Health care transactions required under HIPAA

In the wake of the devastating events of this September, all things save family, friends and country seem trivial and the hardships we faced before are not so troublesome as they were. As we work through the weeks since, it is difficult to focus with our old intensity on the business of each day. Debate on the home front has turned to the balance between civil liberties and civil protection, and the words privacy and security have acquired new depth of meaning. Before Sept. 11, the health care community had begun to re-examine these concepts in preparation for new federal regulations that will be enforced in the coming years. In August of 1996, the Health Insurance Portability and Accountability Act was signed into law. Its most immediate objective was to protect American workers and their families from losing health coverage because of pre-existing conditions when changing employment. This “portability” section of the law went into effect in 1997, and since then, the health community has been waiting for the other shoe to drop. That shoe is the “accountability” portion of HIPAA, which is contained in a section called Administrative Simplification, but implementation of the measures under these rules will be anything but simple.

The regulations are divided into three sections: standards for electronic transactions, standards to protect the privacy of patient health information and security standards to ensure the confidentiality of that information. All together, these regulations will require major changes in the way protected health information (PHI) is handled at all levels of care management. At this summer’s TAFP Annual Session and Scientific Assembly in Houston, physicians considered ramifications of HIPAA in committee and commission meetings as well as in casual conversation. Many voiced concerns about the probability of increased administrative hassles and the uncertainty of what the final regulations might call for. One doctor even predicted many physicians would throw up their hands in disgust and cease to practice. Like it or not, HIPAA regulations are just around the corner. The final rules for transactions and privacy have been published and the final security regulations are expected by early next year. Compliance deadlines for the transaction and privacy standards are set and the first is only a year away. Hopefully this article will explain the major requirements for physicians mandated by HIPAA and point to helpful resources so our members can begin to take the first steps toward compliance.

First things first—HIPAA applies to health plans, health care clearinghouses, physicians and other providers who transmit health data electronically. Even physicians who deal only in paper but have relationships with health plans, billing services, hospitals or clearinghouses will be covered because those entities transmit standard electronic transactions on the physicians’ behalf. In today’s health care environment, it would be almost impossible to conceive of a practicing physician who could operate beyond HIPAA’s reach. The law is intended to regulate individually identifiable health information, which it calls PHI. This is defined as part of a health record containing a name, Social Security number or certain other demographic data that could be used to identify an individual. HIPAA details how records may be de-identified by removing certain pieces of information. According to HIPAA, covered entities must obtain patient consent to use or disclose PHI for purposes of treatment, payment and health care operations, or what the law calls TPO. All other uses or disclosures require the patient’s explicit authorization. (The difference between consent and authorization will be discussed in the section on the Privacy Rule.) The law contains some exceptions to this, like disclosures to public health officials. The term “health care operations” is broadly defined and includes such procedures as quality and performance assessments of plans and providers, licensing and accreditation, training future health professionals and renewing insurance, among other tasks. State laws that are considered more stringent with regard to PHI treatment will not be pre-empted by HIPAA. This is because the federal law is intended to create a national floor for the protection of individually identifiable health information. For example, certain exceptions to the HIPAA Privacy Rule allow PHI to be used for some restricted marketing purposes, but the recently passed Texas medical privacy law by Sen. Jane Nelson (R-Flower Mound), Senate Bill 11, denies these exceptions. Since it is considered more stringent than the federal law, SB 11 will not be pre-empted. The Office for Civil Rights (OCR) has been charged with the enforcement of HIPAA regulations. OCR will publish guidance documents and other notices on its Web site, www.hhs.gov/ocr/. Criminal and civil penalties for violations vary widely, from a $100 fine per infraction to a $250,000 fine and as many as 10 years in jail for knowingly misusing PHI to inflict harm or for personal gain.

