Duane Szymanski

Thursday, 20 November 2003 11:45

Embracing HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) has been hailed as a significant step toward achieving the health care industry's vision of reducing the costs and administrative burdens of health care by standardizing health information collection and exchange.

HIPAA also provides a framework for other laws that may be adopted which protect the privacy of individually identifiable health information and improve the efficiency in health care delivery by standardizing electronic data interchange (EDI) of administrative and financial data. The current version of the HIPAA Privacy Regulations took effect April 14, 2003.

While individuals, organizations, and coalitions have been working toward the goal of health data standardization for decades, the federal mandate provided the groundwork for key players to join forces and develop strategies and methodologies to work toward achieving administrative simplification.

HIPAA compliance

To date, only the Electronic Health Transaction Standards and the Privacy and Confidentiality Standards, Title II section "Administrative Simplification," have been finalized by the Department of Health and Human Services (HHS).

* Electronic Health Transactions Standards. These standardize electronically data pertaining to patient health, and administrative and financial information for the purposes of health claims, health plan eligibility, enrollment and disenrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits and related transactions.

* Privacy and Confidentiality Standards. These protect the confidentiality and integrity of individually identifiable health information, past, present, or future; limit the nonconsensual use and release of private health information; give patients new rights to access their medical records and to know who else has accessed them; and restrict most disclosure of health information to the minimum needed for the intended purpose.

The Department of Health and Human Services Office for Civil Rights helps define and govern HIPAA. If the HHS were to examine a company for compliance with the Privacy and Confidentiality Standards, it would look for "reasonable" efforts made to limit the use or disclosure of individually identifiable health information necessary to accomplish the intended purpose.

HHS may make recommendations, but the key to HIPAA is understanding the minimum necessary standard. If individually identifiable health information is wrongfully made public, HHS is responsible for enforcing civil and criminal penalties.

Covered entities that misuse personal health information are subject to civil liability which may include:

* A fine of $100 per violation of HIPAA standards, up to $25,000

* Criminal penalties from $50,000 and one year in prison for obtaining and disclosing protected health information

* $250,000 and up to 10 years in prison for obtaining and disclosing protected health information with the intent to sell, transfer or use it for commercial or personal gain

HIPAA's business classifications

HIPAA compliance extends to all business operations involving communication of personal medical or health information in the business office, and with trading/business partners. Policies and procedures are required for handling communications within HIPAA standards, including storage and destruction of information.

Two business classifications are affected by HIPAA: Covered entities (CE) and business associates (BA).

HIPAA's focus is covered entities, which includes health care organizations and providers, physician offices, health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations and universities which transmit health information via electronic transactions.

Business associates include agents, contractors or others hired to provide services for a covered entity that involve the use or disclosure of individually identifiable health information. Businesses are held accountable for adhering to patients' rights regarding privacy of information.

The Bureau of Workers' Compensation, managed care organizations, self-insuring employers and workers' compensation programs are not considered covered entities and not subject to HIPAA requirements.

Under HIPAA, providers may release protected health information in a workers' compensation claim for the following purposes:

* Treatment and payment of healthcare operations

* Compliance with state workers' compensation laws

* Valid HIPAA authorization

* Valid administrative or judicial order, subpoena, discovery or other lawful process that meets HIPAA requirements

HIPAA's universal impact

HIPAA impacts a large number and range of businesses and individuals, from the chief information officer of a large health plan to the risk manager of a local manufacturing firm to the billing clerk of a small neighborhood clinic.

Employers and employees will experience direct and indirect benefits from a more efficient, less costly and more useful health information system. Duane Szymanski is Ohio MCO (managed care organization) manager of CorVel, which provides case management, utilization management, medical bill review, group health and integrated disability management programs to employers. Reach him at (800) 275-6463.