Ignore HIPAAs Privacy Rule at your peril
Physician involvement is key to successful compliance
The rule will not go away
By Steven E. Fisher, MBA
The Health Insurance Portability and Accountability Act (HIPAA) will have a great impact on the operations of most orthopaedic practices. Thus, a significant portion of this issue of the Bulletin is dedicated to a discussion of the Act and one provision of the Privacy Rule.
It is important for you to familiarize yourself with the Act and the Ruleeven if you plan to delegate much of the work required to comply with the regulations to your staff. If you do not assume an active role, odds are that implementation of the Privacy Rule in your office will not be a successand this could have serious consequences.
In this issue, we cover the basics of the Privacy Rule, take a look at its implications for orthopaedic surgeons, discuss implemantation challenges and provide a twelve-step compliance strategy. In addition we provide important information regarding other HIPAA deadlines and a list of Web sites to visit for additional information.
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress in 1996. Titles I, III, IV and V of the Actwhile they relate generally to the subject of health care and health care insurancewill not have much of an impact on the operation of your medical practice. Title II, however, which deals with what Congress terms "administrative simplification," will require you to implement changes in the way your office runs in virtually every arena.
The Department of Health and Human Services (HHS) is expected to implement nine sets of regulations relating to administrative simplification over the next few years. This article contains contains an overview regarding the final Privacy Rule. It reflects the amendments that were published in the Federal Register on August 14, 2002. Other rules for which final regulations have been issued include Transactions and Code Sets (TCS) and the Unique Employer Identifier. Proposed rules have been published for Security, the Unique Provider Identifier and Electronic Signatures. For more information regarding all of these regulations, consult the Other HIPAA deadlines and Additional resources articles.
What is the Privacy Rule?
The Privacy Rule creates national standards to protect your patients medical records and other personal health information. In addition, it gives them more control over their health data and limits the way that you, as a provider, may use the information and release it to third parties. Finally, it sets up guidelines that you must follow to protect the privacy of your patients "protected health information" (PHI) and holds you accountable for violations.
Who is covered by the Rule?
HIPAA applies to: (a) health plans, (b) health care clearinghouses and (c) health care providers who transmit certain kinds of health care information electronically. The covered transactions, which were specified in the final TCS Rules, include insurance claim and encounter data, payment and remittance notification, coordination of benefits information, referral certifications and treatment authorizations. For more information, see No. 5 in the "Additional Resources" sidebar (an American Health Information Management Association article that is entitled "Understanding HIPAA Transactions and Code Sets"). Keep in mind that you are a covered entity if you transmit the information electronically even if you do so now in a non-standardized format. Under the regulations, if you only send data by mail in hardcopy form, or transmit it by fax, youre not a covered entity.
In principle, therefore, if you do not transmit the health care information specified in the TCS Rules to third parties electronically, you are not a covered entity and do not need to comply with HIPAA and the Privacy Rule. The Administrative Simplification Compliance Act (ASCA), however, prohibits HHS from paying Medicare claims that are not submitted electronically after October 16, 2003unless your practice is very small and the Secretary grants you a waiver. Private payers are expected to follow suit for all practices regardless of their size.
Therefore, unless youre prepared to stop participating in mostif not allthird-party insurance plans and you intend to require your patients to submit their own claimsthe strong likelihood is that, even if you are not a covered entity now, you will become one in the not-too-distant future.
Furthermore, even in those instances in which you can avoid becoming a covered entity under HIPAA, youll have to assess whether pursuing this course of action is in your long-term best interests. On the one hand, not being a covered entity eliminates the need for you to make changes in your practice operations. On the other hand, transmitting and receiving information electronically could, in the long term, reduce your overhead and improve your collections.
Also, recognize that operating as a non-covered entity could have an adverse effect on your relations with patients given that, as was stated above, Congresss purpose in passing the Privacy Rule in the first place was to create national standards to protect their medical records. Whatever your motivations might be in remaining a non-covered entity, patients may feel that you are not acting in their best interests. Trying to convince them that you are could prove to be a challenging and time-consuming task for you and your staff.
What must practices do to comply with the Rule?
The Privacy regulations occupy hundreds of pages in the Federal Register. Describing your obligations under the Rule in detail is beyond the scope of this article. Following, however, is a very brief summary of your responsibilities. For more information, see "Additional Resources."
Notice, consent and authorization: The Privacy Rule requires that you provide your patients with notice of their privacy rights and of your privacy practices. You must make a good-faith effort to obtain written acknowledgement that they have received this information. You no longer need to obtain a signed Consent Form to use or disclose PHI before engaging in "treatment, payment or health care operations" (TPO); however, before using or disclosing PHI for purposes other than TPO, you must obtain a signed Authorization Form.
Research and marketing authorizations: In general, the Privacy Rule requires that you obtain a signed Authorization Form from your patients when you wish to use or disclose PHI in connection with research and marketing. You are now permitted, however, to use a combined form for informed consent (for treatment) and the authorization too. The Rule also lays out limited conditions under which a signed Authorization Form is not required. The final Rule makes it very clear that you are prohibited from selling your patients PHI to a third party for the marketing activities of that third party without the patients authorization.
