As the first of the regulatory deadlines (April 14) draws near relative to the Health Insurance Portability and Accountability Act (HIPAA), many hearing care professionals are still trying to understand what might be required of them. This article provides a background on HIPAA and its two major sections (privacy and security), offers resources for gaining more information, and a perspective on formulating criteria for outsourcing HIPAA-related tasks.
On August 21, 1996, Congress passed the Health Insurance Portability Act (Public Law 104-191, also known as the Kennedy-Kassebaum Law) to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery and to simplify the administration of health insurance. In 1999, Congress amended and added to the Act, which then became known as the Health Insurance Portability and Accountability Act (or HIPAA). The two main provisions of HIPAA are:
- That individuals are able to have continuing access to health insurance (portability); and
- That standardized methods and procedures must be implemented by health care providers to ensure the privacy and security of a patients personal health information.
HIPAA is regulated by the Department of Health and Human Services (HHS), with the responsibility for implementation and enforcement of HIPAA privacy regulations delegated to the HHS Office for Civil Rights (OCR).
In its current form, HIPAA has information privacy and security ramifications for anyone involved in health care, including hearing health care practitioners and their business associates (eg, instrument manufacturers, billing services, etc), medical practices and other health care providers (eg, dentists, chiropractors, etc), hospitals, insurance companies, health plans, etc. Each of these entitiesmore than 4 million in totalmust comply with HIPAA regulations. Because of its comprehensive scope, HIPAA is the most significant Federal legislation affecting health care since the creation of the Medicare and Medicaid programs in 1965. The impact of HIPAA on all health care entities is underscored by its estimated implementation costmore than $25 billion.
HIPAA requires health plans, clearing houses, and health care providers that conduct certain transactions electronically to be compliant with HIPAA Administrative Simplification standards by October 16, 2002, unless the health care entity filed for a one-year extension on or before that date (health plans with revenues of less than $5 million have until October 16, 2004 to be compliant). It is reported that more than one-half of all covered entities did not apply for the extension. This does not mean, however, that those that did not apply for the extension had submitted certified compliance plans. Many health care entities were simply unaware of HIPAAs existence, didnt know that they should have filed an extension, or ignored the potential impact of HIPAA on their businesses/practices. Complicating the situation is the fact that health care entities that did not file for an extension cannot file a late application, as HHS is prohibited by law from accepting any more extensions and has removed the extension form from its Web site.
The question then is what should a hearing health care office/practice do if it did not file for the extension? There is, unfortunately, no clear answer to this conundrum. Health care entities that did not submit compliance plans or file for the extension are still required to be HIPAA compliant by April 14, 2003 and should be prepared to submit a Corrective Action Plan in the event a complaint is filed. The Centers for Medicare & Medicaid Services (CMS), which is responsible for enforcing the transaction and code set standards that are part of the administrative simplification provisions of HIPAA, has indicated that fines for failure to meet the extension deadline will most likely not be imposed on everyone who did not file for the extension, but rather enforcement will be enacted on those entities on a complaint-driven basis." (Authors Note: The Centers for Medicare & Medicaid Services (CMS) was, until June 14, 2001, known as the Health Care Financing Administration or HCFA.) Presumably, this could include monetary fines and other penalties.
Civil and Criminal Penalties for Failure to Comply
To assure compliance and accountability of those who have access to personal health information (PHI), HIPAA gives the Secretary of HHS the authority to impose monetary penalties for failure to act in accordance with the rules. The Secretary is required to impose penalties of not more that $100 per violation on any person or entity that fails to comply with any provision included in the rule. The total amount of monetary penalties imposed on any one person or entity in each calendar year may not exceed $25,000 for multiple violations of the same provision.
Penalties for failure to protect the confidentiality of personal health information results in the imposition of civil and criminal penalties that range from a $50,000 fine and up to a year in prison for wrongful disclosure of individually identifiable health information, to a fine of $250,000 and up to 10 years in prison for disclosure of individually identifiable health information committed under false pretenses with intent to sell, transfer, or use for commercial advantage, personal gain, or malicious harm.
These measures are designed to gain the serious attention of the health care field. However, the general counsel for HHS, Alex Azar, has attempted to allay fears by emphasizing that, in particular, the system of privacy regulation will be based on common sense, and he assures people that this will not be a game of gotcha! Azar says that the HHS intends to defer to states authority as much as possible, and that the HHS Secretary has the power to waive or reduce penalties.2
Covered entities: Health care providers who transmit health care information in any form or medium. The regulation lists 10 covered transactions including: 1) health care claim or encounter; 2) health care payment and remittance advice; 3) coordination of benefits; 4) health care claim status; 5) enrollment and disenrollment in a health plan; 6) eligibility for a plan; 7) health plan premium payments; 8) referral certification and authorization; 9) first report of injury, and 10) health claims attachments.
