New privacy rules could pose challenges for home care industry

More rigorous standard may affect patient data transmission

It may be easy, in the crush of the prospective payment system, to put off thinking about the new privacy standard announced earlier this year as part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

But it’s a good idea to now pull out the standard to see how your current privacy policies measure up to federal expectations, and to look for areas that may need beefing up in the two years before the enforcement of the new standard begins.

William Dombi, Esq., vice president for law at the Washington, DC-based National Association for Home Care (NAHC), says home health agencies may face special challenges in conforming to the new standard. In part, that’s because of the unique nature of home care, which raises privacy issues — dealing with family caregivers, transmitting electronic data from the field to the home office — not seen in other health care settings.

Making sense of it all

But there’s also the practical reality of coping with an entirely new payment system, while simultaneously trying to make sense of a complex new federal regulation.

"Because of this transition to prospective payment, Medicare home health agencies have been underwater, dealing with cash-flow problems and the like," Dombi says. "They haven’t had the luxury of time to spend looking at HIPAA already. We’ve talked to quite a few home health agencies who are just saying, If I know what the acronym means at this stage, then I’m happy.’"

While agencies always have had policies in place to protect the privacy of their patients, the new standard will require an unprecedented attention to protecting access to confidential information. It also addresses a new area of privacy concerns — the electronic transmission of data among agency personnel and from the agencies to vendors and other entities.

That’s why agencies will need to put their operations under a microscope to look for any possible cracks in the security of patient information, Dombi says. "Anyone who assumes that their system meets the HIPAA standards is making a big mistake."

New rules: Too costly?

The privacy standards were developed by the U.S. Department of Health and Human Services and passed in the final weeks of the Clinton administration. Originally intended to address only the dissemination of medical data electronically (via computer modems, etc.), the standard grew to include all disclosures of medical information to outside sources.

The announced privacy standard prompted criticism from health care providers who said the new rules would be too cumbersome and costly to be workable. In fact, some hoped that with the new Bush administration, the standard would be withdrawn and completely reworked.

But in April, HHS Secretary Tommy G. Thompson announced that the privacy standard would be allowed to go forward, albeit with some modifications.

Thompson says those changes would ensure that health care providers would be able to consult with physicians and other specialists regarding a patient’s care, and that care wouldn’t be unduly hampered by a confusing or overly bureaucratic consent process.

However, Dombi says that still leaves room for the standard to have a significant impact on an agency’s operations.

"Now they’ll have to revisit [their privacy policies] and say, Is this consent the kind of consent that HIPAA requires? Is it done at the right time with the right frequency that HIPAA would require? Are the security measures compliant with HIPAA standards?’

"Flexibility certainly is there in parts of HIPAA, but they still have criteria that have to be met," Dombi says. "What we’re advising is first do a gap analysis. Find out what does HIPAA require and second, find out what do you have in place as it relates to those requirements."

Dombi suggests paying close attention to certain areas of your agency:

Electronic security

Dombi says the standard is intended to be flexible and practical — no system is impervious to hackers, and the government wouldn’t expect an agency’s system to be hack-proof, either.

But it is important that the systems be reasonably secure, something that could be made possible with security software. In addition, Dombi says agencies need to look at their computer policies and procedures.

"Who has access?" he asks. "When do they have access? How do they have access? Is [patient information] something that’s easily accessible to anyone within a home care organization? Because you have to set those standards on access really on the basis of need."

As an example, Dombi points to the computer security within his own office. Many people in his organization know his computer access code since they’ve had to get information for him at times.

"A hacker actually would not have a hard time guessing what my code is," he says. "If I had patient information in here, I’d have to change the entire way that I deal with that."

The task of securing data becomes trickier when it comes to some of the newer technology being used in some agencies. Laptop computers and other point-of-care devices send data back to the agency via wireless transmissions, which are relatively easy to intercept.

"Now do we suspect that there’s going to be some cadre of privacy infiltrators sitting on neighborhood corners waiting to hear about the decubitus ulcer of a particular patient? No, we don’t," he wryly says. "But nonetheless, there will have to be some security measures taken on that."

