Sweeping HIPAA regulations call for big changes in your office

Take steps now to make sure all bases are covered

Do you routinely leave patient files on your desk? Do you sometimes discuss patients with your colleagues on the telephone within earshot of anyone passing by your office? Is your fax machine out in the open, where anyone can see what is being faxed in? Do you discuss the medical condition of patients with their family members or other primary caregivers?

Any of these everyday scenarios could get you in hot water with the government when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations go into effect. (For information on how HIPAA came about and where it is headed, see "HIPAA tied to universal health insurance initiative," in this issue.)

Basically, to comply with HIPAA, virtually everyone in the health care industry will have to overhaul their methods of handling and transmitting medical records. HIPAA regulations cover health plans, health care clearinghouses, and health care providers who conduct financial and administrative transactions electronically. Don’t think that because you’re a case manager working for a larger entity you should ignore HIPAA and its implications for the way you conduct business.

"HIPAA is a sleeping giant for most clinicians, including case managers," says David Kibbe, MD, MBA, chief executive officer of Canopy Systems in Chapel Hill, NC. "Case managers don’t necessarily have to become experts, but they should be informed."

Case managers should familiarize themselves with HIPAA regulations, take steps to ensure they will be in compliance, and make sure they are represented on their employers’ compliance committees, experts advise. Payer organizations, providers, and hospitals — anyone who handles patient-specific health care information — will have to come up with policies and procedures for complying with HIPAA regulations. If you work for a large organization, you probably are assuming that other people will take care of a lot of the details of HIPAA compliance.

But case managers should get involved in their organization’s HIPAA compliance activities to make sure their voice is heard, Kibbe asserts. Kibbe suggests that case managers volunteer to sit on HIPAA compliance teams that will set up policies, procedures, training, and information system modification.

It might be easy to think that your security officer or information technology staff will take care of all the HIPAA details, but you might find yourself in the position of having to carry your files with you at all times or to make a paper record every time you access the computer to stay in compliance with your organization’s policies. "Case managers should become part of the team," says Kibbe. "Otherwise, they may find that they are subject to onerous regulations set out by someone who doesn’t understand their job."

In addition, case managers should be certain that their employer’s policies allow them the access they need to patient information, adds Janice Cunningham, an attorney with The Health Care Group, a Plymouth Meeting, PA-based health care consulting firm.

Communicating health care information is essential to the case manager’s job. You have access to and frequently share patients’ identifiable health care information, and you should make sure that your organization’s compliance plan isn’t going to be a hardship on you. "Case managers need access to clinical records, to billing and payment records, registration information, demographics — they need to see it all," notes Cunningham.

However, one concept in privacy regulations is that staff will be given access to the "minimum necessary" amount of information needed to do their job. If case managers aren’t given full access to patient information under their employer’s policies and procedures, it could affect their ability to do their job, Cunningham points out.

So far, three sets of HIPAA regulations have been proposed: transaction standards, privacy standards, and security standards. (For details, see "HIPAA standards to date: What you need to know," in this issue.) Final rules have been issued for transaction and privacy standards. Most case managers don’t have to worry much about the transaction standards because their information technology department will be responsible for implementing the changes.

Security/privacy regs are key

However, the security and privacy regulations will have a big effect on case managers’ activities. "Case managers manipulate and handle information in a lot of ways that probably don’t meet HIPAA privacy or security regulations," says Kibbe.

Look at anything you do that involves the security and privacy of a patient’s identifiable health care information. That’s sure to be affected by HIPAA, points out Pat Orchard, CCM, CHE, assistant vice president of Virtua Health in Voorhees, NJ. In addition to looking at electronic and web-based systems, case managers should increase their awareness of how they handle paper documents, Orchard says. "Independent case managers need to be well aware of HIPAA regulations for their own security and the security of their business. But case managers who work for large institutions should be just as aware of the privacy issue. In a large institution, you have access to more information, and this allows you more liability," Orchard says.

Here are some other steps that will help you prepare for HIPAA:

  • Familiarize yourself with HIPAA regulations, particularly those that will affect your practice.
  • Look at all the processes you handle that involve patient confidentiality, privacy, or security of the system.
  • Do a thorough assessment of your current practices for handling patient information.
  • Consider moving from paper records to electronic records.

"It is important for case managers to understand that their organization is under a lot of pressure to comply with HIPAA, and the only way to assure compliance is for case managers to move more of what they do into electronic formats," Kibbe says.

Don’t assume that because you’re not using an electronic system you’re OK. The regulations cover all information, whether written, electronic, or oral.