Medical Records Briefing 2014 HIPAA Compliance Benchmarking Survey

Question Title

* 1. Which of the following best describes your job title?

HIM director or manager

Privacy officer

Security officer/Information security officer

Non-managerial HIM staff member

HIT or HIS director/manager

Compliance officer or manager

Other (please specify)

Question Title

* 2. Do you serve as your organization's privacy officer, security officer, or information security officer?

I serve as privacy officer

I serve as the security officer or information security officer

I serve as both the privacy and security officer or information security officer

No, I do not serve in either role

Question Title

* 3. Which best describes the setting in which you work?

Acute care hospital

Critical access hospital

Inpatient rehabilitation hospital

Long-term acute care hospital

Psychiatric/Behavioral health hospital

Healthcare system corporate office

Home health agency

Skilled nursing facility

Ambulatory surgery center

Physician office

Urgent care facility

Other (please specify)

Question Title

* 4. If you work in a hospital, how many beds does it have?

25 or fewer beds

26-49 beds

50-99 beds

100-199 beds

200-299 beds

300-399 beds

400-499 beds

500 or more beds

I don't work in a hospital

Question Title

* 5. How often does your facility conduct HIPAA training for staff?

Once, upon hire

Every six months

Annually

Every two years

On an as needed basis

I don't know

Other (please describe)

Question Title

* 6. Which of the following training methods does your organization employ for HIPAA training? (Please check all that apply.)

Lectures/seminars/workshops

Books/other printed material

Slide presentations/videos

On-the-job training

Online learning

We don't provide HIPAA training

I don't know

Other (please specify)

Question Title

* 7. Does your organization address medical identity theft in its HIPAA training?

No, but we plan to include it in the future

No, we have no plans to address it specifically

I don't know

Yes (please specify)

Question Title

* 8. Does your organization's HIPAA training (orientation and ongoing) include take-aways (e.g., handbooks, other printed material)?

No, but we plan to include this in the future

No, we have no plans to include this in our training

I don't know

Yes (please specify)

Question Title

* 9. Does your organization provide HIPAA training for its business associates?

No, but we plan to do so in the future

No, we have no plans to do this

I don't know

Yes (please specify)

Question Title

* 10. What are the sources of your HIPAA training materials. (Please check all that apply.)

Training materials created internally

Training materials purchased from external organizations

Information available at no cost from government websites and other online sources

We don't provide HIPAA training

I don't know

Other (please specify)

Question Title

* 11. How often does your organization conduct internal audits to assess HIPAA compliance?

Monthly

Every six months

Annually

Every two years

On an as needed basis

Other (please specify)

Question Title

* 12. Does your organization conduct walk-around security audits?

Yes, on a monthly basis

Yes, every six months

Yes, annually

Yes, on an as needed basis

No, but we plan to do so in the future

No, we have no plans to do so

I don't know

Other (please specify)

Question Title

* 13. Who conducts your internal audits to assess HIPAA compliance?

Employees/other workforce members

External consultants

We don't conduct internal audits to assess HIPAA compliance

I don't know

Other (please specify)

Question Title

* 14. Are you aware of any healthcare organizations in your state being audited or having been audited by a state or federal agency (e.g., CMS, OCR, OIG) for HIPAA compliance?

I don't know

Yes, please specify

Question Title

* 15. How prepared is your organization for an OCR HIPAA privacy and security compliance audit?

Fully prepared

Somewhat prepared

Not prepared at all

I don't know

Question Title

* 16. Are all payers honoring the HIPAA 5010 transaction set for billing?

All payers are accepting transactions sent in 5010 format and accommodating the 25 diagnosis and 25 procedure codes

All payers are accepting transactions sent in 5010 format but not all are accommodating 25 diagnosis and 25 procedure codes

I don't know

Other (please specify)

Question Title

* 17. Approximately how many requests for an accounting of disclosures have you received in the past year?

None

1-2

3-5

6-10

11-20

More than 20

I don't know

Question Title

* 18. Which of the following has your organization done or experienced as a result of the HIPAA Omnibus Rule? (check all that apply)

Trained business associates on HIPAA security and/or privacy

Amended contracts with business associates to account for their new responsibilities with respect to HIPAA compliance

Worked with business associates and subcontractors to implement a compliance plan

Updated all business associate agreements

Revised our Notice of Privacy Practices

Revised policies and procedures in response to marketing restrictions

Reported a breach to the OCR and/or local media outlets

Updated release of information policies and procedures

Restricted one or more patients’ information upon request when they have paid for services out-of-pocket

Changed the method of providing copies of records to patients (e.g., you now provide electronic access, or you save the medical record on a CD-ROM)

Further limited fundraising and/or marketing activities using that involve use of patient information

None of the above

Other, please specify

Question Title

* 19. Has your organization experienced an increase in the number of reportable breaches at your organization since the HIPAA Omnibus Rule became enforceable?