The most likely fix: Encryption software, which scrambles the signals being transmitted so that anyone intercepting them won’t be able to understand them. Dombi says there are several very effective encryption programs already available to the public.

Measuring up to standards

Business partners

This is the term the standard uses to describe any entity that receives patient information to assist a health care provider in its functioning. Business partners can include consultants, data processing firms, billing firms, and other vendors.

An agency will have to ensure that its vendors have the same airtight privacy practices required of the provider.

Dombi says the vendors themselves will probably take the lead here, walking the agency through the privacy safeguards required, especially if data are to be transmitted over the Internet.

"I know we’ve put an emphasis on this with our technology partners, the various vendors who exhibit and advertise and sell their wares to our membership," he says. "We’ve had a strong relationship with them over the past several months focusing in on this particular issue of HIPAA compliance."

But it will be up to the agency to review contracts with all of its vendors and ensure that they will be compliant with the privacy requirements.

Consent forms

Dombi believes the new HIPAA privacy standard won’t lead to an escalation of paperwork, but could require that current consent forms be updated.

"If you look at the HIPAA standards, they set out specific criteria on what’s an acceptable consent, what’s an appropriate authorization," he says. "Agencies will just have to examine whether they meet them. I’ve looked at a few (forms) so far, and I’d say that they’re either close or already sufficient."

Research

As more agencies increase the use of benchmarking in their quality improvement efforts, it’s important to note the difference between uses of data that require additional patient consent and those that don’t.

The main factor, Dombi says, is removing any details from the database that would identify a specific patient. Without that patient specific identifier, he says, an agency generally doesn’t need extra patient consent for use of his information in a research role.

This can sometimes create problems, because one of the privacy standard’s lists of patient identifiers is geographic data.

He says some providers currently using OASIS data to do benchmarking with other agencies now are going through the process of extracting patient identifiers so they can share information without obtaining special patient consent.

"If they can’t get to that point and still make the information useful, then they’ve prepared an authorization form for signature by the patients who are being admitted so they authorize the use of that data for that purpose," Dombi says.

"In some cases, the patient is going to say no; but I think in most cases, the expectation is that the patient will say yes," he says. "You can resolve a lot of these things with those authorization forms."

The new standard is not expected to interfere with the new ORYX initiative of the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), says Lynette Rimkus, media relations specialist for JCAHO.

"[JCAHO] doesn’t foresee any significant impact with relation to HIPAA because whenever we aggregate data, it’s not identified by the patient," she says.

Special home care concerns

There will be privacy issues raised as a result of providing care directly in the home that don’t come up in other health care settings, Dombi says.

For example, home care nurses are required to leave a care plan in the home. Dombi says the agency will either have to get the patient’s permission to leave the care plan in the open where someone else in the household might see it, or devise some other way to deal with the liability for a possible disclosure of information.

Patient consent and authorization forms will have to address the question of passing patient information along to family caregivers, he says.

"When you look at the standards, you certainly can’t see any recognition of some of these special aspects of home care," he says. "You just have to recognize where the risk areas are.

"I think home health is going to have some very special challenges as it relates to the privacy standard," Dombi says. "While the home health agencies have long recognized a need to protect the privacy and confidentiality of health care information regarding their patients, I think that the new rule for HIPAA will give a special focus on privacy unlike anything they’d seen before."

William Dombi, Esq., Vice President for Law, National Association for Home Care, 228 Seventh St. S.E., Washington, DC 20003. Phone: (202) 547-7424. Web site: www.nahc.org.

Lynnette Rimkus, Media Relations Specialist, Joint Commission on Accreditation of Healthcare Organiza-tions, One Renaissance Blvd., Oakbrook Terrace, IL 60181. Phone: (630) 792-5000. Fax: (630) 792-5005. Web site: www.jcaho.org .

• The Office of Civil Rights will be responsible for enforcing the new privacy standard. For the latest information on changes to the standard or plans for its implementation,

visitwww.hhs.gov/ocr.