Hang onto your hat: HIPAA is on the way
It’s two years away, but start preparing now
John C. Gilliland, a health care attorney at the Indianapolis law firm Locke Reynolds, has years of experience in health care. He understands the jargon; he speaks the legal language; and he has spent the equivalent of $40,000 in billable hours over the last six months working on it.
But even someone as well-versed as Gilliland has had to read the Department of Health and Human Services (DHHS) rules regarding the Health Insurance Portability and Accountability Act (HIPAA) several times to even start getting his mind around it. Now, with two years until the requirements come into effect, he urges health care organizations to start preparing to meet those rules.
Part of HIPAA’s goal was to create some administrative simplification by standardizing the thousands of codes used for Medicaid programs. "There was just no standard format," he says. "Everyone thought that in the long run, after the costs of new systems are paid for, it would save a huge amount of money."
But while that was meandering its way through Congress, says Gilliland, people started worrying about the privacy of health care information. Privacy regulations were reported in the Federal Register — some 380 pages of them — on Dec. 28, 2000. Security regulations are due out at any time. "It took me several readings just to get the concepts down," he says. "And I’m used to reading this stuff."
Now, with so many perusals under his belt, Gilliland feels it is safe to say every health care organization is going to feel the impact of the rule in the method it collects and shares patient information. "Part of the burden will come in having to create contracts and policies for business associates," he explains. "The way the regulations read, when a patient becomes a patient, he or she has to consent to any use or disclosure of [his or her] health information. But regulators saw that any third party who got that information — a consultant, an accountant, an insurance company — could get around that. Unless we bind that associate to the same rules, then that information can be distributed on."
Now, every single associate with whom a health care organization has a relationship will have to have a contract that stipulates they won’t use or send on any of that data without a patient’s consent. The other issue is creating an inventory of individually identifiable health information. According to the regulations, that is any information — whether oral or recorded in any form or medium — that:
• is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse;
• relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual.
Don’t wait too long
There are 18 different identifiers in the regulations, and all of them have to be removed if you want to use the data by "de-identifying" it. Along with names and Social Security numbers, those include geographic subdivisions smaller than a state (including, with certain exceptions, zip codes); telephone and fax numbers; URLs; e-mail addresses; health plan beneficiary numbers; and license plate numbers. "If you wait until March 2003, you won’t pull it off," he says. "It becomes law in August of that year. But if you start now and proceed in an orderly fashion, you can do it without staying up late. It will still be work."
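One way to apply that removal rule to a patient record, as an added example that is not from the article or from Gilliland's firm: it covers only the identifier types the article names (not all 18), uses a constructed record layout and simplified regular expressions, and, because the article mentions zip-code exceptions without spelling them out, drops zip codes entirely.

```python
import re

# Constructed record layout for this example; field names are assumptions, not a standard.
# Direct identifiers the article names among HIPAA's 18 (only the ones it lists).
DIRECT_IDENTIFIER_FIELDS = {"name", "ssn", "phone", "fax", "email", "url",
                            "plan_beneficiary_id", "license_plate"}
# Geographic subdivisions smaller than a state. The article notes exceptions for
# zip codes without spelling them out, so this example drops zip codes entirely.
GEOGRAPHIC_FIELDS = {"street", "city", "county", "zip"}

# Simplified, constructed patterns for identifiers that leak into free-text notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\(?\b\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), "[EMAIL]"),
    (re.compile(r"https?://\S+|www\.\S+"), "[URL]"),
    (re.compile(r"\b\d{5}(?:-\d{4})?\b"), "[ZIP]"),
]

def scrub_text(text):
    """Replace identifier patterns in free text with placeholder tokens."""
    for pattern, token in FREE_TEXT_PATTERNS:
        text = pattern.sub(token, text)
    return text

def deidentify(record):
    """Copy of the record with listed identifier fields dropped and string fields scrubbed."""
    cleaned = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS or key in GEOGRAPHIC_FIELDS:
            continue
        cleaned[key] = scrub_text(value) if isinstance(value, str) else value
    return cleaned

def residual_identifiers(record):
    """Fields or free-text matches that would still identify the patient; empty when clean."""
    found = [k for k in record if k in DIRECT_IDENTIFIER_FIELDS | GEOGRAPHIC_FIELDS]
    for key, value in record.items():
        if isinstance(value, str):
            found.extend(f"{key}:{token}" for p, token in FREE_TEXT_PATTERNS if p.search(value))
    return found

# Constructed sample record (not real patient data).
SAMPLE_RECORD = {
    "name": "Jane Doe", "ssn": "123-45-6789", "state": "IN", "zip": "46204",
    "email": "jane@example.com", "diagnosis": "hypertension",
    "notes": "Patient called from 317-555-0100; follow up at jane@example.com, zip 46204.",
}
```

Running `residual_identifiers` over the output is the check worth keeping: an empty result is the evidence that the listed identifiers are gone from both structured fields and free text.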
Along with the inventory of that individually identifiable health information, you need to start working on policies and procedures. The requirements also include:
- having a privacy officer;
- having new written contracts for all business associates;
- creating a new consent form for patients to sign;
- creating new policies for patients who want to amend records;
- writing complaint procedures;
- establishing a policy for what to do when a police officer wants to see records;
- training all staff on the new policies and procedures;
- having a privacy policy hanging in your office visible to all patients;
- writing a handout to give patients outlining your privacy policy and procedures.
"At my count, I think there will have to be 25 different forms to make your life easier," Gilliland says. His firm is working on some templates for clients that should be ready in August.
The danger in not complying doesn’t really come from the penalties that could accrue. They are relatively small: $100 per incident of violation up to $25,000 per patient per year per standard violated. Criminal penalties are somewhat stiffer for those who improperly disclose information intentionally or for commercial purposes: up to $50,000 in fines and prison time.
"But they are relatively minor in the big picture and DHHS has said its intent is to work with providers," he says. "[The agency] wants to help you comply. The biggest potential liability comes from establishing a standard of care for tort purposes. If you release information against the regulations, the government might not enforce it, but the patient could sue, using the privacy regulations as the standard the physician has to meet. And since the public really cares about the privacy issue, do you want it in the paper that you didn’t abide by the rules?"
When Gilliland started looking at the HIPAA regulations, he thought it would be small, solo practitioners who would have the hardest time complying. "They run pretty lean and don’t have resources or people. But hospitals and larger providers have money to address the issue." Six months into studying HIPAA, his opinion has turned 180 degrees.
An endless problem for large systems
"Small providers will still have a resource problem of who will worry about this when there is no fat in the practice," he says. "They’ll have to spend some money for help, but there isn’t a whole lot of complication. There is a finite amount of protected health information in your practice. For a hospital system, there are resources, but the problem seems endless. Data permeate the walls of a hospital. How do you find everything that is impacted?"
Hospitals also are more likely to be involved in data-sharing enterprises for benchmarking purposes. Starting in 2003, they will not only have to get a standard consent from patients, but a consent that they can use the information externally for things like fundraising, marketing, or benchmarking. "You have to figure out everything you use data for and figure out how to fit them into your consent form without it being overly long."
One of Gilliland’s clients has created a sizeable committee just to figure all this out, he says. "There are issues in a health system about patients amending records. If they do that, then the change has to be sent to everyone who received the record previously," he says. "That’s huge in a large bureaucratic organization that is part of a large bureaucratic industry."
Virtually every health care organization will have to hire a lawyer to help with this, says Gilliland, admitting that it sounds self-serving. But considering the time he, as an expert, has spent trying to get a grip on HIPAA, he doesn’t think there’s a way around it.
In addition to the complication of the regulations themselves, Gilliland says there is an additional consideration: "HIPAA provides a national floor of privacy protection. If your state has stronger regulations, based on either legislation or case law, then that will take precedence." And chances are your state will have its own rules. Gilliland says privacy protection is the most popular topic of legislation in state legislatures this year. "It’s not enough to figure out what you need to do for HIPAA," he says. "You have to know all your state’s case law and legislation on this issue, too. This isn’t something where you can sit down over a weekend and comply."
And more is yet to come. The issue of security regulations is still pending and could have a great impact, particularly on the information systems in health care organizations. "For instance, let’s say a physician at the office keeps health information on a computer," Gilliland says. "But he wants to do some work at home, so he puts some information on a floppy and takes it home. It’s a security issue because of the floppy, and it’s a security issue because of who has access to his computer at home. And let’s say he wants to play with the data, so he puts them on his hard drive.
"He can encrypt them, but maybe he surfs the Net a lot at home and has a DSL or cable modem. His computer is always on and open to hackers who can get in and see the data. Now there is a technical issue that has to be addressed."
Gilliland says he already knows of technical companies that are gearing up for this work. Security issues will also surround data sharing. "It can be great for patient care, but you have to ensure the information is safe. The important thing for this is not to wait. If you wait until late next year, you won’t be able to find the help you need."
The final rule and comments are available at the Department of Health and Human Services web site at: aspe.os.dhhs.gov/admnsimp.
[For more information, contact:
• John C. Gilliland, c/o Locke Reynolds Counselors at Law, 1000 Capital Center South, 201 N. Illinois St., Indianapolis, IN 46204. (317) 237-3214.]