HIPAA began with the simple concept of protecting patient privacy and preserving patients' rights in their choice of healthcare, and it has ended in complex legislation and legal jargon that is difficult to interpret. After years of regulatory turmoil, only a few weeks remain until the April 14, 2003 HIPAA Privacy Compliance Deadline takes effect. HIPAA is a law, and you must be compliant.
Many providers have procrastinated because of the difficulty in understanding what HIPAA requires, or because they believe HIPAA does not pertain to them since patient privacy has always been addressed in their practice. However, all providers must institute changes to meet the letter of the new privacy law. Providers must have documented policies and practices clearly stating how patient privacy and protected health information are secured, even if you are a solo practitioner with no employees. Patients must receive your policies regarding consent, authorization, disclosure and rights.
No, there will not be a HIPAA Mod Squad storming your clinic on April 14th. However, enforcement will be complaint-driven: other healthcare providers, payers, business associates and patients will report violations to the Department of Health and Human Services and the Centers for Medicare and Medicaid Services. Patients and business associates will notice if your processes and services differ from those of other providers, and you will be reported. There is no escaping HIPAA; it does apply to you.
If you are in violation of HIPAA, you will face civil and/or criminal prosecution resulting in severe monetary penalties and possible imprisonment. In addition, privacy advocates are eager to expose delinquent providers with negative publicity that would quickly threaten your reputation and your livelihood, undermine public confidence in your profession, and alter your standing in the healthcare marketplace.
HOW TO GET STARTED
Designate a Privacy Officer and a Security Officer. One person may be designated for both functions. This individual must have decision-making authority. The quickest, most effective way to achieve privacy rule compliance at this late date may be to assume that you meet none of the regulatory standards and go from there.
Determine Data Flow. Be aware of how data flows from your system to third parties (business associates), such as your clearinghouse and payers. Use a clearinghouse that is HIPAA compliant and uses transaction software that is X12 compliant. Ask the clearinghouse whether it will be able to transmit the transactions in HIPAA standard format on your behalf; if not, ask what you need to do to obtain the transmission capabilities required. Ask similar questions of your billing system vendor. Verify that your identifiers and code sets (ICD-9 CM and CPT-4) are current with vendors and payers. If the vendor has developed a HIPAA-compliant release, update your system if you have not already done so.
Establish Disclosure Tracking. Long-term compliance with the accounting-of-disclosures provisions is possible only if every disclosure of protected health information is recorded from day one. Cover known security vulnerabilities by installing the needed measures to protect data confidentiality, e.g., firewalls, passwords, logon/logoff procedures, and workforce training in privacy and security awareness.
Document Policies and Procedures. All requirements must be met by the compliance deadline, and the way to verify that they are met is written documentation of the processes behind your HIPAA policies and practices. Some provisions affect patient confidentiality more immediately than others, and the absence of some may also create greater legal risks for covered entities. Implement first the policies and practices that are visible to the patient (such as the Notice of Privacy Practices, Patient Rights, Policies on Treatment Records, Record Amendments and Restriction of Access, Accounting of Disclosures, and Staff Conduct and Standards). Consider jump-starting the policy process by investing in a high-quality set of privacy policy templates that can be tailored to your practice. Researching and developing a comprehensive set of original HIPAA policies and an operations manual can take a year or more and cost several thousand dollars; customizing an authoritative set of templates can be accomplished in less than a month. Once you have everything in place, you will need to audit your practice every 90 days to ensure compliance is maintained. Think you're ready now but don't have a HIPAA assessment form developed? Email providersolutions@earthlink.net and request a HIPAA Internal Audit Form.
HIPAA REGULATIONS SIMPLIFIED
All health care providers will have, at all times, appropriate administrative,
technical, and physical safeguards to protect the privacy of protected health
information and will comply with The Health Insurance Portability & Accountability
Act of 1996, which includes Administrative Simplification, requiring:
• Improved efficiency in healthcare delivery by standardizing electronic
data interchange;
• Protection of the confidentiality and security of health data through
setting and enforcing standards;
• Standardization of electronic patient health, administrative and financial
data;
• Unique health identifiers for individuals, employers, health plans
and health care providers; and
• Security standards protecting the confidentiality and integrity of
"individually identifiable health information," past, present or
future.
All health care providers will comply with HIPAA regulations, as will all healthcare organizations, including healthcare providers (even a one-physician office), health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities.
Effective compliance requires all health care providers to implement the
following steps prior to April 14, 2003, and to maintain all policies, procedures
and processes for the life of the practice, with periodic review
and monitoring:
• Building staff awareness of HIPAA.
• Comprehensively assessing and continually monitoring information security
systems and technical and management infrastructure policies and procedures.
• Developing an ongoing action plan to monitor methods of HIPAA compliance.
• Implementing a comprehensive action plan, including documented policies,
processes, and procedures.
• Building "chain of trust" agreements with service organizations.
