Automated Policy: HOSPITAL HIPAA COMPLIANCE
Lead Institution: Dartmouth
Project Leader: Denise Anthony
Research Progress
-
Abstract
New regulations for promoting health information security and privacy must fit with market and organizational conditions by providing the right incentives and considering the relevant barriers that may impede provider compliance. This project set out to identify organizational and environmental factors associated with initial HIPAA Privacy and Security Rule compliance (in 2003) among middle and large (50+ beds) acute-care hospitals. Identifying hospital characteristics and market factors that may impede (or facilitate) compliance with federal regulations for information security and privacy help to demonstrate that health information security and privacy is not simply a matter of the design or implementation of technology, but also depends on the regulatory structure, the existing organizations, and factors that influence provider compliance. -
Focus of the research/Market need for this project
New regulations for promoting health information security and privacy must fit with market and organizational conditions of providers (i.e., covered entities) by providing the right incentives and considering the relevant barriers that may impede provider compliance. -
Project Aims/Goals
We analyzed data from the 2003 Health Information and Management System Society Analytics Database on 3,321 nonfederal (i.e., not Veterans Administration hospitals), acute-care (i.e., not rehabilitation or long-term care facilities) hospitals with 50 or more beds regarding their compliance (100% compliance or not) with the HIPAA Privacy and Security Rules. We conducted cross-sectional logistic regression analyses to predict the likelihood of compliance with each rule by hospital strategies, profit status, market conditions, and institutional factors. We also looked at the interaction of profit status with two organizational strategies: dedicated compliance officer and external consultants. -
Key Conclusions/Significant Findings/Milestones reached/Deliverables
- Findings: We find that organizational strategies and institutional environments influence hospital compliance, and further that institutional logics moderate the effect of some strategies, indicating the interplay of regulation, institutions, and organizations that contribute to the extensive variation that characterizes the U.S. health care system.
Specific findings:- Hospitals were much more likely to be in compliance with the mandatory HIPAA Privacy Rule in 2003 than the voluntary Security Rule.
- Nearly half of hospitals appointed a dedicated compliance officer, which was associated with increased Privacy Rule compliance, but decreased Security Rule compliance.
- Though about one third of both for-profit and nonprofit hospitals pursued the strategy of hiring external consultants, the consultants increased compliance with the Privacy Rule in for-profit hospitals only; they decreased Privacy Rule compliance in nonprofit hospitals.
- Compliance at peer hospitals in a local market increased the likelihood of a given hospital’s compliance with the HIPAA Privacy and Security Rules.
Note: HIPAA = Health Insurance Portability and Accountability Act.
* Non-federal, acute care hospitals with 50 or more beds.
† For-profit hospitals are significantly more likely than Non-Profit hospitals to be in compliance with the mandatory HIPAA Privacy Rule.
‡ For-profit hospitals are significantly less likely than Non-Profit hospitals to be in compliance with the voluntary (in 2003) HIPAA Security Rule.
- Deliverables: Preliminary analyses and findings presented at:
- American Sociological Association Annual Meeting, August 2010, Atlanta, GA.
- Institutionalizing HIPAA Compliance: Organizations and Competing Logics in U.S. Healthcare
Anthony Denise, Ajit Appari, and M. Eric Johnson
Journal of Health & Social Behavior, 55(1):108 – 124, 2014
- Findings: We find that organizational strategies and institutional environments influence hospital compliance, and further that institutional logics moderate the effect of some strategies, indicating the interplay of regulation, institutions, and organizations that contribute to the extensive variation that characterizes the U.S. health care system.
-
Materials Available for Other Investigators/interested parties
Published article available. -
Market entry strategies
N/A
Bibliography
Institutionalizing HIPAA Compliance: Organizations and Competing Logics in U.S. Healthcare
Anthony Denise, Ajit Appari, and M. Eric Johnson
Journal of Health & Social Behavior, 55(1):108 – 124, 2014
Policy Brief accompanying article:
Anthony Denise, Ajit Appari, and M. Eric Johnson
Journal of Health & Social Behavior, 55(1):107 – 124, 2014