Judging from the repetitive nature of audience queries at each session, there were essentially two questions on the minds of the hundreds of attendees at the recent Health Insurance Portability and Accountability Act (HIPAA) Implementation Forum, sponsored by the Health Care Compliance Association (HCCA) and Advancing Health in America: How severe will the punishment be for noncompliance with the HIPAA privacy rule; and will the rule lead to a deluge of patient complaints and new lawsuits?

And while the keynote speakers and other session leaders at the conference, held in San Diego, on December 10-11, did not dispel these fears completely, they did provide comprehensive education about the rule and specific strategies to ensure successful integration of HIPAA compliance into existing programs.

The goals of the 2-day forum were to initiate dialogue on best practices of compliance by presenting case studies; develop benchmarks from which participants could evaluate compliance efforts; and help attendees identify strategies for working with key departments such as medical records, information services, nursing, billing, and registration to integrate compliance training, implementation, and monitoring.

HIPAA’s Impact
So what does HIPAA mean for audiologists and hearing instrument dispensers? “HIPAA will definitely affect all audiologists and hearing instrument specialists,” says Paul Rao, a speech-language pathologist and compliance officer at the National Rehabilitation Hospital, Washington, DC. “The final HIPAA privacy rule is so broad and inclusive that any provider must be vigilant in obtaining authorization for all disclosures that don’t involve treatment. And HIPAA brings the force of law and financial penalties for breaches of confidentiality.”

Specifically, HIPAA requires the use of a single standard format for the electronic transmission of patient-related information, with the privacy rule and electronic data interchange (EDI) standards intended to eliminate the current 400 different formats for electronic health care claims. Audiologists who transmit health information in electronic form become covered entities, and are subject to the EDI standards published in the Federal Register of August 17, 2000.

In addition, audiologists need to obtain a patient’s consent to use and disclose protected health information for treatment, payment, and health care operations. Patients also have the right to see and correct their health records, obtain a disclosure history, and receive an advance notice of policies regarding disclosure of protected information.

“The HIPAA rules and regulations are very clearly spelled out, and compliance should not be a challenge for the hearing health care industry, and audiologists specifically,” says David Woodbury, director of government relations for the Hearing Industries Association (HIA). “However, the major deadlines are fast approaching, and hearing care professionals should certainly not underestimate the consequences of failure to comply.”

Security, Covered Entities, and Research

Several presenters at the HIPAA Forum in San Diego touched on lesser-known, but no less important, facets of HIPAA compliance. For example, Judy Noon, principal for Deloitte & Touche, Portland, Ore, and Linda Malek, partner with Moses & Singer, New York, led a session on how health care organizations can deal with business associates within the HIPAA framework. Among the main points touched on by Noon and Malek:

  • A “covered entity” may be a business associate of another covered entity.
  • A covered entity may not disclose protected health information to a business associate without a written contract.
  • A covered entity retains liability if that entity knew of a violation by a business associate. The covered entity must also have substantial and credible evidence of a violation.
  • If an entity has knowledge of a violation of an agreement by a business associate, then it must take reasonable steps to cure the breach and, if not successful, must terminate the agreement or report the breach to the HHS Secretary.

In addition, the final modifications to the privacy rule were presented. One such modification gives covered entities up to an additional year to amend existing contracts with business associates.

Among the other presentations at the forum, the most well-attended included a session on HIPAA and Research, a session on Privacy and Security, and a session on HIPAA web-based strategies. The first contained a detailed review of the sections of the rule related to research, as well as the research site’s perspective on HIPAA implementation. Research requirements that were covered included this information:

  • Covered entities must provide detailed notices of their privacy policies and practices to study participants.
  • They must provide physical, technical, and administrative security.
  • They must allow data subjects to access and correct protected health information about themselves.
  • The August 14, 2002, revisions are practical and appropriate and will reduce HIPAA’s negative impact on research.

The Privacy and Security session, led by Alan S. Goldberg, a partner with Goulston & Storrs in Boston, described the likely offenses and best defenses when HIPAA enforcement starts. The session also presented the federal sentencing guidelines and corporate compliance programs in detail. Goldberg gave the following advice on what organizations should do to avoid civil HIPAA penalties:

  • Use reasonable diligence to know as much as you can about HIPAA.
  • Establish policies that evidence a reasonable approach to prevention.
  • Avoid being neglectful or reckless.
  • Try to cure breaches within 30 days.
  • Ask for extensions if necessary.
  • Seek technical advice if necessary.
  • Document everything.

Who Is Covered?
In general, the HIPAA rules state that any health care provider that maintains or transmits “individually identifiable health information,” referred to as “protected information,” about a patient or client is deemed a “covered entity” and is subject to HIPAA. In addition, “business associates” who view, manipulate, or handle this protected information on behalf of a covered entity are also subject to HIPAA.

