The trusted source for
healthcare information and
When Dennis Melamed talks to health care professionals about the Health Insurance Portability and Accountability Act (HIPAA) he likens it to talking to his son about cleaning his room.
"HIPAA is something you have to do in order to do something else," he says.
The complexity of HIPAA has confused people and promoted a lot of misconceptions. But while the HIPAA regulations may change the way you do business, there’s no reason to panic, adds Melamed.
He is co-author of The HIPAA Handbook: What your Organization Should Know about HIPAA, commissioned and published by Washington, DC-based American Accreditation HealthCare Commission (URAC), and the editor and publisher of Health Information Privacy Alert, the oldest newsletter dealing with HIPAA.
"In my view, nobody is going to go to jail because of HIPAA. Health care organizations aren’t going to be shut down if they are trying to protect data and there is a lapse. There are no strict liability standards for accidental releases," Melamed says.
HIPAA’s privacy and security regulations are merely a re-negotiation of the confidentiality of health care data that patients share with their physicians, he points out.
"Before computers and HMOs, there was an implicit contract of confidentiality between patient and doctor. But now with our new models, there are scores of people who have a vested interest in patient data," Melamed says.
Under HIPPA, covered entities, which include providers, insurers, and clearing houses must provide reasonable protection of patient confidentiality and privacy, Melamed says.
Consent typically is focused on the provider. The patient has to give consent for treatment, payment, and health care operations. Typically, the provider is the only one who is going to get that.
"A lot of the work that case managers do clearly falls under treatment. The odds are that when a case manager becomes involved, the consent for treatment already has been obtained by the doctor who made the diagnosis," Melamed says.
For instance, if you are a case manager working for an insurer and a patient is referred to you for disease management, that would be covered by consent.
The exception might be a population-based disease management program, he says. However, he added, in most cases, the company, not the case manager, would deal with population based disease management.
Case managers are unlikely to face any kind of criminal penalties under HIPAA unless they’re selling their patient data or otherwise acting in a criminal fashion, Melamed says.
However, as a case manager, you do have the responsibility for authenticating and protecting the data you use. You should focus more attention on the security of your data and more attention to people who are taking care of sensitive data.
Case managers should start looking toward HIPAA by looking at what they do from a data integrity point of view.
Who has access to your data?
What program could affect your data?
When you submit data, how can you be sure it’s accurate data?
"One of the best ways to protect accuracy is to protect that data and who has access to it," he says.
For instance, if you use a laptop computer for your work, don’t take it home and let your kids use it for homework. "If a family has only one computer and the kids use it for homework, it’s not a good idea for a case manager to use it for patient sensitive data," Melamed says.
Since laptops are easily stolen, make sure the data are encrypted, he says.
Make sure people at work don’t use your computer. Make sure the data is secure and that you don’t leave disks out.
"These are the everyday kinds of things that people often don’t pay attention to," he says.
If you are collecting health information on your computer and you have been using it for anything else, you would be wise to get a new computer.
"The biggest threat is not going to lapses in privacy or security per se. It’s going to be a threat to the integrity of the data," he says.
For instance, if you install a computer game, it could possibly corrupt all your data. "It’s not fraud. You’re not likely to be put in jail for it, but the federal authorities are going to start looking at your company’s data policies if something like that happens," he says.
Melamed offers one other tidbit on HIPAA: Right now, there are no restrictions on data sharing by anyone. "People who say HIPAA prevents your from sharing data now are wrong. The privacy rule does not take affect until April 2003 and anybody who tells you they can’t share data under HIPAA is telling you they don’t want to share it," Melamed says.
Under HIPAA the US Department of Health and Human Services has the authority to defer the deadlines, including the April 2003 deadline for the privacy regulations compliance
But don’t wait until the last minute, he advises.
"If you wait until the last minute you may put yourself at risk. HHS will require that providers have made good faith effort to comply, " he adds.
For more information, contact Dennis Melamed at firstname.lastname@example.org. To order the book, contact Order Fulfillment, URAC (202) 216-9010.