October 2002 Bulletin

Ignore HIPAA’s Privacy Rule at your peril Physician involvement is key to successful compliance The rule will not go away

By Steven E. Fisher, MBA

The Health Insurance Portability and Accountability Act (HIPAA) will have a great impact on the operations of most orthopaedic practices. Thus, a significant portion of this issue of the Bulletin is dedicated to a discussion of the Act and one provision of the Privacy Rule.

In this issue, we cover the basics of the Privacy Rule, take a look at its implications for orthopaedic surgeons, discuss implemantation challenges and provide a twelve-step compliance strategy. In addition we provide important information regarding other HIPAA deadlines and a list of Web sites to visit for additional information.

The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. Titles I, III, IV and V of the Act–while they relate generally to the subject of health care and health care insurance–will not have much of an impact on the operation of your medical practice. Title II, however, which deals with what Congress terms "administrative simplification," will require you to implement changes in the way your office runs in virtually every arena.

The Department of Health and Human Services (HHS) is expected to implement nine sets of regulations relating to administrative simplification over the next few years. This article contains contains an overview regarding the final Privacy Rule. It reflects the amendments that were published in the Federal Register on August 14, 2002. Other rules for which final regulations have been issued include Transactions and Code Sets (TCS) and the Unique Employer Identifier. Proposed rules have been published for Security, the Unique Provider Identifier and Electronic Signatures. For more information regarding all of these regulations, consult the Other HIPAA deadlines and Additional resources articles.

The Privacy Rule creates national standards to protect your patients’ medical records and other personal health information. In addition, it gives them more control over their health data and limits the way that you, as a provider, may use the information and release it to third parties. Finally, it sets up guidelines that you must follow to protect the privacy of your patients’ "protected health information" (PHI) and holds you accountable for violations.

HIPAA applies to: (a) health plans, (b) health care clearinghouses and (c) health care providers who transmit certain kinds of health care information electronically. The covered transactions, which were specified in the final TCS Rules, include insurance claim and encounter data, payment and remittance notification, coordination of benefits information, referral certifications and treatment authorizations. For more information, see No. 5 in the "Additional Resources" sidebar (an American Health Information Management Association article that is entitled "Understanding HIPAA Transactions and Code Sets"). Keep in mind that you are a covered entity if you transmit the information electronically even if you do so now in a non-standardized format. Under the regulations, if you only send data by mail in hardcopy form, or transmit it by fax, you’re not a covered entity.

In principle, therefore, if you do not transmit the health care information specified in the TCS Rules to third parties electronically, you are not a covered entity and do not need to comply with HIPAA and the Privacy Rule. The Administrative Simplification Compliance Act (ASCA), however, prohibits HHS from paying Medicare claims that are not submitted electronically after October 16, 2003–unless your practice is very small and the Secretary grants you a waiver. Private payers are expected to follow suit for all practices regardless of their size.

Therefore, unless you’re prepared to stop participating in most–if not all–third-party insurance plans and you intend to require your patients to submit their own claims–the strong likelihood is that, even if you are not a covered entity now, you will become one in the not-too-distant future.

Furthermore, even in those instances in which you can avoid becoming a covered entity under HIPAA, you’ll have to assess whether pursuing this course of action is in your long-term best interests. On the one hand, not being a covered entity eliminates the need for you to make changes in your practice operations. On the other hand, transmitting and receiving information electronically could, in the long term, reduce your overhead and improve your collections.

Also, recognize that operating as a non-covered entity could have an adverse effect on your relations with patients given that, as was stated above, Congress’s purpose in passing the Privacy Rule in the first place was to create national standards to protect their medical records. Whatever your motivations might be in remaining a non-covered entity, patients may feel that you are not acting in their best interests. Trying to convince them that you are could prove to be a challenging and time-consuming task for you and your staff.

The Privacy regulations occupy hundreds of pages in the Federal Register. Describing your obligations under the Rule in detail is beyond the scope of this article. Following, however, is a very brief summary of your responsibilities. For more information, see "Additional Resources."

