HIPAA 101
CMA's Updated HIPAA Compliance Manual is available
and on CD-ROM format. For details, call SBCMS (909) 825-6526
The Health Insurance Portability and Accountability Act of 1996,
or HIPAA, contains a wide range of health care regulations. Physicians
and other individuals and entities are currently concerned with
Title II, Subtitle F of the Act, entitled "Administrative
Simplification," which mandates national electronic transmission
standards and specific protections for individual health information.
This article has been prepared to provide a brief overview of
what HIPAA's "Administrative Simplification" will require
of physicians, identify useful sources of information on the detailed
requirements and suggest some first steps toward accomplishing
HIPAA compliance.
Who Must Comply With HIPAA?
HIPAA requirements apply to "covered entities," which
include:
1. health plans
2. health care clearinghouses, and
3. physicians and other health care personnel who transmit certain
financial and administrative transactions electronically,
including: claims for reimbursement; remittance or payment advice;
claims status inquiries; eligibility inquiries; enrollment information;
referral certifications and authorizations for treatment; and
coordination of benefits or health plan premium payments.
Electronic transmission of health care information is broadly
defined to include transmissions through the medium of tape, CD,
diskette, leased or dial-up phone lines, Internet, extranet, and
virtual and private computer networks. This includes the physical
transfer of a diskette or other media containing health information
from one computer to another. HIPAA also applies to physicians
who contract with outside entities that perform these functions.
Once an individual or entity is determined to be a "covered
entity" under HIPAA, all of the provisions of HIPAA listed
below will apply.
Deadlines for Compliance
Uniform Electronic Transaction Standards: 10/16/03
These standards create requirements for electronic transmission
of health care data. Compliance is required by October 16, 2003,
provided that a form is submitted by October 16, 2002 requesting
an extension on the compliance deadline by one year (see further
information on the deadline extension below).
Privacy Standards: 4/14/03
These standards are regulations to protect individual health information.
Compliance is required by April 14, 2003.
Security Standards: within 2 years of final regulations
These standards will create regulations to protect electronically
maintained health information from improper access and disclosure.
Final regulations have not been issued. Compliance would be required
within two years after such regulations are adopted.
Unique Identifier Standards: within 2 years of final regulations
These standards will require development of unique identifiers
for physicians and other health care personnel, employers, health
plans and patients. Final regulations have not been issued. Compliance
would be required within two years after such regulations are
promulgated.
4 Key Provisions of HIPAA: An Overview
Uniform Electronic Transaction Standards
The Uniform Electronic Transaction Standards of HIPAA create
uniform standards for electronic transmission of eight administrative
and financial health care transactions:
1. health claims and encounter information;
2. health plan enrollment/disenrollment processes;
3. eligibility verification;
4. health care payment and remittance advice;
5. health plan premium payments;
6. health claim status;
7. referral certification and authorization; and
8. coordination of benefits.
The format and coding systems for these transactions are to be
standardized, which should be beneficial to physicians because
it will eliminate the unique coding requirements and formats currently
required by numerous public and private health plans. At present,
the code sets that are to become mandatory are: ICD-9 diagnostic
codes; HCPCS and CPT-4 procedure codes; National Drug Codes (NDC)
for prescription drugs; and CDT-2 codes for dental services. Local
codes developed by individual health plans, including Medicare
and Medi-Cal, will no longer be permitted. HIPAA specifically
prohibits health plans, including Medicare and Medi-Cal, from
customizing the claims submission requirements to meet their individual
desires. HIPAA also calls for standards to be promulgated for
the first report of injury forms in workers' compensation programs
and for claims attachments, but regulations have not yet been
issued.
The transaction standards and code sets may be the least burdensome
provisions of HIPAA for physicians, as the requirement to adhere
to uniform standards for electronic transmissions will fall most
prominently on the claims processing systems of health plans, IPAs
and other organizations that perform these health care transactions.
The deadline for compliance with this standard originally was
October 15, 2002, but Congress passed legislation in December
permitting a one-year extension on the deadline, provided a federal
form (identified as a "Compliance Plan") is submitted
to the Centers for Medicare and Medicaid Services (CMS) by the
original October 15 deadline this year. (Information regarding
this form is provided below under "First Steps.")
Privacy Standards
The Privacy provisions of HIPAA generally do two things:
1. impose new restrictions on how "covered entities"
can use and share protected health information; and
2. create new rights for patients concerning their own health
information.
Protected health information is widely defined to include the
traditional medical record, physicians' personal notes and billing
information and any other information that identifies, or reasonably
can be used to identify, the individual to whom the health information
pertains. Compliance with these requirements is effective April
14, 2003. The general requirements are as follows:
1. Individually identifiable health information may not be used
or disclosed without the patient's permission, except in certain
circumstances (see exceptions below). The manner in which patient
permission must be obtained is divided into two categories, patient
consent and written patient authorization.
