Guidelines for Physicians on Security and Privacy
Every medical practice, regardless of its size, has to comply with the Health Insurance Portability and Accountability Act (HIPAA or the "Act"), a law that was passed by Congress in 1996. The primary focus of the law was to ensure the portability of health insurance coverage for Americans changing jobs. However, the law was also designed to protect the privacy and security of patient records and to bring some uniformity to claims processing.
The intent of this primer is to review the law’s basic mandates and to highlight the salient points relevant to health care providers (one of the three industry groups included in the Act under the definition of “covered entities”). A health care provider, defined as any person or entity that furnishes, bills for or is paid for health care in the normal course of business, needs to take the necessary steps to demonstrate HIPAA compliance. Physicians and other providers must educate themselves about three key mandates of the HIPAA regulations: (1) electronic transactions; (2) privacy; and (3) security. For each of the three mandates, the United States Department of Health and Human Services (HHS) is responsible for the standards set.
Electronic Transactions Standards
Vendors of software packages do most of the work to make computer systems HIPAA compliant. Under the HIPAA regulations, more than 400 different formats for transmitting “standard” health care data such as benefits, eligibility and payment information to payors are being consolidated into 20 standard “HIPAA-compliant” transaction standards. For each transaction, the standard dictates a certain set of required data elements, optional data elements, format and content.
What does this mean for medical practices? Medical practices must have policies and procedures in place to ensure the submission of the necessary data elements to complete each transaction. Physicians can ask for the format with the required data elements in advance. Medical groups will need to submit all the necessary data to complete the transaction and submit it in the appropriate format. In addition, practices will have to ensure that their software vendors build language into each contract to ensure compliance with the law. This can be done with an amendment to the existing vendor contract, but the better practice may be to leverage the opportunity for a comprehensive contract review.
One point of particular caution: if your medical practice uses a proprietary or unique electronic claims system, be careful before agreeing to spend thousands of dollars on upgrades, when a new state-of-the-art system might provide advanced features at less expense.
HIPAA privacy standards dictate how organizations must deal with “protected health information” (PHI) when they share patient information for treatment, payment and administrative functions. Under the final rules, patients have expanded rights to understand and control how their health information is used. Every practice deals with the impact of HIPAA’s implementing regulations on a daily basis. Controlling access to PHI using paper-based systems and processes is next to impossible. Why? Consider the treatment of paper documents in most offices — they are passed from one person to the next, photocopied, occasionally misplaced and often left out in public view. A major purpose of the HIPAA standards is to discourage this practice and encourage instead the computerization of all personal health information, regardless of who creates, stores or transmits it. Otherwise, it would be virtually impossible for providers to meet HIPAA’s requirements to document all releases of information, provide audit trails and be able to inform patients concerning who has accessed their medical information.
Security refers to a covered entity’s specific efforts to protect the integrity of the health information it holds and prevent unauthorized breaches of privacy such as might occur if data is lost or destroyed by accident, stolen or sent to the wrong person in error. Security measures can be physical (e.g., locking rooms and storage facilities), administrative (e.g., policies and procedures covering access to information, user IDs and passwords) or technological (e.g., encryption of electronic data and use of digital signatures to authenticate users logging onto a computer system).
Faxing is a prime example of the problems with the maintenance of confidential information that HIPAA seeks to minimize. Faxes are particularly vulnerable to ending up at the wrong place or in the wrong hands. If you are a health care provider, consider how often patient information in your office is left at the fax machine or sitting on a desktop for anyone to see. HIPAA security regulations discourage paper creation and require any faxes that are sent to be tracked carefully, especially those sent to parties outside the four walls of your practice or organization. The regulations require that you verify the identity of the party receiving the fax and provide ongoing monitoring of fax security practices.
Basic Steps for Compliance
How can you maintain HIPAA compliance? Some fundamental steps are outlined below. These steps do not demand a significant amount of your time and will assist you in optimizing risk management in the area of HIPAA compliance.
1. Learn as much as you can.
A good place to start is the American Health Information Management Association Web site, ahima.org/hot.topics, or the Health Care Financing Administration site, hcfa.gov. Also, the Office of Civil Rights at hhs.gov/ocr has a privacy Web site to which inquiries can be e-mailed.
2. Assign responsibility.
Assign a team to manage HIPAA compliance or, if your practice is small, appoint a privacy officer. Place this individual in a leadership position or in a position to coordinate compliance responsibilities with outside legal counsel on facets of the rules that are unclear or difficult to understand.
3. Conduct an organizational assessment (“gap analysis”).
Assess your practice’s compliance posture by performing a “gap analysis” to determine where gaps may exist between your current confidentiality and security practices and what HIPAA privacy and security regulations require. The items to evaluate in accordance with HIPAA regulations include:
– Internal and external information access, disclosure and release of information procedures against the “minimum necessary” requirement;
– The need to develop or update privacy and confidentiality consents, authorization forms, and practices and materials reflecting current organizational and legal practices and requirements;
– The existence of organizational policy for patient inspection of, amendment to, and restriction of access to, personal protected health information; and
– Practices related to marketing, de-identification of health information, and access to especially sensitive PHI such as psychotherapy notes.
Physicians are well advised to assume some form of heightened protection for the privacy of health records. For failure to comply with HIPAA, the general penalty is $100 for each violation, up to a maximum penalty for all violations of the same kind within a calendar year not to exceed $25,000. One of the keys for physicians is to be sure that the policies and procedures developed are reasonable and that the practice can ensure compliance by physicians and staff for the benefit of patients. Take the first steps. Educate yourself and your staff and, if needed, seek reliable counsel before problems arise.