• Redesigning a compliant technical information infrastructure.
• Purchasing new, or adapting existing, information systems.
• Developing new internal communications.
• Training and enforcement.
All health care providers will comply with the four parts of Administrative
Simplification including:
Electronic Health Transactions Standards
• Electronic Health Transactions include health claims, health plan
eligibility, enrollment and disenrollment, payments for care and health plan
premiums, claim status, first injury reports, coordination of benefits, and
related transactions.
• All health care providers will comply with the national standard format,
thereby "simplifying" and improving transaction efficiency nationwide.
The proposed rule requires use of specific electronic formats developed by
ANSI, the American National Standards Institute, for most transactions except
claims attachments and first reports of injury. (Proposed regulations for
these exceptions were not yet out as of 01/18/03.)
• All health plans must adapt to the national standards, even if a transaction
is on paper, phone, or fax.
• Providers using non-electronic transactions are not required to adopt
the standards; although if they don't, they will have to contract with a clearinghouse
to provide translation services.
Unique Identifiers
• All health care providers must adopt Standard Code Sets to be used
in all health transactions (ICD-9 CM, the CMS Common Procedure Coding System (HCPCS),
AMA Current Procedural Terminology (CPT-4), American Dental Codes, and National
Drug Codes (NDC) J Codes). For example, coding systems that describe diseases,
injuries, and other health problems, as well as their causes, symptoms and
the actions taken, must become uniform. All parties to any transaction will have
to use and accept the same coding.
Security & Electronic Signature Standards
• All health care providers will provide a uniform level of protection
of all health information that is housed or transmitted electronically and
that pertains to an individual.
• Electronic signatures, if used, will meet a standard ensuring message
integrity, user authentication, and non-repudiation. No transactions adopted
under HIPAA currently require an electronic signature, as of 12/05/02.
• The security standard mandates safeguards for physical storage and
maintenance, transmission, and access to individual health information. It
applies not only to the transactions adopted under HIPAA, but to all individual
health information that is maintained or transmitted. However, the Electronic
Signature standard applies only to the transactions adopted under HIPAA.
• As of 01/18/03, the security standard does not require specific technologies
to be used; solutions will vary from business to business, depending on the
needs and technologies in place.
Privacy & Confidentiality Standards
In general, privacy is about who has the right to access personally identifiable
health information. The HIPAA rule covers all individually identifiable health
information in the hands of covered entities, regardless of whether the information
is or has been in electronic form. The current privacy standards do the following:
• Limit the non-consensual use and release of private health information;
• Give patients new rights to access their medical/treatment records
and to know who else has accessed them;
• Restrict most disclosure of health information to the minimum needed
for the intended purpose;
• Establish new criminal and civil sanctions for improper use or disclosure;
• Establish new requirements for access to records by researchers and
others.
HIPAA regulations enforce five basic principles, defined as:
• Consumer Control: The regulation provides consumers with critical
new rights to control the release of their medical/treatment information.
• Boundaries: With few exceptions, an individual's health care information
should be used for health purposes only, including treatment and payment.
Under HIPAA, for the first time, there will be specific federal penalties
if a patient's right to privacy is violated.
• Public Responsibility: The new standards reflect the need to balance
privacy protections with the public responsibility to support such national
priorities as protecting public health, conducting medical research, improving
the quality of care, and fighting health care fraud and abuse.
• Security: It is the responsibility of organizations that are entrusted
with health information to protect it against deliberate or inadvertent misuse
or disclosure.
• Review: Each time a patient sees a doctor, is admitted to a hospital,
goes to a pharmacist or sends a claim to a health plan, a record is made of
their confidential health information. For many years, the confidentiality
of those records was maintained by our family doctors, who kept our records
sealed away in file cabinets and refused to reveal them to anyone else. Today,
the use and disclosure of this information is protected by a patchwork of
state laws, leaving large gaps in the protection of patients' privacy and
confidentiality. There is a pressing need for national standards to control
the flow of sensitive patient information and to establish real penalties
for the misuse or disclosure of this information.
Covered Entities
As required by HIPAA, the final regulation covers health plans, health care
clearinghouses, and those health care providers who conduct certain financial
and administrative transactions (e.g., electronic billing and funds transfers)
electronically.
Information Protected
All medical/treatment records and other individually identifiable health information
held or disclosed by a covered entity in any form, whether communicated electronically,
on paper, or orally, is covered by the final regulation.
Consumer Control over Health Information
Under this final rule, patients have significant new rights to understand
and control how their health information is used.
• Patient education on privacy protections. Providers and health plans
are required to give patients a clear written explanation of how they can
use, keep, and disclose their health information.
• Ensuring patient access to their medical/treatment records. Patients
must be able to see and get copies of their records, and request amendments.
In addition, a history of most disclosures must be made accessible to patients.
