It’s six years in the making, 1,500 pages long, and coming to a health care provider near you.
It’s a complicated series of privacy regulations associated with the Health Insurance Portability and Accountability Act (HIPAA) of 1996, a broad act of the U.S. Congress instituted to bring consistency to medical record-keeping nationwide. The idea is to standardize information so all providers and insurance companies use standardized codes and formats to identify diagnoses and procedures and also use identical rules to govern how that information is used, said Barbara Whitten, corporate compliance manager and privacy officer for Holyoke Hospital.
As a major portion of the legislation, HIPAA mandates regulations that govern privacy, security, and electronic transactions standards for health care information. Both health care providers and health plans must be in compliance with the privacy regulations by April 2003, while the security rules are still being written, with no compliance date yet set.
For patients, at least according to HIPAA’s proponents, this means an additional assurance that medical information will not be shared with anyone who does not have a legitimate need for it. For hospitals and other medical practices — not to mention HMOs — it means devoting significant staff, time, and resources to making sure full compliance is achieved a year from now. And, as those working with HIPAA planning told The Healthcare News, it’s not an easy process.
A Monumental Task
Within Baystate Health System, for example, 120 employees are busy working on HIPAA compliance alone — and with good reason. Simply put, the federal law condenses thousands of health care, billing, and insurance transactions down to a few standardized formats, and concerns will obviously arise about who will see this information and for what reason, and how to keep it confidential.
If it were a matter of simply instituting new privacy and security guidelines, that would be complicated enough. But first providers must determine which set of rules — the new HIPAA regulations or existing state laws — should apply.
“Hospitals now have to do a comparison between what the federal law says and what the state law says,” said Kalisa Barratt, privacy officer and director of compliance for the health system. “Whatever law is more protective of patients’ privacy or gives patients more rights, that’s the law that hospitals have to apply, so we’re talking about a legal analysis.”
The Boston Bar Association has taken it upon itself to begin that analysis, Barratt said, but each health care provider in the Commonwealth — and across the country, for that matter — must examine its own guidelines to bring them into compliance with HIPAA.
“What hospitals are doing first is performing a gap analysis — reviewing the regulations in comparison to what we currently have in place, identifying where the gaps are, and then, once that’s laid out, developing an action plan on how to fill those gaps,” Whitten said.
And health care professionals have taken the task seriously, Barratt said, noting that patient privacy is not only a legal obligation but an ethical one. Still, having a federal law overlaying the state regulations has added a wrinkle that reverberates throughout the industry — an industry that ranks among the Bay State’s most important.
That new wrinkle is a far-reaching one.
HIPAA not only strives to set guidelines for who sees a patient’s chart, but also who may be privy to oral discussions about a patient’s status and who may access the information on a computer. That affects countless people, from medical staff to the technical support people who service a health system’s computers and the attorneys who defend providers in malpractice suits. “What the law says is that if you have those kinds of business associates, you need to get satisfactory assurances that they will keep the information confidential,” Barratt said. “And in a system like Baystate, we could have thousands and thousands of business associates.”
What Will Change?
HIPAA will eventually require major changes in how health care organizations and HMOs handle all facets of information management, including reimbursement, coding, security, and patient records.
What it boils down to, Barratt said, is that entities affected by the federal law may not use or disclose any protected health information unless they have obtained the individual’s consent or authorization, or unless the law allows such use or disclosure without consent or authorization, such as in the case of mandatory reporting of child abuse. ‘Consent’ and ‘authorization’ are two separate types of written permission, she explained. A health care provider must obtain a patient’s consent to use or disclose protected information for the purposes of treatment, payment, and health care operations. An authorization allows uses and disclosures for other purposes.
Among the new federal patient rights created by HIPAA are the rights to receive a notice of the covered entity’s privacy practices, to request restrictions on the use and disclosure of protected health information, to access and amend protected health information, and to receive an accounting of disclosures made of protected health information, Barratt said.
Providers must also designate a privacy officer, develop a complaint process, train employees, and create sanctions against those who fail to comply with the law. All of these tasks are made more difficult, she added, by the fact that HIPAA is a moving target, and changes are still being made to what will be the final regulations — as all the while the clock ticks down to next April.
“The challenge is trying to implement a major effort with limited resources in terms of people, skills, and funding,” said Jim DiDonato, Baystate’s HIPAA project manager for the patient security aspect of the law. “If you’re short in terms of people, you need to get some temporary help from outside consultants, and that’s where the funding comes in. We’re trying to balance all available resources.”
Necessity v. Simplicity
Those working with the new guidelines cautiously tout the value of an overriding federal standard. “I think, if I’m a patient, I might worry that there isn’t enough protection, and I might herald this new federal law as being a very positive thing for my personal privacy,” Barratt said. “Most providers think they’ve done a good job with this anyway. Our patients are paramount to what we do, and we’re obligated to protect their information.”
Although Massachusetts has been among the more progressive states in terms of privacy laws to begin with, she said some sectors of the industry nationwide have not been as stringent as they could be, and the HIPAA rules at least provide a level starting point for everyone — even if that means more work for providers and health plans. Even in this region, she noted, new mothers have received solicitations from baby food and diaper companies shortly after giving birth, only one indication that somebody is sharing medical information in worrisome ways.
“On a national level, HIPAA definitely does what it needs to do,” Whitten said. “Other states might be much less stringent than we are here, and it has been a big concern to people in our profession that no federal laws regulated these things, which can differ so broadly from one state to another.
“I just wish it was written more simply,” she added. “Because it’s so complex, it doesn’t necessarily make it easier. They call it ‘administrative simplification,’ but it’s complicating things.”
That’s only a short-term problem, however, said DiDonato, who noted that HIPAA will eventually boil down 400 different types of billing formats to a single one, taking the duplication and inefficiencies out of the system. Meanwhile, he said, the emphasis on improved patient privacy and security of records is a positive byproduct of that process.
“It’s going to streamline the industry,” he said, comparing the eventual outcome with what happened in automated banking, which now allows anyone to use any ATM because only one technology is being used.
As for improving privacy and security, he said HIPAA will absolutely do its intended job. Although Baystate is sensitive to protecting patient information, it has had to operate at times without external guidelines. The new rules will lay out those guidelines much more clearly.
“In some states, the regulations might be tougher than in others, and some states might have lower standards than Massachusetts,” DiDonato said. “HIPAA gives everyone an equal floor. And that’s what it’s doing — it’s not setting a ceiling; it’s setting a floor.”
It’s a floor providers in the Bay State will likely continue to exceed in patient protection, he concluded. But for now, that floor is still being laid, and the equally daunting task of educating employees in the new guidelines will follow thereafter.
“We certainly plan to be in compliance,” Barratt said. “But we have a lot of work to do. It’s just a massive task.”