Notice, consent and authorization: The Privacy Rule requires that you provide your patients with notice of their privacy rights and of your privacy practices. You must make a good-faith effort to obtain written acknowledgement that they have received this information. You no longer need to obtain a signed Consent Form to use or disclose PHI before engaging in "treatment, payment or health care operations" (TPO); however, before using or disclosing PHI for purposes other than TPO, you must obtain a signed Authorization Form.

Research and marketing authorizations: In general, the Privacy Rule requires that you obtain a signed Authorization Form from your patients when you wish to use or disclose PHI in connection with research and marketing. You are now permitted, however, to use a combined form for informed consent (for treatment) and the authorization too. The Rule also lays out limited conditions under which a signed Authorization Form is not required. The final Rule makes it very clear that you are prohibited from selling your patients’ PHI to a third party for the marketing activities of that third party without the patients’ authorization.

"The minimum necessary" standard, incidental use and disclosure: You may disclose PHI only to what the Act calls "the minimum necessary to accomplish the intended purpose." Your office must implement policies and procedures that limit what PHI is disclosed and with whom it is shared. "Incidental" uses and disclosures of PHI are not deemed a violation of the Rule if you’ve met reasonable safeguards and the "minimum necessary" standard.

Business associates: A "Business Associate" (BA) is person or organization that provides services to you or your group involving the use or disclosure of PHI. Examples of Business Associates may include billing and (depending on the way the information is transmitted) transcription services. In the future, your agreements with your BAs will need to be in writing. The final Rule provides a sample BA agreement; if you base your BA contracts on the sample one, you can be sure you’re complying with the regulations.

If you’re a covered entity, you must be in compliance with the Privacy Rule by April 14, 2003.

You may be fined up to $100 for every violation (with a cap of $25,000 per year) by the Office of Civil Rights (OCR) for each provision of the regulations that you breach unintentionally. The Department of Justice (DOJ) may impose criminal penalties including prison time if you or anyone in your group knowingly violates the Rule. Patients may file civil lawsuits if they feel their privacy rights under HIPAA have been violated.

There’s no question that implementing the Privacy Rule will involve an expenditure of time and effort on virtually everyone in your practice. Compliance also will require you to pay out a certain amount of money up-front and on an ongoing basis. As is stated in the companion Privacy Rule overview article, there may be a quid pro quo in terms of savings to be garnered by adopting the Transactions and Code Sets standards.

Nonetheless, many health care professionals continue to express hope that the Privacy Rule will be repealed or that it will not be enforced. A few physicians have been known to become angry at messengers who–in all good faith–are providing advice and council about how to become compliant with the Rule.

In fact, the Privacy Rule is unlikely to be repealed and it is very likely to be enforced, for two compelling reasons:

• In the first place, the Privacy Rule is just one of nine sets of regulations relating to administrative simplification that HHS plans to implement in the next few years. These standards were designed from the outset to work in tandem. HHS can’t and won’t repeal the Privacy Rule because this would make it difficult if not impossible to implement all the other ones. The benefits associated with the other Rules are too valuable to forgo.
• Second, the information that is being standardized as a result of the administrative simplification provisions of HIPAA is a small but important subset of the data that is already being transmitted electronically between health care-related organizations on a daily basis. Electronic data interchange (EDI) and what is being called "e-commerce" are becoming central to the way business is conducted in the health care industry. Standards are needed in this arena, just as they were needed in the banking industry years ago. Unfortunately, with increasing standardization comes an increased risk that data will be misused.

The bottom line is that while the Privacy Rule may be onerous to implement, it will not go away. Too many people, both inside and outside the government, have a stake in health care EDI and e-commerce and the Privacy Rule is critical to moving forward in both these arenas. It is therefore likely to be in your best interests to comply with the Rule.

It is also to your advantage to determine how you can benefit from the HIPAA standards in general. Developing a plan in this regard will permit you to avail yourself of e-commerce opportunities as they present themselves. An excellent discussion of the issues, costs and benefits relating to HIPAA can be found in HIPAA Compliance for CMA Members, a guidebook published by the California Medical Association, Center for Legal Affairs © 2001-2002. CMA’s phone number is (415) 541-0900.

