Privacy in the Information Age
Costs Could Surpass Y2K
By now, most home health providers and suppliers have heard rumblings regarding the government's issuance of regulations regarding the privacy of individually identifiable health information. The purpose of this privacy rule is to establish federal standards for the protection of personal health information. In order to achieve that goal, the law requires providers to adopt a comprehensive system of technical and administrative safeguards to protect information from both internal and external privacy and security threats. Given the scope of the privacy requirements, the costs associated with efforts expended toward compliance with the privacy rule will eclipse those associated with Y2K preparation, particularly if providers wait until the last minute to implement a program. Therefore, home health providers and their contractors should start planning now for implementation.
Home health providers and their contractors should start planning now for implementation of privacy regulations.
The privacy rule, published late last year by the Clinton administration, was authorized by Congress under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Most people recognize HIPAA as the statute that addresses portability of health insurance for individuals. In addition to the portability provision, HIPAA's accountability requirements were designed to address issues related to e-commerce and increasing use of the Internet to transmit health information. Indeed, HIPAA regulations include provisions for standardized electronic transactions to facilitate prompt payment of claims for providers. Hand-in-hand with these transaction standards, HIPAA mandates that privacy and security protections be in place so consumers will be confident that their personal health information is adequately protected in the age of Internet commerce.
Given the breadth of the privacy regulation and its impact on virtually every aspect of health care operations, providers hoped that the Bush administration would delay--if not altogether scrap--the rule before its April 14, 2001, effective date. To the surprise of many, however, Department of Health & Human Services (HHS) Secretary Tommy Thompson announced that the effective date would not be delayed and that providers would have to comply with the privacy regulations by April 2003. Because the law imposes both civil and criminal penalties for violations, providers began to consider HIPAA and appreciate its tremendous impact on their business practices.
The following highlights of the privacy rule should assist you in planning for HIPAA compliance.
The Privacy Rule
The HIPAA privacy rule is designed to safeguard individually identifiable health information or protected health information (PHI) maintained by health care providers that electronically conduct certain financial and administrative transactions. These health providers include home health agencies, hospitals and other traditional caregivers. In addition, health plans and clearinghouses are considered covered entities under the privacy rule. Yet, the reach of the privacy regulation is even broader: business associates of covered entities may have to implement privacy practices.
Privacy policies and procedures must focus on more than computer fixes.
Although the HIPAA statute and the privacy rule in its proposed form extended protection to information only in electronic form, the final rule extends coverage to personal health information in any form, including written or oral communications. Therefore, privacy policies and procedures must focus on more than computer fixes. An overall cultural change to adopt sound privacy practices must occur. Staff must be educated not to talk about PHI in situations where others can hear their discussions. Medical records cannot be casually left in places where anyone can read the contents. Staff should not share their computer passwords with anyone inside or outside the organization. HIPAA compliance, therefore, is more than implementing firewalls and password protections to computer systems.
Impact on Operations
The requirements of the privacy rule cut a wide swath across a covered entity's operations. Written privacy policies and procedures must be developed, and extensive employee training is required on an ongoing basis. A privacy officer must be designated and made responsible for such policies and procedures. Entities must identify a contact person to receive complaints about the handling of PHI. In addition, providers must supply patients with detailed information about their rights under the rule, as well as the ways in which their PHI can be used or disclosed.
With limited exceptions, people have the right to inspect and copy their own protected health information, including documentation concerning who else has accessed such information. People also have the right to request amendments to, or corrections of, incomplete or incorrect information. Therefore, covered entities must ensure that procedures are in place to accommodate such accountings and amendments. Further, entities must accommodate a person's reasonable request for alternative forms of confidential communication of their PHI. If a patient requests that you contact him or her only by mail and you agree to that restriction, you cannot call the patient about appointments.
