HIPAA Regulatory Alert: Possible incentive for physician compliance

Reduced premiums could boost compliance

A security consulting firm that is providing security risk assessment and compliance review services for small health care related businesses says one way to increase incentives for physicians to come into compliance with HIPAA requirements would be for malpractice insurers to offer reduced premiums to those who have done a risk assessment and are moving forward on implementation.

Robert Aanerud, chief risk officer at St. Paul, MN-based HotSkills Inc., tells HIPAA Regulatory Alert there is precedent for such a move in the financial services field and other market segments, and he expects it to be offered by medical malpractice insurers within a year or so.

"I’m in discussions with several insurance companies," he says. "There are several insurers already offering that type of discount on professional liability insurance in the financial services and other fields."

That type of incentive, Aanerud says, is going to be important to get physicians and physician groups to think in terms of assessing their compliance level and moving forward.

He notes that many firms implementing compliance initiatives are too focused on technology, and many of those assessments don’t go far enough. Aanerud says his company is using a holistic, quality-based ISO standards approach that addresses all aspects of business risk, including physical, technical, personnel, and procedural risk.

"We involve the organization’s management team in this process to ensure they understand the business risks, and then they determine the degree of risk they’re willing to accept," he says. "Management’s involvement is a necessary and often overlooked measure to building a defensible security management program."

Some ignoring obligations

According to Aanerud, ISO17799/BS7799 is a management-driven process that can be implemented by businesses of all sizes. "Certification for information security can provide businesses with many competitive and operational advantages, including increased trust and credibility with customers, stakeholders, and business partners; more effective operations in other countries that use these standards; and reduced liability risk, which may result in lower business insurance premiums."

Aanerud says his sense is that many physicians and physician networks still are ignoring their obligation to comply with HIPAA. "Sometimes they’re in denial about whether it applies to them or really will be enforced," he says. "They also often don’t understand the requirements, don’t yet see the risk to themselves in not complying with the requirements, and are more concerned about patient care than complying with HIPAA standards."

Aanerud says the April 2005 deadline is creating a false sense of security because "businesses that release personal information can be liable right now for the complete scope of this regulation if they have not shown intent to protect that information." He says the first step in proactively addressing the standards is to conduct an overview risk assessment that, for many physician organizations, can take one to two days.

The fact that enforcement by the Department of Health and Human Services (HHS) currently is complaint-driven also is encouraging the false sense of security, Aanerud says. "HHS hasn’t yet identified the agencies that are going to perform compliance reviews," he says. "The need to comply with the requirements isn’t going to become real to many people until they do that. People have to see that ‘the HIPAA cops’ are coming. But I think it’s going to be quite a while until the agency acts."

In the meantime, Aanerud and other consultants are urging covered entities to take their obligations seriously, perform a risk assessment so they will have a good sense of the gaps they are facing and the costs to address them, and then move into implementation.

For example, the Information Technology Solution Providers Alliance, a national organization established to help the nation’s small-to-medium businesses understand how local technology providers can help them, is devoting a lot of energy to HIPAA and offers the following tips for complying with the regulations:

  • Provide employee reviews and give all employees an opportunity to review and change, if necessary, their protected health information.
  • Distribute privacy notices that spell out HIPAA requirements for all employees.
  • Update health care documents to reflect current HIPAA regulations regarding permissible uses and disclosures of protected health information.
  • Put safeguards in place, such as assigning someone the responsibility of handling privacy issues and establishing methods for handling complaints.
  • Work with service providers to establish agreements with outside companies that help administer the organization’s health plan to ensure compliance with privacy rules.
  • Train employees in HIPAA privacy rules.
  • Lock up records and files that contain employee health care information, and use computer passwords and firewalls to protect on-line information.
  • Increase computer security features.
  • Ask an information technology solution provider for assistance.