Here's the lowdown on HIPAA--its status and how it affects you.
by Peter Singer
June 2001
In August 1996, Congress passed and President Clinton signed Public
Law 104-191, otherwise known as the Health Insurance Portability and
Accountability Act of 1996 (HIPAA). Under HIPAA, Congress imposed a three-year
time limit for the passage of health privacy legislation. If no such laws were
enacted in that period, HIPAA mandated that the Secretary of Health and Human
Services promulgate final regulations to protect the confidentiality of
electronically transmitted health information. HIPAA's reach extends well
beyond the protection of electronically transmitted information, however; it
also put into place regulations that govern health care standards for patient
record privacy, electronic transactions, security, code sets, and more.
If your organization provides or pays for health care--and this
includes occupational health--you will be affected by HIPAA. How your
organization codes injuries and illnesses, employee clinic visits, or referrals
may need to change. You may need to modify your coding methods to adapt to this
federal standard.
Although HIPAA is composed of five Titles, the most pertinent is
Title II, Subtitle F, Administrative Simplification, which consists of numerous
standards at varying levels of completion. Two of the standards, the
Transaction and Code Set Standard and the Privacy Standard, now have Final
Rules and as a result, have compliance dates. With these two compliance dates
finalized, HIPAA has officially been put on the front burner for private health
plans, government health plans, health care clearinghouses, and health care
providers. The focus of this article will be on the two aforementioned
standards and how they might affect you.
The compliance dates for the Transaction and Code Set Standard and
the Privacy Standard are October 16, 2002 and April 14, 2003, respectively. The
remaining standards did not have compliance dates as of June 1, 2001. A
standard's compliance date is typically two years from the Final Rule date,
except for small health plans, which typically have a compliance date of three
years from the Final Rule date. See the chart below for the numerous standards
of HIPAA and their status as of June 1, 2001.
HIPAA Regulation Schedule
Although acceptance of HIPAA has been slow, momentum seems to be
building. According to the results of Phoenix Health Systems' Spring 2001
quarterly HIPAA survey, "Approximately 3/4 of the 600+ survey participants
reported that their organizations are actively engaged in enterprise HIPAA
awareness efforts, 2/3 are addressing internal impact assessments, about half
are working on HIPAA project planning, and roughly a third are making inroads
on actual HIPAA implementation."
Transaction and Code Set Standard
Although the Transaction and Code Set Standard is one standard,
there are actually two parts to it: 1) transactions and 2) code sets.
Transactions refer to the electronic exchange of administrative and financial
health care information. A Code Set, as defined by HIPAA, is any set of codes
used to encode data elements. For example, a Code Set could be a list of
medical diagnosis codes or medical procedure codes or a table of terms. ICD-9
is a commonly known code set.
Transactions
HIPAA standards for health care-related
transactions ultimately will simplify and encourage electronic commerce in
health care. Currently, health care providers and health plans that conduct
business electronically use a variety of formats. There are about 400 different
formats for health care claims alone. Defining a transaction standard will
allow providers to submit the same electronic transaction to any health plan,
eliminating a major administrative burden for the involved parties.
It is important to note that the federal government is not the
entity that defines the transaction standard. A new class of organization
called a Designated Standard Maintenance Organization (DSMO) was established to
be the developers and keepers of the standard. The following organizations have
been designated as DSMOs: Accredited Standards Committee X12, Dental Content
Committee of the American Dental Association, Health Level Seven, National
Council for Prescription Drug Programs, National Uniform Billing Committee, and
National Uniform Claim Committee. For additional information about DSMOs, see
www.hipaa-dsmo.org.
The following transactions fall under control of the standard,
according to the U.S. Department of Health and Human Services:
Health claims or equivalent encounter information
Health claims attachments
Enrollment and disenrollment in a health plan
Eligibility for a health plan
Health care payment and remittance advice
Health plan premium payments
First report of injury
Health claim status
Referral certification and authorization
The law requires that anyone who performs transactions
electronically must comply with the standard. HIPAA does not require entities
to perform electronic transactions. However, if an entity is not currently
performing electronic transactions, it must either begin to do so directly or
must have them performed through a clearinghouse. The technical specifications
for the various transaction formats are freely available for download at
www.wpc-edi.com/hipaa. The format should be familiar to anyone who has worked
with the X12 Electronic Data Interchange (EDI) standards put out by the Data
Interchange Standards Association (DISA).
Code Sets
In using the transaction standard, certain medical
data code sets are required to be used under HIPAA for diagnoses, procedures,
drugs, and dental work. Following are the code sets used:
International Classification of Diseases,
9th Edition, Clinical Modification, (ICD-9-CM), Volumes 1 and 2 (including The
Official ICD-9-CM Guidelines for Coding and Reporting), as updated and
distributed by HHS, for the following conditions: diseases, injuries,
impairments, other health-related problems and their manifestations and causes
of injury, disease, impairment or other health-related problems. See
www.cdc.gov/nchs/about/otheract/icd9/abticd9.htm.
International Classification of Diseases, 9th
Edition, Clinical Modification, (ICD-9-CM), Volume 3 Procedures (including The
Official ICD-9-CM Guidelines for Coding and Reporting), as updated and
distributed by HHS, for the following procedures or other actions taken for
diseases, injuries, and impairments on hospital inpatients reported by
hospitals: prevention, diagnosis, treatment, and management. See
www.cdc.gov/nchs/about/otheract/icd9/abticd9.htm.
The combination of Health Care Financing
Administration Common Procedure Coding System (HCPCS), as updated and
distributed by HHS, and Current Procedural Terminology, Fourth Edition (CPT-4),
as updated and distributed by the American Medical Association, for physician
services and other health-related services. These services include, but are not
limited to, the following: physician services, physical and occupational
therapy services, radiological procedures, clinical laboratory tests, other
medical diagnostic procedures, hearing and vision services, and transportation
services including ambulance. See www.ama-assn.org.
The Health Care Financing Administration Common
Procedure Coding System (HCPCS), as updated and distributed by HCFA, HHS, for
all other substances, equipment, supplies, or other items used in health care
services. These items include, but are not limited to, the following: medical
supplies, orthotic and prosthetic devices, and durable medical equipment. See
http://www.cms.hhs.gov/MedHCPCSGenInfo/.
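As an added illustration (not code from the article or from any HIPAA body or vendor), the following Python checks that each data element of a constructed claim record carries a code shaped like the code set the standard designates for that element, following the list above. The code formats are assumed from the published ICD-9-CM, CPT-4, and HCPCS conventions, and the element names and sample codes are constructed for the example.

```python
import re

# Syntax of each HIPAA-designated code set, in the dotted form printed in the
# code books. The patterns are assumed from the published formats of these
# code sets, not taken from the article, and check shape only: a code that
# is well-formed must still exist in the current HHS- or AMA-distributed table.
CODE_SET_SYNTAX = {
    # ICD-9-CM Vol. 1-2 diagnoses: 001-999, V01-V91 or E800-E999, with decimals
    "ICD-9-CM-DX": re.compile(r"(?:\d{3}(?:\.\d{1,2})?|V\d{2}(?:\.\d{1,2})?|E\d{3}(?:\.\d)?)"),
    # ICD-9-CM Vol. 3 hospital inpatient procedures: two digits plus decimals
    "ICD-9-CM-PX": re.compile(r"\d{2}(?:\.\d{1,2})?"),
    # CPT-4 physician and other health-related services: five digits
    "CPT-4": re.compile(r"\d{5}"),
    # HCPCS Level II supplies, equipment, ambulance: letter A-V plus four digits
    "HCPCS": re.compile(r"[A-V]\d{4}"),
}

# Code set(s) the standard designates for each kind of data element, following
# the article's list. The element names themselves are constructed here.
REQUIRED_CODE_SET = {
    "diagnosis": ("ICD-9-CM-DX",),
    "inpatient_procedure": ("ICD-9-CM-PX",),
    "physician_service": ("CPT-4", "HCPCS"),
    "supply_or_equipment": ("HCPCS",),
}


def code_set_of(element_kind, code):
    """Return the designated code set whose syntax `code` matches, or None."""
    for name in REQUIRED_CODE_SET[element_kind]:
        if CODE_SET_SYNTAX[name].fullmatch(code):
            return name
    return None


def validate_claim(claim):
    """Return (element_kind, code, problem) tuples; empty means every code is well-formed."""
    problems = []
    for kind, codes in claim.items():
        if kind not in REQUIRED_CODE_SET:
            problems.append((kind, None, "no HIPAA code set designated for this element"))
            continue
        for code in codes:
            if code_set_of(kind, code) is None:
                allowed = " or ".join(REQUIRED_CODE_SET[kind])
                problems.append((kind, code, f"not a well-formed {allowed} code"))
    return problems


# Constructed sample claim: valid codes plus two defects, a diagnosis code with
# a letter prefix ICD-9-CM does not use and a CPT-4 code where HCPCS is required.
SAMPLE_CLAIM = {
    "diagnosis": ["845.00", "E880.9", "S45.00"],
    "inpatient_procedure": ["81.54"],
    "physician_service": ["99213", "A0425"],
    "supply_or_equipment": ["99213"],
}

if __name__ == "__main__":
    for problem in validate_claim(SAMPLE_CLAIM):
        print(problem)
```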
Penalties for Non-Compliance
Failing to comply with the Transaction and Code Set
Standard gives the Department of Health and Human Services the authority to
impose monetary penalties. Penalties include no more than $100 per violation on
any person or entity. A maximum of $25,000 can be imposed on a person or entity
for violations of one requirement. Many of the specific details regarding
enforcement procedures for violators have not been clearly defined as of yet
and will be published in the future.
How This Standard Affects You
The first thing health plans and providers need to
do is understand the Transaction and Code Sets and other HIPAA standards. A lot
of the information is available on the Internet at the U.S. Department of
Health and Human Services' Web site at aspe.hhs.gov/admnsimp. To stay current
on HIPAA regulations, you can also subscribe to the HIPAA-REGS listserv, which
will notify you by e-mail when documents or events related to the HIPAA
Administrative Simplification regulations are published or posted. Visit
aspe.hhs.gov/admnsimp/lsnotify.htm to register.
The American Medical Association, American Dental
Association, and other such associations are offering assistance that ranges
from online help to publications to training seminars. Providers as well as
health plans should check with appropriate associations for available
assistance.
Once you understand the standards, either perform
or have someone else perform an audit and analysis to determine which standards
apply to you and what will be involved in getting your infrastructure, systems,
and procedures updated accordingly. If you haven't already done this, now is
the time to act. On May 2, 2001, Gartner, Inc. of Stamford, Conn., announced
the results of its second quarterly survey of an industry-representative panel
of 203 payer and provider Healthcare Organizations (HCOs). Gartner found that
75 percent of HCOs have not completed transaction assessments of their
environments and risks. This is a frightening statistic, given that the
deadline was only about a year and a half away at the time this survey was
released.
The effort of implementing the Transaction and Code Set Standard can
generally be characterized as follows:
System Upgrades
The larger providers and health plans generally have
their own information systems. Smaller providers typically use commercial
off-the-shelf (COTS) software developed by software companies that specialize
in such systems. In either case, the systems will need to be modified to
generate and accept transactions as well as use the new code sets. Similarly,
clearinghouses will need to upgrade their systems to support the same
functionality.
Implement EDI
As mentioned earlier, HIPAA does not
require health care providers to conduct transactions electronically. If
providers choose to conduct electronic transactions, they will need to
purchase, install, and have their staff trained in the use of the new
technology. The existence of clearly defined standards may be a motivator for
providers without electronic transaction capabilities to justify such an
investment.
Training
The appropriate personnel in health plan
as well as provider organizations will need training in the use of the various
code sets, as well as any changes made to their information systems as part of
the transaction standard.
Other Issues
Of course, implementing any new set of
standards that is dependent on such a large number of different organizations
and such a wide range of information--and getting it right the first time--
would be a Herculean task. Providers, health plans, and clearinghouses will
need to work together for a while to get all the little "gotchas" worked out
of their respective systems. In doing a cost/benefit analysis, most of these
improvements are measurable in terms of cost savings, such as reduced
man-hours and process simplification. Other benefits can be more difficult to
quantify but are just as important. Data integrity, timely notifications,
elimination of unnecessary data, and ensuring the required information is
collected are difficult to quantify on a cost basis. This certainly will not be
foreign to EHS personnel, who find it difficult or impossible to quantify the
cost of accidents that did not occur. Initially, things probably won't go
smoothly. Ultimately, development of the Transaction and Code Set Standard
should reduce the administrative burden on all involved entities.
The Privacy Standard
The Privacy Standard says that health plans, health
care clearinghouses, and health care providers who conduct certain financial
and administrative transactions electronically must offer a certain level of
patient control over medical information, limit the use and release of medical
information, establish privacy policies, designate a privacy officer, and train
all affected people appropriately.
In the past, your medical records may have been on
paper in a file cabinet at a health care provider's office. This actually
helped facilitate keeping your medical information private. As more and more
organizations use software and other electronic means of health care
management, medical information tends to flow more freely, which makes it more
likely that individuals will have their private medical information exposed.
Privacy is a fundamental right. According to a
January 1999 survey by Princeton Survey Research Associates, two-thirds of
adult Americans say they "don't trust health plans and government programs,
such as Medicare, to maintain confidentiality all or most of the time." With
statistics like that, it is not surprising that the government understood the
importance of drafting the Privacy Standard of HIPAA. The public needs a
certain comfort level with the privacy of personal medical information in order
to get the full benefits of the proposed electronic technologies.
Although the Department of Health and Human
Services issued the Privacy Standard under HIPAA, the Office for Civil Rights
(OCR) is the organization responsible for implementing and enforcing the
privacy regulation. Additional information about this standard can be found at
www.hhs.gov/ocr/hipaa.
Privacy Penalties
Penalties for violating the Privacy Standard range
from minimal to severe and can include civil as well as federal criminal
penalties. The criminal penalties can be eye-opening and include: $50,000 and
one year in prison for obtaining or disclosing protected health information; up
to $100,000 and up to five years in prison for obtaining protected health
information under "false pretenses"; and up to $250,000 and up to 10 years in
prison for obtaining or disclosing protected health information with the intent
to sell, transfer, or use it for commercial advantage, personal gain, or
malicious harm.
Although monetary penalties and prison time are
important considerations, losing customers because of a violation may really be
the thing that hits health plan organizations where it hurts. If customers are
not confident an organization can protect their information, they'll find one
that can; this may be more costly than any fines paid.
How This Standard Affects You
There are several important steps to take to help
affected entities comply with the HIPAA Privacy Standard. As with all HIPAA
standards, it is important to understand the pertinent regulations and, in the
case of the Privacy Standard, to perform an analysis to determine where an
entity stands with regard to the flow of information, the information systems,
and the physical environment of the entity. After the analysis, an entity can
develop a plan for what it needs to do to implement an effective privacy
policy.
When sending or receiving data over a public wire
(e.g., the Internet), the information should not be easily accessible to prying
eyes. Encryption and related information transfer methods fall under the HIPAA
Security Standard, not the Privacy Standard. The Security Standard has not yet
been finalized, but understanding what is currently proposed should give you a
head start in laying the foundation for putting the appropriate security
systems in place.
Following are some of the key issues of the Privacy
Standard and some steps to take to meet it:
Designation of a Privacy Official and Contact Person
Covered entities should designate an individual as a privacy official,
who is responsible for the implementation, development, and internal
enforcement of the entity's privacy policies and procedures. A contact person
should be designated to receive complaints about privacy and provide
information about the privacy policy of the entity.
Patient Control of Medical Information
Providers and health plans need to develop a
patient privacy document that discloses in clear language how the covered
entity may use and disclose patients' health information. They will also need
to establish procedures to facilitate patients seeing and getting copies of
their medical records, as well as amending them. Health care providers will
need to implement a means for getting patient consent before sharing personal
information for treatment, payment, and health care operations. Providers and
health plans will need to define a mechanism that allows people to file formal
complaints with a covered entity.
Privacy Procedures
Develop written privacy procedures that define who
can access private information, how it will be used within the entity, and when
the information may be disclosed. Entities also must have a mechanism to ensure
their business associates protect the privacy of health information.
Training
Covered entities must train all members of their
workforce on the policies and procedures with respect to protected health
information required by the Privacy Standard, as necessary and appropriate for
the members of the workforce to carry out their functions within the entity. A
privacy official should be designated to be responsible for ensuring the
entity's policies are followed.
Safeguards
Covered entities are required to safeguard
protected health information from accidental or intentional use or disclosure
that is a violation of the requirements of the Privacy Standard and to protect
against the inadvertent disclosure of protected health information to persons
other than the intended recipient.
Where To Get Help
As mentioned earlier, the AMA, ADA, and other such
associations offer some assistance. Help is also available from other sources.
A large part of HIPAA relates to electronic transactions and security, so many
of the big software and consulting guns have set their sights on the HIPAA
market. Vendors such as Microsoft, IBM, EDS, Ernst & Young, and Accenture,
as well as many others, are offering products and/or services focused on HIPAA
compliance--and rightfully so, given its complexities and the timeframes
currently in place.
According to the same Spring 2001 survey by Phoenix
Health Systems mentioned earlier, "Among hospitals with over 400 beds, 53% of
respondents indicated they would engage outside consultants to support their
HIPAA compliance endeavors; 47% of respondents from smaller hospitals reported
similar plans. Most likely uses of consultants by hospitals were reported to
be: first, compliance planning; second, risk assessment; and third, education
management. Payers are likely to be even stronger users of consultants; 72% of
payer respondents reported the engagement of consultants, primarily for help in
compliance planning and risk assessments."
Keep in mind that nothing is fully HIPAA-compliant
at this point because most of the standards have not yet been finalized. Only
two of them have. Although HIPAA compliance requires an initial investment (in
some cases, a significant one), in the long run it will simplify health care
management and reduce the administrative burden on affected organizations.
About the author: Peter Singer (petes@KnorrAssociates.com) is
VP-Product Development at Knorr Associates Inc., a New Jersey-based firm
specializing in occupational health, safety, and environmental information
management systems. The company develops and markets DataPipe(TM) software.