Getting A Handle on HIPAA

Jeanette C. Schreiber, J.D.
Wiggin & Dana, LLP

OVERVIEW OF HIPAA

• Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191, 42 U.S.C. §§1320d-2 et seq.
• "Administrative Simplification" provisions

BACKGROUND LEADING TO HIPAA

• Evolving technology, moving from paper to electronic communication
• Need for uniformity in coding and transmitting data
• New uses for personal health information
  
  
  • analyze cost and quality
  • clinical uses
  • marketing
• Heightened public concern for privacy, security

PURPOSE OF HIPAA

• Standardized coding, billing, electronic transactions
• Protect privacy and security of health information

ELEMENTS OF HIPAA STATUTE: INSTRUCTIONS TO HHS

• Standards to enable electronic interchange
• Standards for unique health identifiers (individual, employer, health plan, health care providers)
• Standards for code sets
• Security standards
• Standards for electronic signatures
• Standards for transfer of information among health plans
• Privacy standards

HIPAA TIMETABLE

• Final standards for electronic transactions
• Effective 10/16/00
• Final compliance by 10/16/02
• Privacy regulations
• Effective 04/14/01
• Final compliance by 4/14/03
• Security regulations
• Proposed 08/12/98
• Not yet final

WHO IS COVERED BY HIPAA?

Covered entities:

• Health plans
• Health care clearinghouses
• Health care providers that transmit information in electronic form

Indirect coverage:

• Business associates

WHERE WILL HIPAA AFFECT PHYSICIANS?

• Private physician office - individual and group practice
• Member of medical staff in hospital /health care facility/health system
• Employee of health care facility or health plan
• Medical director for nursing home or home health agency
• Member of IPA or PHO

IMPACT OF HIPAA

• More than Y2K
• Requirements will be ongoing
• Industry-wide culture change

ELECTRONIC TRANSACTIONS AND CODE SETS REGULATIONS

• Adopts standards for eight electronic transactions and for code sets to be used in those transactions
• Electronic Standard Transactions:
  
  
  • Healthcare claim or encounter
  • Claim payment and remittance advice
  • Healthcare claims standard
  • Coordination of benefits
  • Eligibility for a health plan
  • Referral certification and authorization
  • Enrollment & disenrollment in a health plan
  • Premium payments
• Future Electronic Standard Transactions
• First report of injury
• Healthcare claims attachment
• To be addressed in future regulations
• Five medical codes standards to be used initially under HIPAA
  
  
  • International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM)
  • Current Procedural Terminology, 4th Edition (CPT-4)
  • Health Care Financing Administration Common Procedure Coding Set (HCPCS)
  • Code on Dental Procedures and Nomenclature, 2nd Edition (CDT-2)
  • National Drug Codes (NDC)
• For each transaction specifies format, data elements, data content
• Uses industry consensus-based standards wherever possible
• ANSI - American National Standards Institute
• ASC X-12 Insurance Subcommittee
• WEDI/SNIP www.wedi.org/snip
• Covered entities must comply with standards, implementation guides
• HIPAA Implementation Guide by X12N Insurance Subcommittee available at http://www.wpc-edi.com/hipaa
• Payers must accept claims presented in standard format
• Medicare testing capability by late 2001?
• WHAT IMPLEMENTATION STEPS SHOULD PHYSICIANS TAKE?
  
  
  • Identify covered transactions
  • Contact your software vendors
  • Assess need for software conversions or upgrades
  • Review data collection practices to ensure all required elements are collected
  • Plan for synchronized testing
  • Review agreements with "trading partners"

PROPOSED SECURITY REGULATIONS

• Proposed August 12, 1998
• General security measures including administrative, technical and physical safeguards
• "Scalable"
• Technology neutral
• Apply to all individually identifiable health information that is electronically maintained or transmitted
• Each covered entity must assess potential risks and vulnerabilities to individual health data and develop, implement and maintain appropriate security measures