Health care: The provision of care, services, or supplies related to the health of an individual. This includes, but is not limited to: 1) preventive, diagnostic, rehabilitative, palliative care, maintenance, counseling, service, or assessment procedures undertaken with respect to the physical or mental condition, or functional status of an individual, or that affects the structure or function of the body; and 2) sale or dispensing of a drug, device, equipment, or other item required by the above, in accordance with state laws.
Health care provider: Any provider of health care services (preventive, diagnostic, therapeutic, rehabilitative, maintenance, palliative, or counseling) including clinics and centers, physicians, licensed/certified health care practitioners and any other person or organization who furnishes, bills (via sale/dispensing), or is paid (via contractual services) for care related to the health of an individual in the normal course of business.
Health information: Any information, whether oral or recorded, in any form or medium (eg, tape, paper, diskette, fax, email, digital voice message) that is created or received by a health care provider in the normal course of business that relates to the past, present, or future physical or mental health condition of an individual; the provision of health care treatment to an individual; or, the past, present, or future payment for health care services.
Protected health information (PH): Individually identifiable health information that is or has been electronically maintained or transmitted by a covered entity, including such information when it is in non-electronic form or discussed orally.
Individually identifiable health information (IIHI): All information (electronic, written, or oral) collected from an individual that: a) Is created or received by a health care provider, health plan, employer, or health care clearinghouse; or b) Relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual or the past, present or future payment for the provision of health care to an individual, and 1) Identifies the individual, or 2) There is a reasonable basis to believe that the information can be used to identify the individual. Data elements that make information individually identifiable include: patients name, address, employer, relatives names, date of birth, telephone and fax numbers, email addresses, social security and medical record numbers, member or account numbers, credit card numbers, certificate/license number, voice/fingerprints, photos, or other number, code, or characteristics, such as occupation.
Business associate: Any person or entity who performs a function or assists a covered entity with a function or activity involving the use or disclosure of individually identifiable health information. Examples of functions include claims processing or administration, data analysis, utilization review, quality assurance, billing, benefit management, proactive management, and repricing; legal, actuarial, data aggregation and accounting; and, management, accreditation, consulting, or financial services. A covered entity may be a business associate of another covered entity.
Certification: HIPAA requires covered entities to certify that they have met the security standards [§142.08(a)].1 The regulations state that the certification can be done internally or by an external accrediting agency.
How HIPAA is Constructed
HIPAA currently consists of five components or titles:
- Title I improves the portability and continuity of health insurance coverage for millions of American workers and their families by 1) guaranteeing health insurance access, coverage, portability, and renewal; 2) eliminating some pre-existing condition exclusions; and 3) prohibiting discrimination based on health status.
- Title II provides for administrative simplification and the prevention of health care fraud and abuse by requiring: 1) rules to protect the privacy of an individuals personal health information; 2) the establishment of security requirements to protect that information; 3) the development of standard identifiers for the electronic exchange of health care information; and 4) medical liability reform.
- Title III deals with tax-related provisions of the Act, including medical savings accounts and health insurance tax deduction for the self-employed.
- Title IV defines group health plan requirements.
- Title V addresses the issue of revenue-offset provisions that stem from Administrative Simplification (AS) under Title II.
Title II, also known as the Administrative Simplification (AS) Rule, is the HIPAA component that has the most immediate potential impact on the hearing health care field at this time. The AS rule has four sets of regulations and standards: one for transactions and coding sets, another for privacy and confidentiality standards, a third for security and electronic signature standards, and a fourth for unique identifiers for provider organizations, payers, employers, and patients. Title II gives the federal government the ability to mandate how hearing health care practices maintain and transmit a patients personal health information so that, when fully implemented, a national floor of privacy protections for patient health information will have been created.
(Authors Note: It should be recognized that HIPAA is a continually evolving Federal law, wherein HHS has been granted the authority to substantially revise HIPAA once every 12 months. Since changes to the law were made in 2002, new substantial changes cannot be issued before August 2003. At this time, the Administrative Simplification and Privacy Rules are considered final; however, the Security rule, including the electronic signatures portion, remains subject to revision.)
State Patient Privacy Laws and HIPAA
Most, if not all, states already have privacy laws that apply to a patients identifiable health information, the provision of health care, and payment for health care services. In addition, most states have laws that address such areas as patient consent, access to records, and subpoena rights. In this situation, the general standard is that, if state law is more protective of the patient, then it takes precedence over HIPAA. If a state law is less stringent, then HIPAA takes precedence.
