
HIPAA: What Is It and How Do You Comply?

Course Authors

Anne Maltz, Esq.

Anne Maltz practices law with the distinguished New York law firm of Herrick, Feinstein LLP. Ms. Maltz reports no commercial conflict of interest.

Estimated course time: 1 hour(s).

Albert Einstein College of Medicine – Montefiore Medical Center designates this enduring material activity for a maximum of 1.0 AMA PRA Category 1 Credit(s)™. Physicians should claim only the credit commensurate with the extent of their participation in the activity.

In support of improving patient care, this activity has been planned and implemented by Albert Einstein College of Medicine-Montefiore Medical Center and InterMDnet. Albert Einstein College of Medicine – Montefiore Medical Center is jointly accredited by the Accreditation Council for Continuing Medical Education (ACCME), the Accreditation Council for Pharmacy Education (ACPE), and the American Nurses Credentialing Center (ANCC), to provide continuing education for the healthcare team.

Learning Objectives

Upon completion of this Cyberounds®, you should be able to:

  • Identify who has to comply with the HIPAA regulations

  • Identify what is being regulated by the new HIPAA regulations

  • Discuss the electronic transmission and security standards

  • Discuss the new patient rights and the elements of a compliance protocol


In 1996, the U.S. Congress passed the Health Insurance Portability and Accountability Act (the "Act").(1) Within the Act is a section called "Administrative Simplification." The goals of this section of the law, and the resulting regulations, are to improve the efficiency and effectiveness of the health care system. Moreover, the Act seeks to encourage development of health information systems by establishing standards and requirements to facilitate electronic transmission.

Administrative Simplification requires that the Health and Human Services Department ("HHS") create standards for all members of the health care community that dictate the format for the electronic transmission (computer sending) of medical information and the standards for the electronic security of such information. HHS was also empowered to create standards to maintain the privacy of individually identifiable health information (patient's records). The resulting regulations will require physicians to change or revise their billing software program and computer security protocols, as well as develop and institute a staff/office compliance protocol.

It is expected that the standards will be finalized over the course of this year. The time allotted to comply will depend on the size of your practice -- a very small practice has three years, while a larger practice has two. Compliance will be complicated and costly. Failure to comply will lead to large civil and criminal penalties. There really isn't a choice -- compliance is mandatory.

Who Has to Comply with the Regulations?

The proposed regulations encompass two basic components:

  1. electronic transfer of data and electronic security and
  2. privacy of individually identifiable medical information.

There are several concepts common to both components:

In general, the regulations are directed toward physicians, hospitals, pharmacies (service providers), billing companies and their business partners, who are electronically transmitting (sending via a computer or computer disc) medical information in the course of a "transaction." A transaction is defined as an exchange of information between two parties to carry out financial or administrative activities related to healthcare.

There are nine standard activities plus a "catch-all" that qualify as transactions: health claim, health claim attachments, enrollment/disenrollment in health plan, health plan eligibility, payment and remittance advice, premium payments, first report of injury, health claim status and referral certification authorization, plus any other transaction that the Secretary of HHS deems appropriate. What this means is that any medical or personal information provided by a patient to a doctor or his or her staff that is input into a computer and transmitted to another in order to obtain payment, enrollment information, payment status, etc., will be covered by these regulations.

Electronic Transfer of Data and Electronic Security

The electronic transfer of data and electronic security regulations are the first half of the compliance scheme. They were expected to be published in final form in June but as of August 7, 2000 have not been issued. Once these standards are adopted and finalized, they will be the required universal format for all the transactions discussed above. The benefit of implementation is that, ultimately, all computers will be talking in the same language. The downside, however, is that software will need to be altered to accommodate the change.

Standards are being set in five areas:

  1. Unique health identifier. In order to identify clearly each entity participating in a communication, each doctor, hospital, nursing home, etc., will have their own identifier on every communication.
  2. Code sets. Each data element of a transaction will have a specific set of required code sets. As a result, each type of transaction will have identical formatting.
  3. Electronic signature. This will be a standard method for authentication of the transaction.
  4. Electronic security of health information. These are the security standards within the computer system that protect the information before, during and after transmission. Such safeguards will have to protect health information from reasonably anticipated threats to security and from unauthorized use and disclosure of the information. A monitoring system to assure compliance will also be required.
  5. Transfer of information among health plans. Uniform standards for health plans to use will be established so that plans can easily communicate.

Privacy of Individually Identifiable Medical Information

Final privacy regulations, the second component of the compliance scheme, are expected to be published by the end of 2000. Essentially, these regulations will require that any medical information that is personally identifiable (contains name, social security number, etc.) and transmitted electronically (sent via computer or disc) in the course of a transaction is subject to new patient rights. The definition of transaction includes the nine plus transactions discussed above but is substantially expanded under these regulations to include 13 additional transactions, such as, for example, disclosure for public health activities, disclosure in emergency and disclosure for research.

What Are the New Patient Rights?

