HIPAA Compliance and Health Privacy
What You Need to Know About HIPAA Compliance!
By Jim Cavagnaro
HIPAA - the Health Insurance Portability and Accountability
Act - is a federal law developed, in part, to define and regulate
the use of healthcare information in the United States. Entities
that provide, pay for or supply health services, medications
or equipment, as well as their business partners and vendors,
are affected by this new set of regulations. This article summarizes
the work that needs to be done to meet requirements necessary
to become HIPAA compliant.
The Act defines and regulates
- how health information is identified and used, including
standard transaction forms and code sets for communicating
between providers and payers,
- what information, known as Protected Health Information
(PHI) is to be considered private and how it must
be handled, and
- security policies and procedures for protecting
These regulations all fall under Title II of HIPAA and are collectively
known as the Administrative Simplification Compliance Act (ASCA).
As the name implies, all entities covered by ASCA must be in
compliance by the deadlines set forth in the regulations. These
- Standardized Transactions and Code Sets -- October
- Privacy -- April 14, 2003
- Security -- deadline has not yet been set.
Note, however, that the Department of Health and Human Services
will allow covered entities to apply for a one-year extension
to the Transactions and Code Sets deadline if they submit a
Model Compliance Plan form that includes a schedule showing
how they intend to become compliant during the extension period.
This application must be received no later than October 15,
In addition, certain small health plans have an additional year
to comply with all the deadlines. Much more detail on HIPAA
and the ASCA can be found at the Centers
for Medicare and Medicaid Services web site which also contains
links to further resources.
How does the ASCA affect my practice or institution?
Directly or indirectly, you will be affected if you provide
health services or support health services providers. Covered
entities that choose to transmit identifiable patient-related
information electronically are required to implement these standards.
In practice, this means any provider who sends bills directly
to third-party payers since ASCA requires that those bills be
sent electronically with a small number of exceptions.
Additionally, an entity falls under HIPAA if it is a health
plan, clearinghouse, third-party insurer, employer maintaining
health records, rehabilitation center, blood, sperm or organ
tissue bank, social worker or counselor, long-term care facility,
ambulance company or pharmacy.
However, many more companies and services are impacted, including
those who provide services or supplies to health service providers
or to patients under the direction of providers. They will need
new business agreements assuring HIPAA compliance and must implement
acceptable information privacy and security measures. If these
companies bill third-party payers directly, they will also need
to implement the transactions and code sets standards.
Outside technology vendors, transcription providers, accountants,
attorneys and anyone else who may come into contact with patient
information in the course of normal business dealings will also
be affected. In short, if you create, maintain, manage or have
access to personal medical information, you should be concerned
about becoming compliant with HIPAA regulations.
To date, HIPAA implementation work has concentrated on defining
standard transactions for use by providers and third-party payers,
and creating standard definitions for health care providers,
employers, health plans and individuals to use in creating patient
record information. Code sets are being created to define standard
medical terms, diagnosis codes, diseases, injuries, etc. Medical
procedure codes are also being defined for actions taken to
prevent, diagnose, treat or manage diseases, injuries and impairments,
as well as for medications, equipment, supplies and other items
prescribed for treatment.
While many of these code sets are already familiar to providers,
there are some changes in the format of transactions and in the
codes that can be used, which may affect the transmission of information
between providers and payers. As an example, local codes can
no longer be used. Thus, if a specific insurer has asked providers
to append a national procedure code with a suffix to further
characterize the procedure, the insurer will have to develop
another way of obtaining the information it seeks. This will
mean that providers will have to learn a new procedure for coding
How do I become compliant?
The majority of the work and cost will be in redesigning office
processes around patient privacy and in developing a comprehensive
security program around patient information. Areas that will
need to be reviewed include written policies and procedures,
standards, staff training, technical and procedural controls,
risk assessments, auditing and monitoring of compliance. A provider
must also assign responsibility for ongoing management of the
information security program. Suppliers must agree in writing
to maintain the same level of security and privacy as the providers
with whom they work.
What do I have to do?
The first step is to perform a gap assessment to
determine what must be done in order to become compliant. Procedures,
processes and information management must all be reviewed in
light of the ASCA. For example, common office processes, such
as a nurse asking a physician for information about one patient
over an open intercom when another patient can overhear the
conversation, have to be modified to assure patient privacy.
Once the scope of necessary change is understood, an implementation
plan should be developed.
The next major operational step is to fund and execute the implementation
plan. In addition, all staff and employees who handle patient
information or discuss it with outside parties must be trained
in how to keep the information private and secure. This training
should also include instruction on any new procedures that are
developed and implemented.
What about my computers and software?
An affected organization must implement measures, policies and
procedures to assure the security of any information systems
that contain individually identifiable patient health information.
These would be coordinated and integrated with other system
configuration management practices in order to assure system
integrity when changes to system hardware or software are made.
Any software purchased as a package from an outside vendor must
also be compliant.
In addition, affected parties must provide a contingency plan
that provides for responding to information system emergencies,
including periodic backing up of data, having and testing facilities
for continuing operations in the event of an emergency, and
developing effective disaster recovery procedures. Computer
controls and security measures should be documented in the same
manner as other policies and procedures.
Each organization is also required to have a policy on workstation
use. These documented instructions and procedures should delineate
the proper functions to be performed and the manner in which
those functions are to be performed (e.g., logging off before
leaving a terminal unattended).
Restrictions must be put in place to prevent unauthorized personnel
from accessing information stored on the entity's computers.
Facilities that use communications networks are required to
protect messages containing health information when they transmit
them electronically to prevent them from being intercepted and
read by parties other than the intended recipient. They must
also protect their information systems from intruders trying
to access information from external communication points.
This typically means that some form of encryption must be used
to protect this information. There must also be documented
policies and security features for the use of fax, e-mail, Internet,
remote dictation and transcription services.
Jim Cavagnaro is CEO of TCN, which provides educational, project
management and consulting services through TCN's HealthCare
solutions group. More information on HIPAA can be found at http://www.tcnus.com
or by calling 800.366.8353