HIPAA Privacy Rules Challenge Long-Term Care Providers. (Computer Quarterly Update)

Of the major requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), probably the greatest challenge for long-term care providers is meeting the privacy standards. Many long-term care organizations have yet to begin any serious planning to meet HIPAA requirements, and in particular the privacy rule, despite government confirmation of the rule in April and issuance of a privacy guidance document this summer. Even if the current congressional debate over HIPAA deadlines results in their extension, all healthcare organizations recognize that HIPAA will go into effect, and that last-minute planning to meet its requirements will rarely succeed.

The key HIPAA privacy requirements include:

* Healthcare providers, plans and clearinghouses (repricing and billing companies) may not use or disclose individually identifiable health information in oral, written or electronic form without prior written authorization from the individual named.
* HIPAA allows disclosure of individually identifiable health information with signed patient consent for treatment, payment and healthcare administration. (Providers can disclose such information without patient consent in emergency medical situations.)
* Disclosure of individually identifiable health information for law enforcement purposes (including mandatory healthcare risk incident reporting and judicially required legal procedures) is permissible without a patient's consent.
* Health plans and insurers will not need to obtain additional patient consent to use patient health information for treatment, payment or administration, but will need written authorization to use this information for other purposes.
* Even where authorized, disclosure of protected health information must be limited to the "minimum necessary" to accomplish the user's purpose. Beyond the permitted uses, the information cannot be disclosed without the affected person's specific authorization.
* Record keeping and auditing of measures to preserve patient privacy are mandatory so that adherence to HIPAA standards can be reviewed.
* Patient health information can be disclosed if it has been cleaned of personal identifying data, such as Social Security number, Medicare/Medicaid number, health plan ID number, name, birth date, etc.
* Employee health data maintained in the human resources department cannot be used by or disclosed to other employer departments; redundant recordkeeping systems are needed to segregate health-related personal data. Fully insured employers that do not create, receive or maintain personally identifiable health information beyond health plan enrollment data (and summary information on claims history and/or expenses from which personal identifiers are removed) must amend health plan documents to include HIPAA privacy provisions.
* Employer wellness and disease management programs that use personal health information from employees should be reviewed to assure the privacy of such data and information. Such programs, when administered through health plans, do not require patient-authorized disclosure, but protected patient health information cannot be released by health plans to outside vendors of health and wellness programs without specific patient authorizations.

It is clear that the HIPAA privacy rules will be particularly challenging for long-term care providers. For example, authorizations to use protected patient health information for routine purposes will frequently have to come from patient family members serving as a proxy for the patient. Nonroutine disclosure of protected information will require patient or proxy consent for each such disclosure. Obviously, obtaining such consent could be difficult to administer.

Meeting the Deadlines

The current schedule requires that HIPAA privacy and security requirements be met by 2003. Even if this schedule is extended, every long-term care provider should initiate planning now to meet the requirements. Providers should directly involve their information systems vendors in the planning process, not only to verify vendor product compliance with HIPAA, but also to learn about the specific capabilities of their software and hardware in meeting the requirements.

The basic steps for preparing to meet the HIPAA privacy requirements are: (1) understanding and evaluating their relevance to your facility; (2) assessing all gaps in current procedures that cause noncompliance with the requirements; (3) developing a compliance plan, including required process and systems changes, and identifying the necessary resources and timetable; and (4) scheduling implementation.

HIPAA also requires that every provider:

* designate a privacy officer;
* name a contact person to receive complaints and provide information about HIPAA privacy requirements;
* train all employees who handle identifiable health data and information;
* establish firewalls between these employees and others;
* establish a complaint resolution and sanction system; and
* establish a system of audit procedures to track the release and use of identifiable health data and information.

Consulting assistance is available to support long-term care providers in completing HIPAA compliance audits, performing gap analyses, establishing compliance plans and implementing them. Firms such as Beacon Partners, McKesson Information Solutions, PricewaterhouseCoopers, QuadraMed and HealthLinks are just a few of the many organizations that are providing HIPAA compliance consulting services. In addition, the Long-Term Care Specialty section of the Healthcare Information and Management Systems Society (HIMSS) is developing a list of resources to assist providers in meeting HIPAA requirements.

Malcolm H. Morrison, PhD, is president and CEO of Morrison Informatics, Inc., an information technology and data analysis consulting firm specializing in long-term care and post-acute care.

RELATED ARTICLE: Resources

A considerable amount of technical material on HIPAA compliance has become available and can be accessed through HIMSS at www.himss.org. A summary of HIPAA privacy rules, rights and protections is available at www.hhs.gov/news/press/2001pres/01fsprivacy.html, with a more detailed, 350-page initial guidance document available at www.hhs.gov/ocr/hipaa. Also see Nursing Homes, March 2001, page 68.