Coping With HIPAA: New Regulations Pose Challenges, Opportunities

When asked to identify those parties impacted by HIPAA, the Health Insurance Portability and Accountability Act, David Levenstein, privacy officer for Baystate Health Systems, said it’s much easier to list who isn’t.


“Being part of a regulatory environment is a large commitment — it cuts across so many areas, from billing to patient care … it affects everyone,” said Levenstein, who called the act “the most comprehensive health care legislation since Medicare.”

Handling HIPAA has become an intriguing exercise for area health care providers, large and small. Those assigned to lead these efforts say HIPAA has presented them with both challenges and opportunities. Coming into compliance with the act’s many dictates has brought some headaches for administrators, as well as some hefty additional costs, which come at a time when most providers are struggling with the bottom line.

But there are benefits, as well.

“What HIPAA does is require safeguards,” said Tom Drapeau, director of Information Systems at Holyoke Medical Center, “administrative, physical and technical safeguards. These are just good business practices.”

HIPAA was passed into law on August 21, 1996, and was designed to standardize electronic data in health care facilities, create health identifiers for individuals, employers, health plans, and health care providers, and impose security standards protecting the confidentiality of patient health information.

The Healthcare News looks this month at how area health care providers are coping with HIPAA, and how the act has brought positive change to the industry.

HIPAA-cratic Oath

The primary goals of HIPAA are to improve efficiency, augment security, and protect confidential information in the health care sector. In turn, HIPAA has set standards that all health care organizations must comply with, or else face severe civil and criminal penalties including fines and imprisonment. The Web site HIPAAdvisory.com, which keeps tabs on the law’s deadlines, updates, and developments for health care professionals, offers a ‘HIPAA primer’ for those just trying to understand the basics of the complicated regulations.

Rules regarding security, electronic transactions, privacy, unique ‘identifiers’ for providers (EIDs), and enforcement of each regulation have been drafted and put into effect, and more are proposed. What health care organizations are most concerned with is achieving compliance with each of the rules as they are set by the Department of Health and Human Services.

After the various regulations of HIPAA are published, all organizations are given an average of 24 months from the effective date to comply. The first rule to be published, the Transactions Rule, went into effect on August 17, 2000. It was followed by the Privacy Rule, which reached its compliance date in 2003, and the final set of EID regulations, which reached its compliance date just a few months ago.

This final rule established a standard for employer identification nationally, and also set forth a list of requirements concerning its use by health plans, health care clearinghouses, and health care providers. In short, EIDs are meant to streamline electronic transactions that, in turn, are safeguarded by the Privacy and Security Rules.

With the Privacy Rule in place, EIDs in use and practices in keeping with the Security Rule being introduced, health care providers are now focused on maintaining compliance as well as getting their facilities up to speed — the compliance deadline for the Security Rule is less than a year away, slated for April 21, 2005.

The expansive nature of HIPAA has undoubtedly caused a few headaches, but the current consensus among health care workers is that while the law’s infancy was full of kinks, organizations are now finding compliance less of a challenge and more of a goal. Further, though costs have undoubtedly been generated by this unfunded mandate, many in the Western Mass. health care sector are beginning to see the cost effectiveness of some of the HIPAA measures, and say that many of the costs associated with compliance would be accrued anyway, as new technology changes the health care landscape.

Lastly, with the shock of new rules and regulations beginning to wane, many affected by HIPAA in the region are realizing that some of the rules are easy to comply with, because their facilities are already almost there when the rules are published. To them, some of the newer HIPAA rules are just common sense and good business.

Levenstein was designated as Baystate’s privacy officer prior to the HIPAA Privacy Rule’s compliance deadline. Now, with that deadline behind him, he said the bulk of his work with HIPAA goes into fielding questions and concerns from employees and the public and ensuring that patients’ rights have been afforded them. Still, he wouldn’t say he has time to rest on his laurels after compliance dates pass.

“The rules are expansive,” he said. “This is the first national law that deals with health information privacy.”

Levenstein said some of the greatest administrative challenges, such as coordinating business association agreements with vendors or processing patient privacy paperwork and other communications, have pointed out how far-reaching the HIPAA laws actually are.

“There were many large administrative hurdles, but now those systems are up and running. Things are moving along relatively seamlessly because of the effort expended. The biggest concern now is paying attention to scenarios that raise questions and keeping up with ongoing education. We’re constantly reassessing.”

Though Levenstein said patient confidentiality has always been a priority at Baystate, maintaining compliance and training employees is a challenge. He added that some of the grunt work associated with HIPAA compliance adds to the workloads of staff members who now have to process paperwork and make phone calls to make sure regulation standards have been met.

