HIPAA Compliance and Health Privacy
What You Need to Know About HIPAA Compliance!
By Jim Cavagnaro
HIPAA - the Health Insurance Portability and Accountability Act - is a federal law developed, in part, to define and regulate the use of healthcare information in the United States. Entities that provide, pay for or supply health services, medications or equipment, as well as their business partners and vendors, are affected by this new set of regulations. This article summarizes the work that needs to be done to meet requirements necessary to become HIPAA compliant.
The Act defines and regulates
- how health information is identified and used, including standard transaction forms and code sets for communicating between providers and payers,
- what information, known as Protected Health Information (PHI), is to be considered private and how it must be handled, and
- security policies and procedures for protecting PHI.
These regulations all fall under Title II of HIPAA and are collectively known as the Administrative Simplification Compliance Act (ASCA). As the name implies, all entities covered by ASCA must be in compliance by the deadlines set forth in the regulations. These deadlines are:
- Standardized Transactions and Code Sets -- October 16, 2002
- Privacy -- April 14, 2003
- Security -- deadline has not yet been set.
Note, however, that the Department of Health and Human Services will allow covered entities to apply for a one-year extension to the Transactions and Code Sets deadline if they submit a Model Compliance Plan form that includes a schedule showing how they intend to become compliant during the extension period. This application must be received no later than October 15, 2002. In addition, certain small health plans have an additional year to comply with all the deadlines. Much more detail on HIPAA and the ASCA can be found at the Centers for Medicare and Medicaid Services web site, which also contains links to further resources.
How does the ASCA affect my practice or institution?
Directly or indirectly, you will be affected if you provide health services or support health services providers. Covered entities that choose to transmit identifiable patient-related information electronically are required to implement these standards. In practice, this means any provider who sends bills directly to third-party payers, since ASCA requires that those bills be sent electronically with a small number of exceptions. Additionally, an entity falls under HIPAA if it is a health plan, clearinghouse, third-party insurer, employer maintaining health records, rehabilitation center, blood, sperm or organ tissue bank, social worker or counselor, long-term care facility, ambulance company or pharmacy.
However, many more companies and services are impacted, including those who provide services or supplies to health service providers or to patients under the direction of providers. They will need new business agreements assuring HIPAA compliance and must implement acceptable information privacy and security measures. If these companies bill third-party payers directly, they will also need to implement the transactions and code sets standards.
Outside technology vendors, transcription providers, accountants, attorneys and anyone else who may come into contact with patient information in the course of normal business dealings will also be affected. In short, if you create, maintain, manage or have access to personal medical information, you should be concerned about becoming compliant with HIPAA regulations.
To date, HIPAA implementation work has concentrated on defining standard transactions for use by providers and third-party payers, and creating standard definitions for health care providers, employers, health plans and individuals to use in creating patient record information. Code sets are being created to define standard medical terms, diagnosis codes, diseases, injuries, etc. Medical procedure codes are also being defined for actions taken to prevent, diagnose, treat or manage diseases, injuries and impairments, as well as for medications, equipment, supplies and other items prescribed for treatment.
While many of these code sets are those familiar to providers today, there are some changes in the format of transactions and the codes that can be used which may affect the transmission of information between providers and payers. As an example, local codes can no longer be used. Thus, if a specific insurer has asked providers to append a national procedure code with a suffix to further characterize the procedure, the insurer will have to develop another way of obtaining the information it seeks. This will mean that providers will have to learn a new procedure for coding claim transactions.
How do I become compliant?
The majority of work and cost will be in redesigning office processes around patient privacy and in developing a comprehensive security program around patient information. Areas that will need to be reviewed include written policies and procedures, standards, staff training, technical and procedural controls, risk assessments, and auditing and monitoring of compliance. A provider must also assign responsibility for ongoing management of the information security program. Suppliers must agree in writing to maintain the same level of security and privacy as the providers with whom they work.
What do I have to do?
The first step is to perform a gap assessment to determine what must be done in order to become compliant. Procedures, processes and information management must all be reviewed in light of the ASCA. For example, common office processes such as a nurse asking a physician for information about one patient over an open intercom when another patient can overhear the conversation have to be modified to assure patient privacy. Once the scope of necessary change is understood, an implementation plan should be developed.
The next major operational step is to fund and execute the implementation plan. In addition, all staff and employees who handle patient information or discuss it with outside parties must be trained in how to keep the information private and secure. This training should also include instruction on any new procedures that are developed and implemented.
What about my computers and software?
An affected organization must implement measures, policies and procedures to assure the security of any information systems that contain individually identifiable patient health information. These would be coordinated and integrated with other system configuration management practices in order to assure system integrity when changes to system hardware or software are made. Any software purchased as a package from an outside vendor must also be compliant.
In addition, affected parties must provide a contingency plan that provides for responding to information system emergencies, including periodic backing up of data, having and testing facilities for continuing operations in the event of an emergency, and developing effective disaster recovery procedures. Computer controls and security measures should be documented in the same manner as other policies and procedures.
Each organization is also required to have a policy on workstation use. These documented instructions and procedures should delineate the proper functions to be performed and the manner in which those functions are to be performed (e.g., logging off before leaving a terminal unattended). Restrictions must be put in place to prevent unauthorized personnel from accessing information stored on the entity's computers.
Facilities that use communications networks are required to protect messages containing health information when they transmit them electronically, to prevent them from being intercepted and read by parties other than the intended recipient. They must also protect their information systems from intruders trying to access information from external communication points. This typically means that some form of encryption must be used to protect this information. As well, there need to be documented policies and security features for the use of fax, e-mail, Internet, remote dictation and transcription services.
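The requirement above is stated at the policy level: a message carrying PHI must be unreadable to anyone but the intended recipient, and it should be detectable if it was altered on the way. In practice the transport is usually protected with TLS, but the same property can be illustrated at the message level. The following Go program is an added example written for this page; it is not code from the article or from TCN. It uses AES-256-GCM from Go's standard library to seal a constructed sample record, open it at the receiver, and refuse a copy that was modified in transit. The key is generated on the fly only for the demonstration; a real deployment would obtain it from a key-management system, and the header string, record contents and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record used only for the demonstration; no real patient data.
const SamplePHI = "MRN 000123; DOB 1970-01-01; diagnosis: constructed sample"

// Message is what travels over the network: a per-message nonce plus the
// AES-GCM ciphertext, which carries its own authentication tag.
type Message struct {
	Nonce      []byte
	Ciphertext []byte
}

// newAEAD builds AES-GCM from a 16-, 24- or 32-byte key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext. aad (e.g. a routing header)
// is authenticated but sent in the clear, so it cannot be swapped either.
func Seal(key, aad, plaintext []byte) (Message, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Message{}, err
	}
	// A fresh random nonce per message; reusing one under the same key
	// breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Message{}, err
	}
	return Message{Nonce: nonce, Ciphertext: aead.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open checks the tag and decrypts. Any change to nonce, ciphertext, aad or
// key makes it fail closed with an error instead of returning garbage.
func Open(key, aad []byte, m Message) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, m.Nonce, m.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("message rejected: authentication failed")
	}
	return pt, nil
}

// Demo runs a constructed exchange: the sender seals SamplePHI, the receiver
// opens it, and a copy with one ciphertext bit flipped in transit is rejected.
// It returns the recovered plaintext and whether the tampered copy was refused.
func Demo() (string, bool, error) {
	key := make([]byte, 32) // demo only; in practice obtained from a KMS/HSM, never hard-coded
	if _, err := rand.Read(key); err != nil {
		return "", false, err
	}
	aad := []byte("to: billing@payer.invalid") // constructed routing header

	m, err := Seal(key, aad, []byte(SamplePHI))
	if err != nil {
		return "", false, err
	}
	pt, err := Open(key, aad, m)
	if err != nil {
		return "", false, err
	}

	// Simulate an on-path modification of a single ciphertext bit.
	tampered := Message{Nonce: m.Nonce, Ciphertext: append([]byte(nil), m.Ciphertext...)}
	tampered.Ciphertext[0] ^= 0x01
	_, openErr := Open(key, aad, tampered)
	return string(pt), openErr != nil, nil
}

func main() {
	pt, rejected, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("recovered: %q\ntampered copy rejected: %v\n", pt, rejected)
}
```

The point for a compliance program is the second half of the exchange: encryption alone hides the record, but an authenticated mode such as GCM also lets the receiver detect and discard a message that was changed or replayed under a different header, which is the part a plain cipher would not give you. Key distribution and rotation are outside this snippet and are what the documented policies the article asks for have to cover.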
Jim Cavagnaro is CEO of TCN, which provides educational, project management and consulting services through TCN's HealthCare solutions group. More information on HIPAA can be found at http://www.tcnus.com or by calling 800.366.8353.