HIPAA Privacy Rules Challenge Long-Term Care Providers. (Computer Quarterly Update).

Of the major requirements of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), probably the greatest challenge for long-term care providers is meeting the privacy standards. Many long-term care organizations have yet to begin any serious planning to meet HIPAA requirements, and in particular the privacy rule, despite government confirmation of the rule in April and issuance of a privacy guidance document this summer. Even if the current congressional debate over HIPAA deadlines results in their extension, all healthcare organizations recognize that HIPAA will go into effect, and that last-minute planning to meet its requirements will rarely succeed.

The key HIPAA privacy requirements include:

* Healthcare providers, plans and clearinghouses (repricing and billing companies) may not use or disclose individually identifiable health information in oral, written or electronic form without prior written authorization from the individual named.
* HIPAA allows disclosure of individually identifiable health information with signed patient consent for treatment, payment and healthcare administration. (Providers can disclose such information without patient consent in emergency medical situations.)
* Disclosure of individually identifiable health information for law enforcement purposes (including mandatory healthcare risk incident reporting and judicially required legal procedures) is permissible without a patient's consent.
* Health plans and insurers will not need to obtain additional patient consent to use patient health information for treatment, payment or administration, but will need written authorization to use this information for other purposes.
* Even where authorized, disclosure of protected health information must be limited to the "minimum necessary" to accomplish the user's purpose. Beyond the permitted uses, the information cannot be disclosed without the affected person's specific authorization.
* Record keeping and auditing of measures to preserve patient privacy are mandatory so that adherence to HIPAA standards can be reviewed.
* Patient health information can be disclosed if it has been cleaned of personal identifying data, such as Social Security number, Medicare/Medicaid number, health plan ID number, name, birth date, etc.
* Employee health data maintained in the human resources department cannot be used by or disclosed to other employer departments; redundant recordkeeping systems are needed to segregate health-related personal data. Fully insured employers who do not create, receive or maintain personally identifiable health information (other than summary information on claims history and/or expenses from which personal identifiers are removed) other than health plan enrollment data must amend health plan documents to include HIPAA privacy provisions.
* Employer wellness and disease management programs that use personal health information from employees should be reviewed to assure the privacy of such data and information. Such programs when administered through health plans do not require patient-authorized disclosure, but protected patient health information cannot be released by health plans to outside vendors of health and wellness programs without specific patient authorizations.

It is clear that the HIPAA privacy rules will be particularly challenging for long-term care providers. For example, authorizations to use protected patient health information for routine purposes will frequently have to come from patient family members serving as a proxy for the patient. Nonroutine disclosure of protected information will require patient or proxy consent for each such disclosure. Obviously, obtaining such consent could be difficult to administer.

Meeting the Deadlines

The current schedule requires that HIPAA privacy and security requirements be met by 2003.
Even if this schedule is extended, every long-term care provider should initiate planning now to meet the requirements. Providers should directly involve their information systems vendors in the planning process, not only for verifying vendor product compliance with HIPAA, but also to learn about the specific capabilities of their software and hardware in meeting the requirements.

The basic steps for preparing to meet the HIPAA privacy requirements are: (1) understanding and evaluating their relevance to your facility; (2) assessing all gaps in current procedures causing noncompliance with the requirements; (3) developing a compliance plan, including required process and systems changes and identifying necessary resources and timetable; and (4) scheduling implementation.

HIPAA also requires that every provider:

* designate a privacy officer;
* name a contact person to receive complaints and provide information about HIPAA privacy requirements;
* train all employees who handle identifiable health data and information;
* establish firewalls between these employees and others;
* establish a complaint resolution and sanction system; and
* establish a system of audit procedures to track the release and use of identifiable health data and information.

Consulting assistance is available to support long-term care providers in completing HIPAA compliance audits, performing gap analyses, establishing compliance plans and implementing them. Firms such as Beacon Partners, McKesson Information Solutions, PricewaterhouseCoopers, QuadraMed and HealthLinks are just a few of the many organizations that are providing HIPAA compliance consulting services. In addition, the Long-Term Care Specialty section of the Healthcare Information and Management Systems Society (HIMSS) is developing a list of resources to assist providers in meeting HIPAA requirements.

Malcolm H. Morrison, PhD, is president and CEO of Morrison Informatics, Inc., an information technology and data analysis consulting firm specializing in long-term care and post-acute care.

RELATED ARTICLE: Resources

A considerable amount of technical material on HIPAA compliance has become available and can be accessed through HIMSS at www.himss.org. A summary of HIPAA privacy rules, rights and protections is available at www.hhs.gov/news/press/200lpres/0lfsprivacy.html, with a more detailed, 350-page initial guidance document available at www.hhs.gov/ocr/hipaa. Also see Nursing Homes, March 2001, page 68.