“I’d say we’re talking with upwards of 1,000 patients a day to ensure they’ve received notices of privacy practice,” he said. “It’s a good deal of added work for the staff, and figuring it out is a challenge.”

Still, Levenstein said the bulk of work put toward compliance falls under a set of basic quality-of-care standards that Baystate has already had in place, and standardizing practices is helping the facility underscore those principles.

“It’s a case of re-emphasizing longstanding values,” Levenstein said, adding that practices such as communicating with multi-lingual patients or streamlining vendor relations are examples of health care practices that are affected by HIPAA, but are not new concepts to the industry or Baystate.

“Multi-lingual issues can be a challenge in general, and we have a very diverse patient population,” he said. “We’ve translated all of the big HIPAA forms into Spanish, and other forms have been translated into other languages. But it’s an issue that’s not just a health care issue; the difference now is that HIPAA is designed to make sure the delivery of health care would not be interrupted, and communicating with patients who may not speak English definitely falls under that umbrella.”

Barbara Rodriguez, president of East Longmeadow-based Global Link Translations and Interpretations Services, works with several health care providers interpreting for patients. She said she has seen not only a change in how her company does business because of HIPAA, but also an increase in the amount of business.

“Interpreters must be trained extensively, it’s not like it used to be,” she said. “At one time you could pull someone aside that worked in the building and ask them to translate.”

Global Link is one of the only vendors in Western Mass. that has a contract with the state. Rodriguez said the company also works with many of the hospitals in the area, including Mercy, Baystate, and Holyoke medical centers.

“The state now requires ‘competent’ interpreters,” she continued. “In order to be considered competent, you can’t just know the language, you have to know the subtle nuances of a language and how to explain complicated things. HIPAA forms absolutely fall under that category – people need to know exactly what they’re being told, and what they are signing.”

And in Western Mass., Rodriguez works firsthand with one of the most diverse populations in the country, and provides translators for speakers of Spanish, Russian, Portuguese, Vietnamese, and Polish regularly. She also has interpreters of languages such as Creole or Swahili on retainer.

In general, Levenstein and Rodriguez said the language and vendor-relations issues now associated with HIPAA are prime examples of the concerns that health care organizations have had since before the legislation passed.

Security Blanket

Drapeau agrees. He is in charge of getting HMC up to compliance level before the Security Rule’s deadline. He said he has been dealing with security issues for years, and is not feeling a particular crunch to put basic safety systems into place in time for the April 21, 2005 deadline for compliance with the Security Rule. In fact, Holyoke already invested in an extensive, up-to-date security system for electronic files for its network, eliminating the need for a complete overhaul in order to comply.

“Generally, we take a look at the HIPAA regulations and make sure we’re compliant,” he said. “Then work on anything that might be falling short. I’m not getting as much heartburn as others; we’ve had a security program in place since the ’80s, and we’ve had a security committee that is now called the HIPAA Committee.”

Thus far, the facility has seen a need to work on risk assessment practices and ongoing training areas in order to ready for the compliance deadline for the Security Rule, said Drapeau, even though the overall electronic network and most policies and procedures are in good shape. But he added that the hospital is not far behind on any subject, and he expects HMC will reach compliance with ease.

“From my standpoint there is a push, but not because we don’t have good security in place,” added Carl Cameron, manager of information technology at HMC. “It’s more about looking for holes and making sure policies are being carried out in each department.”

Further, many of the problems that Drapeau and Cameron encounter in their jobs are not directly related to HIPAA. Instead, issues such as viruses infiltrating the medical center’s network and Internet-related problems with keeping private information private are problems that are growing on their own. Thus, HIPAA security rules are, in essence, providing a necessary kick-start that many facilities need to ensure that they are protected.

“HIPAA is a good step to address problems,” Cameron said. “It makes sense and in fact, organizations should be taking the requirements even a step further.”

Costs related to reaching HIPAA compliance are also for the most part costs that would arise independently of the federal law, said Cameron.

“In general our culture needs to make some choices about where to spend their money,” he said. “Can we get by? Yes, but we need to spend money just to take care of patients. What people need to see is the bigger picture — protecting information has become a necessary thing without HIPAA.”

Accepting Change

Health care providers described HIPAA as a “massive culture change” when it was first introduced, according to Levenstein. Now, he thinks that might be somewhat overstated.

“Any change takes some getting used to and now it’s just a matter of getting things done – making sure we’re compliant,” he said.

In summary, the shock of HIPAA seems to have worn off, and with health care facilities paying more and more attention to the safety of information and thorough patient care, the laws of HIPAA are beginning to look more like guidelines for smooth operation.
