Findings of the 2014 HIPAA Survey

January 14, 2015

In 2014 NueMD, a medical practice management software company, surveyed over 1,100 medical practices and medical billing companies across the United States. NueMD conducted their survey in partnership with a research company and a law firm.

The intent of the survey was to determine the medical industry’s current standing with regard to HIPAA compliance. The results will serve to educate on the requirements and common misconceptions of HIPAA compliance. These responses can help medical practices and billing companies prepare for upcoming audits by the OCR (Office for Civil Rights). These audits were originally scheduled to start in October of 2014 but have been delayed to start in 2015. With these audits looming, the medical industry is under pressure to prepare for them immediately. Audit failures flagged by HHS (Department of Health and Human Services) can cripple a medical organization, since it could incur significant fines and irreparable damage to its reputation.

The survey

The survey looked at different types of medical practices and medical billing companies. NueMD received 1,197 responses. Of these respondents, 87% were from medical practices and 13% were from medical billing companies. Respondents were categorized by practice ownership and size. The respondents’ roles were also documented: patient care, office manager, IT specialist, etc.

The survey looked at the respondents’ knowledge of HIPAA regulations. With the Omnibus updates, HIPAA regulations on security violations concerning PHI (protected health information) have become stricter, and the fines for noncompliance have increased. The survey gauged how aware the respondents were of these changes. Additionally, the survey looked at how aware the respondents were of the upcoming inspections by OCR and what they will cover.

The findings

The survey found that only 36% of the practices were aware of recent changes in HIPAA regulations via the Omnibus updates. In particular, practices were weak on understanding that patients now have more options when requesting their medical records, including the right to request them in electronic form.

The survey discovered that only 32% of respondents were aware that inspections and audits of HIPAA compliance by OCR were starting in 2015. The survey noted, however, that this lack of knowledge is partially because of HHS’s lack of consistent communication and clarity regarding these upcoming audits.

As far as being in compliance with HIPAA training, the respondents exhibited more knowledge. 62% of respondents indicated that they had a HIPAA training program in place for staff. However, only 65% were able to provide the proper documentation indicating that the training had actually happened. Only 56% had a Security Officer and only 55% had a Privacy Officer. Unfortunately, that meant almost half of those surveyed could fail an audit. A major requirement of HIPAA regulations is for an organization to have both a designated Security Officer and a Privacy Officer.


In response to potential breaches, only 45% of those surveyed had a formal breach notification policy. Only 33% of respondents stated their practice had performed a risk analysis. 14% of owners, managers, and administrators weren’t sure if their practice conducted an analysis, while 43% of office staff and non-owner care providers weren’t sure. A risk analysis is required annually for medical organizations because HIPAA policies are updated annually.

In terms of compliance with the usage of mobile electronic devices, there was a lot of confusion among respondents. While the majority of practices reported using mobile devices to conduct business and also to store and transmit medical records, there was inconsistent knowledge of how widespread this was and whether HIPAA-mandated procedures were being followed.

To conclude the survey, respondents were all asked, “How confident are you that someone at your business is actively ensuring your business’s compliance with HIPAA?”

Only 38% of the respondents said that they were “very confident” that someone is actively ensuring compliance with HIPAA regulations. 44% were somewhat confident, while 19% were not confident. This is a troubling conclusion, since OCR audits will start in 2015. However, the survey does a good job of indicating to respondents the common misconceptions of HIPAA compliance. The authors also noted that the Department has already delayed its audits, and that this could happen again. At the same time, however, the time for medical practices and billing companies to get ready is now.


View the Survey Results at