HIPAA Privacy Regulations
Privacy is defined by HIPAA as the patients right to control access and disclosure of their protected or individually identifiable health care information (IIHI). The issues of privacy and security are often mistaken as being the same. They are not. HIPAA privacy rules provide persons receiving treatment for hearing loss (and/or other audiologic services) with safeguards to ensure their health care information is adequately protected and appropriately used by the hearing care professional as a condition of quality patient care. HIPAA security regulations address the practitioners specific efforts to protect the integrity of the health information acquired/developed and provide methods and procedures to prevent unauthorized breaches of privacy.
Under HIPAA privacy rules, the hearing health care professional is required to inform the patient as to how their personal health care information will be used; provide guidance regarding the patients privacy rights; and limit (to the minimum required) the use and disclosure of any personal health-related information obtained. In addition, the hearing health care patient has the right to:
- Receive a notice of the health care practitioners privacy practices;
- Access, review, and receive a copy of their personal medical record or health care information on file;
- Request a change or correct an error in the medical record;
- Know how, when, and to whom medical information is disclosed;
- File a grievance with regard to a privacy concern; and
- Provide written instructions regarding their personal preferences regarding use and disclosure of their personal health information.
Permissible uses of personal health information include treatment, payment for services provided, and activities such as patient billing or appointment scheduling. A hearing health care patients personal health information may also be disclosed to other hearing care professionals, as well as primary care physicians, ear surgeons, counselors, etc, who may need access to private health information to provide optimal hearing/general health care. HIPAA prohibits hearing care professionals from sharing the patients personal health information with outside sources for marketing, research, or any other reason without the patients knowledge and written consent.
HIPAA privacy regulations call for each hearing care professional to create privacy-conscious business practices, which must include the requirement that only the minimum amount of health information necessary is disclosed. The privacy rule also contains provisions allowing covered entities to implement reasonable safeguards that reflect their particular circumstances. According to HIPAA, the raison dêtre for the privacy regulations is to ensure that the health care providers primary consideration is the appropriate treatment of their patients.
Finally, HIPAA privacy regulations do not intend privacy-conscious business practices to prohibit oral communications, such as calling out a patients name in the waiting room, or discussing a patients condition over the phone with the patient, a provider, physician, or family member. Nor do the rules require hearing care professionals to make structural changes, such as building private rooms, retrofitting existing offices for soundproofing, or installing encryption systems for telephone communications. As in all things, the hearing care professional should use good judgment and common sense in attempting to meet the privacy regulations.
HIPAA Security Regulations
Security is defined in the HIPAA regulations as the health care providers responsibility to control the means by which individually identifiable health care information remains confidential. Implementation of the Security Rule encompasses the following four elements:
Administrative procedures to guard data integrity, confidentiality, and availability: Intended to ensure that organizations provide a structure in which an information security program can be developed and implemented.
Physical safeguards to guard data integrity, confidentiality, and availability: Intended to ensure the protection of computer systems (and related physical structures in which these systems are housed) from fire, other natural and environmental hazards, and intrusion. These safeguards include the use of locks, keys, and administrative measures used to control access to computer systems and facilities, as well as back-up systems (eg, off-site duplicate data storage) for the recovery and utilization of health care data in the event of a natural (or man-made) disaster.
Technical security services to guard data integrity, confidentiality, and availability: Intended to protect, control, and monitor information access.
Technical security mechanisms to guard against unauthorized access to data that is transmitted over a communications network: Intended to protect health information that are electronically transmitted over open networks against interception or interpretation by parties other than the intended recipient. These mechanisms are also intended to protect information systems from intruders who attempt to gain access through external communication points.
There are numerous methods available to secure the patient health information maintained by the hearing health care practice. Many of these are likely to already be in place (eg, rooms/facilities secured with locks, security cameras, card access control systems, security awareness training for employees, etc). Data management systems can be secured through single sign-on systems, user IDs, passwords, firewalls, and intrusion prevention systems, such as the use of digital signatures to authenticate users logging onto computer systems. The Hearing Industries Assocation, hearing instrument manufacturers, and related suppliers have been working on this challenge (eg, see Scott Petersons article on eTONA on p. 38).
Recommended HIPAA Resources
The following Web sites contain comprehensive, up-to-date HIPAA information:
Getting Started on the Path to Compliance
It would be unwise for hearing care professionals to continue to delay and/or underestimate the scope, rigor, and effort that the new HIPAA regulations require. There are legal, regulatory, process, security, and technology aspects to each proposed rule that should be carefully evaluated before developing an appropriate implementation plan. Above all, however, the very first step is to accept the fact that there is a need to become responsive to HIPAA. Once that pill is swallowed, hearing care professionals can: 1) Begin to clarify their understanding of the HIPAA regulations; 2) Identify which aspects of the rules apply to their offices/practices; 3) Provide resourceshuman, technical, and financialto ensure timeline compliance.