PROPOSED SECURITY REGULATIONS

Categories of Standards

• Administrative procedures
  Physical safeguards
• Technical security services
  Technical security mechanisms

PROPOSED SECURITY REGULATIONS

Administrative Procedures

• Certification of system security
• "Chain of Trust partner agreements"
• Contingency plan
• Formal, documented policies and procedures for processing records, access control, internal audits, personnel security, security system management, incidents, risk analysis and management, access termination, training

PROPOSED SECURITY REGULATIONS

Physical Safeguards

• Use of locks, keys and administrative measures to control access to computers and facilities
• Control of possession and access to hardware, software, data
• Disaster recovery, emergency mode
• Workstation use and security
• Security awareness training for all employees, agents and contractors based on jobs

PROPOSED SECURITY REGULATIONS

Technical Security Services and Mechanisms

• Requirements to protect and control access to data/information
• Mechanism/process to guard against unauthorized access to data transmitted over a communications network

PROPOSED SECURITY REGULATIONS

• What are the practical implications for physicians?

FINAL PRIVACY REGULATIONS

• Issued December 28, 2000
• Accepted by Bush Administration

PRIVACY REGULATIONS

Office of Civil Rights Guidance

• HHS has delegated oversight and enforcement of the Privacy Rule to the Office of Civil Rights ("OCR")
• Guidance issued by OCR on July 6, 2001
• Clarifies variety of issues raised in comments and in questions submitted to OCR
• HHS has promised further guidance and modifications to the Privacy Rule to address "unintended" problems with the Rule

PRIVACY REGULATIONS

• What is Protected Health Information?
  
  
  • Includes all individually identifiable health information transmitted or maintained by a covered entity, whether electronic, paper or oral.
• What information will physicians need to protect?
  
  
  • Patients’ medical records
  • Health reimbursement claims
  • Appointment reminders - phone messages and postcard mailings
  • Patient information - in-office and telephone discussions
  • Office registration information
  • Faxing patient information
• Is HIPAA really any different than current practice?
  
  
  • Patient confidentiality has always been a basic component of the practice of medicine
  • HIPAA introduces new concepts and required practices
  • Will require some changes in office practices and staff education
  • Will require revisions of policies and procedures and new HIPAA compliant forms, policies and procedures

PRIVACY REGULATIONS

Use and Disclosure

• "Use" versus "Disclosure"
• New policies and procedures concerning how patient health information is disclosed and used
• "Minimum necessary" requirements

PRIVACY REGULATIONS

Consent and Authorization

• "Consent" required for "treatment, payment or health care operations"
• "Authorization" required for most other uses and disclosures (including release of psychotherapy notes)
• Opportunity to "Agree" or "Object"

Some uses and disclosures permitted without consent or authorization. Examples include:

• Public health and welfare
• Health oversight
• Required by law
• Judicial and administrative proceedings
• Law enforcement purposes

PRIVACY REGULATIONS

• What are some practical implications for physicians?
  
  
  • Development and implementation of "consent" and "authorization" forms
  • Documentation of "opportunity to agree or object"
  • New office policies and procedures addressing use and disclosure

PRIVACY REGULATIONS

Business Associate Requirements

• HIPAA obligations extend to contractors performing functions for providers using protected health information (such as billing, data processing, consulting)
• Written contract specifications
• Responsibilities concerning acts of business associates
• What are the practical implications for physicians?
  
  
  • Identify business associates
  • Develop or amend contracts
  • Ongoing review of business associates’ activities

PRIVACY REGULATIONS

Individual Rights

Right to:

• Notice of information use and disclosure practices
• Request restrictions on use and disclosure of PHI
• Access to own PHI and to make copies
• Obtain accounting of disclosures
• Request amendments

PRIVACY REGULATIONS

Administrative Requirements

• Designate a privacy official
• Training for all employees, volunteers, trainees
• Implement complaint process
• Develop and enforce internal sanctions for noncompliance
• Required policies and procedures

PRIVACY REGULATIONS

Clinical Research

• Distinguish research from health care operations
• No restrictions if use "de-identified" information
• Special authorization required for most clinical trials
• Permitted without authorization if:
  
  
  • IRB or Privacy Board Approval
  • Review preparatory to research
  • Research on protected health information of decedents
• How will HIPAA affect physician participation in clinical research studies?