No, but we an anticipate an increase

No, and we do not anticipate an increase

I don't know

Yes, we experience an increase of (write in percentage or number)

Question Title

* 20. Have you experienced an increase in the number of patient requests for medical records since the HIPAA Omnibus Rule became enforceable?

No, but we an anticipate an increase

No, and we do not anticipate an increase

Yes, we experienced an increase in requests

I don't know

Question Title

* 21. In which format do most of your patients request their medical records?

Paper

Electronic

Both paper and electronic

I don't know

Other (please specify)

Question Title

* 22. Has your organization experienced an increase in the number of out-of-pocket payments since the HIPAA Omnibus Rule became enforceable?

No, but we an anticipate an increase

No, we do not anticipate an increase

Yes, we experienced an increase in requests

I don't know

Question Title

* 23. Has your organization developed a method of restricting the disclosure of PHI to a health plan if a healthcare item or service has been paid out of pocket?

Yes, we quarantine the record in the EHR

Yes, we maintain a record that is separate from the EHR for these services

No, but we have developed a plan to do so in 2014

No, we have not yet developed a plan for complying with this provision

I don't know

Other (please specify)

Question Title

* 24. Has your organiztaion experienced a HIPAA breach within the past two years?

Yes, involving fewer than 100 patients

Yes, involving 100-250 patients

Yes, involving 250-500 patients

Yes, involving more than 500 patients

No, we haven’t experienced a HIPAA breach

I don't know

Question Title

* 25. If your organization experienced one or more breaches, how did you become aware? (Select all that apply.)

Patient complaint

Workforce member self reporting

Workforce member reporting another member

Through an audit

Other (please specify)

Question Title

* 26. Which breach reporting methods does your organization make available to your workforce and the public? (Select all that apply.)

Toll-free phone number

Website

Other (please specify)

Question Title

* 1. Which of the following best describes your job title?

Question Title

* 2. Do you serve as your organization's privacy officer, security officer, or information security officer?

Question Title

* 3. Which best describes the setting in which you work?

Question Title

* 4. If you work in a hospital, how many beds does it have?

Question Title

* 5. How often does your facility conduct HIPAA training for staff?

Question Title

* 6. Which of the following training methods does your organization employ for HIPAA training? (Please check all that apply.)

Question Title

* 7. Does your organization address medical identity theft in its HIPAA training?

Question Title

* 8. Does your organization's HIPAA training (orientation and ongoing) include take-aways (e.g., handbooks, other printed material)?

Question Title

* 9. Does your organization provide HIPAA training for its business associates?

Question Title

* 10. What are the sources of your HIPAA training materials. (Please check all that apply.)

Question Title

* 11. How often does your organization conduct internal audits to assess HIPAA compliance?

Question Title

* 12. Does your organization conduct walk-around security audits?

Question Title

* 13. Who conducts your internal audits to assess HIPAA compliance?

Question Title

* 14. Are you aware of any healthcare organizations in your state being audited or having been audited by a state or federal agency (e.g., CMS, OCR, OIG) for HIPAA compliance?

Question Title

* 15. How prepared is your organization for an OCR HIPAA privacy and security compliance audit?

Question Title

* 16. Are all payers honoring the HIPAA 5010 transaction set for billing?

Question Title

* 17. Approximately how many requests for an accounting of disclosures have you received in the past year?

Question Title

* 18. Which of the following has your organization done or experienced as a result of the HIPAA Omnibus Rule? (check all that apply)

Question Title

* 19. Has your organization experienced an increase in the number of reportable breaches at your organization since the HIPAA Omnibus Rule became enforceable?

Question Title

* 20. Have you experienced an increase in the number of patient requests for medical records since the HIPAA Omnibus Rule became enforceable?

Question Title

* 21. In which format do most of your patients request their medical records?

Question Title

* 22. Has your organization experienced an increase in the number of out-of-pocket payments since the HIPAA Omnibus Rule became enforceable?

Question Title

* 23. Has your organization developed a method of restricting the disclosure of PHI to a health plan if a healthcare item or service has been paid out of pocket?

Question Title

* 24. Has your organiztaion experienced a HIPAA breach within the past two years?

Question Title

* 25. If your organization experienced one or more breaches, how did you become aware? (Select all that apply.)

Question Title

* 26. Which breach reporting methods does your organization make available to your workforce and the public? (Select all that apply.)

Question Title

* 27. Can you share any guidance for HIPAA breach response preparedness?

Question Title

* 28. What is your primary concern about the HIPAA Omnibus Rule and efforts to comply?

Question Title

* 29. Can you share your HIPAA compliance success stories?