January 29, 2003
Countdown to HIPAA: Avoid The Crush By Being Prepared
Peter Greaney, MD
Board-Certified Occupational Physician
President, WorkCare
It's colossal. It's awesome. It's dominant. It's HIPAA, a sweeping new federal regulation that is perhaps just as intimidating as the barrel-shaped, 2,500-pound amphibious mammal from Africa.
HIPAA will impact health care organizations, hospitals, physicians' offices, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities. The deadline for compliance with HIPAA's privacy standards is April 14, 2003, and for small health plans, April 14, 2004. However, industry experts state that the low response rate for earlier HIPAA deadlines indicates a lack of preparation by many entities covered under the law.
According to Amednews.com, a newspaper for physicians published by the American Medical Association (AMA), the healthcare industry's weak response in filing for extensions for compliance with the electronic transaction provision underscores a lack of preparation by those affected by the law. Only 550,000 healthcare organizations met the October 15, 2002, deadline to file for an extension, which represents far less than half of the organizations covered by the rule. Those practices that did not file for an extension should have effectively been in compliance since October 16, 2002.
According to sources at Amednews, many physicians find HIPAA complex and are struggling with it. Just over half of the physicians surveyed by the AMA stated they have a good understanding of HIPAA's privacy requirements.
These sentiments were validated by government sources. In a letter from the National Committee on Vital and Health Statistics (NCVHS) to U.S. Department of Health and Human Services Secretary, Tommy G. Thompson, the NCVHS stated:
"There is an extremely high level of confusion, misunderstanding, frustration, anxiety, fear and anger as the April 14, 2003, compliance date nears."
So if you are a bit
overwhelmed by the HIPAA hype, you're not alone.
If your organization is
affected by HIPAA, a compliance plan should be
well underway. If you're a little behind the
curve, this article will provide essential
information on the new law, and resources needed
to develop a plan.
Background
HIPAA, the Health
Insurance Portability and Accountability Act,
was created in 1996 as a means of improving the
efficiency and effectiveness of health care
systems by increasing the use of electronic data
interchange. The law also requires the
adoption of security and privacy standards in
order to protect personal health information.
The law will affect nearly every American and
over 600,000 entities.
The Privacy Rule component of HIPAA has the most immediate impact on those affected by the legislation, as the compliance deadline of April 14, 2003, is fast approaching. The Privacy Rule provides federal protections for the privacy of protected health information, creating new national standards to protect individuals' medical records and other personal health information.
According to The United States Office of Civil Rights, which enforces HIPAA, these standards include:
- Greater control by patients over their health information;
- New boundaries on the use and release of health records;
- Safeguards that health care providers and others must apply to protect the privacy of health information;
- Civil and criminal penalties for those who violate patients' privacy rights;
- Provisions to disclose personal health data under specific conditions, such as the need to protect public health.
Specifically, the Privacy
Rule will enable patients to find out how their
personal health information may be used, and
about certain disclosures of their information
that have been made. It will limit release
of information to the minimum reasonably needed
for the purpose of the disclosure. It
generally gives patients the right to examine
and obtain a copy of their own health records
and request corrections.
There are serious civil and criminal penalties for HIPAA noncompliance. Penalties for general noncompliance with some of HIPAA's rules include a $100 charge per violation, and up to $25,000 per person for all identical violations in a calendar year.
To understand how this
law applies to your organization, you first must
determine if you are a Covered Entity, what
transactions are covered, and how the rules
apply to your situation. Although there is
a vast amount of information on the Internet
about HIPAA and voluminous
"boilerplate" approaches, health
management professionals warn that much of this
material is overly broad, and in some cases may
not adequately meet your compliance
requirements. The following information
and resources provide a good jumping-off point
for getting up to speed on HIPAA and developing a plan.
1. Determine If You Are A Covered Entity
An entity that is one or more of the types shown below is referred to as a Covered Entity in the Administrative Simplification regulations and must comply with HIPAA.
HIPAA applies to any
entity that is:
- a health care provider
that conducts certain transactions in
electronic form (called here a "covered
health care provider"),
- a health care
clearinghouse, or
- a health plan.
If you are not sure if
your organization meets the definition of a
covered entity, use the decision
tree produced by the Centers for Medicare
& Medicaid Services (CMS) to determine
applicability. This decision tree provides
critical definitions on HIPAA
applicability. For example, your company
may be considered a covered entity, yet if the
company does not engage in activities as
described in the HIPAA law, such as
"covered transactions," it may not
have to comply with HIPAA.
Some organizations fall in a gray area because the healthcare component is not their primary business. If your organization qualifies as a Covered Entity, but its healthcare functions are not its primary functions, your organization may fall into the category of "Hybrid Entity." In this case, the privacy regulations only apply to the healthcare component activities of the entity. If your company falls under this definition, it will be necessary to research all compliance requirements of Hybrid Entities.
If your organization
conducts transactions with a covered entity,
your company may be considered a business
associate and thus required to have a business
associate agreement. The CMS
provides additional resources to determine
your covered entity status.