PRIVACY REGULATIONS

Marketing

• Generally disclosures for marketing require an authorization
• Very limited exceptions allow some use of protected information for marketing of products/services of nominal value
• For example, solicitations must -
  
  
  • identify the physician as the party making the communication;
  • prominently state if the physician will receive direct or indirect remuneration for making the communication; and
  • explain how to opt out of future communications

If marketing targets a patient based on the patient’s health condition, the provider must also:

• make a determination that the marketed product/service may be beneficial to the health of the type of patient targeted; and
• explain in the communication why the patient has been targeted and how the product/service relates to the patient’s health.

PRIVACY REGULATIONS

Marketing

• How will physicians be affected?
• Be cautious of any arrangement involving use of patient’s identity or health information for marketing

PRIVACY REGULATIONS

Health Care Systems and Other Affiliated Entities/OHCAs

• Affiliated entities may designate themselves as a single covered entity.
• Benefits include using a single shared notice of information practices and consents and consolidating certain other functions.
• OHCAs: separate covered entities in a clinically integrated setting (e.g. medical staff) may combine notices and consents.

PRIVACY REGULATIONS

Oversight and Enforcement

• Role of Office of Civil Rights
• Civil
  
  
  • HHS vows assistance and cooperation through OCR
  • Office for Civil Rights investigation of complaints
• Criminal
  
  
  • FBI? Office of Inspector General?
  • Department of Justice
• Civil Lawsuits?

PENALTIES FOR NONCOMPLIANCE

• Civil penalties -- for violation of standards
  
  
  • Fines up to $100 per violation, $250,000 annual cap
  • Avoided if failure due to reasonable cause and corrected within 30 days
• Criminal penalties -- for wrongful use or disclosure
  
  
  • Up to $50,000 fines, 1 year imprisonment.
  • If for commercial advantage, personal gain or malicious harm, up to $250,000 fines, 10 years imprisonment

IMPACT ON STATE LAW

• Generally HIPAA supersedes contrary state law
• HIPAA privacy requirements do not preempt "more stringent" state requirements
• In many states more stringent mental health, HIV/AIDS and substance abuse protections will continue to apply.
• Need for detailed analysis of state confidentiality law

GETTING READY: STEPS TOWARD IMPLEMENTATIONS

• You now have 13 months to implement the HIPAA transaction and code set standards
• You have 19 months to implement the privacy standards
• Move forward with very basic security implementation in conjunction with privacy; not certain when final security rule will be issued
• You should start now

Getting Ready for HIPAA

• Designate someone to lead your HIPAA efforts
• Gather HIPAA resources
• Check in with your state and/or national associations for assistance
• Gap Analysis (Inventory and Assessment of HIPAA Readiness)
  
  
  • Inventory existing systems, policies, procedures and processes
  • Inventory software capabilities and security measures
  • Inventory contractual arrangements in light of business associate and "chain of trust" agreement requirements
• Develop work plan and timeline for implementation
• Develop budget
• Pool resources where appropriate

LINKS TO HIPAA RESOURCES

• aspe.hhs.gov/admnsimp
• www.hhs.gov/ocr/hipaa
• www.healthprivacy.org
• www.hipaaadvisory.com
• www.hipaacomply.com
• www.wiggin.com
• http://www.aha.org/aha_app/issues/HIPAA/index.jsp
• www.ama-assn.org/ama/pub/category/4234.html
• www.massmed.org/pages/hipaa_tip.asp
• http://www.osma.org/tools-resources/running-a-practice/data-privacy-and-security/hipaa
• www.wpc-edi.com