Patient consent is required prior to using or disclosing information
for treatment, payment or health care operations purposes (such
as quality assurance and peer review, accreditation and licensing,
internal medical review, legal and auditing functions and business
management, customer services, etc.). The original standard adopted
by the Clinton Administration required that this consent be obtained
from the patient in writing, but the Bush Administration issued
new regulations in late March eliminating the requirement that
consent be in writing and replacing it with a requirement that
patients be given a form that informs them of how this information
may be used.
Written patient authorization is required for any disclosure
of health information beyond the three purposes listed above for
which the patient's consent is required. This authorization form
must be very specific, stating with whom information is to be
shared, how it is to be used and disclosed and the length of time
the authorization is to be effective.
Notably, HIPAA provides significant exceptions to the consent
and authorization requirements permitting, but not mandating,
disclosure for emergencies, to identify the body of the deceased
person or the cause of death, for public health needs, research,
oversight of the health care system, judicial and administrative
proceedings, limited law enforcement activities, and activities
related to national defense and security.
2. Policies and procedures must be developed and adopted to ensure
that disclosure of health information for non-treatment purposes
is limited to the "minimum necessity" to accomplish
the intended purpose of the disclosure.
3. Patients are granted the right to inspect and receive a copy
of their health information and may request amendments to such
information. Processes are established to address disagreements
between patients and physicians regarding the contents of the
records. Patients also have the right to receive an accounting
of disclosures of their medical information, with exceptions for
disclosure for purposes of treatment, payment or health care operations.
4. By the date of the first service after this rule becomes effective
(April 14, 2003), physicians must provide each patient with a
"notice of privacy practices," describing the patient's
rights and the physician's responsibilities for protecting health
information.
A written agreement must be executed with all "business
associates" with whom protected health information is shared
to safeguard the information. This does not apply to sharing information
with other health care providers for treatment.
Administrative practices must be adopted, including:
a. Designating a privacy officer to implement and monitor compliance;
b. Designating a contact person to answer questions about privacy
(can be the privacy officer above);
c. Developing written policies and procedures for protecting
health care information;
d. Conducting staff training to ensure compliance with Privacy
provisions;
e. Maintaining documentation of consents, authorizations, procedures
and policies, training, and other compliance activities.
Physicians must comply with the privacy rule by April 14, 2003.
Covered entities are not required to obtain prior approval from
HHS for their compliance activities and plans. Neither are they
required to submit compliance reports. However, if a physician
is investigated, he or she will be required to provide documentation
of compliance, making documentation an essential part of compliance
activities. Penalties for violations of the rules may be substantial:
civil penalties of $100 per violation, up to a maximum of $25,000 per
year for each standard violated. For knowing, wrongful disclosures
of health information a criminal penalty may be imposed, which
is a graduated penalty that may escalate to a maximum of $250,000
for particularly egregious offenses.
Security Standards
Final regulations for implementing the security standards have
not yet been promulgated. Proposed regulations address the establishment
of mechanisms to ensure that all patient-specific information
stored and/or transmitted electronically is kept secure from improper
access or disclosure. The requirements are grouped into four general
categories:
1) Administrative Safeguards;
2) Physical Safeguards;
3) Technical Security Measures; and
4) Technical Security Mechanisms.
The following is an overview of these four categories:
Administrative Safeguards
Administrative policies and procedures must be developed to protect
health care information. This should include development of a
written manual containing security policies and procedures, such
as: records processing procedures; procedures for controlling
access to health information; personnel security policies and
procedures; plans for protecting health information from loss,
including routine back-up and storage of records at a different
location; computer maintenance contracts and use of back-up computers;
procedures for notification if information has been accessed by
an unauthorized party; and training procedures/materials. Physicians
may also execute "chain of trust partner agreements"
with entities with which health information is shared to ensure
that the information is protected, and if this includes a third
party who will process claims, this agreement should be incorporated
into the contract. Physicians must also obtain "certification"
of their security procedures/systems, which may be done by a knowledgeable
staff member in the practice.
Physical Safeguards
Physical safeguards must be implemented to protect against unauthorized
access to health information, such as: assigning an individual
to be responsible for security; developing formal procedures for
the receipt and removal of hardware and software into and out
of a facility; limiting physical access to a facility; securing
equipment containing sensitive patient information in locked rooms;
developing procedures for storing backed-up data, disposing of
unneeded data and logging off when leaving computer terminals
unattended; keeping workstations out of public areas and health
care information out of public view; and training staff on security
awareness.