How HIPAA May Affect Employers
If your company operates
a health plan, on-site health clinic or provides
direct medical services to its employees, the
company may also fall under the HIPAA Privacy
Regulations as a Covered Entity and should
consult with its legal counsel to determine its
HIPAA compliance requirements.
Employers with unionized
employees that offer health and welfare benefits
using labor management trusts may be subject to
HIPAA compliance as a health plan. Many
employers will be affected by HIPAA based upon
their relationship with the health plans they
offer. For instance, an employer that is a
self-insurer of a health plan is covered under
HIPAA.
All employers will experience new barriers to obtaining employee health records in any form; therefore it's important to become aware of the HIPAA Privacy Regulations and their impact on organizations and company operational policies and procedures.
2. Assign a HIPAA Point Person
If you are a Covered
Entity or Hybrid Entity, the CMS advises you to
assign a staff person to be your HIPAA Point
Person. Provide that person the authority,
resources, and time to prepare for HIPAA changes
and to develop a compliance plan.
3. Be Aware of the Following HIPAA Compliance Deadlines
| Date | Deadline |
| --- | --- |
| April 14, 2003 | Privacy - all covered entities except small health plans. |
| April 16, 2003 | Electronic Health Care Transactions and Code Sets - all covered entities must have started software and systems testing. |
| October 16, 2003 | Electronic Health Care Transactions and Code Sets - all covered entities who filed for an extension and small health plans. |
| April 14, 2004 | Privacy - small health plans. |
| July 30, 2004 | Employer Identifier Standard - all covered entities except small health plans. |
| August 1, 2005 | Employer Identifier Standard - small health plans |
4. Dig In - Determine Applicability of HIPAA
This step may require
extensive research time and analysis to
determine how HIPAA is applicable to your
business and what you need to do to
comply. In addition to a HIPAA point
person, you may choose to use a consultant(s) to
provide training, legal opinions and technical
support. Ideally, the consultant you
select should have a sound track record for
providing services in related compliance
areas. The
HIPAA Consultant Checklist by Expert System
Applications provides criteria for evaluation.
5. Communicate with Health Plans and Payers of Service
If you are a Covered
Entity, the CMS advises you to talk to the
health plans and payers you bill (especially the
ones you bill most frequently). The CMS
suggests the following approach:
- Ask them what they are
doing to get ready for HIPAA and what they
expect you to do.
- Ask them if they will
have a HIPAA companion guide that specifies
their coding and transaction requirements
that are not specifically determined by
HIPAA (while HIPAA mandates standard
transactions, some health plans may not
require data elements for every field). For
instance, ask your payers for billing
instructions on how to code for services
that were previously billed using local
codes (under HIPAA, local codes are
eliminated).
- Ask them whether they
will have "Trading Partner
Agreements" that specify transmission
methods, volumes, and timelines as well as
coding and transaction requirements that are
not specifically determined by HIPAA.
These may also specify how HIPAA compliance
testing and certification are to be done.
- Ask them about testing
your software to make sure, for instance,
that they will be able to receive a claim
you submit with your updated software.
- If you use software or
systems provided by the health plan / payer
(such as on-line direct data entry) to
conduct transactions, ask whether they
intend to continue supporting these
systems.
6. Access Authoritative Resources to Learn More
The following links and
check-off list will provide you additional
information and resources to help you better
understand your obligations under the law and
avoid feeling crushed by a HIPPO.
Check-off List
- Determine if your organization is a Covered Entity.
- Determine the exact relationship between the employer and its health plan, as the relationship is critical in determining coverage under HIPAA.
- Assign a point person
to perform a gap analysis that outlines
those areas that need to be brought into
compliance.
- Use CMS resources,
counsel, consultants or in-house expertise
to develop a compliance plan.
- Implement the plan.
- Make sure all your
compliance endeavors are well documented, as
this will be key in demonstrating
compliance.
HIPAA Resources As Compiled by Osh.Net Editors
- Fact Sheet by HHS On Modifications to Final Privacy Rule: The Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) took effect on April 14, 2001. The Privacy Rule creates national standards to protect individuals' personal health information and gives patients increased access to their medical records.
- Health Insurance Portability and Accountability Act of 1996: Full Text of Public Law 104-191: Full text of HIPAA, enacted "to amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes."
- HIPAA-REGS Listserv: "Subscribe to this list to be notified by e-mail when documents or events related to the HIPAA Administrative Simplification regulations (such as NPRMs) are published or posted."
- Washington Publishing Company: Free downloads of HIPAA Implementation Guides. "All HIPAA Implementation Guides are free when downloaded from this site. Prices listed are for bound copies. The entire collection is also available on CD-ROM. You must have a WPC Username and Log-in to download the HIPAA Transaction Standard Implementation Guides. If you do not have a WPC Username, Request one."
- What To Look For in a HIPAA Consultant By Expert System Applications: "With the abundance of talk about HIPAA and all of its provisions in healthcare, HIPAA consultants have begun popping up all over the place. If you are looking to bring a HIPAA consultant into your practice or facility to assist with your HIPAA assessment, be sure to ask some essential questions .."
Copyright © 2006 by WorkCare™. All Rights Reserved.