HIPAA Regulatory Alert: Software can ease authorization process

Electronic records keep facilities connected

As with many areas of health care, new approaches in technology have been sought to ease the way into compliance with HIPAA. One example is the HIPAA GUARD program from Monterey, CA-based Integritas Inc.

The program, which can be used either as a stand-alone or in concert with the STIX occupational health suite, was created in anticipation of the new HIPAA requirements, says Mary Stroupe, MA, MBA, vice president of sales for Integritas.

"We anticipated it would be needed," says Stroupe. "We were clear that HIPAA was going to apply to all our clients — both to freestanding occupational health and rehab organizations, and in the hospital-based environment, where we see an even greater need."

Authorization is the linchpin

While HIPAA GUARD addresses a number of concerns, including privacy notice acknowledgement and consents, authorizations, patient access requests, patient complaints, and accounting of disclosures, patient authorizations seemed to be an overriding concern for a number of clients. "Fundamentally, we saw that according to the law as we read it, the release of information to the employer for the purpose of a physical or a drug screening would require an authorization from the patient," Stroupe explains. "In a health system, if you go to three or four different places, should you have to be given three or four different privacy agreements? In the scheme of all issues, that’s No. 1."

Evelyn S. Miller, CPA, executive vice president-finance for Medway Health Inc. in Dallas, agrees. "You don’t want it to look to your clients like you don’t know what you’re doing," she notes. "If they come into your clinic and sign a privacy agreement, then get referred to the hospital, which is owned by the same company [and get asked to sign another], they think you are clueless."

Miller has just such a situation. "We have two freestanding locations, each with three distinct treatment departments," she says. "It’s helpful for us to know whether a patient has already signed an authorization form; it not only eliminates paperwork, but we are perceived as being more professional." Miller says this is one of the primary reasons she decided to integrate HIPAA GUARD with her STIX software.

There are other reasons managing HIPAA compliance with software can be beneficial. "We anticipate that whether you are a freestanding facility or a hospital, because the occ-med department is the department that routinely releases information to the employer, this could potentially be a source of weakness in the whole system," notes Stroupe. "Plus, even though the law does not require authorization for purposes of workers’ comp, it does require you to document and keep track of disclosures made for workers’ comp. If you’re a small operation, you can just pull out the chart and see it; but in a large one, where you have many disclosures in many different places, having no single place to keep track of all of them is a huge problem."

Miller sees other reasons for the electronic record keeping the software facilitates. "When we get audited, surveyors want to see your compliance with HIPAA and how you track it," she notes. "We are getting ready for our accreditation by CARF [the Commission on Accreditation of Rehabilitation Facilities], and they want to see how we are complying with HIPAA, as well as logs of where we have done the accounting, whether people are receiving proper notice, and so on."

Not a performance change

Both Stroupe and Miller agree that the new Privacy Standard may change the way certain processes are handled, but not the way care is given.

"The general thinking is that HIPAA allows health care providers to do things that in the past they couldn’t do, but that’s just not true," Stroupe asserts. "It requires providers to tell people what is happening. What I anticipate is this: in the past, patients haven’t asked to see their records; and in most cases, it probably never occurred to them to ask.

"Now they’re being given a document that tells them there’s a new law that says what their rights are," she continues. "Soon, a certain percentage of people will start to request their records just because they can. This can cause real headaches, because the law requires you to reply to these requests within a certain amount of time. The software keeps track of when this has been done, what is pending, and so on. Even in the absence of any breach this is important."

"I agree," says Miller. "We’ve not yet seen any increase in the number of requests for medical records. We already had a response system in place; this is just making it more standardized. Basically, for us, it’s just creating more work to document what we already do."

[For more information, contact:

  • Evelyn S. Miller, CPA, Executive Vice President-Finance, Medway Health Inc., 2915 LBJ Freeway, Suite 102, Dallas, TX 75234. Telephone: (972) 241-9271. E-mail: evelynmiller@medwayhealth.com.
  • Mary Stroupe, MA, MBA, Vice President-Sales, Integritas Inc., 2600 Garden Road, Suite 112, Monterey, CA 93940. Telephone: (800) 473-6309.