The trusted source for
healthcare information and
By John C. Gilliland II
Locke Reynolds LLP
In late December 2000, as required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the U.S. Department of Health and Human Services published its long-awaited final rule concerning "Standards for Privacy of Individually Identifiable Health Information."
The privacy rule covers health care providers, health care clearinghouses, and health plans (collectively called "covered entities") that conduct certain financial and administrative transactions electronically (e.g., electronic billing and funds transfers). It provides extensive and comprehensive federal protection for the privacy of health information addressing these areas:
The rule’s impact is anticipated to far exceed that of Y2K, both in time and expense, but unlike Y2K, it will not be a one-time effort and expense — privacy compliance will be an ongoing obligation. Health care providers must comply with the many requirements of the rule by April 14, 2003. However, the Bush administration reopened the comment period for the rule until March 30, 2001, and some efforts are under way in Congress to modify or even repeal the rule.
Changes to the rule’s requirements may or may not be made as a result of those actions, but it seems clear the basic thrust of protecting individually identifiable health information will continue. As the saying goes, "The devil’s in the details," not in the goal. Although there may be changes forthcoming as a result of the reopened comment period or congressional action, there are several things hospital-based home health agencies should do now to prepare.
Much of the effort to comply with the privacy rule probably will be borne by your hospital, but, as often is the case for hospital home care, hospital management may not be aware of the rule’s complete impact in the home care setting. Taking the following actions now is the first step to helping your agency and hospital comply:
• Obtain a copy of the final rule and comments. The final rule and comments were published in the Dec. 28, 2000, issue of the Federal Register (it is more than 380 pages).1,2 It can be obtained on-line from the government’s administrative simplification page at aspe.os.dhhs.gov/admnsimp.
• Identify the key individuals in your agency to spearhead HIPAA compliance efforts. Include management, in addition to representatives of each of your agency’s operational areas. You need the input of every area of your agency that deals with individually identifiable health information.
• Inventory all individually identifiable health information your agency uses or maintains. You need to know what and where the information controlled by the privacy rule is in your agency. Do not think "medical records." Think "health information." Do not forget personal computers and laptops, both at work and at home. Individually identifiable health information means: ". . . any information, whether oral or recorded in any form or medium that:
Health information becomes "individually identifiable" if it identifies the individual or there is a reasonable basis to believe the information can be used to identify the individual. The privacy rule provides specific requirements to determine whether or not information is individually identifiable.
De-identification of health information may occur if all of 18 specific identifiers stated in the regulation are removed (e.g., geographic subdivisions smaller than a state, including, with certain exceptions, zip codes; telephone and fax numbers; URLs; e-mail addresses; health plan beneficiary numbers; license plate numbers).
• Collect together all of your agency’s existing policies and procedures that deal with identifiable health information and organize them into the subject areas addressed by the privacy rule. This will save you a great deal of time in the future.
• Inventory all the entities who are "business associates" of your organization. Under the final privacy rule, a covered entity may disclose protected health information to a business associate and may allow a business associate to create or receive protected health information on its behalf, only if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the information. A covered entity must document those assurances through a written contract or other written agreement or arrangement with the business associate. The privacy rule states what must be included in the contract.
A "business associate" is ". . . a person, other than in the capacity of a member of the covered entity’s work force, who performs or assists in the performance of either:
— a function or activity involving the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, processing or administration, utilization review, quality assurance, billing, benefit management, practice management, and repricing, or any other function covered by HIPAA;
— provides legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity, or to or for an organized health care arrangement in which the covered entity participates, where the provision of the service involves the disclosure of individually identifiable health information from such covered entity or arrangement, or from another business associate of such covered entity or arrangement, to the person."2
• Begin to educate supervisors and staff concerning the privacy rule. As you learn about the privacy rule’s requirements, share that information with the supervisors and staff of your agency. Supervisors and staff can be very helpful in assessing the rule’s impact on your agency. Besides, it is much better for them to be part of planning for the rule’s impact rather than to have it be thrust upon them with little warning two years from now.
• Develop a work plan to address and implement the privacy rule’s requirements. Two years may seem like a long time, but when you learn all of the rule’s requirements, you will see there is a great amount to do. It will take months to accomplish all that is required, but it can be done without undue turmoil if you are proactive in identifying what you must do and proceed in an organized way without putting it off until the final few months.
(Editor’s Note: The HIPAA privacy rule was reopened for additional comment during March 2001, and some members of Congress were taking actions to try to change its requirements or even to repeal it entirely. At press time, it was unclear whether or not any changes to the HIPAA privacy rule would occur. If changes do occur, they will be addressed in a future issue of Hospital Home Health.)
1. 65 Fed Reg 82,804 (Dec. 28, 2000)
2. 65 Fed Reg 82,798 (Dec. 28, 2000)