HIPAA News


What Is HIPAA? And How Will It Affect My Practice?

Kathleen M. Roman, Clinical Risk Management Education Leader
The Medical Protective Company

Deadline approaching for compliance with final HIPAA regulation. All healthcare providers have been affected by new federal regulations designed to improve privacy, standardization, and efficiency in the collection, maintenance, and transfer of personal health information. This set of rules affects any health-related information that carries individual identifiers, regardless of the format: oral, paper, or electronic. They are part of the Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996, referred to as HIPAA. The rules have been implemented in stages, at two-year intervals beginning in 2000. Compliance with the final set of regulations, which addresses the need for healthcare providers to obtain individual identification numbers, is expected by mid-2007. With that deadline, any health care provider or entity that engages in a transmission of patient-related information, including insurance and/or billing information, must conduct transactions using the new identifiers. Providers include: medical and dental practices; hospitals; ambulatory surgery centers; rehabilitation facilities; skilled nursing facilities; hospices; and home health care agencies.

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the Department of Health and Human Services (HHS) to establish national standards to improve the efficiency and effectiveness of the nation's healthcare system. These goals were to be achieved through: a) accelerated transition to electronic healthcare transactions; b) formalized processes designed to protect the privacy of healthcare information; c) system-wide security of healthcare transactions and data; and d) introduction of national provider identifiers/numbers to be used by physicians, health plans, and employers.

In a nutshell, the HIPAA regulations provide for:

  1. Consistency in the way that healthcare-related information is transmitted, including payment and insurance-related transactions as well as the transfer, storage, and accessibility of clinical information.
  2. Formalized systems that require every healthcare entity to implement a privacy system to protect the confidentiality of Personal Health Information (PHI). Required administrative elements of this regulation include:
    • A written privacy policy; a privacy official who assumes primary responsibility for the organization's compliance with the new regulations;
    • Formal education to ensure that staff and all parties who have access to patient information understand their responsibilities under the law;
    • Contractual agreements with outside parties/vendors to ensure that compliance is upheld throughout the entire structure of the health care system;
    • Periodic review of policies, actions taken to address complaints or deviations from the program, and documentation of ways in which these issues were addressed/resolved.
  3. In addition, numerous patient-focused elements must be addressed in each organization's HIPAA plan:
    • Policies related to privacy must be given to all patients and must be made available to the general public.
    • With few exceptions, patients must be provided with written informed consent documents that include information about procedures and payments.
    • Patient consent must be obtained before medical records can be released.
    • Patients have the right to restrict the use or disclosure of their medical information.
    • Disclosure of health information must be restricted to the minimum level necessary to fulfill the purpose of the transaction.
    • Sanctions will be brought against individuals/entities that improperly disclose information.
    • Additional regulations must be in place to cover broader health-related transactions, e.g., research.
    • Patients may require that corrections be entered into their medical records.
  4. Security requirements hold covered entities accountable for protecting the security of PHI. This includes any weaknesses in technology, systems, or procedures that could allow non-qualified parties access to patient information. Examples include:
    • Policies and enforcement of policies limiting access to PHI to the minimal level necessary in order to complete a healthcare transaction.
    • Poor systems or poor enforcement of systems related to the use of passcodes.
    • Systems and compliance measures of electronic access, maintenance, storage, alteration, and destruction of PHI.
  5. Healthcare entities that engage in the electronic transfer of PHI are expected to apply for unique National Provider Identifier numbers to be used during HIPAA-related transactions. The deadline for implementation of these numbers is May 23, 2007. The Centers for Medicare & Medicaid Services are currently accepting applications from physicians, dentists, pharmacists, and organizations that are eligible for NPIs, e.g., hospitals, medical and dental practices, pharmacies, nursing homes, etc. A web-based application can be accessed via: https://nppes.cms.hhs.gov or a paper application can be obtained by calling (800) 465-3203. Without NPI numbers, providers will be unable to participate in Medicare or Medicaid and many health plans have already begun to transition to the use of NPIs as well.
  6. NPI is intended to:
    • Simplify transactions (including health claims, EOBs, and Utilization Review) by making them more efficient and cost effective. NPIs will establish a single number that a health care provider will use throughout all data transactions.
    • Allow providers to use paper transactions as well.
    • Eliminate the necessity for a provider to have more than one identifier number, regardless of how many health plans, contracts, or locations.