All Health Entities Urged To Get Moving On HIPAA
You thought Y2K compliance was tough and costly?
Apparently it was nothing compared to what the entire health-care industry now faces. Doctors’ offices, employers’ human resources shops, insurers, clinics and hospitals all face HIPAA compliance. HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
Nobody has a reliable estimate of the cost of compliance, but it will involve nearly 7 million people, from candy stripers to cardiac surgeons and from claims processors to IT administrators.
A recent Ernst & Young Thought Center Web cast focused on the challenges health-care organizations face with HIPAA compliance, such as security and privacy issues and the need to implement new policies, procedures and training.
The first deadline is Oct. 16, 2002, for HIPAA transaction and code set compliance. The deadline deals with national standards for the electronic exchange of financial and administrative transactions involving health claims, payments, claim status, and health enrollment, disenrollment and eligibility.
HIPAA rules standardize the format, use and security of electronically transmitted health care information, thus impacting the legal and regulatory environment surrounding medical records management.
There has been litigation seeking to delay compliance and some further changes in HIPAA rules likely will occur. That’s the view of Doug Badger, a partner at Washington Council Ernst & Young who specializes in health care, budgets and Social Security.
But Badger said it’s clear neither the Bush Administration nor Congress is going to delay compliance further. And with only 18 months to go until the first compliance deadline, he thinks it’s time to get moving.
The second deadline — April 14, 2003 — deals with privacy standards that apply to all medical records and oral communications. Such standards purportedly protect personal health information, stipulating how organizations use the information internally and how they disclose it externally.
The regulations provide that patients must give permission to release medical information, must be told who is using the information and how, and must be able to view, copy and request changes to their records.
HIPAA, incidentally, will require employers who provide health coverage to designate a privacy officer.
There’s been a great deal of activity in the area of privacy regulation at the state level, and many states were out in front of the issue long before the federal government was, Badger observed.
“One of the real challenges in compliance is going to be the issue of whether a particular entity, with respect to a particular requirement, has to comply with their state’s standard or with the federal standard,” Badger said. “It’s going to take a long time for federal regulators to sort out which sets of standards apply in which states.”
The Department of Health and Human Services has yet to clarify other HIPAA components pertaining to standards for security and personal identification.
The proposed security standards focus on four components: formal administrative policies and procedures; physical safeguards; technical security services; and electronic network security.
And they make good business sense, according to Kenneth Vander Wal, a partner in Ernst & Young’s Information Systems Assurance Services practice and a national partner for the firm’s HIPAA advisory service program.
“Even if HIPAA didn’t exist, our organizations should be implementing many of these security mechanisms because we do have exposures right now,” Vander Wal said.
The initial perception in the marketplace was that HIPAA was merely an IT issue, because the first rules finalized were the transaction and code set standards, which relate mostly to the IT side.
“Maybe to a certain degree it was wishful thinking that if organizations could just find a computer ‘fix,’ they’d solve all their HIPAA problems,” said Louis Feuerstein, partner in Ernst & Young’s Health Sciences Advisory Services practice and head of the company’s HIPAA privacy initiatives.
He explained that the federal government has never governed privacy. Privacy has been a state-by-state, doctor-by-doctor, case-by-case, hospital-by-hospital policy issue, he said.
Jacki Huchenski, who specializes in HIPAA privacy regulations as a partner in the New York-based law firm of Moses & Singer, noted too that most of the confidentiality rules of previous state laws applied only to providers, not to health plans, clearinghouses or business associates. This means HIPAA broadens the scope of entities charged with protecting health information.
Because life science, pharmaceutical and biotechnology companies are hybrid organizations that receive and hold protected health information, and in some cases, provide some of the health insurance, they fall under HIPAA’s purview as well.
“Now that the privacy issues have been finalized it becomes very apparent, very quickly that this is a business process issue,” Feuerstein noted. He said the tone has to be set at the top of the organization, with the board and senior management committing to becoming HIPAA compliant on an appropriate timetable and then pushing the commitment down through every level of the organization.
Health care organizations must impress upon executive management the impact HIPAA will have on the entire organization and the cultural change that will have to occur once compliance policies and procedures are implemented, Vander Wal said.
There will be a number of legal challenges, including liability and enforceability, as well as lots of new documents that will have to be drafted around compliance.
But foremost among the challenges will be figuring out how the rules apply to different types of health organizations and their business associates, Huchenski said.
The extent to which HIPAA regulations apply depends on the size and nature of the organization. Employers who offer employee health benefits are also affected by the rule, but they haven’t received much attention in HIPAA compliance discussions as yet.
“As the employer your plan meets the definition of a health plan under the privacy rule and you will need to follow the rule to a certain degree if you’re fully insured and less so if you’re self-insured,” Huchenski observed.
An organization must dedicate resources to the compliance process and build a case for it through awareness and training, Feuerstein said. He said an organization initially must decide whether it wants to be minimally compliant or “compliance plus,” and then has to come up with a HIPAA strategy.
“Compliance plus means you’ll not only meet the requirements of HIPAA regulations, but you’ll tie your HIPAA initiatives to your business initiatives and imperatives,” he explained.
For many, particularly large, multi-location organizations, the road to compliance can be an opportunity to streamline system platforms and gain efficiencies, the panel agreed.
The process should begin with an analysis of where within the organization gaps have to be filled to meet HIPAA compliance. A gap analysis serves as a detailed implementation plan and roadmap to compliance.
The panel recommended the following start-up strategy:
- Appoint an executive sponsor to monitor progress and ensure implementation stays on track.
- Establish an enterprise-wide HIPAA task force. Everyone within the organization who might have some effect on compliance needs to be involved.
- Educate and create awareness among employees.
- Assess the effect HIPAA will have on your business and your business processes and try to capitalize on that.
- Think about solution alternatives based on where the business is and where you think it will be in the future, and lay out what the alternatives are so you can make strategic decisions as a business.