April 2000 Bulletin

HIPAA is coming; get busy

Confidentiality of electronic records regs likely to be tough

By Janice G. Cunningham

Protecting patient confidentiality has always been imperative in health care. Increasingly, patients’ medical records are created in, converted to, and stored in digital format, making them vulnerable not only to deliberate attacks by data raiders and hackers, but also to mistakes made by well-meaning practice members.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA), together with the regulations it requires the Department of Health and Human Services (HHS) to implement, is likely to be inconvenient, costly and unavoidable for your orthopaedic practice. And the clock is running.

HHS issued proposed regulations regarding the confidentiality of electronically transmitted medical records on Nov. 3, 1999. The proposed regulations, which call for sweeping safeguards against improper access, distribution and use of "protected" health information, are expected to become final this spring. Your practice will need to have these safeguards in place within two to three years of their publication.

The regulations are open to comment now and the final version should include few changes, although the deadline for health care entities and providers to become compliant may be extended.

Assuming that your orthopaedic practice is a "covered entity" under HIPAA (i.e., you store or transmit health information in an electronic medium), what are the implications of these regulations, as they now stand?

Generally, you will need to obtain patient authorization to disclose protected health information. The authorization must include, among other things, sufficient detail about the scope of information to be used or disclosed, the reason for disclosure and the persons or entities permitted to receive the information.

The HIPAA regulations also recognize certain situations in which protected health information may be used or disclosed without patient authorization. The regulations are very specific as to the scope of information permitted and circumstances under which information may be disclosed without authorization. Primarily these include disclosure:

The regulations also require that patients have access to their medical records at any time. Your practice will be required to give patients the opportunity to amend records for inaccurate or incomplete information. The procedure for doing so must be contained in a written notice to patients, along with your policies regarding disclosure of protected information and circumstances under which information may be used or disclosed without patient authorization.

Your practice will need to develop and document procedures to safeguard protected information. These include having procedures to verify identification of individuals seeking information and those authorizing its release.

You will be required to appoint a "Privacy Official" and establish a standard method for handling internal reports of violations and for sanctions.

Your staff members will be required to undergo specific training in the practice’s policies and procedures to protect against improper use or disclosure of information. They will also need to sign a form verifying that they have received such training and will comply with the policies. Recertification is required at least once every three years.

Documentation of a plan for HIPAA compliance is required. Similar to a fraud and abuse compliance plan, a HIPAA compliance plan should include a clear statement of policies and procedures, as well as an ongoing record of staff education, internal audits, and complaint management, including corrective measures taken.

To be HIPAA compliant, you will need to restrict access to your practice’s computer equipment. Thus, you should not maintain computer terminals in public areas.

In addition to physical security, you will need to set up your information system so that it will allow access to only the "minimum necessary" information required to perform the task at hand. For example, your system should deny your billing clerks access to detailed clinical information, which they should rarely, if ever, need.

You will need to develop levels of internal security and password protection so that not all staff members have access to all information. Limiting access to information helps ensure that no one has altered or added information without authorization. Your system will need to internally track, based on user names, who accesses what part(s) of which record(s) on what date(s).
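The two preceding paragraphs describe three controls that belong together: a role-based access model that grants each user only the "minimum necessary" sections of a record, a denial for roles that do not need a section (the billing clerk kept out of clinical detail), and an audit trail keyed by user name that records which part of which record was accessed on which date. The following example is added here to illustrate those controls; it is not code from the bulletin or from any practice-management product. The role names, record sections, role-to-section mapping and patient data are constructed assumptions, and a practice would derive its own mapping from its job descriptions.

```python
"""Minimum-necessary access with an audit trail (illustrative, constructed data)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Sections of a patient record; access is decided per section, not per record.
SECTIONS = ("demographics", "scheduling", "billing", "clinical")

# Assumed role-to-section mapping: each role sees only what its job requires.
ROLE_PERMISSIONS = {
    "front_desk":    {"demographics", "scheduling"},
    "billing_clerk": {"demographics", "billing"},
    "physician":     set(SECTIONS),
}


@dataclass
class AuditEntry:
    timestamp: str           # UTC ISO-8601: "on what date(s)"
    user: str                # "based on user names"
    role: Optional[str]      # None if the user name is unknown
    record_id: str           # "which record(s)"
    section: str             # "what part(s)"
    allowed: bool            # denied attempts are recorded as well


@dataclass
class RecordStore:
    users: dict[str, str]                   # username -> role
    records: dict[str, dict[str, str]]      # record_id -> {section: content}
    audit_log: list[AuditEntry] = field(default_factory=list)

    def access_allowed(self, user: str, section: str) -> bool:
        """Pure policy check: does this user's role need this section?"""
        role = self.users.get(user)
        return section in ROLE_PERMISSIONS.get(role, set())

    def read(self, user: str, record_id: str, section: str) -> str:
        """Enforce the policy and write an audit entry whether or not access succeeds."""
        role = self.users.get(user)
        allowed = self.access_allowed(user, section)
        self.audit_log.append(AuditEntry(
            datetime.now(timezone.utc).isoformat(), user, role, record_id, section, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {section} of {record_id}")
        return self.records[record_id][section]

    def who_accessed(self, record_id: str) -> list[tuple[str, str, bool]]:
        """Audit query: (user, section, allowed) for every attempt on one record."""
        return [(e.user, e.section, e.allowed) for e in self.audit_log if e.record_id == record_id]


def build_sample_store() -> RecordStore:
    """Constructed sample users and one fictitious record; not real patient data."""
    return RecordStore(
        users={"bclerk": "billing_clerk", "drlee": "physician", "nobody": "intern"},
        records={"P-001": {
            "demographics": "Pat Example, DOB 1960-01-01",
            "scheduling": "Follow-up 2000-05-02 10:00",
            "billing": "Claim 12345, CPT 99213, balance $40",
            "clinical": "Dx: left knee osteoarthritis; plan: PT, NSAIDs",
        }},
    )


def demo() -> dict:
    """Run the article's scenario and return the outcomes for inspection."""
    store = build_sample_store()
    out = {"clerk_billing": store.read("bclerk", "P-001", "billing")}
    try:
        store.read("bclerk", "P-001", "clinical")   # billing clerk reaching for clinical detail
        out["clerk_clinical"] = "allowed"
    except PermissionError:
        out["clerk_clinical"] = "denied"
    out["physician_clinical"] = store.read("drlee", "P-001", "clinical")
    out["trail"] = store.who_accessed("P-001")      # includes the denied attempt
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note that the denied attempt is logged exactly like a successful one; an audit trail that records only successes cannot show that someone tried to reach information outside their role, which is the pattern a Privacy Official investigating a complaint most needs to see. A user whose role is not in the mapping at all (the "intern" above) is denied everything by default.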

Beyond internal controls, you will need to ensure security across the Internet. Encryption of information must be used to minimize unauthorized access. Authorization and authentication mechanisms should be installed to verify the source of information received by a covered entity, as well as to verify the recipient before information is transmitted.

The HIPAA regulations do not cover all parties (for example, third party administrators, researchers, employers and marketing firms) that might potentially have protected health information. However, they do cover your "business partners," by way of required contractual arrangements. For example, if you use a billing service or collection company or if you contract for management services and the like, those business partners may also be required to comply with HIPAA regulations. Your practice must require each of your business partners of this type to sign a contract to that effect.

In addition, the business partner must contractually agree to bind any of its subcontractors to the same terms, establish its own internal safeguarding procedures, report any internal violations to you and return protected information to you at the end of the contract.

The regulations are so far-reaching that they are likely to include almost all medical practices. Penalties for non-compliance include civil and criminal fines and possibly even jail time.

If your practice maintains any protected health information electronically (even if it is entirely for internal use), the HIPAA requirements apply to you. Hence, if you use a computerized scheduling module, maintain billing records in computer files or keep a database of patient demographics, your practice is covered by the regulations.

The regulations are intended to create savings over the long run. For example, the regulations require claims to all third party payers to be handled in the same manner. This includes uniform procedures for verification of benefits, requests for referrals, authorizations for treatment and submission of claims. Denials and the need for re-submissions should be greatly reduced. Analysts predict that the cost savings for providers could be $9 billion annually.

Janice G. Cunningham, JD, is a Health Care Group consultant and Health Care Law Associates attorney.
