Know | 0 | 0.00% | NA | 2 | 4.44% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 48 | 43

Q5: Workability of Min. Necessary
1 = not workable | 2 | 4.17% | 4.26% | 2 | 4.44% | 4.88%
2 | 8 | 16.67% | 17.02% | 5 | 11.11% | 12.20%
3 = somewhat workable | 23 | 47.92% | 48.94% | 26 | 57.78% | 63.41%
4 | 11 | 22.92% | 23.40% | 6 | 13.33% | 14.63%
5 = very workable | 3 | 6.25% | 6.38% | 2 | 4.44% | 4.88%
6 = Don't Know | 1 | 2.08% | NA | 4 | 8.89% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 47 | 41

Q6A: Min. Necessary & flow of info. For Delivery
1 = will greatly limit | 2 | 4.17% | 4.35% | 2 | 4.44% | 4.76%
2 = will somewhat limit | 18 | 37.50% | 39.13% | 15 | 33.33% | 35.71%
3 = will have no effect | 23 | 47.92% | 50.00% | 19 | 42.22% | 45.24%
4 = will somewhat enhance | 3 | 6.25% | 6.52% | 5 | 11.11% | 11.90%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 1 | 2.22% | 2.38%

(N=48) (N=45)


6 = Don't Know | 2 | 4.17% | NA | 3 | 6.67% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 46 | 42

Q6B: Min. Necessary & flow of info. For Payment
1 = will greatly limit | 1 | 2.08% | 2.38% | 3 | 6.67% | 6.98%
2 = will somewhat limit | 17 | 35.42% | 40.48% | 12 | 26.67% | 27.91%
3 = will have no effect | 20 | 41.67% | 47.62% | 17 | 37.78% | 39.53%
4 = will somewhat enhance | 3 | 6.25% | 7.14% | 8 | 17.78% | 18.60%
5 = will greatly enhance | 1 | 2.08% | 2.38% | 3 | 6.67% | 6.98%
6 = Don't Know | 6 | 12.50% | NA | 2 | 4.44% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 42 | 43

Q6C: Min. Necessary & flow of info. For Assessment
1 = will greatly limit | 4 | 8.33% | 9.09% | 3 | 6.67% | 7.69%
2 = will somewhat limit | 21 | 43.75% | 47.73% | 17 | 37.78% | 43.59%
3 = will have no effect | 17 | 35.42% | 38.64% | 14 | 31.11% | 35.90%
4 = will somewhat enhance | 1 | 2.08% | 2.27% | 4 | 8.89% | 10.26%
5 = will greatly enhance | 1 | 2.08% | 2.27% | 1 | 2.22% | 2.56%
6 = Don't Know | 4 | 8.33% | NA | 6 | 13.33% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 44 | 39

Q8.1: Regs. Clearly define Business Associates
1 = Yes | 31 | 64.58% | 65.96% | 26 | 57.78% | 61.90%
2 = No | 16 | 33.33% | 34.04% | 16 | 35.56% | 38.10%
3 = Don’t Know | 1 | 2.08% | NA | 3 | 6.67% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 47 | 42

Q8.2: Regs. Clearly define Responsibilities
1 = Yes | 31 | 64.58% | 64.58% | 25 | 55.56% | 59.52%
2 = No | 17 | 35.42% | 35.42% | 17 | 37.78% | 40.48%
3 = Don’t Know | 0 | 0.00% | NA | 3 | 6.67% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 48 | 42


Q8.3: Regs. Clearly define Agreement Provisions
1 = Yes | 30 | 62.50% | 65.22% | 23 | 51.11% | 57.50%
2 = No | 16 | 33.33% | 34.78% | 17 | 37.78% | 42.50%
3 = Don’t Know | 2 | 4.17% | NA | 5 | 11.11% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 46 | 40

Q9.1: Cost Burden of Business Assoc. Requirements
1 = small burden | 5 | 10.42% | 10.87% | 1 | 2.22% | 2.33%
2 | 4 | 8.33% | 8.70% | 3 | 6.67% | 6.98%
3 = burden neither small nor large | 13 | 27.08% | 28.26% | 17 | 37.78% | 39.53%
4 | 13 | 27.08% | 28.26% | 11 | 24.44% | 25.58%
5 = large burden | 11 | 22.92% | 23.91% | 11 | 24.44% | 25.58%
6 = Don't Know | 2 | 4.17% | NA | 2 | 4.44% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 46 | 43

Q9.2: Time Burden of Business Assoc. Requirements
1 = small burden | 5 | 10.42% | 10.87% | 0 | 0.00% | 0.00%
2 | 3 | 6.25% | 6.52% | 1 | 2.22% | 2.33%
3 = burden neither small nor large | 7 | 14.58% | 15.22% | 10 | 22.22% | 23.26%
4 | 10 | 20.83% | 21.74% | 18 | 40.00% | 41.86%
5 = large burden | 21 | 43.75% | 45.65% | 14 | 31.11% | 32.56%
6 = Don't Know | 2 | 4.17% | NA | 2 | 4.44% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 46 | 43

Q10: Distinction b/t Research & Health Care Ops.
1 = unclear | 4 | 8.33% | 10.00% | 2 | 4.44% | 6.06%
2 | 4 | 8.33% | 10.00% | 4 | 8.89% | 12.12%
3 = neither clear nor unclear | 15 | 31.25% | 37.50% | 8 | 17.78% | 24.24%
4 | 13 | 27.08% | 32.50% | 11 | 24.44% | 33.33%
5 = clear | 4 | 8.33% | 10.00% | 8 | 17.78% | 24.24%
6 = Don't Know | 8 | 16.67% | NA | 12 | 26.67% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 40 | 33


Q16A: Short Term Savings (<=1yr)
1 = Yes | 2 | 4.17% | 6.06% | 1 | 2.22% | 3.23%
2 = No | 31 | 64.58% | 93.94% | 30 | 66.67% | 96.77%
3 = Don't Know | 15 | 31.25% | NA | 14 | 31.11% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 33 | 31

Q16B: Medium Term Savings (3 - 5 yrs)
1 = Yes | 8 | 16.67% | 25.00% | 10 | 22.22% | 32.26%
2 = No | 24 | 50.00% | 75.00% | 21 | 46.67% | 67.74%
3 = Don't Know | 16 | 33.33% | NA | 14 | 31.11% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 32 | 31

Q16C: Long Term Savings (5+ yrs)
1 = Yes | 8 | 16.67% | 25.00% | 5 | 11.11% | 16.13%
2 = No | 24 | 50.00% | 75.00% | 26 | 57.78% | 83.87%
3 = Don't Know | 16 | 33.33% | NA | 14 | 31.11% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 32 | 31

Q16D: No Savings
1 = Yes | 14 | 29.17% | 43.75% | 15 | 33.33% | 48.39%
2 = No | 18 | 37.50% | 56.25% | 16 | 35.56% | 51.61%
3 = Don't Know | 16 | 33.33% | NA | 14 | 31.11% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 32 | 31

Q17: Org's progress in funding compliance
1 = Not Budgeted | 3 | 6.25% | 6.38% | 11 | 24.44% | 25.58%
2 = Budgeted, not funded | 4 | 8.33% | 8.51% | 2 | 4.44% | 4.65%
3 = Partially funded | 14 | 29.17% | 29.79% | 11 | 24.44% | 25.58%
4 = Fully Funded | 13 | 27.08% | 27.66% | 7 | 15.56% | 16.28%
5 = Not Developing HIPAA specific budget | 13 | 27.08% | 27.66% | 12 | 26.67% | 27.91%
6 = Don't Know | 1 | 2.08% | NA | 2 | 4.44% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 47 | 43


California HIPAA Privacy Implementation Survey: Appendix I.2

Q2: Workability of Consent | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK
1 = not workable | 7 | 9.09% | 9.09% | 0 | 0.00% | 0.00%
2 | 6 | 7.79% | 7.79% | 6 | 33.33% | 35.29%
3 = somewhat workable | 38 | 49.35% | 49.35% | 8 | 44.44% | 47.06%
4 | 16 | 20.78% | 20.78% | 3 | 16.67% | 17.65%
5 = very workable | 10 | 12.99% | 12.99% | 0 | 0.00% | 0.00%
6 = Don't Know | 0 | 0.00% | NA | 1 | 5.56% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 77 | 17

Q3: Consent & flow of information
1 = will greatly limit | 4 | 5.19% | 5.26% | 3 | 12.50% | 13.04%
2 = will somewhat limit | 41 | 53.25% | 53.95% | 8 | 33.33% | 34.78%
3 = will have no effect | 24 | 31.17% | 31.58% | 6 | 25.00% | 26.09%
4 = will somewhat enhance | 6 | 7.79% | 7.89% | 0 | 0.00% | 0.00%
5 = will greatly enhance | 1 | 1.30% | 1.32% | 6 | 25.00% | 26.09%
6 = Don't Know | 1 | 1.30% | NA | 1 | 4.17% | NA
TOTAL | 77 | 24
TOTAL w/o Don’t Know | 76 | 23

Q5: Workability of Min. Necessary
1 = not workable | 2 | 2.60% | 2.67% | 2 | 11.11% | 13.33%
2 | 12 | 15.58% | 16.00% | 2 | 11.11% | 13.33%
3 = somewhat workable | 40 | 51.95% | 53.33% | 10 | 55.56% | 66.67%
4 | 16 | 20.78% | 21.33% | 1 | 5.56% | 6.67%
5 = very workable | 5 | 6.49% | 6.67% | 0 | 0.00% | 0.00%
6 = Don't Know | 2 | 2.60% | N/A | 3 | 16.67% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 75 | 15

Q6A: Min. Necessary & flow of info. For Delivery
1 = will greatly limit | 2 | 2.60% | 2.70% | 2 | 11.11% | 12.50%
2 = will somewhat limit | 28 | 36.36% | 37.84% | 7 | 38.89% | 43.75%
3 = will have no effect | 36 | 46.75% | 48.65% | 6 | 33.33% | 37.50%
4 = will somewhat enhance | 7 | 9.09% | 9.46% | 1 | 5.56% | 6.25%
5 = will greatly enhance | 1 | 1.30% | 1.35% | 0 | 0.00% | 0.00%

Developed Strategic Plan = Yes (N=77) | Developed Strategic Plan = No (N=18)


6 = Don't Know | 3 | 3.90% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 74 | 16

Q6B: Min. Necessary & flow of info. For Payment
1 = will greatly limit | 2 | 2.60% | 2.86% | 2 | 11.11% | 11.76%
2 = will somewhat limit | 24 | 31.17% | 34.29% | 6 | 33.33% | 35.29%
3 = will have no effect | 30 | 38.96% | 42.86% | 8 | 44.44% | 47.06%
4 = will somewhat enhance | 11 | 14.29% | 15.71% | 0 | 0.00% | 0.00%
5 = will greatly enhance | 3 | 3.90% | 4.29% | 1 | 5.56% | 5.88%
6 = Don't Know | 7 | 9.09% | N/A | 1 | 5.56% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 70 | 17

Q6C: Min. Necessary & flow of info. For Assessment
1 = will greatly limit | 5 | 6.49% | 7.14% | 3 | 16.67% | 20.00%
2 = will somewhat limit | 31 | 40.26% | 44.29% | 8 | 44.44% | 53.33%
3 = will have no effect | 27 | 35.06% | 38.57% | 4 | 22.22% | 26.67%
4 = will somewhat enhance | 5 | 6.49% | 7.14% | 0 | 0.00% | 0.00%
5 = will greatly enhance | 2 | 2.60% | 2.86% | 0 | 0.00% | 0.00%
6 = Don't Know | 7 | 9.09% | N/A | 3 | 16.67% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 70 | 15

Q8.1: Regs. Clearly define Business Associates
1 = Yes | 49 | 63.64% | 65.33% | 10 | 55.56% | 62.50%
2 = No | 26 | 33.77% | 34.67% | 6 | 33.33% | 37.50%
3 = Don’t Know | 2 | 2.60% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 75 | 16

Q8.2: Regs. Clearly define Responsibilities
1 = Yes | 49 | 63.64% | 64.47% | 9 | 50.00% | 56.25%
2 = No | 27 | 35.06% | 35.53% | 7 | 38.89% | 43.75%
3 = Don’t Know | 1 | 1.30% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 76 | 16


Q8.3: Regs. Clearly define Agreement Provisions
1 = Yes | 47 | 61.04% | 64.38% | 8 | 44.44% | 53.33%
2 = No | 26 | 33.77% | 35.62% | 7 | 38.89% | 46.67%
3 = Don’t Know | 4 | 5.19% | N/A | 3 | 16.67% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 73 | 15

Q9.1: Cost Burden of Business Assoc. Requirements
1 = small burden | 6 | 7.79% | 8.00% | 0 | 0.00% | 0.00%
2 | 7 | 9.09% | 9.33% | 0 | 0.00% | 0.00%
3 = burden neither small nor large | 22 | 28.57% | 29.33% | 8 | 44.44% | 50.00%
4 | 21 | 27.27% | 28.00% | 4 | 22.22% | 25.00%
5 = large burden | 19 | 24.68% | 25.33% | 4 | 22.22% | 25.00%
6 = Don't Know | 2 | 2.60% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 75 | 16

Q9.2: Time Burden of Business Assoc. Requirements
1 = small burden | 5 | 6.49% | 6.67% | 0 | 0.00% | 0.00%
2 | 4 | 5.19% | 5.33% | 0 | 0.00% | 0.00%
3 = burden neither small nor large | 13 | 16.88% | 17.33% | 4 | 22.22% | 25.00%
4 | 21 | 27.27% | 28.00% | 8 | 44.44% | 50.00%
5 = large burden | 32 | 41.56% | 42.67% | 4 | 22.22% | 25.00%
6 = Don't Know | 2 | 2.60% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 75 | 16

Q10: Distinction b/t Research & Health Care Ops.
1 = unclear | 5 | 6.49% | 7.81% | 1 | 5.56% | 9.09%
2 | 7 | 9.09% | 10.94% | 1 | 5.56% | 9.09%
3 = neither clear nor unclear | 20 | 25.97% | 31.25% | 3 | 16.67% | 27.27%
4 | 21 | 27.27% | 32.81% | 4 | 22.22% | 36.36%
5 = clear | 11 | 14.29% | 17.19% | 2 | 11.11% | 18.18%
6 = Don't Know | 13 | 16.88% | N/A | 7 | 38.89% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 64 | 11


Q16A: Short Term Savings (<=1yr)
1 = Yes | 3 | 3.90% | 5.45% | 0 | 0.00% | 0.00%
2 = No | 52 | 67.53% | 94.55% | 11 | 61.11% | 100.00%
3 = Don't Know | 22 | 28.57% | N/A | 7 | 38.89% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 55 | 11

Q16B: Medium Term Savings (3 - 5 yrs)
1 = Yes | 13 | 16.88% | 24.07% | 5 | 27.78% | 45.45%
2 = No | 41 | 53.25% | 75.93% | 6 | 33.33% | 54.55%
3 = Don't Know | 23 | 29.87% | N/A | 7 | 38.89% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 54 | 11

Q16C: Long Term Savings (5+ yrs)
1 = Yes | 13 | 16.88% | 24.07% | 1 | 5.56% | 9.09%
2 = No | 41 | 53.25% | 75.93% | 10 | 55.56% | 90.91%
3 = Don't Know | 23 | 29.87% | N/A | 7 | 38.89% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 54 | 11

Q16D: No Savings
1 = Yes | 25 | 32.47% | 46.30% | 5 | 27.78% | 45.45%
2 = No | 29 | 37.66% | 53.70% | 6 | 33.33% | 54.55%
3 = Don't Know | 23 | 29.87% | N/A | 7 | 38.89% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 54 | 11

Q17: Org's progress in funding compliance
1 = Not Budgeted | 9 | 11.69% | 11.84% | 6 | 33.33% | 37.50%
2 = Budgeted, not funded | 6 | 7.79% | 7.89% | 0 | 0.00% | 0.00%
3 = Partially funded | 24 | 31.17% | 31.58% | 2 | 11.11% | 12.50%
4 = Fully Funded | 17 | 22.08% | 22.37% | 3 | 16.67% | 18.75%
5 = Not Developing HIPAA specific budget | 20 | 25.97% | 26.32% | 5 | 27.78% | 31.25%
6 = Don't Know | 1 | 1.30% | N/A | 2 | 11.11% | NA
TOTAL | 77 | 18
TOTAL w/o Don’t Know | 76 | 16


Q2: Workability of Consent | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK
1 = not workable | 6 | 9.68% | 9.68% | 1 | 3.23% | 3.33%
2 | 7 | 11.29% | 11.29% | 5 | 16.13% | 16.67%
3 = somewhat workable | 28 | 45.16% | 45.16% | 16 | 51.61% | 53.33%
4 | 12 | 19.35% | 19.35% | 7 | 22.58% | 23.33%
5 = very workable | 9 | 14.52% | 14.52% | 1 | 3.23% | 3.33%
6 = Don't Know | 0 | 0.00% | NA | 1 | 3.23% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 62 | 30

Q3: Consent & flow of information
1 = will greatly limit | 4 | 6.45% | 6.56% | 3 | 9.68% | 10.00%
2 = will somewhat limit | 32 | 51.61% | 52.46% | 16 | 51.61% | 53.33%
3 = will have no effect | 20 | 32.26% | 32.79% | 9 | 29.03% | 30.00%
4 = will somewhat enhance | 5 | 8.06% | 8.20% | 1 | 3.23% | 3.33%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 1 | 3.23% | 3.33%
6 = Don't Know | 1 | 1.61% | NA | 1 | 3.23% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 30

Q5: Workability of Min. Necessary
1 = not workable | 2 | 3.23% | 3.28% | 2 | 6.45% | 7.41%
2 | 8 | 12.90% | 13.11% | 4 | 12.90% | 14.81%
3 = somewhat workable | 37 | 59.68% | 60.66% | 13 | 41.94% | 48.15%
4 | 12 | 19.35% | 19.67% | 5 | 16.13% | 18.52%
5 = very workable | 2 | 3.23% | 3.28% | 3 | 9.68% | 11.11%
6 = Don't Know | 1 | 1.61% | NA | 4 | 12.90% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 27

Q6A: Min. Necessary & flow of info. For Delivery
1 = will greatly limit | 2 | 3.08% | 3.39% | 2 | 6.45% | 6.90%
2 = will somewhat limit | 24 | 36.92% | 40.68% | 9 | 29.03% | 31.03%
3 = will have no effect | 29 | 44.62% | 49.15% | 13 | 41.94% | 44.83%
4 = will somewhat enhance | 4 | 6.15% | 6.78% | 4 | 12.90% | 13.79%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 1 | 3.23% | 3.45%

Conducted Gap Assessment = Yes (N=62) | Conducted Gap Assessment = No (N=31)


6 = Don't Know | 6 | 9.23% | NA | 2 | 6.45% | NA
TOTAL | 65 | 31
TOTAL w/o Don’t Know | 59 | 29

Q6B: Min. Necessary & flow of info. For Payment
1 = will greatly limit | 2 | 3.23% | 3.51% | 2 | 6.45% | 6.90%
2 = will somewhat limit | 19 | 30.65% | 33.33% | 10 | 32.26% | 34.48%
3 = will have no effect | 27 | 43.55% | 47.37% | 11 | 35.48% | 37.93%
4 = will somewhat enhance | 7 | 11.29% | 12.28% | 4 | 12.90% | 13.79%
5 = will greatly enhance | 2 | 3.23% | 3.51% | 2 | 6.45% | 6.90%
6 = Don't Know | 5 | 8.06% | NA | 2 | 6.45% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 57 | 29

Q6C: Min. Necessary & flow of info. For Assessment
1 = will greatly limit | 6 | 9.68% | 10.71% | 2 | 6.45% | 7.41%
2 = will somewhat limit | 25 | 40.32% | 44.64% | 12 | 38.71% | 44.44%
3 = will have no effect | 22 | 35.48% | 39.29% | 9 | 29.03% | 33.33%
4 = will somewhat enhance | 2 | 3.23% | 3.57% | 3 | 9.68% | 11.11%
5 = will greatly enhance | 1 | 1.61% | 1.79% | 1 | 3.23% | 3.70%
6 = Don't Know | 6 | 9.68% | NA | 4 | 12.90% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 56 | 27

Q8.1: Regs. Clearly define Business Associates
1 = Yes | 42 | 67.74% | 68.85% | 15 | 50.00% | 53.57%
2 = No | 19 | 30.65% | 31.15% | 13 | 43.33% | 46.43%
3 = Don’t Know | 1 | 1.61% | NA | 2 | 6.67% | NA
TOTAL | 62 | 30
TOTAL w/o Don’t Know | 61 | 28

Q8.2: Regs. Clearly define Responsibilities
1 = Yes | 44 | 70.97% | 72.13% | 14 | 45.16% | 48.28%
2 = No | 17 | 27.42% | 27.87% | 15 | 48.39% | 51.72%
3 = Don’t Know | 1 | 1.61% | NA | 2 | 6.45% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 29


Q8.3: Regs. Clearly define Agreement Provisions
1 = Yes | 40 | 64.52% | 68.97% | 14 | 45.16% | 50.00%
2 = No | 18 | 29.03% | 31.03% | 14 | 45.16% | 50.00%
3 = Don’t Know | 4 | 6.45% | NA | 3 | 9.68% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 58 | 28

Q9.1: Cost Burden of Business Assoc. Requirements
1 = small burden | 4 | 6.45% | 6.56% | 1 | 3.23% | 3.57%
2 | 7 | 11.29% | 11.48% | 0 | 0.00% | 0.00%
3 = burden neither small nor large | 20 | 32.26% | 32.79% | 10 | 32.26% | 35.71%
4 | 17 | 27.42% | 27.87% | 7 | 22.58% | 25.00%
5 = large burden | 13 | 20.97% | 21.31% | 10 | 32.26% | 35.71%
6 = Don't Know | 1 | 1.61% | NA | 3 | 9.68% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 28

Q9.2: Time Burden of Business Assoc. Requirements
1 = small burden | 3 | 4.84% | 4.92% | 1 | 3.23% | 3.57%
2 | 4 | 6.45% | 6.56% | 0 | 0.00% | 0.00%
3 = burden neither small nor large | 13 | 20.97% | 21.31% | 4 | 12.90% | 14.29%
4 | 17 | 27.42% | 27.87% | 11 | 35.48% | 39.29%
5 = large burden | 24 | 38.71% | 39.34% | 12 | 38.71% | 42.86%
6 = Don't Know | 1 | 1.61% | NA | 3 | 9.68% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 28

Q10: Distinction b/t Research & Health Care Ops.
1 = unclear | 5 | 8.06% | 9.80% | 1 | 3.23% | 4.17%
2 | 8 | 12.90% | 15.69% | 0 | 0.00% | 0.00%
3 = neither clear nor unclear | 15 | 24.19% | 29.41% | 8 | 25.81% | 33.33%
4 | 18 | 29.03% | 35.29% | 7 | 22.58% | 29.17%
5 = clear | 5 | 8.06% | 9.80% | 8 | 25.81% | 33.33%
6 = Don't Know | 11 | 17.74% | NA | 7 | 22.58% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 51 | 24


Q16A: Short Term Savings (<=1yr)
1 = Yes | 2 | 3.23% | 4.55% | 1 | 3.23% | 4.55%
2 = No | 42 | 67.74% | 95.45% | 21 | 67.74% | 95.45%
3 = Don't Know | 18 | 29.03% | NA | 9 | 29.03% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 44 | 22

Q16B: Medium Term Savings (3 - 5 yrs)
1 = Yes | 12 | 19.35% | 27.91% | 6 | 19.35% | 27.27%
2 = No | 31 | 50.00% | 72.09% | 16 | 51.61% | 72.73%
3 = Don't Know | 19 | 30.65% | NA | 9 | 29.03% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 43 | 22

Q16C: Long Term Savings (5+ yrs)
1 = Yes | 10 | 16.13% | 23.26% | 4 | 12.90% | 18.18%
2 = No | 33 | 53.23% | 76.74% | 18 | 58.06% | 81.82%
3 = Don't Know | 19 | 30.65% | NA | 9 | 29.03% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 43 | 22

Q16D: No Savings
1 = Yes | 19 | 30.65% | 44.19% | 11 | 35.48% | 50.00%
2 = No | 24 | 38.71% | 55.81% | 11 | 35.48% | 50.00%
3 = Don't Know | 19 | 30.65% | NA | 9 | 29.03% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 43 | 22

Q17: Org's progress in funding compliance
1 = Not Budgeted | 4 | 6.45% | 6.56% | 11 | 35.48% | 37.93%
2 = Budgeted, not funded | 6 | 9.68% | 9.84% | 0 | 0.00% | 0.00%
3 = Partially funded | 18 | 29.03% | 29.51% | 7 | 22.58% | 24.14%
4 = Fully Funded | 17 | 27.42% | 27.87% | 2 | 6.45% | 6.90%
5 = Not Developing HIPAA specific budget | 16 | 25.81% | 26.23% | 9 | 29.03% | 31.03%
6 = Don't Know | 1 | 1.61% | NA | 2 | 6.45% | NA
TOTAL | 62 | 31
TOTAL w/o Don’t Know | 61 | 29


Completed Readiness Initiative = Yes | Completed Readiness Initiative = No

Q2: Workability of Consent | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK
1 = not workable | 0 | 0.00% | 0.00% | 7 | 8.54% | 8.64%
2 | 1 | 9.09% | 9.09% | 11 | 13.41% | 13.58%
3 = somewhat workable | 7 | 63.64% | 63.64% | 37 | 45.12% | 45.68%
4 | 1 | 9.09% | 9.09% | 18 | 21.95% | 22.22%
5 = very workable | 2 | 18.18% | 18.18% | 8 | 9.76% | 9.88%
6 = Don't Know | 0 | 0.00% | NA | 1 | 1.22% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 81

Q3: Consent & flow of information
1 = will greatly limit | 0 | 0.00% | 0.00% | 7 | 8.54% | 8.75%
2 = will somewhat limit | 7 | 63.64% | 63.64% | 40 | 48.78% | 50.00%
3 = will have no effect | 4 | 36.36% | 36.36% | 26 | 31.71% | 32.50%
4 = will somewhat enhance | 0 | 0.00% | 0.00% | 6 | 7.32% | 7.50%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 1 | 1.22% | 1.25%
6 = Don't Know | 0 | 0.00% | NA | 2 | 2.44% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 80

Q5: Workability of Min. Necessary
1 = not workable | 0 | 0.00% | 0.00% | 4 | 4.88% | 5.19%
2 | 4 | 36.36% | 36.36% | 10 | 12.20% | 12.99%
3 = somewhat workable | 6 | 54.55% | 54.55% | 42 | 51.22% | 54.55%
4 | 1 | 9.09% | 9.09% | 16 | 19.51% | 20.78%
5 = very workable | 0 | 0.00% | 0.00% | 5 | 6.10% | 6.49%
6 = Don't Know | 0 | 0.00% | NA | 5 | 6.10% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 77

Q6A: Min. Necessary & flow of info. For Delivery
1 = will greatly limit | 1 | 9.09% | 9.09% | 3 | 3.66% | 3.85%
2 = will somewhat limit | 5 | 45.45% | 45.45% | 29 | 35.37% | 37.18%
3 = will have no effect | 5 | 45.45% | 45.45% | 37 | 45.12% | 47.44%
4 = will somewhat enhance | 0 | 0.00% | 0.00% | 8 | 9.76% | 10.26%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 1 | 1.22% | 1.28%

(N=11) (N=82)


6 = Don't Know | 0 | 0.00% | NA | 4 | 4.88% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 78

Q6B: Min. Necessary & flow of info. For Payment
1 = will greatly limit | 1 | 9.09% | 11.11% | 3 | 3.66% | 3.90%
2 = will somewhat limit | 5 | 45.45% | 55.56% | 25 | 30.49% | 32.47%
3 = will have no effect | 3 | 27.27% | 33.33% | 34 | 41.46% | 44.16%
4 = will somewhat enhance | 0 | 0.00% | 0.00% | 11 | 13.41% | 14.29%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 4 | 4.88% | 5.19%
6 = Don't Know | 2 | 18.18% | NA | 5 | 6.10% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 9 | 77

Q6C: Min. Necessary & flow of info. For Assessment
1 = will greatly limit | 1 | 9.09% | 10.00% | 7 | 8.54% | 9.46%
2 = will somewhat limit | 8 | 72.73% | 80.00% | 30 | 36.59% | 40.54%
3 = will have no effect | 1 | 9.09% | 10.00% | 30 | 36.59% | 40.54%
4 = will somewhat enhance | 0 | 0.00% | 0.00% | 5 | 6.10% | 6.76%
5 = will greatly enhance | 0 | 0.00% | 0.00% | 2 | 2.44% | 2.70%
6 = Don't Know | 1 | 9.09% | NA | 8 | 9.76% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 10 | 74

Q8.1: Regs. Clearly define Business Associates
1 = Yes | 8 | 72.73% | 80.00% | 50 | 60.98% | 63.29%
2 = No | 2 | 18.18% | 20.00% | 29 | 35.37% | 36.71%
3 = Don’t Know | 1 | 9.09% | NA | 3 | 3.66% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 10 | 79

Q8.2: Regs. Clearly define Responsibilities
1 = Yes | 8 | 72.73% | 80.00% | 51 | 62.20% | 64.56%
2 = No | 2 | 18.18% | 20.00% | 28 | 34.15% | 35.44%
3 = Don’t Know | 1 | 9.09% | NA | 3 | 3.66% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 10 | 79


Q8.3: Regs. Clearly define Agreement Provisions
1 = Yes | 6 | 54.55% | 54.55% | 49 | 59.76% | 64.47%
2 = No | 5 | 45.45% | 45.45% | 27 | 32.93% | 35.53%
3 = Don’t Know | 0 | 0.00% | NA | 6 | 7.32% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 76

Q9.1: Cost Burden of Business Assoc. Requirements
1 = small burden | 3 | 27.27% | 30.00% | 3 | 3.66% | 3.75%
2 | 2 | 18.18% | 20.00% | 5 | 6.10% | 6.25%
3 = burden neither small nor large | 0 | 0.00% | 0.00% | 29 | 35.37% | 36.25%
4 | 4 | 36.36% | 40.00% | 21 | 25.61% | 26.25%
5 = large burden | 1 | 9.09% | 10.00% | 22 | 26.83% | 27.50%
6 = Don't Know | 1 | 9.09% | NA | 2 | 2.44% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 10 | 80

Q9.2: Time Burden of Business Assoc. Requirements
1 = small burden | 3 | 27.27% | 30.00% | 2 | 2.44% | 2.50%
2 | 1 | 9.09% | 10.00% | 3 | 3.66% | 3.75%
3 = burden neither small nor large | 1 | 9.09% | 10.00% | 15 | 18.29% | 18.75%
4 | 2 | 18.18% | 20.00% | 27 | 32.93% | 33.75%
5 = large burden | 3 | 27.27% | 30.00% | 33 | 40.24% | 41.25%
6 = Don't Know | 1 | 9.09% | NA | 2 | 2.44% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 10 | 80

Q10: Distinction b/t Research & Health Care Ops.
1 = unclear | 2 | 18.18% | 22.22% | 4 | 4.88% | 6.15%
2 | 0 | 0.00% | 0.00% | 8 | 9.76% | 12.31%
3 = neither clear nor unclear | 4 | 36.36% | 44.44% | 18 | 21.95% | 27.69%
4 | 2 | 18.18% | 22.22% | 23 | 28.05% | 35.38%
5 = clear | 1 | 9.09% | 11.11% | 12 | 14.63% | 18.46%
6 = Don't Know | 2 | 18.18% | NA | 17 | 20.73% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 9 | 65


Q16A: Short Term Savings (<=1yr)
1 = Yes | 0 | 0.00% | 0.00% | 3 | 3.66% | 5.00%
2 = No | 6 | 54.55% | 100.00% | 57 | 69.51% | 95.00%
3 = Don't Know | 5 | 45.45% | NA | 22 | 26.83% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 6 | 60

Q16B: Medium Term Savings (3 - 5 yrs)
1 = Yes | 0 | 0.00% | 0.00% | 18 | 21.95% | 30.51%
2 = No | 6 | 54.55% | 100.00% | 41 | 50.00% | 69.49%
3 = Don't Know | 5 | 45.45% | NA | 23 | 28.05% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 6 | 59

Q16C: Long Term Savings (5+ yrs)
1 = Yes | 2 | 18.18% | 33.33% | 12 | 14.63% | 20.34%
2 = No | 4 | 36.36% | 66.67% | 47 | 57.32% | 79.66%
3 = Don't Know | 5 | 45.45% | NA | 23 | 28.05% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 6 | 59

Q16D: No Savings
1 = Yes | 4 | 36.36% | 66.67% | 26 | 31.71% | 44.07%
2 = No | 2 | 18.18% | 33.33% | 33 | 40.24% | 55.93%
3 = Don't Know | 5 | 45.45% | NA | 23 | 28.05% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 6 | 59

Q17: Org's progress in funding compliance
1 = Not Budgeted | 0 | 0.00% | 0.00% | 15 | 18.29% | 18.75%
2 = Budgeted, not funded | 1 | 9.09% | 9.09% | 5 | 6.10% | 6.25%
3 = Partially funded | 2 | 18.18% | 18.18% | 23 | 28.05% | 28.75%
4 = Fully Funded | 5 | 45.45% | 45.45% | 15 | 18.29% | 18.75%
5 = Not Developing HIPAA specific budget | 3 | 27.27% | 27.27% | 22 | 26.83% | 27.50%
6 = Don't Know | 0 | 0.00% | NA | 2 | 2.44% | NA
TOTAL | 11 | 82
TOTAL w/o Don’t Know | 11 | 80


Developed Readiness Initiative = Yes | Developed Readiness Initiative = No

Q2: Workability of Consent | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK
1 = not workable | 5 | 10.42% | 10.42% | 2 | 4.44% | 4.55%
2 | 6 | 12.50% | 12.50% | 6 | 13.33% | 13.64%
3 = somewhat workable | 24 | 50.00% | 50.00% | 21 | 46.67% | 47.73%
4 | 7 | 14.58% | 14.58% | 12 | 26.67% | 27.27%
5 = very workable | 6 | 12.50% | 12.50% | 3 | 6.67% | 6.82%
6 = Don't Know | 0 | 0.00% | NA | 1 | 2.22% | NA
TOTAL | 48 | 45
TOTAL w/o Don’t Know | 48 | 44

Q3: Consent & flow of information1 = will greatly limit 4 8.33% 8.33% 3 6.67% 6.98%2 = will somewhat limit 25 52.08% 52.08% 22 48.89% 51.16%3 = will have no effect 15 31.25% 31.25% 15 33.33% 34.88%4 = will somewhat enhance 4 8.33% 8.33% 2 4.44% 4.65%5 = will greatly enhance 0 0.00% 0.00% 1 2.22% 2.33%6 = Don't Know 0 0.00% NA 2 4.44% NA

TOTAL 48 45TOTAL w/o Don’t Know 48 43

Q5: Workability of Min. Necessary1 = not workable 2 4.17% 4.26% 2 4.44% 4.88%2 8 16.67% 17.02% 5 11.11% 12.20%3 = somewhat workable 23 47.92% 48.94% 26 57.78% 63.41%4 11 22.92% 23.40% 6 13.33% 14.63%5 = very workable 3 6.25% 6.38% 2 4.44% 4.88%6 = Don't Know 1 2.08% NA 4 8.89% NA

TOTAL 48 45TOTAL w/o Don’t Know 47 41

| Q6A: Min. Necessary & flow of info. For Delivery | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = will greatly limit | 2 | 4.17% | 4.35% | 2 | 4.44% | 4.76% |
| 2 = will somewhat limit | 18 | 37.50% | 39.13% | 15 | 33.33% | 35.71% |
| 3 = will have no effect | 23 | 47.92% | 50.00% | 19 | 42.22% | 45.24% |
| 4 = will somewhat enhance | 3 | 6.25% | 6.52% | 5 | 11.11% | 11.90% |
| 5 = will greatly enhance | 0 | 0.00% | 0.00% | 1 | 2.22% | 2.38% |
| 6 = Don't Know | 2 | 4.17% | NA | 3 | 6.67% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 46 | | | 42 | | |

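| Q6B: Min. Necessary & flow of info. For Payment | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = will greatly limit | 1 | 2.08% | 2.38% | 3 | 6.67% | 6.98% |
| 2 = will somewhat limit | 17 | 35.42% | 40.48% | 12 | 26.67% | 27.91% |
| 3 = will have no effect | 20 | 41.67% | 47.62% | 17 | 37.78% | 39.53% |
| 4 = will somewhat enhance | 3 | 6.25% | 7.14% | 8 | 17.78% | 18.60% |
| 5 = will greatly enhance | 1 | 2.08% | 2.38% | 3 | 6.67% | 6.98% |
| 6 = Don't Know | 6 | 12.50% | NA | 2 | 4.44% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 42 | | | 43 | | |

| Q6C: Min. Necessary & flow of info. For Assessment | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = will greatly limit | 4 | 8.33% | 9.09% | 3 | 6.67% | 7.69% |
| 2 = will somewhat limit | 21 | 43.75% | 47.73% | 17 | 37.78% | 43.59% |
| 3 = will have no effect | 17 | 35.42% | 38.64% | 14 | 31.11% | 35.90% |
| 4 = will somewhat enhance | 1 | 2.08% | 2.27% | 4 | 8.89% | 10.26% |
| 5 = will greatly enhance | 1 | 2.08% | 2.27% | 1 | 2.22% | 2.56% |
| 6 = Don't Know | 4 | 8.33% | NA | 6 | 13.33% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 44 | | | 39 | | |

| Q8.1: Regs. Clearly define Business Associates | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = Yes | 31 | 64.58% | 65.96% | 26 | 57.78% | 61.90% |
| 2 = No | 16 | 33.33% | 34.04% | 16 | 35.56% | 38.10% |
| 3 = Don’t Know | 1 | 2.08% | NA | 3 | 6.67% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 47 | | | 42 | | |

| Q8.2: Regs. Clearly define Responsibilities | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = Yes | 31 | 64.58% | 64.58% | 25 | 55.56% | 59.52% |
| 2 = No | 17 | 35.42% | 35.42% | 17 | 37.78% | 40.48% |
| 3 = Don’t Know | 0 | 0.00% | NA | 3 | 6.67% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 48 | | | 42 | | |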


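| Q8.3: Regs. Clearly define Agreement Provisions | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = Yes | 30 | 62.50% | 65.22% | 23 | 51.11% | 57.50% |
| 2 = No | 16 | 33.33% | 34.78% | 17 | 37.78% | 42.50% |
| 3 = Don’t Know | 2 | 4.17% | NA | 5 | 11.11% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 46 | | | 40 | | |

| Q9.1: Cost Burden of Business Assoc. Requirements | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = small burden | 5 | 10.42% | 10.87% | 1 | 2.22% | 2.33% |
| 2 | 4 | 8.33% | 8.70% | 3 | 6.67% | 6.98% |
| 3 = burden neither small nor large | 13 | 27.08% | 28.26% | 17 | 37.78% | 39.53% |
| 4 | 13 | 27.08% | 28.26% | 11 | 24.44% | 25.58% |
| 5 = large burden | 11 | 22.92% | 23.91% | 11 | 24.44% | 25.58% |
| 6 = Don't Know | 2 | 4.17% | NA | 2 | 4.44% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 46 | | | 43 | | |

| Q9.2: Time Burden of Business Assoc. Requirements | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = small burden | 5 | 10.42% | 10.87% | 0 | 0.00% | 0.00% |
| 2 | 3 | 6.25% | 6.52% | 1 | 2.22% | 2.33% |
| 3 = burden neither small nor large | 7 | 14.58% | 15.22% | 10 | 22.22% | 23.26% |
| 4 | 10 | 20.83% | 21.74% | 18 | 40.00% | 41.86% |
| 5 = large burden | 21 | 43.75% | 45.65% | 14 | 31.11% | 32.56% |
| 6 = Don't Know | 2 | 4.17% | NA | 2 | 4.44% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 46 | | | 43 | | |

| Q10: Distinction b/t Research & Health Care Ops. | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = unclear | 4 | 8.33% | 10.00% | 2 | 4.44% | 6.06% |
| 2 | 4 | 8.33% | 10.00% | 4 | 8.89% | 12.12% |
| 3 = neither clear nor unclear | 15 | 31.25% | 37.50% | 8 | 17.78% | 24.24% |
| 4 | 13 | 27.08% | 32.50% | 11 | 24.44% | 33.33% |
| 5 = clear | 4 | 8.33% | 10.00% | 8 | 17.78% | 24.24% |
| 6 = Don't Know | 8 | 16.67% | NA | 12 | 26.67% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 40 | | | 33 | | |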


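| Q16A: Short Term Savings (<=1yr) | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = Yes | 2 | 4.17% | 6.06% | 1 | 2.22% | 3.23% |
| 2 = No | 31 | 64.58% | 93.94% | 30 | 66.67% | 96.77% |
| 3 = Don't Know | 15 | 31.25% | NA | 14 | 31.11% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 33 | | | 31 | | |

| Q16B: Medium Term Savings (3 - 5 yrs) | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = Yes | 8 | 16.67% | 25.00% | 10 | 22.22% | 32.26% |
| 2 = No | 24 | 50.00% | 75.00% | 21 | 46.67% | 67.74% |
| 3 = Don't Know | 16 | 33.33% | NA | 14 | 31.11% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 32 | | | 31 | | |

| Q16C: Long Term Savings (5+ yrs) | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = Yes | 8 | 16.67% | 25.00% | 5 | 11.11% | 16.13% |
| 2 = No | 24 | 50.00% | 75.00% | 26 | 57.78% | 83.87% |
| 3 = Don't Know | 16 | 33.33% | NA | 14 | 31.11% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 32 | | | 31 | | |

| Q16D: No Savings | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = Yes | 14 | 29.17% | 43.75% | 15 | 33.33% | 48.39% |
| 2 = No | 18 | 37.50% | 56.25% | 16 | 35.56% | 51.61% |
| 3 = Don't Know | 16 | 33.33% | NA | 14 | 31.11% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 32 | | | 31 | | |

| Q17: Org's progress in funding compliance | Freq. | Percent | Percent w/o DK | Freq. | Percent | Percent w/o DK |
|---|---|---|---|---|---|---|
| 1 = Not Budgeted | 3 | 6.25% | 6.38% | 11 | 24.44% | 25.58% |
| 2 = Budgeted, not funded | 4 | 8.33% | 8.51% | 2 | 4.44% | 4.65% |
| 3 = Partially funded | 14 | 29.17% | 29.79% | 11 | 24.44% | 25.58% |
| 4 = Fully Funded | 13 | 27.08% | 27.66% | 7 | 15.56% | 16.28% |
| 5 = Not Developing HIPAA specific budget | 13 | 27.08% | 27.66% | 12 | 26.67% | 27.91% |
| 6 = Don't Know | 1 | 2.08% | NA | 2 | 4.44% | NA |
| TOTAL | 48 | | | 45 | | |
| TOTAL w/o Don’t Know | 47 | | | 43 | | |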


California HIPAA Privacy Implementation Survey:

Appendix J. Characteristics of Survey Respondents

Prepared for the California HealthCare Foundation

Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project

April 2002


Appendix J: Characteristics of Survey Respondents

There were 420 organizations identified for the survey, of which 416 were still in business at the time of the survey. These organizations were classified as Hospitals, Physician Groups, Payors, and Others (defined as Disease Management Organizations, Researchers, and other organizations believed to be impacted by HIPAA regulations). One hundred surveys out of the 416 were completed, yielding an overall response rate of 24% for the survey.

Of non-respondents who could be reached, many provided reasons for not participating in the survey when asked. Twenty-four respondents stated that they did not believe their organization would be impacted by HIPAA regulations. Fifty percent of these responses were from Physician Group non-respondents, and 47% of these responses were from Disease Management Organization non-respondents. Other common reasons given for non-participation were “no time” to do the survey or that the respondent “doesn’t do surveys.”

Hospitals constituted 29% of the total number of completed surveys, followed by Payors and Others (each 26% of total). Physician Groups constituted 19% of the total number of completed surveys.

Hospitals represented in the sample tended to be large community hospitals. Of the 29 Hospitals, 18 (63%) were Community, 8 (27%) were Academic, and 3 (10%) were Rural. Sixty-three percent of the Hospital respondents represented hospitals with 300 or more beds, 27% were from hospitals with 100 to 299 beds, 7% were from hospitals with 50 to 99 beds, and 3% were from hospitals with fewer than 50 beds.

Physician Groups represented in the sample tended to be mostly multiple specialty groups with more than 100 physicians. Multiple specialty physician groups comprise 84% of Physician Group responses, while single specialty groups comprise 16% of Physician Group responses. Seventy-four percent of Physician Group responses were from groups with a size greater than 100; 10% were from groups of 31 to 100, and 16% of physician responses were from groups with fewer than 30 physicians.

Fifty percent of Payors were either partially or exclusively Medicaid Payors, while 46% were either Commercial or Commercial and Medicare.

Fifty percent of Other respondents represented Disease Management Organizations, and 46% were from Other organizations. Only 1 respondent was classified as Researcher. Twelve respondents classified as Other represented organizations such as: clearinghouses, corporate offices for a system of hospitals, employee benefit consulting firms, behavioral health care organizations, medical groups/medical management groups, and online companies.

California HIPAA Privacy Implementation Survey:

Appendix K. List of Survey Respondents

Prepared for the California HealthCare Foundation

Prepared by National Committee for Quality Assurance and Georgetown University Health Privacy Project

April 2002


Appendix K: List of Survey Respondents

| Organization | City | State |
|---|---|---|
| Adventist Health | Roseville | CA |
| Aetna | Hartford | CT |
| Alameda Alliance for Health | Alameda | CA |
| American Healthways | Nashville | TN |
| Brown & Toland Physician Services Org. | San Francisco | CA |
| California Pacific Medical Center | San Francisco | CA |
| CalOptima | Orange | CA |
| CareCounsel | San Rafael | CA |
| Catholic Healthcare West Corporate | San Francisco | CA |
| Cedars-Sinai Medical Center | Los Angeles | CA |
| Central California Faculty Medical Group | Fresno | CA |
| Central Valley General Hospital | Hanford | CA |
| Childrens Hospital Los Angeles | Hollywood | CA |
| Chinese Community Health Plan | San Francisco | CA |
| Community Health Group | Chula Vista | CA |
| Community Hospital of Gardena | Gardena | CA |
| Core Solutions | Buffalo Grove | IL |
| Desert Regional Medical Center | Palm Springs | CA |
| Epic Management | Redlands | CA |
| Esoterix Inc. | Brentwood | TN |
| EXCEL MSO, LLC | San Jose | CA |
| General/ St Joseph Hospital | Eureka | CA |
| Healinx Corporation | Emeryville | CA |
| Health Hero Network, Inc. | Mountain View | CA |
| Health Net, Inc. | Woodland Hills | CA |
| Health Plan of San Joaquin | Stockton | CA |
| Health Plan of San Mateo | San Francisco | CA |
| Health Plan of the Redwoods | Santa Rosa | CA |
| HealthCare Partners Medical Group | Torrance | CA |
| Hill Physicians | San Ramon | CA |
| Hoag Memorial Presbyterian Hospital | Newport Beach | CA |
| Huntington Beach Hospital | Huntington Beach | CA |
| Huntington Memorial Hospital | Pasadena | CA |
| Inland Empire Health Plan | San Bernardino | CA |
| Intervalley Health Plan | Pomona | CA |
| I-Trax, Inc. | Philadelphia | PA |
| Kaiser Permanente | Oakland | CA |
| Kern Health Systems | Bakersfield | CA |
| L.A. Care Health Plan | Los Angeles | CA |
| La Maestra Family Clinic, Inc. | San Diego | CA |
| LifeMasters Supported Self Care | Newport Beach | CA |
| Los Angeles Free Clinic | Los Angeles | CA |
| Marin General Hospital | Greenbrae | CA |
| MedPOINT Management | Woodland Hills | CA |
| Menifee Valley Medical Center | Sun City | CA |
| Merck-Medco | Franklin Lake | NJ |
| Meridian Healthcare Management | Woodland Hills | CA |
| Molina Healthcare | Long Beach | CA |
| MSO of Sharp Community Medical | San Diego | CA |
| Network Medical Management, Inc. | Alhambra | CA |
| North American Medical Management CA, Inc. | Ontario | CA |
| On Lok Senior Health Services | San Francisco | CA |
| Pacific Partners Mgmt. Services, Inc. | Foster City | CA |
| PacifiCare Health Systems | Cypress | CA |
| Palo Alto Medical Foundation | Palo Alto | CA |
| Paradigm Health Corp. | Concord | CA |
| Physician Associates of the Greater San Gabriel Valley | Pasadena | CA |
| Premera Blue Cross | Mountlake Terrace | WA |
| Prospect Medical Group | Santa Ana | CA |
| Qmed Inc. | Laurence Harbor | NJ |
| Quintiles Transnational Corp | Durham | NC |
| RAND Health | Santa Monica | CA |
| Redwood Coast Medical Services | Gualala | CA |
| Resolution Health, Inc. | San Jose | CA |
| Riverside County Regional Medical Center | Moreno Valley | CA |
| RMS Disease Mgmt | McGaw Park | IL |
| RxHub LLC | St Paul | MN |
| Saint Joesphs Hospital | Orange | CT |
| Salinas Valley Memorial Hospital | Salinas | CA |
| San Antonio Community Hospital | Upland | CA |
| San Francisco Health Plan | San Francisco | CA |
| San Jose Good Samaritan Medical Group | San Jose | CA |
| Santa Clara Family Health Plan | San Jose | CA |
| Santa Cruz Womens Health Center | Santa Cruz | CA |
| Sante Health System Inc. | Fresno | CA |
| SCAN Health Plan | Long Beach | CA |
| Scripps Mercy Hospital | San Diego | CA |
| Serenity Senior Support Services | Daly City | CA |
| Sharp Health Plan | San Diego | CA |
| Sharp Home Health Care | San Diego | CA |
| Sonora Community Hospital - Adventist Health | Sonora | CA |
| St. Bernardine Medical Center | San Bernardino | CA |
| St. Agnes Medical Center | Fresno | CA |
| St. Joseph Health System | Santa Rosa | CA |
| St. Joseph Heritage Health Foundation | Fullerton | CA |
| Stanford University Medical Center | Stanford | CA |
| Sun Health Care Group | Albuquerque | NM |
| Tarzana Treatment Centers, Inc. | Tarzana | CA |
| Torrance Hospital Independent Practice Assn. | Torrance | CA |
| Towers Perrin | San Francisco | CA |
| Tri-City Regional Medical Center | Hawaiian Gardens | CA |
| UC Davis Health System | Sacramento | CA |
| UCSD Health Sciences | San Diego | CA |
| UHP Healthcare | Inglewood | CA |
| United Health Care | Edina | MN |
| Universal Care, Inc. | Signal Hill | CA |
| University Affiliates Medical Group IPA | Alhambra | CA |
| University of California San Francisco | San Francisco | CA |
| WellMed, Inc. | Portland | OR |
| Wellpoint (BCCA) | Thousand Oaks | CA |