Technical Security Measures
This pertains to development of specific protections for facilities
that transmit health information over a communications network,
such as: access controls, alarms (if data is accessed without
authorization), audit trails, encryption (if data is transmitted
over open networks), and mechanisms for confirming the identity
of each entity/person accessing information. Software would likely
have to be purchased to satisfy this requirement, as well as encryption
software (MedePass, as an example) for sending claims directly
to payors. Those physicians sending data to a clearinghouse via
a private wire or dial-up connection would need to confirm with
the vendor that required protections are in place.
HIPAA states that security measures are intended to be scalable,
meaning that small physician offices will not need to implement
the more extensive and technically sophisticated measures that
a large health system would be required to develop.
Unique Identifier Standards
To simplify the process of sharing health care information electronically,
HIPAA mandates the use of unique identifiers for health care providers,
health plans, employers and patients. For physicians, the Department
of Health and Human Services (DHHS) has proposed the use of the
National Provider Identifier (NPI), better known as your Unique
Provider Identification Number (UPIN), which has been issued to
all physicians enrolled as a provider in the Medicare program.
A lot of controversy surrounds the question of unique identification
numbers for patients, and consequently no regulations have formally
been adopted to implement this provision of HIPAA. Once the regulations
are adopted, "covered entities" will be required to
comply 24 months afterwards.
What to Do Now
1. Get more detailed information on HIPAA requirements. The
California Medical Association (CMA) has already published a booklet
titled "HIPAA Compliance for CMA Members" which provides
much more detail on HIPAA's requirements and some sample forms
to assist physicians in assessing what they need to do to be in
compliance with HIPAA and sample communications to send to software
vendors and other business trading partners to meet HIPAA requirements.
This booklet is available free of charge to CMA members by calling
CMA to request a copy or by downloading it from the CMA's HIPAA
Resource Center on its website at www.cmanet.org.
Other helpful sources of HIPAA information are as follows:
American Medical Association - the AMA has extensive information
on the requirements and recent developments in HIPAA implementation
on its website, http://www.ama-assn.org/ama/pub/category/4234.html.
California HealthCare Foundation - CHCF has published several
helpful "how to" booklets for physicians, which contain
sample forms and documents. Go to http://www.chcf.org/topics/index.cfm?topic=CLll106
The Centers for Medicare and Medicaid Services (CMS) is promulgating HIPAA
regulations. Go to http://www.cms.hhs.gov/hipaa/hipaa2/default.asp
for regulations, question and answer documents, and other guidance
on HIPAA compliance.
The Health and Human Services Department also maintains information
on HIPAA requirements, at http://aspe.hs.gov/admnsimp/Index.htm
The Office of Civil Rights, which will be responsible for enforcement
of HIPAA's privacy standards, has information on its website at
http://www.hhs.gov/ocr/hipaa/
The American Academy of Family Practice offers articles containing
practical information on HIPAA at http://www.aafp.org/fpm/hipaa.html
The Massachusetts Health Data Consortium, of which the Massachusetts
Medical Society is a member, offers useful HIPAA information at
http://mahealthdata.org/
2. Develop a HIPAA planning team in the medical office.
Bring together the physicians and key office staff, such as the
office manager, to start to identify what needs to be done and
assign responsibility for development of the compliance strategy
to an individual or individuals within the practice.
3. Conduct a preliminary evaluation of current compliance
with HIPAA security measures. A sample evaluation form is
provided in the CMA HIPAA booklet.
4. Review, complete and submit to the Centers for Medicare
and Medicaid Services (CMS) the federal "Compliance Plan," the
form that is necessary to qualify for the extension on the compliance
deadline from October 16, 2002 to October 16, 2003 for the "Electronic
Transactions Standard." The form may be completed online
at http://www.cms.gov/hipaa/hipaa2/default.asp (click on the heading
"Electronic Health Care Transactions and Code Sets Standards
Model Compliance Plan") or downloaded from the website and
mailed. If the form is completed online, an acknowledgement will
be sent back from CMA. If it is submitted by paper no confirmation
will be provided.
5. Contact practice management software companies or claims
processing clearinghouses to find out what steps they are taking
to ensure the practice management software, particularly claims
submission software, meets HIPAA requirements. Ask what the
timelines will be for completion, whether software and hardware
upgrades will be needed, and when training of office staff and
testing of the claims submission program will take place to ensure
HIPAA standards are met. If the software vendor is not knowledgeable
about HIPAA or does not intend to upgrade its system to be HIPAA-compliant,
then physicians will have to decide whether to purchase a new
system or use a clearinghouse to convert data into HIPAA-compliant
transactions.
Reprinted with permission courtesy of the Alameda-Contra Costa
Medical Association.