• Receiving patient consent before information is released. Patient
authorization to disclose information must meet specific requirements. Health
care providers who see patients are required to obtain patient consent before
sharing their information for treatment, payment, and health care operations
purposes. In addition, specific patient consent must be sought and granted
for non-routine uses and most non-health care purposes, such as releasing
information to financial institutions determining mortgages and other loans
or selling mailing lists to interested parties such as life insurers. Patients
have the right to request restrictions on the uses and disclosures of their
information.
• Ensuring that consent is not coerced. Providers and health plans generally
cannot condition treatment on a patient's agreement to disclose health information
for non-routine uses.
• Providing recourse if privacy protections are violated. People have
the right to complain to a covered provider or health plan, or to the Secretary,
about violations of the provisions of this rule or the policies and procedures
of the covered entity.
Boundaries on Medical/Treatment Record Use and Release
With few exceptions, an individual's health information can be used for health
purposes only.
• Ensuring that health information is not used for non-health purposes.
Patient information can be used or disclosed by a health plan, provider or
clearinghouse only for purposes of health care treatment, payment and operations.
Health information cannot be used for purposes not related to health care,
such as use by employers to make personnel decisions or use by financial
institutions, without explicit authorization from the individual.
• Providing the minimum amount of information necessary. Disclosures
of information must be limited to the minimum necessary for the purpose of
the disclosure. However, this provision does not apply to the transfer of
medical/treatment records for purposes of treatment, since physicians, specialists,
and other providers need access to the full record to provide best quality
care.
• Ensuring informed and voluntary consent. Non-routine disclosures with
patient authorization must meet standards that ensure the authorization is
truly informed and voluntary.
Ensure the Security of Personal Health Information
The regulation establishes the privacy safeguard standards that covered entities
must meet, but it leaves detailed policies and procedures for meeting these
standards to the discretion of each covered entity. In this way, implementation
of the standards will be flexible and scalable, to account for the nature
of each entity's business, and its size and resources. Covered entities must:
• Adopt written privacy procedures: These must include who has access
to protected information, how it will be used within the entity, and when
the information would or would not be disclosed to others. They must also
take steps to ensure that their business associates protect the privacy of
health information.
• Train employees and designate a privacy officer: Covered
entities must provide sufficient training so that their employees understand
the new privacy protection procedures, and designate an individual to be responsible
for ensuring the procedures are followed.
• Establish grievance processes: Covered entities must provide a means
for patients to make inquiries or complaints regarding the privacy of their
records.
Establish Accountability for Medical/Treatment Records Use and Release
Penalties for covered entities that misuse personal health information are
provided in HIPAA.
• Civil penalties: Health plans, providers and clearinghouses that violate
these standards would be subject to civil liability. Civil money penalties
are $100 per incident, up to $25,000 per person, per year, per standard.
• Federal criminal penalties: There are federal criminal penalties for
health plans, providers and clearinghouses that knowingly and improperly disclose
information or obtain information under false pretenses. Penalties would be
higher for actions designed to generate monetary gain. Criminal penalties
are up to $50,000 and one year in prison for obtaining or disclosing protected
health information; up to $100,000 and up to five years in prison for obtaining
protected health information under "false pretenses"; and up to
$250,000 and up to 10 years in prison for obtaining or disclosing protected
health information with the intent to sell, transfer or use it for commercial
advantage, personal gain or malicious harm.
Balancing Public Responsibility with Privacy Protections
After balancing privacy and other social values, DHHS is establishing rules
that would permit certain existing disclosures of health information without
individual authorization for the following national priority activities and
for activities that allow the health care system to operate more smoothly.
All of these disclosures have been permitted under existing laws and regulations.
Within certain guidelines found in the regulation, covered entities may disclose
information for:
• Oversight of the health care system, including quality assurance activities
• Public health
• Research, generally limited to when a waiver of authorization is independently
approved by a privacy board or Institutional Review Board
• Judicial and administrative proceedings
• Limited law enforcement activities
• Emergency circumstances
• For identification of the body of a deceased person, or the cause
of death
• For facility patient directories
• For activities related to national defense and security
The rule permits, but does not require these types of disclosures. If there is no other law requiring that information be disclosed, providers and hospitals will still have to make judgments about whether to disclose information, in light of their own policies and ethical principles.
Audit your practice every 90 days to ensure compliance is maintained. Email providersolutions@earthlink.net and request a HIPAA Internal Audit Form.
Linda Nadeau became a CA in 1982, and has been a consultant and practice
management analyst for both the chiropractic and medical industries since
1993. Linda is the author of DRS ADMIN, a HIPAA Compliant Operations Manual,
templates of policies and forms designed for chiropractors to maintain HIPAA
Compliance while assuming an effective leadership role in the administration
of their practice. This work is a collaboration of 22 years of experience
in the health care industry; which encompasses the private and public sectors,
teaching facilities and political sub-divisions of state institutions. For
more information, contact Linda Nadeau at providersolutions@earthlink.net
or www.majors.com, keywords HIPAA DRS ADMIN.