The Privacy Rule is confusing in many respects and even the final regulations leave numerous questions unanswered. The greatest challenge for you and your staff will be to sort through the regulations and obtain answers to your questions. See Step No. 2 in the companion article entitled "A 12-Step Compliance Strategy" for more information about how to accomplish this task. Other challenges include the following:

• Creating a compliance plan that is tailored to your practice location and environment. HIPAA does not automatically replace existing state privacy laws. This means the kinds of things that need to be done by practices in one state to comply with the Privacy Rule will not be exactly the same as those that need to be done by practices in other states. Also, beginning in January 2003, state legislatures are expected to start passing health privacy rules that go beyond HIPAA; when state privacy standards are more stringent than HIPAA, the former take precedence.

Finally, even within a given state there are major differences between orthopaedic practices, including number of physicians, level of subspecialization, private practice versus academic orientation, number of offices, level of interest in research, billing arrangements, ancillary service offerings and so forth.

As a result, there is simply no such thing as a one-size-fits-all-practices "how-to" compliance plan for the Privacy Rule. You will need to consult with your state orthopaedic society, your state medical society and your own legal counsel to be sure the plan you develop dovetails with your state’s laws and your specific working environment.

• Developing a plan that dovetails with the other HIPAA Administrative Simplifications Rules. As was stated in the companion overview article, HHS is expected to implement nine sets of regulations relating to Administrative Simplification over the next few years. See No. 4 in the Additional Resources sidebar.

Compliance dates already exist for Transactions and Code Sets and the Unique Employer Identifier; see the "Other HIPAA Deadlines" sidebar on page 27. While final Rules have not been issued in other arenas, including Security and the Unique Provider Identifier, they could be published at any time, and compliance dates established. When developing and implementing your compliance plan for the Privacy Rule, you therefore need to be mindful of all of these other Rules.

• Ensuring compliance on the part of all practice principals. If even one of your partners does not comply with HIPAA, the entire practice is at risk of incurring OCR fines and DOJ penalties. All principals must therefore do more than just give lip service to the Privacy Rule. Each needs to make a firm commitment to conform to both the letter and the spirit of the law. Early on, you and your partners should discuss and decide what sanctions will be applied to any individuals who disobey the law.
• Educating staff. The key to successful implementation of the Privacy Rule is employee education and training, but the person who functions as your compliance officer may not necessarily be a skilled teacher. If this is the case, you need to recognize the fact and take action to ensure that needed education and training occur.

Options include courses and assistance provided by a practice management consulting firm. Retraining will need to be undertaken at regular intervals given staff turnover, transfers, promotions and so forth.

Complying with the Privacy Rule won’t be easy or hassle-free–but it can be done if you move forward methodically and break the compliance process down into manageable pieces. For example, here’s a 12-step strategy:

