
HIPAA (Health Insurance Portability and Accountability Act)

In August 1996, legislation was passed that touches nearly every aspect of the healthcare profession, from providers to payers to vendors. Among its other provisions, the Health Insurance Portability and Accountability Act (HIPAA) includes protective guidelines for the confidentiality of healthcare information, spelling out the procedures for maintaining the privacy and security of that information. The law also mandates uniform standards and formats for the electronic transmission of health information and code sets in connection with most routine types of health transactions (such as claims submission and eligibility for health benefits).

HIPAA defines the type of information that must be protected by health care providers who conduct certain electronic healthcare transactions, by health plans, and by healthcare clearinghouses (referred to in HIPAA as "covered entities"), as well as the conditions that must be met before identifiable health information can be released from one party to another. HIPAA also requires the policies, procedures, and mechanisms needed to ensure the privacy of this information.

With regard to the standardization of code sets and transmission protocols, HIPAA aims to improve efficiency, protect the privacy of electronic data in any state, and reduce the cost of exchanging this information from one authorized entity to another. To reach these objectives, HIPAA goes further by mandating the way health information is captured, transmitted, stored, and managed, which in turn affects existing information technology procedures and policies.

The standardization of code sets and transaction protocols, as well as identifiers for patients, providers, and health plans, was first proposed in a report published in 1992 by the Workgroup for Electronic Data Interchange (WEDI). HIPAA draws on this report's findings and recommendations to establish its standards and protocols.

In connection with the administrative simplification rules issued under HIPAA, there are three important standards with which covered entities must be familiar:

  1. Standards for Electronic Data Interchange (EDI) Transactions. The compliance date (except for small health plans) is October 16, 2002; however, all covered entities (except for small health plans) can file for an extension to October 16, 2003. The extension request must be submitted to the Department of Health and Human Services' Centers for Medicare and Medicaid Services by October 15, 2002 in order to receive the extension. Instructions and an on-line extension application can be found at www.cms.hhs.gov.

  2. Standards for Privacy. The compliance date (except for small health plans) is April 14, 2003.

  3. Standards for Security. A compliance date for this aspect of the act has not been set.

Electronic Data Interchange (EDI) Standards

The HIPAA transaction standards set forth a special role for healthcare clearinghouses: translating electronic data that is not in the HIPAA-dictated format into standardized data that complies with it.

One of the difficulties for healthcare clearinghouses in complying with HIPAA requirements is that many of them (Dentrix, EagleSoft, PracticeWorks, etc.) occasionally rely upon or interact with contractors, referred to in HIPAA as "business associates", who may not be able to meet the first deadline of October 16, 2002. Many of these business associates have filed for extensions in order to complete, test, and implement their own new mechanisms. Those that have filed for the extension have until October 16, 2003 to become compliant.

With that in mind, Austin Programmers Group recommends that all its clients who intend to conduct electronic transmissions through healthcare clearinghouses prior to October 16, 2003 file for an extension as well, even if the client has not yet started to submit claims or statements electronically. Filing for an extension will protect a client's practice from potential liability for not being fully compliant with the HIPAA EDI requirements in connection with any electronic healthcare transactions conducted before October 16, 2003. Clients can file for an extension electronically at www.cms.hhs.gov. Additional information can be found at www.hipaadvisory.com and from the American Dental Association at www.ada.org. Note that the extension does not affect the deadline for compliance with the HIPAA privacy requirements.

Privacy Standard

HIPAA defines exactly what information, if maintained by those providers and plans that are subject to HIPAA, must be protected from unauthorized use or disclosure. The privacy standards apply to individually identifiable health information that is used, transmitted, or stored in any form (paper, electronic data, or oral) that concerns the individual's past, present, or future health, or that addresses the individual's means of receiving care (such as payment for health care). Examples of identifiable information protected by HIPAA include names, addresses, cities, phone numbers, fax numbers, e-mail addresses, web addresses, IP addresses, certificate numbers, license numbers, zip codes, account numbers, and birth dates.

HIPAA also affords patients a number of new rights under these standards: the right to receive privacy policies from providers who are subject to HIPAA, the right to access and copy their own health information, the right to a log of certain types of disclosures of their information, and the right to request an amendment of their information. Covered entities are required to adopt processes to notify patients of these rights and to handle patient requests to exercise them. The administrative requirements under the HIPAA privacy rules are many, including a requirement that covered entities appoint privacy officers and train their entire workforce in privacy issues.

In connection with certain types of disclosures of health information, covered entities are generally permitted to transfer protected health information to their contractors (business associates), as long as written contractual assurances are in place requiring the business associate to safeguard the information as the HIPAA regulations require. Note that such a contract is not required when the information is being passed from one provider to another for purposes of treatment (e.g., from a general dentist to an orthodontist).

The Department of Health and Human Services' Office for Civil Rights has been charged with enforcing the privacy rules and their standards. The Office for Civil Rights has stated that it will focus on encouraging voluntary compliance with the rule; however, HIPAA does establish severe civil and criminal penalties for covered entities that fail to adhere to the law.

Security Standard

The final HIPAA security standard has not yet been published. Compliance will be required two years and two months from the date the final rules are published. In short, this standard, in its proposed form, sets forth obligations to protect the electronic security (e.g., firewalls), physical security (e.g., locks on filing cabinets), integrity, and availability (e.g., data back-up and disaster recovery plans) of health information. Controls for complying with these standards must be integrated into practice management systems and into the systems of a practice's business associates. Even though the security rules have not yet been finalized by the government, some organizations that are subject to the HIPAA privacy requirements are paying attention to security now, since it is virtually impossible to keep information private under the HIPAA privacy standards without taking some steps to protect the physical and electronic security of that information.