Tuesday, September 18, 2012

Behavioral health gets a jump on compliance. (HIPAA Watch). - Health Management Technology

While the burden of HIPAA implementation and compliance rests with healthcare providers, payors and information clearing-houses, many experts believe that behavioral health and human service organizations will face additional scrutiny from consumers, who now have the law behind them when pursuing possible medical records privacy breaches.

Meticulous records will be required to meet rigorous security standards, and also to respond to consumer requests. For example, patients will be entitled to a complete log documenting every occasion their records have been accessed, including names, dates and inquiry reason.

Healthcare organizations are mandated to develop, implement and enforce comprehensive policies, procedures and business practices that support total compliance with the law--and to provide documentation that employees have been trained on compliance with those policies, procedures and practices as well. They must also designate a privacy officer and security officer and establish a grievance process for patients to make inquiries or file complaints.

Easing into Compliance

Many HIPAA requirements represent actions that responsible healthcare organizations have been taking all along. For years, behavioral health and public health providers in nearly every state have been subject to stringent confidentiality and privacy laws. Protected classes of healthcare service information like mental health, substance abuse and communicable diseases already require special handling. The vast knowledge the industry has gained through compliance with these laws will help ease the burden of HIPAA compliance.

Consider what your organization is already doing to protect and maintain clinical records, implement quality assurance and improvement measures, and satisfy the staff training, documentation, and reporting requirements of accreditation authorities, licensing institutions and funding sources--and you could be well on your way toward HIPAA compliance.

By promoting the greater use of electronic data interchange and the elimination of inefficient paper forms, administrative simplification is expected to provide a net savings to the healthcare industry of nearly $30 billion over 10 years. Universal code sets and standardized forms for medical conditions, services and other industry-standard language and methodologies will greatly improve and streamline claims processing. This should significantly reduce the number of claims that are denied or returned for lack of data or failure to use proprietary codes.

In behavioral health, one of the greatest benefits to be realized is one that can't be measured in dollars, time saved or paper eliminated, and that is improved client confidence. By guaranteeing the security of confidential personal and medical information, trust and candor between patient and caregiver will grow, giving way to a more relaxed and productive relationship.

Meeting Requirements

Proposed security regulations apply to more than just providers. They require administrative procedures, technical security standards and physical safeguards to protect electronic data integrity, confidentiality and availability.

The keyword is 'electronic' and its reach is extensive. Any information about the physical or mental condition of a client receiving any form of healthcare services through an affected organization, or any information about payment for such services--past, present or future--is subject to HIPAA regulations.

Even seemingly innocuous demographic information is subject to the same security regulations. Once this type of health information has been transmitted, received or maintained electronically, original paper source documents and even verbal discussions that may change the content of the patient's record are also subject to these requirements.

While security regulations apply to entities maintaining or transmitting health information in electronic form, the privacy rules apply to all forms of individually identifiable health information--paper, oral and electronic. Privacy rules are based on the 'minimum necessary' disclosure principle and require that covered entities obtain a general consent from the client to use his or her personal health information for treatment, payment and healthcare operations.

HIPAA also applies to any covered entity's business partners--any person or organization to whom the covered entity discloses protected health information so that they can carry out, assist with or perform a function or activity on behalf of the covered entity. Examples include lawyers, accountants, auditors, vendors, consultants and billing firms. Even service providers such as computer maintenance services, temporary staffers and healthcare oversight agencies may legitimately be considered business partners.

HIPAA establishes criminal and civil penalties for non-compliance, and also provides a formal vehicle for consumer complaints and federal investigation of alleged violations. Make no mistake--the DHHS Office of Civil Rights is fully empowered to impose financial penalties of up to $250,000 or jail time of up to 10 years per incident if an investigation finds evidence of non-compliance, negligence or willful disclosure of personal health information.

Taking Action

What can you do--and should you do? Assess your software's capability for supporting electronic standards for HIPAA-related transactions. Perform a gap analysis and risk assessment to determine your vulnerabilities and potential liabilities.

Rally for executive support, assemble an appropriate team, begin the education and awareness process, identify your business partners and build the necessary infrastructure to support total compliance. Don't succumb to rumor and speculation. Get a grasp on what the regulations mean to your organization from both an information technology and an operational perspective. Expect to make a significant investment over the next two or three years. Plan and budget now.

HIPAA establishes the minimum privacy standards covered entities must meet, but leaves detailed policies and procedures for meeting these standards to the discretion of each covered entity. Security standards, though comprehensive, are technologically neutral. Implementation of the standards will be flexible and scalable, to account for the nature of each entity's business, its size and resources.

As of August 2000, the rules on standard transaction and data code sets were final. Some 15 months have passed since their enactment and yet much of the industry waits for a pardon, a miracle or a mistake to be announced.

By October 2002, you must be able to send and receive electronic transactions and healthcare information in accordance with HIPAA standards, or risk being in violation. The privacy rules governing protection of personal health information were released in April 2001 and the clock has already begun to tick towards a June 2003 deadline. Final security regulations are expected by year's end.

We all know how time flies. Get a plan and get it done. Software and consultants can take you so far, but the rest is up to you.

John A. Paton is president and CEO of CMHC Systems, Inc., a provider of information technology for behavioral health, public health and human services organizations, in Dublin, OH. Contact him at john@cmhc.com.