2020 HIPAA Survey

2020 HIPAA Compliance Survey

Thank you for participating in the 2020 HIPAA Compliance Survey conducted by SAI Global and Strategic Management Services. The survey takes about 10 minutes to complete, and the summarized results and statistical trends will be shared with all participants who submit their email at the conclusion of the survey.

Participating in this survey will allow you to:

- Compare your challenges and priorities with those of your peers

- See industry trends to help you in setting your program priorities

Individual responses will be held in strict confidence and used only to produce the results report.

Question Title

* 1. What type of healthcare-related provider best represents your organization (Select all that apply)

Behavioral/Mental Health

Clinic/Ambulatory Surgery Center

DME

Health Plan/Insurance

Hospital/Health System

Home Health/Hospice/Dialysis

Laboratory

Skilled Nursing/Long-Term Care

Physician/Group Practice

Pharmacy

Pharmaceutical Company or Medical Device Manufacturer

Health Record Vendor

Other (please specify)

Question Title

* 2. What is the status of your organization under HIPAA?

We are a Covered Entity/Healthcare Provider

We are a Covered Entity/Health Plan

We are a Covered Entity/Clearinghouse

We are a Business Associate

HIPAA is not applicable to my organization

Question Title

* 3. What is the staffing level for the HIPAA Privacy Office function?

More than one full time person

One full time person

Less than one full time person

Question Title

* 4. To whom does the Privacy Officer directly report?

Legal Counsel

Compliance Officer

CEO/President

Chief Operating Officer

Chief Information Officer

Health Information Management

Don’t Know/Not Sure

Question Title

* 5. To what oversight committee does the Privacy Officer provide formal reports? (Select all that apply)

Board of Directors or Audit/Compliance Committee of the Board

Executive-level Compliance Committee

Executive-level HIPAA Privacy/Security Committee

There is no oversight body for HIPAA operations

Other

Question Title

* 6. Which of the following statements best describes the support received from your executive leadership and Board of Directors?

Very Supportive

Supportive

Weak

Very Weak

Not Supportive

Question Title

* 7. How does your workforce access HIPAA related policies and procedures? (Select all that apply)

Polices are posted on the intranet for our organization

Policies are accessed using the policy management system or repository

Policies are posted on a shared drive folder

Policies are available in paper form (for example, a binder)

Don’t Know/Not sure

Other (please specify)

Question Title

* 8. How often do you conduct HIPAA compliance training with your employees?

Annually

New employee orientation and annually

New employee orientation only

Don’t know/Not sure

Other (please specify)

Question Title

* 9. What type of information does your organization maintain for HIPAA Training? (Select all that apply)

When the training took place

How training was delivered (LMS, live trainer)

Who was trained

Content of the training

Test/Quiz results

Other

Question Title

* 10. Is HIPAA training mandatory for all employees and business associates (i.e., is disciplinary action taken if the training is not completed)?

HIPAA training is mandatory for all employees and business associates

HIPAA training is mandatory for all employees, but not business associates

HIPAA training is only mandatory for select employees within the organization

HIPAA training is encouraged, but not mandatory

Other (please specify)

Question Title

* 11. Who is responsible for making the final determination of whether a Business Associate Agreement (BAA) is needed with a third-party vendor?

Privacy Office

Compliance Office

Legal Counsel

Procurement/Contracting Department

Don’t Know/Not Sure

Other (please specify)

Question Title

* 12. How are most HIPAA Privacy incidents detected at your organization?

Patient reports/complaints

Monitoring of workforce/user access

Employee reports directly to management/HIPAA/Compliance Office

Reports from anonymous sources

Hotline Reports

Internal Reporting System Reports (e.g., SAI Global Incident Manager)

By outside government agencies

Don’t Know/Not Sure

Other (please specify)

Question Title

* 13. Which of the following items are currently on your HIPAA/Compliance Audit Work Plan? (Select all that apply)

User access reviews (of the electronic health record or other relevant applications)

Individual Right of Access request reviews (for patients or health plan members)

Individual Release of Information (ROI) request reviews (e.g., valid authorization form, received within required timeframes, etc.)

Reviews of customer service calls/communications with patients or health plan members

Third party release of protected health information reviews (i.e., for public health purposes or research purposes)

Review of de-identification methods for external release of protected health information

Review of Business Associate activity

Review of corrective actions for HIPAA incidents/investigations

Physical location reviews/walkthroughs (e.g., secure shredding, no paper left on desk/printers, screen protectors, posting of notice of privacy practices, etc.)

We do not have an Audit Work Plan

Don’t know/not sure

Question Title

* 14. When was the last time the effectiveness of your HIPAA Privacy Program was independently evaluated?

Within the last year

Within the last three years

Over three years ago

Has not been done

Don’t Know/Not Sure

Question Title

* 15. Please select the top three priorities to be addressed by your HIPAA Compliance Program in the next 12 months:

Question Title

* 16. Which of the following HIPAA responsibilities takes the most planning and resources for your organization?

Updating policies and procedures

Providing education and training awareness

Conducting investigations

Breach determination and notification management (breach risk assessment, breach notification to patients and government)

Responding to inquiries from workforce

Conducting HIPAA related audits

Other (please specify)

Question Title

* 17. What type of impact has the COVID-19 public health emergency had on your HIPAA Program? (Select all that apply)

Increased Resources for the HIPAA Program

Decreased resources for the HIPAA Program

Increased HIPAA related training and education needed

Developed additional HIPAA Policies

Increased HIPAA related research inquiries received

Increased HIPAA breach activity

Increased responsibilities and resources needed for public health reporting

COVID-19 has not impacted the HIPAA Program

Question Title

* 18. What type of software or hardware tools do you use to carry out the Privacy Program operations at your organization? (Select all that apply)

Incident Reporting Tool (i.e., HIPAA Hotline)

Incident Tracking Software

Investigation Management Software

Policy Management Software

Learning/Training Management System

Automated monitoring of users access to PHI

Automated review of audit logs and reports from the EHR system

None

Other (please specify)

Question Title

* 19. Does your organization use on-call consultant/vendor services to assist with HIPAA Privacy and Security functions (e.g. training, investigation breaches, assisting with evaluations, policies and procedures, risk analysis etc.)?

Yes, we use consultants for HIPAA Privacy program functions

Yes, we use consultants for HIPAA Security program functions

Yes, we use consultants for both HIPAA Privacy and Security program functions

Don’t Know/Not Sure

Question Title

* 20. How confident are you that your organization is meeting the HIPAA Privacy, Security and Breach Notification Rule Requirements?

Very Confident

Somewhat Confident

Not Very Confident

Don't Know/Not Sure

Question Title

* 21. How prepared is your organization for a HIPAA Compliance audit or investigation from OCR?

Very prepared

Mostly prepared

Somewhat prepared

Not well prepared

Question Title

* 22. When was the last time your organization had a HIPAA Breach that has been reported to the Office for Civil Rights?

Within the last 12 months

One to two years ago

Three to five years ago

Never

Don't Know/Not Sure

Question Title

* 23. What type of encounters has your organization had with OCR in the last 2 years?

HIPAA Privacy related Investigation, Settlement or Corrective Action Plan

HIPAA Security related Investigation, Settlement or Corrective Action Plan

Technical Assistance

Investigation/Inquiry regarding Breach Report for incident involving under 500 individuals

Investigation/Inquiry regarding Breach Report for incident involving 500 or more individuals

No Encounters with OCR

Don’t Know/Not Sure

Other (please specify)

Question Title

* 24. For early access to the report, please leave your information below.

Name

Company

State/Province

Country

Email Address