By Linda Nadeau (Consultant – Practice Management Analyst)
Disclaimer: The information contained here is intended for informational purposes only and should not be construed as legal advice or a substitution for obtaining legal advice from an attorney licensed in your state.
HIPAA — It’s A Law… Are You Ready?
HIPAA was created from the simple concept of protecting patient Privacy and to preserve patient rights in their selection of healthcare, and has concluded with complex legislation and legal jargon difficult to interpret. After years of regulatory turmoil, there are only a few weeks remaining until the April 14, 2003 HIPAA Privacy Compliance Deadline becomes effective. HIPAA is a law, and you must be compliant.
Many providers have procrastinated because of the difficulty in understanding what the requirements of HIPAA are, or because they believe that HIPAA does not pertain to them, since patient Privacy has always been addressed in their practice. However, all providers must institute changes to meet the letter of the new Privacy law. Providers must have documented policies and practices clearly stating patient Privacy and protected health information security requirements, even if you are a solo practitioner with no employees. Patients must receive your policies regarding consent, authorization, disclosure and rights.
No, there will not be a HIPAA Mod Squad storming your clinic on April 14th; however, enforcement will be complaint driven, with other healthcare providers, payers, business associates and patients reporting to the Department of Health and Human Services and the Centers for Medicare and Medicaid Services. Patients and business associates will notice if your processes and services differ from those of other providers, and you will be reported. There is no escaping HIPAA; it does apply to you.
If you are in HIPAA violation, you will face civil and/or criminal prosecution resulting in excessive monetary penalties and possible imprisonment. Notwithstanding, Privacy advocates are eager to expose delinquent providers with negative publicity that would quickly threaten your reputation, your livelihood, undermine public confidence with your profession, and alter your acceptance in the healthcare marketplace.
HOW TO GET STARTED
Designate a Privacy Officer, and a Security Officer
One person may be designated for both functions. This individual must have authority for decision-making. The quickest, most effective way to achieve Privacy rule compliance at this late date may be to assume that you meet none of the regulatory standards and go from there.
Determine Data Flow
Be aware of how data flows from your system to third parties (business associates), such as your clearinghouse and payers. Use a clearinghouse that is HIPAA compliant and uses transaction software that is X12 compliant. Ask the clearinghouse if they will be able to transmit the transactions in HIPAA standard format on your behalf; if not, ask what you need to do to obtain the transmission capabilities required. Ask similar questions of your billing system vendor. Verify that your identifiers and codes (ICD-9-CM and CPT-4) are current with vendors and payers. If the vendor has developed a HIPAA-compliant release, update your system if you have not already done so.
The only way long-term compliance with the accounting of disclosures provisions will be possible is if every disclosure of protected health information is recorded from day one. Cover known security vulnerabilities by installing the measures needed to protect data confidentiality, e.g., firewalls, passwords, logon/logoff procedures, and workforce training in Privacy and security awareness.
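To show what "recording every disclosure from day one" looks like in practice, here is an added example (mine, not part of the article and not the author's DRS ADMIN materials) of a small disclosure-accounting ledger. It pairs the article's two points: a release of protected health information is first checked against the consent/authorization rule (routine treatment, payment and operations purposes need the patient's consent; anything else needs a specific authorization), and only a permitted release is appended to a ledger that is never edited or pruned, so the history a patient may later request can be produced for any period. The purpose labels, field names, recipients and dates are constructed for illustration.

```python
"""Disclosure accounting ledger: added example, not from the article.

All purpose labels, field names and sample records below are constructed
assumptions for illustration, not values taken from HIPAA or the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import List

# Routine purposes that the article says require patient consent
# (treatment, payment, health care operations). Any other purpose,
# e.g. a lender or a mailing-list buyer, needs a specific authorization.
ROUTINE_PURPOSES = {"treatment", "payment", "operations"}


def disclosure_permitted(purpose: str, has_consent: bool, has_authorization: bool) -> bool:
    """Policy gate evaluated before any protected health information leaves the practice."""
    if purpose in ROUTINE_PURPOSES:
        return has_consent
    return has_authorization


@dataclass(frozen=True)  # frozen: an entry cannot be altered after it is recorded
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str
    description: str  # what was disclosed, e.g. "visit notes for 2003-04-15"
    purpose: str


class DisclosureLedger:
    """Append-only record of disclosures; entries are never edited or removed."""

    def __init__(self) -> None:
        self._entries: List[Disclosure] = []

    def record(self, d: Disclosure) -> None:
        # Every entry must say who got what, for which patient, and why.
        if not all([d.patient_id, d.recipient, d.description, d.purpose]):
            raise ValueError("disclosure needs patient, recipient, description and purpose")
        self._entries.append(d)

    def accounting_for(self, patient_id: str, since: date, until: date) -> List[Disclosure]:
        """History of disclosures for one patient over a period, oldest first."""
        return sorted(
            (e for e in self._entries
             if e.patient_id == patient_id and since <= e.disclosed_on <= until),
            key=lambda e: e.disclosed_on,
        )

    def __len__(self) -> int:
        return len(self._entries)


def release_phi(ledger: DisclosureLedger, d: Disclosure,
                has_consent: bool, has_authorization: bool) -> bool:
    """Check the policy gate; record the disclosure only if the release is permitted."""
    if not disclosure_permitted(d.purpose, has_consent, has_authorization):
        return False
    ledger.record(d)
    return True


def build_sample_ledger() -> DisclosureLedger:
    """Constructed sample activity: three permitted releases and one refused one."""
    ledger = DisclosureLedger()
    release_phi(ledger, Disclosure("P-001", date(2003, 4, 15), "Sample Health Plan (constructed)",
                                   "claim for 2003-04-15 visit", "payment"),
                has_consent=True, has_authorization=False)
    release_phi(ledger, Disclosure("P-002", date(2003, 5, 1), "Referral specialist (constructed)",
                                   "full treatment record", "treatment"),
                has_consent=True, has_authorization=False)
    release_phi(ledger, Disclosure("P-001", date(2003, 6, 20), "Sample Bank (constructed)",
                                   "treatment summary", "loan application"),
                has_consent=True, has_authorization=True)
    # Mailing-list request with no specific authorization: refused, so not recorded.
    release_phi(ledger, Disclosure("P-001", date(2003, 7, 1), "List broker (constructed)",
                                   "name and address", "marketing"),
                has_consent=True, has_authorization=False)
    return ledger


if __name__ == "__main__":
    sample = build_sample_ledger()
    for entry in sample.accounting_for("P-001", date(2003, 4, 14), date(2004, 4, 13)):
        print(entry.disclosed_on, entry.recipient, entry.description, entry.purpose)
```

The point of keeping the gate and the ledger together is that a refused release never produces a ledger entry, while every permitted one does, so the accounting a patient receives is complete for the period without any later reconstruction.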
Document Policies and Procedures
HIPAA REGULATIONS SIMPLIFIED
All health care providers will have at all times, appropriate administrative, technical, and physical safeguards to protect the Privacy of protected health information and comply with The Health Insurance Portability & Accountability Act of 1996, which includes Administrative Simplification, requiring:
- Improved efficiency in healthcare delivery by standardizing electronic data interchange, and
- Protection of confidentiality and security of health data through setting and enforcing standards
- Standardization of electronic patient health, administrative and financial data
- Unique health identifiers for individuals, employers, health plans and health care providers
- Security standards protecting the confidentiality and integrity of “individually identifiable health information,” past, present or future.
All healthcare organizations must comply with HIPAA regulations, including healthcare providers, even a 1-physician office; health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities.
Effective compliance requires all health care providers to implement the following steps prior to April 14, 2003; and maintain all policies, procedures and process for the duration of the practice existence, with periodic review and monitoring of:
- Staff awareness of HIPAA.
- Comprehensive assessing and ongoing monitoring of information security systems, technical, and management infrastructure policies and procedures.
- Developing an ongoing action plan to monitor HIPAA compliance methodologies.
- Implementing a comprehensive action plan, including documented policies, processes, and procedures.
- Building “chain of trust” agreements with service organizations.
- Redesigning a compliant technical information infrastructure.
- Purchasing new, or adapting, information systems.
- Developing new internal communications.
- Training and enforcement.
All health care providers will comply with the four parts of Administrative Simplification including:
Electronic Health Transactions Standards
- Electronic Health Transactions includes health claims, health plan eligibility, enrollment and disenrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions.
- All health care providers will comply with the national standard format, thereby “simplifying” and improving transaction efficiency nationwide. The proposed rule requires use of specific electronic formats developed by ANSI, the American National Standards Institute, for most transactions except claims attachments and first reports of injury. (Proposed regulations for these exceptions are not yet out as of 01/18/03.)
- All health plans must adapt to the national standards, even if a transaction is on paper, phone, or fax.
- Providers using non-electronic transactions are not required to adopt the standards; although if they don’t, they will have to contract with a clearinghouse to provide translation services.
- All health care providers must adopt Standard Code Sets to be used in all health transactions (ICD-9-CM, CMS Common Procedure Coding System (HCPCS), AMA Current Procedural Terminology (CPT-4), American Dental Codes, and National Drug Codes (NDC) J Codes). For example, coding systems that describe diseases, injuries, and other health problems, as well as their causes, symptoms and actions taken, must become uniform. All parties to any transaction will have to use and accept the same coding.
Security & Electronic Signature Standards
- All health care providers will provide a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
- Electronic signatures, if used, will meet a standard ensuring message integrity, user authentication, and non-repudiation. No transactions adopted under HIPAA currently require an electronic signature, as of 12/05/02.
- The security standard mandates safeguards for physical storage and maintenance, transmission, and access to individual health information. It applies not only to the transactions adopted under HIPAA, but to all individual health information that is maintained or transmitted. However, the Electronic Signature standard applies only to the transactions adopted under HIPAA.
- As of 01/18/03, the security standard does not require specific technologies to be used; solutions will vary from business to business, depending on the needs and technologies in place.
Privacy & Confidentiality Standards
In general, Privacy is about who has the right to access personally identifiable health information. The HIPAA rule covers all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. The current Privacy standards include:
- Limit the non-consensual use and release of private health information;
- Give patients new rights to access their medical/treatment records and to know who else has accessed them;
- Restrict most disclosure of health information to the minimum needed for the intended purpose;
- Establish new criminal and civil sanctions for improper use or disclosure;
- Establish new requirements for access to records by researchers and others.
HIPAA regulations enforce five basic principles, more strictly defined as:
- Consumer Control: The regulation provides consumers with critical new rights to control the release of their medical/treatment information.
- Boundaries: With few exceptions, an individual’s health care information should be used for health purposes only, including treatment and payment. Under HIPAA, for the first time, there will be specific federal penalties if a patient’s right to Privacy is violated.
- Public Responsibility: The new standards reflect the need to balance Privacy protections with the public responsibility to support such national priorities as protecting public health, conducting medical research, improving the quality of care, and fighting health care fraud and abuse.
- Security: It is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure.
- Review: Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. For many years, the confidentiality of those records was maintained by our family doctors, who kept our records sealed away in file cabinets and refused to reveal them to anyone else. Today, the use and disclosure of this information is protected by a patchwork of state laws, leaving large gaps in the protection of patients’ Privacy and confidentiality. There is a pressing need for national standards to control the flow of sensitive patient information and to establish real penalties for the misuse or disclosure of this information.
As required by HIPAA, the final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., electronic billing and funds transfers) electronically.
All medical/treatment records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, is covered by the final regulation.
Consumer Control over Health Information
Under this final rule, patients have significant new rights to understand and control how their health information is used.
- Patient education on Privacy protections. Providers and health plans are required to give patients a clear written explanation of how they can use, keep, and disclose their health information.
- Ensuring patient access to their medical/treatment records. Patients must be able to see and get copies of their records, and request amendments. In addition, a history of most disclosures must be made accessible to patients.
- Receiving patient consent before information is released. Patient authorization to disclose information must meet specific requirements. Health care providers who see patients are required to obtain patient consent before sharing their information for treatment, payment, and health care operations purposes. In addition, specific patient consent must be sought and granted for non-routine uses and most non-health care purposes, such as releasing information to financial institutions determining mortgages and other loans or selling mailing lists to interested parties such as life insurers.
- Patients have the right to request restrictions on the uses and disclosures of their information.
- Ensuring that consent is not coerced. Providers and health plans generally cannot condition treatment on a patient’s agreement to disclose health information for non-routine uses.
- Providing recourse if Privacy protections are violated. People have the right to complain to a covered provider or health plan, or to the Secretary, about violations of the provisions of this rule or the policies and procedures of the covered entity.
Boundaries on Medical/Treatment Record Use and Release
With few exceptions, an individual’s health information can be used for health purposes only.
- Ensuring that health information is not used for non-health purposes. Patient information can be used or disclosed by a health plan, provider or clearinghouse only for purposes of health care treatment, payment and operations. Health information cannot be used for purposes not related to health care – such as use by employers to make personnel decisions, or use by financial institutions – without explicit authorization from the individual.
- Providing the minimum amount of information necessary. Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure. However, this provision does not apply to the transfer of medical/treatment records for purposes of treatment, since physicians, specialists, and other providers need access to the full record to provide best quality care.
- Ensuring informed and voluntary consent. Non-routine disclosures with patient authorization must meet standards that ensure the authorization is truly informed and voluntary.
Ensure the Security of Personal Health Information
The regulation establishes the Privacy safeguard standards that covered entities must meet, but it leaves detailed policies and procedures for meeting these standards to the discretion of each covered entity. In this way, implementation of the standards will be flexible and scalable, to account for the nature of each entity’s business, and its size and resources. Covered entities must:
- Adopt written Privacy procedures: These must include who has access to protected information, how it will be used within the entity, and when the information would or would not be disclosed to others. They must also take steps to ensure that their business associates protect the Privacy of health information. Train employees and designate a Privacy officer. Covered entities must provide sufficient training so that their employees understand the new Privacy protection procedures, and designate an individual to be responsible for ensuring the procedures are followed.
- Establish grievance processes: Covered entities must provide a means for patients to make inquiries or complaints regarding the Privacy of their records.
Establish Accountability for Medical/Treatment Records Use and Release
Penalties for covered entities that misuse personal health information are provided in HIPAA.
- Civil penalties: Health plans, providers and clearinghouses that violate these standards would be subject to civil liability. Civil money penalties are $100 per incident, up to $25,000 per person, per year, per standard.
- Federal criminal penalties: There are federal criminal penalties for health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under “false pretenses”; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or malicious harm.
Balancing Public Responsibility with Privacy Protections
After balancing Privacy and other social values, HHS is establishing rules that would permit certain existing disclosures of health information without individual authorization for the following national priority activities and for activities that allow the health care system to operate more smoothly. All of these disclosures have been permitted under existing laws and regulations. Within certain guidelines found in the regulation, covered entities may disclose information for:
- Oversight of the health care system, including quality assurance activities
- Public health
- Research, generally limited to when a waiver of authorization is independently approved by a Privacy board or Institutional Review Board
- Judicial and administrative proceedings
- Limited law enforcement activities
- Emergency circumstances
- For identification of the body of a deceased person, or the cause of death
- For facility patient directories
- For activities related to national defense and security
The rule permits, but does not require these types of disclosures. If there is no other law requiring that information be disclosed, providers and hospitals will still have to make judgments about whether to disclose information, in light of their own policies and ethical principles.
Audit your practice every 90 days to ensure compliance is maintained.
Linda Nadeau became a CA in 1982, and has been a consultant and practice management analyst for both the chiropractic and medical industries since 1993. Linda is the author of DRS ADMIN, a HIPAA Compliant Operations Manual, templates of policies and forms designed for chiropractors to maintain HIPAA Compliance while assuming an effective leadership role in the administration of their practice. This work is a collaboration of 22 years of experience in the health care industry; which encompasses the private and public sectors, teaching facilities and political sub-divisions of state institutions.