Radiology Plus-The Race to Get Ready for HIPAA is Under Way

By Julie Crawshaw

Those entrusted with data must protect them. That’s the point of HIPAA, the federal Health Insurance Portability and Accountability Act, and the purpose is easy enough to understand.

It’s defining where that responsibility begins and ends that’s the hard part. Kerry Kearney, an attorney who specializes in telemedicine, says HIPAA poses a particularly large problem for radiologists working in centers like UCLA Harbor Medical, which provide radiology services to organizations that receive radiographs over the Internet from all parts of the country.

Kearney points out that as health care providers get larger, and as electronic transmission of medical records becomes more frequent, a patient’s records frequently wind up in another state. She says that the HIPAA regulations will provide a floor, not a ceiling, as many had hoped.

"You’ll have to comply with HIPAA, plus which you’ll have to comply with whatever laws your state might have. There’s no clarity about what your obligations are in regard to medical records."

A state like California, for example, has an extremely complicated set of privacy initiatives. Some states require public reporting of information that in other states must be kept confidential, as in Pennsylvania, where AIDS information cannot be obtained without a court order.

Because of inconsistencies in state laws, everyone had hoped that HIPAA would override those state regulations. It doesn’t, and probably couldn’t, because in those states with really stringent privacy laws going down a step on the privacy protection ladder would be too hard to sell. So, patients who live in New Jersey have a right to expect that New Jersey privacy laws will be enforced even when their x-rays are being reviewed on the other coast. "I think that people in the health care community would be much more willing to accommodate HIPAA privacy initiatives if they knew that’s all they had to do," Kearney says. "When they know they have to do that and comply with inconsistent state laws, it does present a pretty horrendous burden."

HIPAA does not broaden access to patient medical data; it simply clarifies the circumstances under which that access can occur. Kearney says the consumers commenting on HIPAA’s privacy component almost overwhelmingly expressed shock that the proposed regulations allow transfer of medical information.

"Consumers seemed to believe that under current law, access was not there and somehow there would be broader access once these regulations go into effect," Kearney says. She refers to a 1999 survey performed by the California Health Care Medical Foundation and Privacy and Confidentiality Survey, which showed that 41% of respondents mistakenly believed that their medical records are already protected by federal privacy law.

"Consumers are operating under the assumption that the law already protects them and that HIPAA is going to somehow diminish that protection," she says.

It’s About Business, Not Information Technology

"HIPAA is a business issue, not an information technology issue," Diana Haramboure says. "You have to look at how this affects your business relationships, strategies, your whole process first, then look at how it affects your information technology." Haramboure is vice president of health care consulting at Data Dimensions, a Bellevue, WA-based company that works with members of the health care industry to prepare for HIPAA implementation.

Though the soonest HIPAA’s privacy component can take effect is February 2002, Haramboure stresses that the time to get ready is now. She points out that under HIPAA, penalties for violating patient privacy range from $50,000 and one year in jail to $250,000 and 10 years in jail.

"The difference is intent," Haramboure says. "The minimum penalty might be for a sloppy mistake that causes something bad to happen. I counsel clients that the worst thing they ever want to have happen is for their HIPAA mistakes to be an employee problem as opposed to a systemic illness in the company."

She agrees that delineating responsibility is paramount. "That’s the part that all the attorneys are going berserk over. Any organization wants to limit its responsibility for protecting the data. For example, an insurance company may use another entity to process or collect claims on its behalf. Who is really responsible for that data? Is the insurance company responsible for it across corporate entities? The biggest concern of most of the attorneys I’ve talked with is defining where accountability for the organizations they represent begins and ends."

Kearney considers HIPAA’s criminal penalties redundant. "There are already remedies in place to deal with people who maliciously disclose medical information," she says, "and to add these kinds of penalties to an industry that is already scared to death of other kinds of criminal prosecutions is really overkill. There has been an enormous uptake in the number of health care fraud prosecutions. I think the public likes it, but it’s not advancing the interests of the public one whit."

The government received more than 40,000 comments following publication of HIPAA’s privacy piece in the Federal Register. Those comments are presently being digested and some decision will have to be made as to whether the proposed rules will be changed. The act does make exceptions to the privacy requirements when the good of society as a whole is involved, such as when a patient is hospitalized with an infectious disease that poses a threat to the community and health authorities must be notified. Individuals give up their rights to have that information protected under those circumstances. That’s also the case, for instance, if the National Institutes of Health are trying to find out how cancer treatment patterns have changed. "Some of the information they’d need is available in aggregate," Haramboure says, "but it’s pretty hard to do that without individual patient information if you want to know what drug is most effective."

HIPAA Affects Everyone

Rules for the first component of HIPAA’s administrative simplification are supposed to be final this June, after which all affected parties—virtually all health care companies—will have two years to implement the final provisions. However, cautions Haramboure, "you can’t wait a year and a half and then decide you want a strategic approach to HIPAA. You have to start doing it now."

HIPAA guidelines define electronic data as data stored or transmitted electronically or computer (paper) output. About the only things that aren’t included are a doctor’s handwritten notes that are not then put into an electronic medium. Proposed rules call for standardizing the format for electronic transactions involving medical records to American National Standards Institute (ANSI) standard version 4010, a major change for many health care companies now using their own proprietary formats.

"The expectation is this will create a common language," Haramboure says. "Not only are they standardizing where you put data within a transaction set, they are defining the data as well. It’s like saying ‘We’re going to speak English, and our word for restroom is restroom, not men’s room or ladies’ room.’"

However, when it comes to releasing a patient’s medical records, the guidelines don’t tell you how to do it, just that you must protect the patient’s privacy in the process. Haramboure counsels her clients to develop a good policy that meets the requirements, using components and criteria based on her company’s experience. "Ultimately," she says, "the organization has to determine the level of risk exposure it’s willing to have."

The most conservative approach to releasing patient information to the patient is to do so only with written, signed requests and require personal pickup with a photo ID and signature for release. A middle-of-the-road tactic would be to allow the patient to call or write a request, but retain the in-person, signed-for pickup. The least conservative procedure would be to accept phoned or written requests and mail the requested information, but only to an address already on file for the patient.

Haramboure says it generally takes her about 12 weeks to get a company ready for HIPAA. "The challenge for our clients is, based on the level of risk and the way they do business, defining the specific things they need to do to protect the organization and its officers. Let’s say the company never provided employee training on how to safeguard information and the bad things that can happen if it’s disclosed. That, to me, would mean the company hadn’t taken the minimum steps, which would cause the organization to be viewed unfavorably."

She counsels that, at minimum, all companies require their employees to:

Sign a form that says "I understand that if I disclose this information I could have to pay a $50,000 fine and spend up to one year in jail and I may be terminated immediately if I disclose a subscriber’s medical information."

Attend a mandatory sign-in training class once every six months.

She advises her clients that by starting early, they can gain business value from this. "It doesn’t have to be something you did just because the government told you to do it," she says. For example, if an organization is considering using the Internet, the standardization of electronic data interchange (EDI) transactions makes it a lot easier to take that next step. It’s almost like the foundation’s been poured.

"You can figure out how to leverage it to your benefit," Haramboure says. Some of the organizations she works with have a provider number problem, especially if they’ve done mergers or acquisitions. A company might have one system with a five-position number that always begins with a letter, another may have an eight-position number. HIPAA is potentially an opportunity to clean up all the numbers across all those systems.

HIPAA May Result in Mergers

Small offices with, for instance, one doctor, one nurse, and an admitting staff person obviously can’t implement the same procedures as a larger organization. Haramboure thinks that HIPAA may result in a decrease in independent physician practices. "It may force some practice consolidation," she says. "It’ll be interesting to see, looking back on it, if there’s a trend line that shows that ‘changing over’ line."

The government will release a request for proposal and award a contract for a national provider system that will function essentially like the Social Security Administration: people will submit a form and receive a number that will be theirs forever. Under HIPAA, when the transactions go back and forth they will have a new 10-digit, all-numeric number. "Providers are worried about this because their whole revenue stream is based on their ability to get claims paid," Haramboure says. "They can’t bill insurance companies until they have this new number assigned, so there will be a mad dash for people to get numbers."

One important HIPAA security requirement concerns developing procedures for terminating IDs and passwords when employees leave. Another requires audit trails of log-in attempts. "You’ll also need to develop disaster recovery procedures and contingency plans for data," Haramboure points out. Though specific about the kinds of things organizations should do, the guidelines do not specify encryption methodology, thus avoiding the risk and liability associated with specific procedures. HIPAA’s security guidelines are available on the Internet at
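The two requirements named above, ID termination and an audit trail of log-in attempts, are most useful when checked against each other. The following is an added example, not code from the article or from Data Dimensions: it reads a constructed log-in audit trail, correlates it with a constructed HR termination list, and reports any attempt by an ID that should already have been disabled, plus IDs with repeated failed attempts. The log line format and the termination record are assumptions made for the example.

```python
from datetime import date, datetime

# Constructed sample audit trail: "timestamp user outcome" per line (not a real system's format).
AUDIT_LOG = """\
2001-03-01T08:02:11 jsmith SUCCESS
2001-03-01T08:05:40 rjones FAILURE
2001-03-01T08:06:02 rjones FAILURE
2001-03-01T08:06:30 rjones FAILURE
2001-03-04T17:45:09 mlee SUCCESS
2001-03-05T09:12:00 jsmith SUCCESS
"""

# Constructed HR record: user ID -> last day of employment (ISO date).
TERMINATED = {"mlee": "2001-03-02", "rjones": "2001-02-15"}


def parse_audit_log(text):
    """Parse audit-trail lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, user, outcome = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ok": outcome == "SUCCESS"})
    return events


def logins_after_termination(events, terminated):
    """Any attempt (successful or not) after a user's last day means the ID was not terminated."""
    hits = []
    for e in events:
        last_day = terminated.get(e["user"])
        if last_day and e["ts"].date() > date.fromisoformat(last_day):
            hits.append((e["user"], e["ts"].isoformat()))
    return hits


def repeated_failures(events, threshold=3):
    """IDs whose failed attempts reach the threshold; the audit trail exists to surface these."""
    counts = {}
    for e in events:
        if not e["ok"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    evts = parse_audit_log(AUDIT_LOG)
    print("attempts by terminated IDs:", logins_after_termination(evts, TERMINATED))
    print("repeated failures:", repeated_failures(evts))
```

In the sample data, mlee logs in two days after leaving and rjones is still attempting (and failing) weeks after termination; both point at a de-provisioning procedure that did not run.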


1. Diana Haramboure, 1969 Sevilla Blvd. West, Atlantic Beach, FL 32233. Telephone: (904) 371-3070. E-Mail:

2. Kerry A. Kearney, Reed Smith Shaw & McClay, 435 6th Avenue, Pittsburgh, PA 15219. Telephone: (412) 288-3046. E-Mail: