The HIPAAcratic oath: do no harm to patient data. (Implementing HIPAA and Other Compliance Programs)

PHYSICIAN EXECUTIVES who have weathered the storm of Y2K will have ample opportunity to apply their honed skills and lessons learned to the next great system-wide challenge--HIPAA, the Health Insurance Portability and Accountability Act. Passed on August 21, 1996, the act is named for its health insurance portability provisions. However, the section that will impact health care organizations the most will be Title II, Subtitle F, entitled Administrative Simplification, which includes provisions covering privacy protection and system security. Physician leaders need to familiarize themselves with HIPAA (Public Law 104-191), and organize their institutions to plan for and execute a compliance program with the same vigor and system-wide participation as they did for Y2K.

Administrative simplification and privacy protection

HIPAA can be divided into two general categories of mandates: (1) administrative simplification, and (2) privacy and security provisions.
The purpose of the administrative simplification subtitle is to improve "the efficiency and effectiveness of the health care system" by setting standards that encourage "electronic transmission of certain health information" (http://aspe.os.dhhs.gov/admnsimp/p1104191.htm). The provisions of HIPAA apply only to providers, health plans, and clearinghouses (referred to as "covered entities"). The Department of Health and Human Services (HHS) was mandated to set standards for administrative transactions (e.g., claims, eligibility, benefits), code sets (e.g., diagnosis, billing), unique health identifiers (for providers, plans, and patients), security provisions, and electronic signatures. Once HHS issues final regulations, covered entities must comply with the standards for electronic transactions within two years (small health plans will have three years) or they will be subject to a penalty of $100 for each violation, up to a maximum of $25,000 in a calendar year.

HIPAA also contained provisions for protecting the privacy of individually identifiable health information. Congress acknowledged that passage of federal legislation was the preferred way to deal with privacy protection. Sensing the challenges, however, