The HIPAA Nightmare: A Legal Perspective for the Health-Care Employer
By John Letizia, partner, Letizia, Ambrose & Falls, P.C.

Author’s Note: This article was written months before the Oct. 16, 2002 deadline for filing an electronic compliance plan. The interpretations and opinions contained in these materials are the analysis of the law offices of Letizia, Ambrose & Falls, P.C. These materials are provided for informational purposes only. You are encouraged to consult with the appropriate legal counsel prior to relying on these materials in whole or in part.

More than 4 years ago, Congress passed a piece of legislation that was heralded to have as great an effect on the health-care industry as Medicare. So why is it that so many in the health-care field know very little about this wide-ranging initiative when they will be required to follow its requirements in less than a year? The Health Insurance Portability and Accountability Act (HIPAA) of 1996 creates and imposes privacy, electronic transactions, and security obligations on all health-care providers, health plans, and health-care clearinghouses. One of the key purposes of HIPAA is administrative simplification, intended to reduce paperwork and allow for more efficient administrative operations. But the word simplification has been widely misinterpreted. Rather, HIPAA requires a complete change in the way the health-care industry handles the personal information of its patients. And the clock is ticking for every hospital, provider, practice, plan, and clearinghouse to bring its organization into compliance. Any employer who is reading about HIPAA for the first time should be alarmed. In fact, if your organization has not already designated a person or committee to address the HIPAA regulations, let this be a warning for you to do so immediately.
Bringing your organization into HIPAA compliance will require an entitywide analysis of current practices in three areas: transactions and code sets standards, privacy, and security. This sweeping legislation will require the efforts of all of the health care employer’s employees, business associates, and even its patients to make it work. To make the situation even more complicated, there are dates of compliance that are relevant for each area, and the regulations regarding the security portion of HIPAA have not even been finalized. Although it has been estimated that HIPAA may save the industry $146 million through the administrative simplification provisions, this does not take into account the great costs and resources that will be spent by the industry in becoming compliant with not only the administrative simplification provisions but also the privacy and security regulations. Several studies have indicated that small practices and home health agencies will spend anywhere from $10,000 to $100,000 to become compliant, whereas the costs for hospitals and other large entities may exceed $500,000. HIPAA will require changes to computer software, billing systems, employee job descriptions, policies and procedures, physical settings, overall practices, and more. Have you ever received a phone call from your doctor to remind you of an upcoming appointment? Have you ever seen a patient’s medical chart hanging on the door of an exam room or lying on a counter? Have you ever heard two nurses discussing a patient in a hallway? HIPAA covers all these types of situations and more. In effect, the privacy requirements of HIPAA act as a patient’s bill of rights with regard to personal health information. HIPAA requires dramatic changes in some areas with respect to the handling of this information, from its use and disclosure to its access and even amendments requested by the patient. 
HIPAA allows patients to request or make changes to their medical records, similar to the process used for changing credit reports. Health-care entities covered under HIPAA will be required to revise many of their policies and procedures regarding patients’ personal information. Furthermore, regulated forms will need to be used to ensure compliance. The Department of Health and Human Services has designated April 14, 2003, as the date of compliance for all the privacy requirements. Overall, HIPAA requires that the confidentiality of a patient’s medical information, also known as protected health information, be maintained. In addition, the regulations provide patients with increased rights regarding how they can access, amend, and restrict the use and disclosure of this information, as well as the right to know when this same information has been disclosed to others. Health-care entities will be required to inform their patients, in writing, of their rights regarding protected health information, including how and when the entity may disclose the patient’s information without prior consent and when the patient’s authorization is needed to disclose information. Although many of the patient rights under HIPAA will be uniform across the industry, every health-care entity will need to assess and provide notice of entity-specific ways protected health information may be used and disclosed. Many state and federal laws currently provide some guidance regarding confidentiality of and access to protected health information. HIPAA will complement these laws in many areas and may even provide greater protections than are currently afforded. However, health-care entities will need to familiarize themselves not only with the new HIPAA regulations but also with existing state and federal laws to determine which laws will govern their practices.
Furthermore, HIPAA requires health-care entities to compare HIPAA with state patient-privacy laws to determine which laws provide more protection. If state law provides more protection, it applies; if less, then HIPAA overrides that law. Privacy is only one of three areas covered by HIPAA. The transactions and code sets standards, or administrative simplification, is another area of HIPAA that requires immediate attention, because the date for compliance is October 16, 2002. The good news is that entities can apply for a 1-year extension for compliance. The bad news is that even with the 1-year extension, health-care entities may have trouble being compliant if they do not quickly start taking steps toward compliance. This piece of legislation is designed not only to standardize the forms and code sets used by the health-care industry but also to require electronic billing and communication to expedite transactions and reduce the need for paper copies. To become compliant, health-care entities will need to replace noncompliant computer software, update contracts with vendors and payors to include HIPAA requirements, train employees and other personnel to use the HIPAA-compliant software, and hire or contract with information technology (IT) consultants. If the software vendors you currently use decide not to provide HIPAA-compliant upgrades to your existing programs, you may be faced with investing in brand-new software. Even if the existing programs are updated, there could be significant costs for upgrades. The implications of HIPAA stretch even further. There is also the security aspect of HIPAA, which again has been enacted to ensure the confidentiality of protected health information. The security provisions will affect technology and physical settings. Complex passwords and job-related access restrictions will need to be built into computer networks to protect information.
In addition, file cabinets and workstations may need to be relocated if there is a potential for protected health information to be viewed by others without the proper authorizations. Although the security regulations have yet to be finalized, many of the provisions regarding security will need to be in place by April 14, 2003, as part of privacy compliance. Of course, with any mandated changes, there comes a price for noncompliance and, unfortunately, the price can be costly if health-care entities are not prepared. A health-care entity can be fined $100 for every occurrence or violation of HIPAA and up to $25,000 for each occurrence or violation of the same regulation. This means that if an entity violates three different areas of HIPAA and does so with regard to all its files, it could be fined up to $75,000. In addition, the fines increase greatly for intentional violations and may even include imprisonment. The Department of Health and Human Services has designated the Office of Civil Rights to oversee the enforcement of HIPAA. Although it is not clear how these regulations will be enforced, complaints may be made anonymously by anyone. Finally, health-care employers and even noncovered entities may be required to follow the HIPAA regulations regarding privacy if they have any business relationships with any entity covered under HIPAA. On the flip side, all covered entities will be required to have business associate contracts with all entities that may be given protected health information, including possibly the cleaning staff.

As you can see, HIPAA involves a great deal more than simply respecting the privacy of individuals and making billing easier. To the contrary, it has a wide-reaching effect on every aspect of a health-care entity’s business, from where computers are located in the office to the patient photos hanging in an office waiting room. HIPAA affects many areas not even touched on in this article. As the nightmare begins to develop in your mind, take the time to make a plan as to how your organization is going to tackle HIPAA. There are many resources out there to assist you in this daunting task, but there is no easy way out.
© 2003 Connecticut Business & Industry Association (CBIA). All rights reserved. The articles, forms and other materials available through this Web site are for informational purposes only. They are not intended as legal advice or as a solution to an individual problem. You are encouraged to consult with appropriate legal counsel prior to relying on the materials in whole or in part.