The final HIPAA privacy rule covers all individually identifiable health care information in any form—electronic or non-electronic—that is held or transmitted by a covered entity. This includes information in paper records that has never been electronically stored or transmitted, but could be. An entity that collects, stores, or transmits data electronically, orally, in writing or through any form of communication, including fax, is covered under the HIPAA privacy rule, as is the information itself. The electronic transmission of this information is governed by the HIPAA EDI format standards.

Within the speech, language, and hearing professions, this includes all identifiable health information generated and transmitted by those in private practice, and those practicing in schools, nursing homes, hospitals, and other institutional settings. Those professionals practicing as employees of covered entities are subject to the policies and procedures of those entities, which will themselves be in full compliance with HIPAA rules. It also includes any provider under contract with a covered entity, such as a nursing home or rehabilitation facility. In this situation, the speech, language, or hearing care professional would be considered a business associate of the facility and subject to the “business associates” provisions of HIPAA.

Web Resources

The following Web sites contain comprehensive, up-to-date HIPAA information:

[email protected]  
HIPAA audiology discussion ListServe.

The Health Care Compliance Association site.

The Healthcare Information and Management Systems Society site contains HIPAA information specifically for information technology administrators.

This site offers the final privacy rule regulations.

The site offers links to the final transaction sets and codes along with an FAQ section on implementation.

The Health Insurance Association of America (HIAA) offers a HIPAA privacy primer with legal interpretations from a broad health care perspective.

A professional organization offers a series of articles on executing HIPAA regulations.

Secretary’s Committee on Regulatory Reform, Overview of HIPAA Privacy.

Regulator Calms Enforcement Fears
But while Woodbury wisely cautions against laziness with regard to HIPAA, Alex Azar, general counsel of the US Department of Health and Human Services, offered a federal regulator’s perspective on privacy at the San Diego conference that was designed to calm fears. “This is a system of privacy regulation that is based on common sense,” Azar said of the rule. “And as a result, we are not going to have auditors sweeping down on hospitals and health care groups. It will be entirely a complaint-driven process. As an organization, we have limited resources, too. We will prioritize the enforcement. Complaints have to be well founded.”

In direct response to a question about civil monetary penalties, Azar said, “This won’t be a game of ‘gotcha!’ The providers who will have to worry are the ones with their heads in the sand on HIPAA—the ones that haven’t read the rule.” In addition, Azar said that the HHS intends to defer to states’ authority as much as possible, and that the HHS Secretary (currently Tommy Thompson) has the authority to waive or reduce penalties.

HIPAA Enforcement
Another speaker at the conference, Ira Pollock, JD, regional manager for the Office of Civil Rights (OCR), US Department of Health and Human Services, San Francisco, tried to reassure attendees that enforcement should not be overly feared. “Historically, most complaints to our organization have been informally resolved. We really stress voluntary compliance,” she said. However, her address went on to clearly spell out the consequences of noncompliance. Among her key points:

  • The privacy rule will be enforced by complaints filed by patients who believe they have been discriminated against. OCR will look at compliance reviews from tips, and review any program that receives HHS funds.
  • Complaints must be filed within 180 days of an incident.
  • Complaints must be in writing.
  • OCR has “delegation of authority to enforce the rule,” and to impose civil monetary penalties.
  • Organizations are required to permit access without notice to their facilities, as well as access to the appropriate books, records, and anything pertinent to compliance.
  • Clinicians who violate the privacy rule may face financial penalties and/or prison. In general, these are penalties of $100 per violation, with a $25,000 cap for each calendar year.
  • However, the Department of Justice can impose up to $50,000 in fines and 1 year in jail for knowingly obtaining or disclosing information, or a maximum of $250,000 and 10 years in prison.

April Deadline
And while many people agree that health care practitioners should not fear HIPAA compliance, there is no argument about deadlines. “There are several major deadlines approaching,” says Jodi Chappell, director of health care policy for the American Academy of Audiology (AAA). “These are absolutely essential deadlines for audiologists.”

The biggest deadline: April 14, which is when “covered entities” must be in compliance with the Privacy Rule (April 14, 2004 for “small health plans”). By that date, full compliance with the Rule requires:

  • Providing information to patients about their privacy rights and how their information can be used.
  • Adopting clear privacy procedures for practice, hospital, or plan.
  • Training employees so that they understand the privacy procedures.
  • Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Chappell adds: “Since many audiologists and dispensing professionals have small practices with few employees, training isn’t as big an issue as it becomes for larger providers, such as the big companies and hospitals. Still, it is important to be up to speed on the Rule and to know where you stand in relation to it.”

She also adds that every facility must have already filed a CMS model compliance plan. That deadline was mid-October.

Ben Van Houten is associate editor of The Hearing Review.

Associate Editor Ben Van Houten works out of The Hearing Review’s Los Angeles office. He can be reached at [email protected].