In order to use any individual's health information for treatment, payment or other health care "operations," providers must first obtain that patient's written consent. Although most providers typically have patients sign consents for such purposes today, the privacy rule imposes detailed requirements regarding the content of a valid consent. With a valid consent in hand, providers are permitted to use the individual's PHI for a host of activities beyond treatment or payment for services: quality assurance programs, certain business planning activities or compliance activities, to name a few. While such patient consents are not to be coerced, health care providers and plans will generally be permitted to condition treatment or coverage on an individual's consent.
In the event a provider wants access to an individual's PHI for other uses--including research and certain marketing activities, for instance--the covered entity must first obtain a written authorization from the patient for that disclosure. The contents of an authorization also are specified in the privacy rule. Valid authorizations are for a defined time period and must identify the exact information needed. A proper authorization identifies the minimum necessary of information needed and typically should not be a request for wholesale release of medical records. Covered entities are expected to review authorizations to ensure that the minimum necessary standard is honored.
In addition to modifying procedures regarding the release of medical records to third parties, the privacy rule calls for modifications to everyday business practices within a provider. Providers will have to address how a patient's confidential information is handled within its internal operations: not every employee can be given free access to patients' PHI. For instance, employees working in the agency's billing department may need PHI related to a particular treatment in order to bill third-party payers. That employee, however, should not have unlimited access to all of the patient's records to accomplish the task. Policies limiting employee access to PHI must be in place to comply with the privacy rule.
Impact on Your Business Associates
In addition to the direct impact on covered entities, the privacy regulation expands HIPAA's reach to certain companies that do business with covered entities. Labeled "business associates," such companies perform services that involve the use or disclosure of PHI on behalf of covered entities, or otherwise perform certain specified services involving PHI for covered entities.
Providers will need time to educate themselves about the privacy rule, perform initial assessments of their practices and plan for implementation.
For example, attorneys who view patient medical records may be considered your business associates. Accountants performing financial services for covered entities also could be business associates. In order to comply with the privacy rule, covered entities will have to include terms in their vendor contracts to bind their business associates to certain aspects of the privacy rule.
Although a covered entity generally will not be held liable for privacy breaches of its business associates, the covered entity may have to act in the event it discovers that business associates have committed material privacy breaches. The covered entity will have to improve the effects of the breach, up to and including notifying HHS or terminating the business relationship. Only if a covered entity fails to take reasonable curative steps would it be considered in violation of the rule.
Providers are subject to both criminal and civil penalties for violation of standards. The responsibility for enforcing the privacy rule has been delegated to the HHS Office for Civil Rights. Regulations detailing how the Office of Civil Rights plans to enforce the regulations--by inspection or other methods--should be published shortly.
As you prepare for compliance with the federal privacy rule, don't overlook the need to address certain privacy issues now. First, it makes sense for businesses to ensure the confidentiality of medical information. In the event patient information is not protected and there is a breach, the impact on your business could be devastating. Would patients want to be seen by your providers? Consumers are increasingly aware of their privacy rights and expect providers to protect their confidential information. Sound privacy practices make business sense.
State Laws Affecting Privacy
Many states already have privacy laws in place that could affect your business practices. Although federal privacy standards will not be enforced until April 2003, state law cannot be overlooked. Indeed, even after HIPAA compliance is mandatory, the privacy rule does not preempt state laws that offer greater privacy protections than the federal standards. In planning to meet the requirements of the federal privacy rule, covered entities also will have to consider state constraints on health information.
Start Preparing Now
This article represents an overview of the major requirements of the privacy rule and the expected impact on providers. The privacy rule contains highly detailed specifications for handling PHI, and providers must carefully evaluate their business practices to identify specific changes needed.
Providers will need time to educate themselves about the privacy rule, perform initial assessments of their practices and plan for implementation. Introduction of the necessary policies and procedures will take time to fine tune to each provider and their staff. Staff training alone will take some time to accomplish. Therefore, providers need to be proactive and begin planning for implementation now. Indeed, if the Y2K experience is at all indicative, providers who wait until the last minute may be faced with enormous costs in implementation.
You may consider reviewing the following web pages to assist you in preparation for HIPAA implementation:
This article originally appeared in the September 2001 issue of HME Business.