"The minimum necessary" standard, incidental use and disclosure: You may disclose PHI only to what the Act calls "the minimum necessary to accomplish the intended purpose." Your office must implement policies and procedures that limit what PHI is disclosed and with whom it is shared. "Incidental" uses and disclosures of PHI are not deemed a violation of the Rule if youve met reasonable safeguards and the "minimum necessary" standard.
Business associates: A "Business Associate" (BA) is person or organization that provides services to you or your group involving the use or disclosure of PHI. Examples of Business Associates may include billing and (depending on the way the information is transmitted) transcription services. In the future, your agreements with your BAs will need to be in writing. The final Rule provides a sample BA agreement; if you base your BA contracts on the sample one, you can be sure youre complying with the regulations.
When must covered entities be in compliance?
If youre a covered entity, you must be in compliance with the Privacy Rule by April 14, 2003.
What are the penalties for non-compliance?
You may be fined up to $100 for every violation (with a cap of $25,000 per year) by the Office of Civil Rights (OCR) for each provision of the regulations that you breach unintentionally. The Department of Justice (DOJ) may impose criminal penalties including prison time if you or anyone in your group knowingly violates the Rule. Patients may file civil lawsuits if they feel their privacy rights under HIPAA have been violated.
Implications of the Rule
Theres no question that implementing the Privacy Rule will involve an expenditure of time and effort on virtually everyone in your practice. Compliance also will require you to pay out a certain amount of money up-front and on an ongoing basis. As is stated in the companion Privacy Rule overview article, there may be a quid pro quo in terms of savings to be garnered by adopting the Transactions and Code Sets standards.
Nonetheless, many health care professionals continue to express hope that the Privacy Rule will be repealed or that it will not be enforced. A few physicians have been known to become angry at messengers whoin all good faithare providing advice and council about how to become compliant with the Rule.
In fact, the Privacy Rule is unlikely to be repealed and it is very likely to be enforced, for two compelling reasons:
The Privacy Rule will not go away
The bottom line is that while the Privacy Rule may be onerous to implement, it will not go away. Too many people, both inside and outside the government, have a stake in health care EDI and e-commerce and the Privacy Rule is critical to moving forward in both these arenas. It is therefore likely to be in your best interests to comply with the Rule.
It is also to your advantage to determine how you can benefit from the HIPAA standards in general. Developing a plan in this regard will permit you to avail yourself of e-commerce opportunities as they present themselves. An excellent discussion of the issues, costs and benefits relating to HIPAA can be found in HIPAA Compliance for CMA Members, a guidebook published by the California Medical Association, Center for Legal Affairs © 2001-2002. CMAs phone number is (415) 541-0900.
The Privacy Rule is confusing in many respects and even the final regulations leave numerous questions unanswered. The greatest challenge for you and your staff will be to sort through the regulations and obtain answers to your questions. See Step No. 2 in the companion article entitled "A 12-Step Compliance Strategy" for more information about how to accomplish this task. Other challenges include the following:
Finally, even within a given state there are major differences between orthopaedic practices, including number of physicians, level of subspecialization, private practice versus academic orientation, number of offices, level of interest in research, billing arrangements, ancillary service offerings and so forth.
As a result, there is simply no such thing as a one-size-fits-all-practices "how-to" compliance plan for the Privacy Rule. You will need to consult with your state orthopaedic society, your state medical society and your own legal counsel to be sure the plan you develop dovetails with your states laws and your specific working environment.
Compliance dates already exist for Transactions and Code Sets and the Unique Employer Identifier; see the "Other HIPAA Deadlines" sidebar on page 27. While final Rules have not been issued in other arenas, including Security and the Unique Provider Identifier, they could be published at any time, and compliance dates established. When developing and implementing your compliance plan for the Privacy Rule, you therefore need to be mindful of all of these other Rules.
Options include courses and assistance provided by a practice management consulting firm. Retraining will need to be undertaken at regular intervals given staff turnover, transfers, promotions and so forth.
A 12-Step Compliance Strategy
Complying with the Privacy Rule wont be easy or hassle-freebut it can be done if you move forward methodically and break the compliance process down into manageable pieces. For example, heres a 12-step strategy:
Finally, and this is not a "step" per se but rather an ongoing process: be sure that everything you do regarding the Privacy Rule (indeed, HIPAA in general) is documented and maintained in a way that it can easily be retrieved. It does you no good to go through all the work to comply with the Rule if you cannot show that youve done so. Documentation will also help protect you against any civil claims filed by or on behalf of your patients stating you were a covered entity but did not comply with the Privacy Rule.
Steven E. Fisher, MBA, is manager of practice management affairs, AAOS health policy department. He can be reached at (847)384-4331 or firstname.lastname@example.org.