There are five:

  1. Patients will now have the right to written information about a physician's confidentiality policy.
  2. Patients will have the right to review their medical records.
  3. Patients will have the right to amend and correct their own medical records.
  4. Patients will have the right to an accounting of disclosures. While a doctor is no longer required to obtain a specific authorization for release of medical records in the case of treatment, payment or healthcare operations, a record of each release of information must be maintained. For example, a physician must record disclosures for health oversight activities, public health reporting activities, research, judicial and administrative proceedings and law enforcement purposes. This record must be released to the patient upon request.
  5. Patients may request that their doctor restrict the disclosure of their record.

There are certain circumstances in which information may not be released at all without a specific authorization from the patient. For example, no disclosure of personally identifiable information unrelated to a health care transaction in which the physician is to be paid is allowed -- a provider couldn't sell a patient list that includes identifiable information to a pharmaceutical company. If the provider did so without having received a specific authorization from the patient, the act would be punishable as a crime.

What's the Next Step?

How can you ready your office for compliance? The regulations require that the physician create and implement a compliance program. The program will need to be tailored to the size of the organization. A small doctor group of two or three doctors obviously has fewer resources than a large multi-specialty group and its burden will be less. What will be deemed sufficient will be a subject for interpretation.

There are four basic elements of a compliance program: a compliance officer, changes in office procedures, changes in interactions with patients, and contracts. First, designate a compliance officer. In a small office, the compliance officer may be the office manager or one of the physicians. In a hospital, it would be a person dedicated to that purpose. The responsibilities of the compliance officer include creation of the compliance program, handling complaints and grievances, monitoring compliance training programs and monitoring or conducting periodic updates and auditing.

The compliance officer's initial act will be to assess your office or organization. They should ask the following kinds of questions:

  • How does information flow throughout the organization?
  • Who has access to the charts?
  • Who has access to the file cabinets?
  • Are they locked up at night after everyone leaves, or are they left open?
  • How computerized is your office?
  • Why is a computer used and who has access to it?
  • Is access on a need-to-know basis or does everybody have access?
  • What protections are intrinsic to the computer program?

Once these questions are answered, development of a compliance program can begin. In developing the program, the next two steps, software development and security implementation, should be taken simultaneously. If you are using a clearinghouse or billing company, you will need to ask it some questions:

  • How does it intend to comply with HIPAA?
  • What assurances will it give?

If you do billing in-house, you will need to purchase or develop HIPAA-compliant software and train staff in its use so that the nine-plus covered transactions can be transmitted properly and your office can benefit from the improved ease of communication. You will need advice from your computer systems person, as well as legal advice regarding your system upgrade. You must make certain that the software purchased is compatible with your existing software, meets HIPAA requirements and that the software company is responsible for compliance.

While the regulations, currently, only pertain to electronic records, there is some discussion of expanding the regulations to cover paper records as well. Don't forget, once information is transmitted electronically, even if it is put in the file as a printout, it is still considered protected. In addition, state law often requires record security. You will need to make certain that computer files and your paper medical records are NOT accessible to anyone who does not have a need to know. The safeguards must be sufficient to protect the information from reasonably anticipated threats to security.

Next, the office will have to create, or have created for it, the privacy compliance protocols that embody the patient's rights and guide how staff collect and release patient information. Two examples of the types of protocols that will be needed under the regulations are: the physician's policy on protection of and access to information, and a protocol for permitting patients to review and copy their records in a timely manner.

Finally, all contracts with business partners, in which medical information is being transmitted electronically, will have to be revised to include HIPAA compliance assurances.

HIPAA Is Federal Law, What about State Law?

The Administrative Simplification Rules provide for "floor preemption," which means that, in the absence of state law, the federal law will be controlling, but if there is a state law that is more protective of the person's individual information, then the state law applies. The states will be left to meet with HHS to resolve preemption conflicts. In the meantime, doctors, other providers and their counsel are going to be left on their own to decide when state law is more protective and how to apply it.

What Happens If You Ignore HIPAA?

There are very significant civil and criminal penalties for failure to comply with the regulations. Pre-penalty, there is a complaint investigation and hearing process managed by HHS. The physician and his attorney may attend and participate in the process. Civil penalties will be incurred for violations that do not rise to the level of an intentional disregard of the regulations -- for example, incomplete compliance manuals or failure to complete the transaction codes. Each violation is set at a maximum of $100.00. It is unlikely that any violation would occur in isolation because computers do things repetitively. It is easy to imagine how a provider's practice could reach the maximum of $25,000 per violation in a year, as well as have more than one violation. The fines could quickly mount to over $100,000.

Criminal penalties will be levied where there is a wrongful and knowing disclosure of information. This could occur where no compliance manual was put in place, no training occurred, staff intentionally gossiped about a patient or if information was sold without a patient's specific written authorization. Penalties vary with the severity of the crime. The maximum punishment is $250,000 or imprisonment of up to 10 years or both.

Summary

The HIPAA rules are complicated, time consuming and expensive to implement. The electronic transmission and security rules will ultimately result in cost and time savings because they will enhance the ability of the providers to communicate, undoubtedly improving claims payment. The privacy regulations will protect patient information in its electronic form for the first time. This is positive because, on some level, we are all patients, deserving of privacy but, at the same time, the rules will be costly and difficult to implement.


Footnotes

1. Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-91 (codified in scattered sections of 42 U.S.C. and 18 U.S.C.).