Are the medical charts for patients who have an appointment that day usually sitting out in your reception area? Do you sometimes discuss patients with your colleagues on the telephone in earshot of anyone passing by your office? When you hire a new billing clerk or receptionist with experience in other medical practices, do you give short shrift to informing her about patient confidentiality? Is your fax machine out in the open where anyone can see what is being faxed in?
Any of these could get you in hot water with the government when the Health Insurance Portability and Accountability Act (HIPAA) privacy regulations go into effect in 2003. The regulations cover health plans, health care clearinghouses, and health care providers who conduct financial and administrative transactions electronically. Signed into law by President Clinton in December, HIPAA mandates sweeping changes in the way most physician practices handle individually identifiable patient information.
The law is so new (published in the Federal Register on Dec. 28) and so lengthy (1,535 pages) that it will be several months before anyone can conduct a detailed analysis of all its provisions and implications. There’s also a chance that the Bush administration or Congress will make changes before the final rule goes into effect Feb. 28. Following that is a two-year compliance period.
When it is fully implemented, HIPAA could very well save money for health care providers because it standardizes the way transactions are conducted. In fact, while the Department of Health and Human Services projects that implementation of the privacy rule will cost $17.6 billion nationwide, it also projects savings of $29.9 billion over 10 years from implementation of other HIPAA standards.
The health care industry has a lot of work to do, however, before that happens. Even though all the minute details of the requirements aren’t yet available, physician practices are advised to start their preparation now so they’ll be in compliance by the Feb. 28, 2003 deadline.
"What we are telling clients now is that HIPAA is very real and that they should start assessing where they are and trying to determine the amount of work they have to do in the next two years, then work out a strategy to accomplish it," says Peter Adler, a health care attorney with the Washington, DC, office of Foley & Lardner.
In a nutshell, the privacy regulations mean that physicians will have to protect the privacy of patients’ medical information, will have to inform patients in writing about how the practice will use their information, and will have to track and manage the information according to the way they told the patients they would. The regulations cover any individually identifiable information, whether it is disclosed during oral conversations, electronic transmission, or written documentation, whether it is by hand, by typewriter, or in a computer.
"The original rule applied only to information in digital form and it was confusing to determine what was covered. For instance, if a transcriptionist typed the physician’s notes on a word processor and printed it out, it would have been covered. But handwritten notes would not. The final rule covers information in any form," says Janice Cunningham, an attorney with The Health Care Group, a Plymouth Meeting, PA, consulting firm.
The final rule is the first comprehensive federal protection for the privacy of health information and the first to set out penalties for failing to maintain patient privacy. The federal regulations pre-empt state privacy protection laws unless the state laws are more stringent.
"Physicians have always been ethical about patient privacy. That is just being formalized. How they do what they say they are going to do to protect their patients’ privacy and proving that they did it are the critical elements of the HIPAA privacy regulations," says Jon Zimmerman, senior manager for HIPAA and e-business initiatives for Siemens Medical Solutions Health Services Co. (formerly Shared Medical System) in Malvern, PA.
The final rule establishes civil and criminal penalties for noncompliance. They range from $100 per person per incident for unintentional disclosure up to a $250,000 fine and 10 years in prison for selling medical information. The regulations do not give patients the right to sue providers, but President Clinton has called on Congress to pass legislation allowing patients to hold health plans and providers accountable for inappropriate and harmful disclosures, and to extend privacy protections to life insurers, workers’ compensation programs, and others that routinely handle sensitive medical information.
The reaction of the medical community to the HIPAA privacy regulations has been generally favorable, particularly since the final rule eliminates a number of troublesome provisions of the proposed rule. (To learn more about the differences between the original and final rules, see table.)
Differences in the Proposed and Final Rules

| Provision | Proposed rule vs. final rule |
|---|---|
| Type of information | The proposed rule covered only information in electronic form. The final rule extends coverage to include paper records and oral communication. |
| Requiring consent for routine disclosures | The final rule requires patient consent for routine disclosures of health records. The proposed version allowed routine disclosures for treatment, payment and health care operations, such as internal data gathering. |
| Minimum necessary disclosure | The final rule relaxes the "minimum necessary" requirements for the purposes of "treatment," which includes referral or consultation to other health care providers. For other disclosures, such as payment or general administrative operations, providers must disclose only the minimum information necessary to fulfill the purpose of the disclosure. |
| Protection against unauthorized use of records | The final rule prohibits companies that sponsor health plans from accessing personal health information from the sponsored plan for employment purposes without authorization from the patient. |
However, most feel, as the American Medical Association’s Donald J. Palmisano, MD, JD, put it, that "the devil is really in the details this time." "We will be closely examining the new rules to make sure there are no dangerous loopholes or unexpected problems," says Palmisano, a member of the AMA’s board of trustees and a national expert on patient privacy and confidentiality issues.
Still to come are security regulations that will set out how you should secure your data, particularly when it is being transmitted electronically. Most experts expected that the security rules would be issued in conjunction with the privacy rules. Now they are anticipating that HHS will issue the final security rules by the end of February. Some people in the health care field speculate that the Clinton administration rushed to announce the privacy standards before the new administration took office. There are spots in the privacy regulations where the final security rules will be plugged in.
"From reading the proposed regulations, it appears that the security regulations are not blazing new trails. They are the best practices when it comes to keeping data secure," Adler says.
The Office of Civil Rights of the U.S. Department of Justice has been given the authority to investigate violations of the final privacy regulations. There is a whistleblower provision, which allows anyone who feels they have been hurt by a violation of the privacy regulations to file a complaint. The regulations also allow the Office of Civil Rights to conduct general compliance reviews without a whistleblower complaint.