Standards for electronic transactions

Of all the HIPAA regulations, uniform standards and code sets for carrying out administrative and financial health care transactions online may prove to be the most helpful for doctors in their daily practice. There are currently about 400 different platforms for electronically transmitting health care claims. With the national standards described in the final rule, physicians will be able to send the same electronic claim to any health plan in the country. Health plan enrollment and eligibility, health care payment and remittance, referrals and coordination of benefits are all transactions included in the rule. The Department of Health and Human Services estimates these measures could save the health care community $20.2 billion over the first 10 years of implementation. The cost associated with these standards will vary greatly depending on how physicians handle these transactions currently. Many physicians will only need to contact their software vendors to make sure they will be ready to transmit data under the new guidelines. According to a recent article in Family Practice Management, most software vendors already use the standard formats. Physicians who don’t want to worry about complying directly with this rule may contract with health care clearinghouses to handle their transactions. The rule doesn’t require physicians to buy computers, but the expected savings and the prospect of reducing paperwork may be the carrot that brings many clinics into the digital age. According to HIPAA, a 60-day comment period begins once a final rule is published. At the conclusion of that period, the rule goes into effect. The industry will then have two years to comply. The transaction standards went into effect in October 2000, meaning physicians transmitting electronically must comply by October 2002. Covered entities can begin using the chosen standards, called ASC X12N, before that date. These standards were developed by a group of private sector standards development organizations accredited by the American National Standards Institute and designated for the task by HHS. You can get implementation guides from the Washington Publishing Company at www.wpc-edi.com/hipaa/.

Standards for privacy of individually identifiable health information

HIPAA gave Congress a deadline of Aug. 21, 1999 to pass comprehensive legislation governing the privacy of health information. Congress failed to meet that deadline, so the law directed HHS to promulgate rules for such protections. The department reviewed more than 52,000 comments it received from the public after publishing proposed rules and in December 2000, it released the final rule—all 400 pages of it. After a slight delay, the rule went into effect on April 14, 2001, making the compliance date April 14, 2003. According to HHS, the Privacy Rule:
Physicians will be required to establish privacy policies and administrative safeguards for the protection of patient-identifiable information. They must also maintain a log of all non-routine disclosures of that information, or disclosures having nothing to do with treatment, payment or health care operations. Physician offices will need to assign a designated privacy officer. In small offices, this may be a person who has other duties, like an office manager. Large physician group practices may need to assign the task to a full-time employee who has the support of a staff or committee. The American Health Information Management Association has among its many HIPAA resources a model job description for the position of chief privacy officer at www.ahima.org/infocenter.html. Any individually identifiable health information is considered protected under the Privacy Rule, whether communicated electronically, on paper or orally. This means doctors must be aware of how loudly they are speaking when talking to patients in public areas or when giving lab results over the phone. The application of HIPAA privacy restrictions to oral and written communication is certainly a controversial topic, but a lot of misinformation is being batted about. Initially, some interpreted this regulation as requiring clinics to install soundproof rooms for patient consultation, and a recent family physician publication stated that calling a patient’s name in a clinic waiting room would be a violation. The Office for Civil Rights published its initial guidance on the Privacy Rule this past July, and it dispels these and many other myths about the regulations. It states specifically that calling a patient’s name in the waiting room is not a violation and that there will be no need to retrofit clinics with special privacy rooms. Over and over the guidance states that covered entities should have in place “reasonable safeguards” against unintentional disclosures of PHI, but this does not mean they must guarantee that it won’t happen. Physicians should speak quietly to patients and families in waiting rooms, they should avoid using patient names in public hallways and elevators and they should include these and other reasonable safeguards in staff training policies. Below are some other ways the Privacy Rule will affect physicians’ practices.

Patient access

Patients have always had a right to see their medical records maintained by physicians, but now they will also be able to access their records held by health plans and hospitals. They will be free to obtain copies and they may also request amendments to their records, although physicians may deny this in some cases. Also, a history of non-routine disclosures must be made available to patients. Providers will have to give patients a clear written explanation of their PHI use and disclosure policies. Patients may request restrictions on the disclosure of PHI, and they will have the right to file a formal complaint with the provider and with HHS about violations of the Privacy Rule.

Patient consent

According to HIPAA, physicians must obtain written consent from patients before using or disclosing patient health information for TPO, except in the case of emergencies or substantial communication barriers. The consent document may be brief and general, and physicians only have to get it once for each patient. Many doctors already obtain consent to release information for billing, and the guidance states that consents obtained for one of the covered activities can be considered good for all covered activities. It is important to understand that a consent document is different from a release for treatment. The consent form should make patients aware that information may be used for TPO, and it should state the patients’ right to review the clinic privacy policy and to request restrictions on disclosures. It must also state the patients’ right to revoke consent, as long as it is done in writing. A physician may refuse to treat a patient who chooses not to give consent. As it is written, the Privacy Rule would require pharmacists to get consent before filling prescriptions for a new customer, disallowing the current practice of phoning in prescriptions for patients new to a particular pharmacy. Also, a doctor accepting a referral would need consent before scheduling an initial appointment. Secretary of HHS Tommy Thompson has said he recognizes that these implications of the law would be burdensome and he intends to propose appropriate changes to fix these and other problems that arise before the compliance date. Covered entities are prohibited from using or disclosing PHI for any purposes unrelated to health care without patient authorization. The Privacy Rule sets standards for non-routine disclosures, like those for insurance or employment purposes, and describes the necessary components for authorization. While consent is a general form for all TPO, an authorization must be specific to the disclosure. HHS should be releasing recommendations for consent and authorization forms in the next three to six months.

Minimum necessary requirement

In general, physicians will have to limit the use and disclosure of PHI for payment and health care operations to the minimum amount necessary to accomplish the intended purpose. According to the guidance, “the minimum necessary standard is intended to make covered entities evaluate their practices and enhance protections as needed to prevent unnecessary or inappropriate access to PHI.” The minimum necessary standard does not apply to disclosures or requests by a provider for treatment purposes, meaning physician-to-physician consultation and whatever else can be justified as a treatment purpose is not affected by this part of the regulation. The minimum necessary standard is also not applicable to uses or disclosures required for compliance with standardized transactions required by HIPAA. “Many folks will tell you that this is going to be the most expensive part,” says Elizabeth Rogers, a health law attorney and partner in the Health Industry Group with Vinson & Elkins in Austin, Texas. “[The Privacy Rule] doesn’t define what is the minimum amount and the preamble to the rule says this is a scalable requirement, meaning that if you have a sophisticated computer system that is able to limit access to particular individuals, to particular information, set up by fields, then the standard for you is going to be much more than a physician office that deals in large part with paper records.” Physicians will have to evaluate staff organization and their methods of record keeping to determine what persons or classes of persons need access to what level of information and the conditions appropriate for such access. This should be detailed in the privacy policy. A case-by-case review is not necessary for routine uses and disclosures, but non-routine disclosures and uses must be individually assessed. Also, the office privacy policy should state and justify under what circumstances the entire medical record would be used or disclosed. HHS plans to release more information clarifying the minimum necessary requirement in the coming months.

Business associates

HIPAA only applies to the defined covered entities, but PHI is used by a host of other businesses that contract with covered entities to carry out health-related tasks, like billing. The Privacy Rule obligates covered entities to obtain, usually by contract, “satisfactory assurances that the business associates will use the information only for the purposes for which they were engaged by the covered entity.” Physicians won’t be expected to police their business associates to see what measures they take to abide by the contract. According to the guidance, violations of contracts do not necessarily constitute a violation of the Privacy Rule by the covered entity. The guidance says that if a covered entity becomes aware of a pattern of behavior constituting a breach of the contractual obligations, “the covered entity must take reasonable steps to cure the breach or to end the violation. Reasonable steps will vary with the circumstances and nature of the business relationship.” If that action doesn’t stop the behavior, the covered entity has to end the relationship, and if that’s not possible, the covered entity must report the problem to HHS.

Security and electronic signature standards

Proposed security regulations are currently posted for review at the HHS Administrative Simplification Web site. The final rule is expected to be published either late this year or early next year, and the compliance date will be two years after the final rule goes into effect. Compliance with this rule will require physicians to take certain technical measures to safeguard electronically maintained and transmitted health information, like using firewalls, passwords, virus protection programs and digital signatures. Physical safeguards like locking the office and securing rooms where computer servers and fax machines are kept will also be a part of the security plan. Also, physicians will have to put in place contingency plans for the recovery of medical records in the case of a disaster. Some offices could achieve this by simply assigning an employee the task of backing up the records on disks or tapes and taking them home each night. Another measure could involve using sprinkler systems to protect records from fire.

First steps

As broad and sweeping as the regulations are, they won’t require that you do the impossible. Language in the rules frequently describes their scalability and flexibility. For physicians in all practice environments, compliance will be a step-by-step process, and the first step is becoming familiar with the rules as they are. Appoint a privacy officer or a committee to begin research. HHS, OCR and AHIMA are good places to start. Experts are advising doctors to think of PHI as a valued asset that needs safekeeping. Take a look at your office and examine your use of PHI. How does it come in? In what places and formats is it stored, and who has access to it? How could it be compromised? By answering these questions and comparing the answers to what you learn about the regulations, you can perform a gap analysis to see just how far from compliance you are. Contact your software vendors to make sure they are on schedule to comply with the transaction standards by next October’s deadline. Get in touch with your business associates to determine what contractual agreements need to be made to comply with the Privacy Rule. Begin writing a privacy policy that lists patient privacy rights and how their information can be used. Detail in the policy what steps you are taking to secure PHI, including disaster recovery plans and selective placement of X-ray light boards and fax machines away from areas where passers-by may easily view them. Define a hierarchy of access among the staff and describe in the policy who needs what information, and what measures you will take to implement restrictions, like using passwords. Decide under what circumstances an entire medical record would be used or disclosed and list those in the policy. You will also have to include a system for sanctioning employees who violate the privacy policy, and you need to establish a grievance procedure for patients who believe their information has been used improperly. One thing you certainly don’t want to do is to go out and buy the latest, greatest HIPAA-compliance-guaranteed computer system. Even though two of the rules are final and the third will be so soon, changes to HIPAA can still be made. No one can guarantee HIPAA compliance yet, but that doesn’t mean you should stand pat. Now is the time to take the first steps.

Academy action

The American Academy of Family Physicians is working on several fronts to make compliance easier. “We have committed ourselves to continuing advocacy work in Washington [D.C.] to identify and have changed regulations or statutes that might create difficult problems for family physicians,” says AAFP Director of Socio-economics, John Swanson, adding the academy is most concerned with the Privacy Rule. Through the academy’s news communications media, physicians can get the latest updates from the advocacy front. AAFP has published a series of very helpful articles detailing steps family doctors can take to prepare for the regulations in the academy’s member education magazine, Family Practice Management. More of these articles are planned for the near future, and they can all be accessed from the academy’s Web site. According to Swanson, AAFP is also working with compliance firms to write a compliance manual for office-based health care providers that should be available in the coming year. TAFP is also working to prepare members for the coming regulations. At this year’s Annual Session, the academy’s Commission on Health Care Services and Managed Care discussed the need to assist members in becoming familiar with HIPAA regulations. The commission recommended “that TAFP explore methods to disseminate information regarding HIPAA to physician members through PrimeCME and other avenues.” This action item was referred to the Commission on Continuing Medical Education for further development and the ball is already rolling. The academy is now coordinating speakers, material and sponsorship for HIPAA educational activities. “This is today’s hot topic,” says Jo Ann Kindinger, TAFP Director of Education. She anticipates members will hear much more about these activities in the coming year. Achieving compliance with HIPAA regulations will no doubt be a daunting task and require much concentration and effort, but the end result will be good for medicine and for the country. Americans believe they should be able to control access to their private health information and these regulations will instill a measure of trust in the health care system. At this time of national tragedy when Americans are being asked to move forward and press on, physicians need to carry that charge by examining privacy and security with renewed spirit and taking the first steps toward HIPAA compliance.

1. Standards for Privacy of Individually Identifiable Health Information. Office for Civil Rights, initial guidance for privacy rule, July 6, 2001.

(Standards for the first report of injury and claims attachments will be adopted at a later date)