The regulations, which went into effect in 2001 but don't require compliance until April 14, 2003, are part of the Health Insurance Portability and Accountability Act (HIPAA). The act covers organizations including hospitals, health plans, billing agencies, doctors' offices and employers that are self-insured.
For employers that sponsor an insured plan such as an HMO, which deals directly with employees on claims, the effects will be minimal. But employers that deal with a patient's medical information -- even if that just means writing reimbursement checks from a pre-tax flexible spending plan -- will have to do more to comply.
"The more protected health information you have from your employees, the greater the impact of HIPAA will be on you and your organization," says Laura Koballa, senior manager at Deloitte and Touche and a member of its national HIPAA team. "I think employers in many cases are going to start looking at data at a more summarized level so that in as few cases as possible are they dealing with a specific individual's information."
HIPAA includes regulations covering the electronic transmission of health records and security, but for most organizations, the privacy regulations are going to be the most burdensome, says Koballa. Privacy regulations in general are not new, Koballa says -- "banks have been dealing with security and best practices for years and years, because it's a highly regulated industry" -- but there hasn't been that kind of regulation of health records, she says.
"Most of the privacy regulations are brand new for these entities, and the way in which you currently conduct business, the way in which you handle protected health information, is going to be different," Koballa says.
Those authorized to view health care information will have to ensure no one else sees it. That could be as simple as relocating a workstation so passersby can't see the screen, or locking file cabinets when leaving the room, or as complicated as installing new systems.
"The biggest challenge is going to be for nonhealth care employers who sponsor health plans, because most employers are not geared up already as physicians' offices and hospitals are in the world of confidentiality," says Scott Sandrock, chair of the health care practice at Black McCuskey Souers and Arbaugh in Canton.
Not for sale
In addition to restricting who can view medical records, HIPAA prohibits the selling of a patient's health care information to outside entities.
"Your health information is yours," says Sandrock. "And you decide who gets it, and unless you give permission for the release of it, it can't be used, shared or disclosed unless there is some express situation that permits disclosure of that information."
That regulation arose from a case in which the maker of Prozac bought lists of patients taking the drug and sent them clearly marked samples in the mail, says Sandrock.
"That caused some people to be very upset, because family members picked up the mail or it came at work, and they didn't want the universe to know they were taking Prozac," Sandrock says. "Those situations are so incredibly rare, but so egregious," that the government took action in the form of HIPAA.
Can I see?
Also included in the privacy regulations are rules regarding a patient's right to view his or her health information.
"There's nothing from an employer perspective right now to really formalize that process," Koballa says. "You have the right to see a certain claim, but if you said, 'I want to see my whole claims history,' there's no process. An employer, a health plan, doesn't need to save anything in a certain format or for a certain period of time right now."
As part of the process, each organization must develop its own standardized forms.
"The government will tell you what needs to be included in that form and implemented, but they have not created the forms," Koballa says. "However, many consulting and law firms have begun to put together a standard set of templates that can be customized for individual clients. It may sound simple, but customization can be huge."
Although the regulations apply to anyone who deals with protected health information, it is large hospitals that face the most difficult task, Koballa says.
"The security there has typically been pretty weak," Koballa says. "On the health plan side, and probably for most employers, security may already be a high priority, so what needs to be addressed from a security perspective might be minimal. For health care organizations, because their primary focus, especially on the provider side, is patient care, they've been very slow at adopting best practices around privacy and security."
Who's in charge?
The Office for Civil Rights at the U.S. Department of Health and Human Services has been charged with enforcing the HIPAA privacy regulations, but Congress has not granted it any significant budget increase to do so, says Sandrock.
"They don't plan to go out and do field audits," Sandrock says. "They're not going to ask to see your HIPAA manual. But to the extent that complaints are filed, they will investigate and respond. The government is going to leave it up to people who are upset to rat out employers and health care providers."
Koballa agrees that organizations will have to police themselves, and says public image will drive compliance.
"What if an employee of your organization blows the whistle on you and tries to claim that the organization did not have the proper safeguards in place, and therefore that information got into the wrong hands and they were denied a promotion or they weren't extended a job offer because their information was used incorrectly?" Koballa says.
Not only would that company be facing a lawsuit, it could also face criminal penalties, Sandrock says. The statute allows for a fine of up to $250,000 and/or imprisonment for up to 10 years for knowing misuse of individually identifiable health information.
"If it's an innocent situation, you're talking about a slap on the wrist and fines. People aren't going to go to jail for innocent violations, although the statute authorizes it. But if they find egregious conduct, there will probably be some selective criminal enforcement," with the hope that that will intimidate other businesses to follow the rules, he says.
How to reach: Black McCuskey Souers and Arbaugh, (330) 456-8341; Deloitte and Touche, (216) 589-1402