The following is an abridged list of the activities the hearing care professional should undertake in order to achieve compliance with HIPAA regulations:
- Obtain copies of the rules from the Department of Health and Human Services HIPAA Web site (http://www.cms.hhs.gov/hipaa/);
- Determine which of the sections should be included in your implementation guide to meet the minimum necessary standards;
- Identify the differences that exist between your states patient privacy regulations and those contained in HIPAA;
- If you are not a sole-practitioner office, determine who will be responsible for HIPAA compliance;
- Educate your staff about HIPAA;
- Conduct a risk assessment to evaluate potential risks and vulnerabilities to health care information;
- Compare current procedures for disclosure of health information with the proposed privacy standards; and,
- Determine if you are using the standards outlined in the electronic data information (EDI) transaction standard.
In-house Compliance Effort vs Contract Compliance Services
Compliance with HIPAA is not rocket science. It is, however, a demanding undertaking with no foreseeable opportunities for a quick fix or easy solution. If a hearing care professional does not have the time or other resources (eg, staff) to research HIPAA and provide the necessary effort to bring the practice into compliance, it may be necessary to outsource HIPAA compliance to a reputable consultant. It is advisable that, when obtaining outside assistance, the hearing care professional consider the following:
Does the consultant understand the practice of hearing health care? It is important the consultant has an understanding of the professional practice of providing treatment for hearing loss and associated disorders.
Is the consultant capable of being on the job? Who will actually be doing the work? What happens if the consultant is unable to perform the work required? Is there back-up staff available? What are their qualifications? Does the consultant have legal and/or administrative systems support (ie, is the consultant full service or an area specialist?).
Does the consultant provide start-to-finish continuity? The consultant should be able to perform all of the tasks related to the HIPAA compliance process, including gap analysis, remediation, policy/procedure development, recommendations on security systems, staff training, etc.
Has the consultant provided a detailed scope of work and implementation timeline? To keep compliance effort cost effective, the consultant should be able to provide an expedited implementation schedule due to their familiarity with developing compliance programs.
What is the total cost for the consultants services? The hearing health care practitioner should be cognizant of the pricing of consultants and what the average cost for a HIPAA consultant should be. You do not want to pay more than you have to, but you should also be wary of low bids looking for your business.
Always get a clear, explicit understanding (preferably in writing) relative to what will be provided by the consultant.
The mandate to achieve HIPAA health information privacy and security compliance occurs at a time when identity theft ranks as the most common form of consumer fraud. Additionally, insurance companies and HMO business practices relative to patient information have come under increased scrutiny in recent years. There are few situations wherein more information is collected about an individual than in a health care practice. HIPAAs comprehensive approach to ensuring the privacy and security of personal health information can substantially limit the incidence of identity theft and abuse of health-related information.
It is probably an understatement to say that there are still some hearing care professionals who have little or no knowledge of HIPAA. Based on our analysis of the HIPAA legislation and experience with compliance implementation projects, the authors can summarize the most salient feature of HIPAA in one sentence: Every hearing care practice, regardless of size, should comply with the HIPAA security and privacy regulations; HIPAA is mandatory, not optional.
What makes HIPAA compliance most challenging is the absence of clear direction as to just what has to be done to be compliant. This situation is compounded by the work-in-progress syndrome that persists regarding the nature and scope of HIPAAs provisions. Despite this fact, we believe there are some benefits to be realized from the absence of a rigid implementation structure. Primary among these is the flexibility HIPAA allows for hearing care professionals to create plans and procedures that are both scaleable and reasonable in relation to the unique character of their practice.
It is anticipated that, when all health care providers are in compliance with HIPAA regulations, substantial benefits will be realized by patients, health care providers, and the public at large. Patients will have greater assurance that their personal health information is secure from accidental disclosure and misuse. Providers will benefit from the lowered cost of doing business that results from standardizing the forms and format for the electronic exchange of health-related data. Finally, the public at large will benefit as computerization of personal health information allows de-identified data to be more readily available for use in the development of national health care policy.
|Paul Popp, PhD, is president of the North American Institute for Auditory Prosthetics and a management consultant based in Centerville, Ohio, and Beth Lane is executive director of Hearing Hearingcare Providers (Calif and Ariz) and president of Beth Lane & Associates, a consulting business that deals with HIPAA compliance, located in Tustin, Calif. They have written a publication entitled, HIPAA Privacy and Security Manual: Policies and Procedures for Your Practice to Achieve Compliance.|
Correspondence can be addressed to HR or Paul Popp, 7771 OBryan Place, Centerville, OH 45459; email: [email protected]; or Beth Lane, Beth Lane & Associates, 12722 Charloma Drive, Tustin, CA 92780; email [email protected].
1. Health Privacy Project. Implementing the Federal Health Privacy Rule in California: Update and Supplement to the Guide for Health Care Providers, Available at: www.healthprivacy.org. Accessed December 10, 2002.
2. Van Houten B. Getting hip to HIPAA. Hearing Review. 2003;10(2):36-39.