1. Meet with your partners to discuss HIPAA and the Privacy Rule. Obtain a commitment from everyone that each will comply with it. Create an implementation team consisting of at least one doctor, your practice manager or administrator and other key people including supervisors, medical records staff and information systems personnel. The team–including the doctor–should meet at least monthly, and ideally every other week until April 2003.
2. Encourage team members to get (and stay) up to speed regarding HIPAA and the Privacy Rule. The "Additional Resources" sidebar contains references to several Internet sites. People should also take time to read the regulations in their entirety. Finally, team members should all subscribe to one or more of the many HIPAA-related "listservs" and consult the AAOS Practice Management Center on a regular basis (specifically, the News Dispatch and the Compliance sections). The team should periodically update physicians in the practice (orally and in writing) regarding HIPAA-related developments.
3. Charge your implementation team with determining whether a full-time privacy officer is needed or if Privacy Rule-related duties can be added to those of an existing employee. Factors the team should consider in this regard include your practice’s size, number of locations, current staffing levels, employees’ training and expertise and so forth. If a full-time officer is needed, a new position description will need to be developed. See the AHIMA privacy officer position description in the "Additional Resources" sidebar. If not, an existing position description will need to be modified. If the decision is made that someone new will need to be hired, start recruiting that person immediately.
4. Have the team develop a compliance budget and a project plan that contains tasks, responsibilities and completion dates. The budget should be presented to and approved by all practice principals. Keep in mind, this will not only have to be done for 2003–but in all future years as well. Physicians should also approve the project plan and make a public commitment to fulfilling their part in the plan.
5. Ask the privacy officer to start educating practice employees about the Privacy Rule. Have your administrator develop sanctions for non-compliance on the part of staff. When sanctions are established, include them in your office’s Employee Manual.
6. Schedule a meeting with your practice’s attorney to learn about existing and pending state laws that will not be replaced by HIPAA. Your administrator and privacy officer should both attend this meeting. Information about state laws will be critical in developing a compliance plan that is tailored to your needs.
7. Conduct a study to look at how PHI flows into, out of and within your office. As part of this study, your privacy officer should speak personally with every staff person in the practice and every physician, too. It’s important to find out who has access to what information and what they do with it. Wherever possible, create flow charts, showing where PHI is permanently stored (and maintained on a temporary basis) and how it moves from one location to another.
8. Undertake what is frequently being called by HIPAA experts "a gap analysis;" that is, determine which aspects of your practice’s current operation are counter to the Privacy Rule regulations that will become effective on April 14, 2003. Note: it’s a good idea to include as an appendix to the gap analysis an enumeration of the aspects of your practice’s current operation that are consistent with the Privacy Rule. This serves two purposes. First, you’ll be sure you haven’t left anything out; second, it will permit you to review how you do things in the future and verify that you’re still compliant. (continued on p. 30)
9. Draft your Notice of Privacy Practices and your Privacy Policies and Procedures. Both of these documents should be developed with care and reviewed by your attorney or someone who thoroughly understands both the federal and your state’s laws. The former document must be posted in your office(s) and on your Web site (if you have one) by April 14, 2003. Starting on that date, your patients must sign a form acknowledging that they have read and understood your Privacy Practices. Your Privacy Policies and Procedures will be very comprehensive, perhaps running to 50 or more pages. These need to dovetail with other operational policies and procedures that you have in place in your practice. An excellent source of information regarding policies and procedures you need to implement is the AMA’s Field Guide to HIPAA Implementation, which can be ordered from the Association’s Unified Service Center (800) 621-8335.
10. Train your staff regarding the specific Privacy Policies and Procedures you’ve developed. Be sure they understand what they need to do and not do on a daily basis. Training may occur in a variety of ways depending on the size of your practice, the number of staff, the number of offices and so forth. Although having staff view a video and read books will be of some value, the best approach is to conduct a class with a qualified leader. This will permit staff to ask questions and learn as a group. Remember, as stated in the Implementation Challenges companion article, you’ll have to schedule refresher classes on a regular basis.
11. Instruct your administrator to review the arrangements your practice has with outside organizations to determine if any of these organizations fit HIPAA’s definition of a business associate. If written contracts do not exist with any of your business associates, start drawing them up so they can be signed prior to April 14, 2003. Revise your existing written contracts with your business associates as soon as possible, but in no event later than April 14, 2004.
12. Integrate your plan to comply with the Privacy Rule with your plans to comply with the other HIPAA regulations, including Transactions and Code Sets (TCS), the Unique Employer Identifier and Security. Bear in mind that, even though you don’t technically have to be in compliance with the TCS Rules until October 16, 2003 (as long as you’ve submitted a Compliance Plan by October 16, 2002), you must begin testing by April 16, 2003.

Finally, and this is not a "step" per se but rather an ongoing process: be sure that everything you do regarding the Privacy Rule (indeed, HIPAA in general) is documented and maintained in a way that it can easily be retrieved. It does you no good to go through all the work to comply with the Rule if you cannot show that you’ve done so. Documentation will also help protect you against any civil claims filed by or on behalf of your patients stating you were a covered entity but did not comply with the Privacy Rule.