Edition: November 2002 - Vol 10 Number 11
Article#: 1354
Author: Laura Thill

For better or worse, HIPAA policy is pretty well set in stone. This summer, HHS released the final version of the HIPAA medical privacy rule, which closely follows the Bush administration’s proposed changes. And, the deadline for covered entities to apply for a one-year extension to comply with HIPAA rules on electronic transactions was October 15, 2002. At this point, it seems your customers have nothing more to worry about than understanding exactly how HIPAA will affect them, what kind of compliance costs to expect, and how to go about complying.

Fortunately, the process doesn’t have to be as overwhelming as it may initially appear.

How It All Began

Six years ago, when the Health Insurance Portability and Accountability Act of 1996 – dubbed HIPAA – was enacted, physicians and healthcare providers could only begin to imagine how it would affect them. Basically, HIPAA aimed to protect patients by enhancing their access to health insurance, reducing waste and fraud within the system, and protecting patient privacy. The new Act set forth to implement the following for providers:

· An electronic exchange of healthcare information, with transaction standards and code sets.

· Privacy legislation to protect patients.

· Security safeguards to protect patients against the unauthorized use of personal data.

Apart from coming to terms with the new set of requirements, physicians, clinics, hospitals and even larger healthcare entities faced a comprehensive cost of nearly $17.6 billion in compliance expenses over a five-year period. The cost for hospital systems and medical practices with at least 30 physicians was estimated at $3.1 million, according to Eden Prairie, MN-based consultant, HIPAAnswers. However, when fully implemented, HIPAA was expected to save providers as much as $9 billion each year, given the anticipated drop in paperwork, administrative overhead and fraud. Nevertheless, the upfront costs were daunting and health entities were unsure of where to begin.

Meanwhile, the Department of Health and Human Services (HHS) spent the next several years fine tuning HIPAA, taking into consideration proposals from legislators, as well as the Bush administration. Finally, in August 2002, HHS released its final version of the HIPAA medical privacy rule – a close parallel to the Bush administration’s proposed changes released the previous May.

The final privacy rule, which becomes effective April 14, 2003, will ensure the following, according to HHS:

· Patients must give authorization for healthcare entities covered by HIPAA to use or disclose protected information in non-routine ways. This includes sharing information with an employer or making it available for marketing purposes. The rule covers all doctors, health plans and other covered entities interested in using or disclosing patient health information.

· Patients require a written statement of their doctor’s, clinic’s or other covered entity’s privacy practices, including patient privacy rights. The statement should be helpful to patients choosing a health plan, physician or provider. Patients usually would have to sign for a receipt of the privacy notice.

· Pharmacies, health plans or other covered entities must obtain patient authorization before sending them marketing materials. Physicians and other covered entities, however, are permitted to communicate openly with patients about treatment options, disease-management programs and other health-related issues.

· Covered entities cannot use vague marketing language and business associate agreements to circumvent HIPAA’s marketing prohibition.

· Patients generally should be able to access personal medical records and request corrections of any errors. Patients also may request an account of non-routine uses and disclosure of their health information.

Under the final rule, parents’ access to their minor children’s medical records will be governed by the state, according to the California Healthcare Foundation. When the state law is unclear, the final decision will rest with the minor’s physician.

The final rule also enables medical researchers to use only one form to obtain informed consent and authorization to disclose medical records. While physicians may not sell patient names and information to third parties, they can accept payment from drug manufacturers to solicit patients to switch brands of medication, according to a report by the American Medical Association.

Privacy advocates and consumer rights groups are less than thrilled about these rules. But, their biggest bone of contention may be with the provision that frees providers from obtaining patient consent before using or disseminating protected patient information for treatment, payment or healthcare operations. Senator Edward Kennedy (D-Mass.) is considering legislation to overturn the rule. However, because many healthcare organizations and state laws already require consent – if only verbal consent – before disclosing patient information, and because providers will be required to present patients with their information practices policy, some believe this provision will not adversely affect patients.

Mixed Reviews

The healthcare community’s response to the final HIPAA ruling varies, but most of the buzz concerns the elimination of the consent rule. Hospital providers are satisfied, claiming that the original requirement for written patient consent would have been much too costly, according to a report by the California Healthcare Foundation. Nurses, on the other hand, are disappointed to see it omitted, as they are not convinced that providers will always obtain a written patient acknowledgement of the receipt of their doctor’s privacy practices.

Physicians are mixed: The American Medical Association said it has wanted an alternative to the original requirement for written consent, while the American College of Physicians/American Society of Internal Medicine supported it. Consumer advocates believe the final ruling denies patients the right to keep their personal lives private.

Regardless of how everyone feels about the final ruling, they had better start getting ready for the April 2003 mandatory implementation date for the new privacy regulation. The process may be expensive, but not complying could cost even more. Failure to comply with the new regulations could cost doctors and healthcare organizations as much as $25,000 in fines. Some criminal violations may carry a price tag of $250,000 and as many as 10 years in jail.

But, if physicians and other entities covered by HIPAA take it slow, they should manage to stay focused in their compliance efforts. The American Medical Association offers some tips for physicians and health groups working toward compliance:

· Designate an office person who can preside over privacy issues.

· Develop a strategy with legal advice.

· Implement a training program for all employees.

· Know how patient information is channeled in and out of the practice.

· Draft your notice of privacy practice.

· Track which patients have signed privacy documents.

· Have your business associates sign a contract agreeing to comply with the practice’s privacy regulations.

· Review your implementation efforts to ensure your practice is on task.

When training office staff, including all physicians, nurses and volunteers, Cleveland, OH-based consulting firm Expert System Applications, Inc. (ESAI) offers the following steps:

· Introduce the staff to HIPAA and the privacy rule.

· Explain what the privacy officer’s role and responsibilities are.

· Provide an overview of the office’s privacy policies and procedures.

· Explain all privacy forms used by the office, such as consent, authorization, request for restriction on uses and disclosures of protected health information (PHI), request to amend PHI, accounting of disclosures, complaint form, and request to inspect and copy PHI, and to implement access denial.

· Explain who can disclose PHI.

· Discuss job responsibilities as they relate to PHI.

· Explain the minimum necessary standard.

Your customers may have their work cut out for them this year, but the good news is there are many available HIPAA consultant organizations that specialize in helping groups comply. As far as your role goes, be patient with your customers while their nerves are fragile. And, come next April, well, it’s HIPAA HIPAA hooray!