HIPAA prep continues after deadlines pass

Policies, training, solutions need to be priorities

Quality improvement and peer review professionals must continue to focus on Health Insurance Portability and Accountability Act (HIPAA) compliance long after the deadlines pass, say experts, who caution that protecting sensitive data will be a constant worry even after you have the appropriate mechanisms in place.

The first deadline for complying with HIPAA was April 14, 2003, when health care providers and most other covered entities were required to comply with the privacy rule, which sets standards to "protect and guard against the misuse of individually identifiable health information." (The rule governing electronic transactions and code sets runs on its own schedule; see below.) Small health plans, those with annual receipts of $5 million or less, have until April 14, 2004, to comply with the privacy rule.

If you didn’t quite finish everything on your list for HIPAA compliance by April 14, don’t panic, says Jack A. Rovner, JD, partner and co-chair of the Chicago Health Law Practice Group with the law firm of Michael Best & Friedrich in Chicago. You’re not alone.

"The likelihood of everyone getting everything done by April 14th never was great because a lot of people were slow in getting to developing their policies and procedures," he says.

"Just hope that nothing really bad goes wrong with a privacy matter, because then you’ll have a problem if your program isn’t complete. But it’s not like the government is going to send people out to check your HIPAA compliance as soon as the deadline is passed," Rovner explains.

Don’t panic, but don’t stop working on HIPAA compliance either, he says. Ensuring the privacy of sensitive information will be an ongoing challenge, he says, and for now, you should at least be able to show that you have made a good-faith effort to comply.

"Can you show that you’ve allocated resources and allocated the budgets, and that you have an action plan for implementing what you need to?" Rovner asks. "If something happens and you have to show HIPAA compliance, that’s what will matter right now — whether you were working in good faith. The statute is even written to include reasonableness as a means to forgive HIPAA oversights in civil litigation."

Providers will continue to adjust to HIPAA for years, says Matthew Rosenblum, chief operations officer for privacy, quality management, and regulatory affairs at CPI Directions, health care consultants in New York City. He cautions that HIPAA compliance is "a marathon, not a hundred-yard dash." It took 20 years for health care providers to internalize Medicare and Medicaid regulations into their operations, he says, and the HIPAA regulations are as significant as those were back in the 1970s.

Accrediting bodies such as the Joint Commission on Accreditation of Healthcare Organizations may be the biggest motivation to move quickly on HIPAA compliance, he says. Even though government regulators aren’t likely to confirm your compliance any time soon, a surveyor from the Joint Commission or any other accrediting body might, he says.

"They have their own patient rights standards, and they will be the first ones to come in and start asking questions about the implementation of these HIPAA rules," he says. "They will ask staff, ‘What if a patient has complaints about the privacy of information? Who do they go to?’"

Education of staff should be one of the biggest concerns with HIPAA now, Rosenblum says. Much of the preparation up to this point has concerned developing new policies and procedures, but staff education takes a long time. Be prepared for a long learning curve and a period of adjustment for the new policies and procedures.

Business associate agreements are another common problem for providers when organizing a HIPAA compliance program.

"We’re now seeing a battle of the forms," says Rovner. "Many of the associations that do business with health care providers have drafted business associate agreements that tend to favor them, then the hospitals tend to draft agreements that favor them. When they clash, you have to deal with that, and it will take time."

The best thing to do in the short run is to be sure you have policies and procedures in place, he says. Write your policies, implement them, and start training staff on how to comply. He cautions against letting a quest for perfection keep you from implementing policies immediately.

"You’re going to learn how well they work as you implement them, and you will have to improve them as you go along," Rovner says. "One big thing is writing your minimum necessary protocols for the routine and recurrent things that you send out — claims, customer service, dealing with other routine third-party vendors. You’ll have to constantly update those protocols so they make sense."

Rovner and Rosenblum recommend asking yourself if you have accomplished these tasks yet to comply with HIPAA:

  • Developed and distributed the notice of privacy practices.
  • Documented that you gave the notice to patients.
  • Produced an authorization form, or at least a template for one, for the uses and disclosures that may occur in your organization.
  • Tested your system. Most covered entities have applied for the extension that allows them to wait until October to have transactions and code sets (TCS) in place, but one of the requirements for filing that extension was to begin testing the systems by April 15.
  • Appointed a privacy official.
  • Designated a contact person in the privacy office who can field questions and requests from patients regarding access to their information.

Many health care providers get bogged down in the analyses and retrospective assessment of how they have handled privacy issues in the past, Rovner says. While that kind of analysis can be useful, don’t focus on it too much. What you did with private health information last year is less important than what you will do with it this year.

"People have avoided focusing on the hard work of drafting policies and procedures, and instead, they’re spending time on gap assessments — saying, ‘This is what we used to do, and this is what we need to do,’" he says.

Thomas R. Walsh, principal consultant for CTG HealthCare Solutions in Overland Park, KS, says your HIPAA compliance program should include regular assessments, both internal and external. Once a year, you should have the system audited by an outside entity. "Without an audit, it’s just a veneer," he says.

Structure the system so security problems can be reported easily, he says. Make sure it is clear who they should be reported to and how. At the same time, set up a procedure to assure that there will be no retaliation for whistle-blowers.

He also urges providers to look for simple solutions to some everyday problems. Not all HIPAA compliance solutions have to be complicated or high tech, he says. For instance, there are a number of best practices providers can implement to keep the overly curious from gazing at private patient information in an office setting. One solution is the privacy workstation, with the monitor recessed into the worktable or otherwise positioned so that the information cannot be viewed by anyone except the person using the computer. Anti-glare screens and privacy filters on monitors also can thwart the casual information thief.

A privacy concern in many health care settings is that incoming faxes are accessible to many office staff members. Faxed materials often sit around for anyone to see, and it can be difficult to make certain that only the intended recipient of confidential medical information sees it, Walsh says.

"Faxes are the lifeblood of health care, but there are many opportunities for privacy breaches. Many health care providers are learning that they may be better off buying their various computer systems — from billing to clinical — from the same vendor so that the systems work together, and they can avoid doing so much faxing," he points out.

Walsh also suggests using e-faxes, which arrive as an e-mail attachment or are retrieved from a web site that requires an access code, and fax machines that hold a received document and print it only after a security code is entered.

[For more information, contact:

Jack A. Rovner, Michael Best & Friedrich, 401 N. Michigan Ave., Suite 1900, Chicago, IL 60611. Telephone: (312) 222-0800.

Matthew Rosenblum, CPI Directions, 10 W. 15th St., Suite 1922, New York, NY 10011. Telephone: (212) 675-6367. Web site: www.cpidirections.com.

Thomas Walsh, CTG Healthcare Solutions, 800 Delaware Ave., Buffalo, NY 14209-2094. Telephone: (716) 882-8000.]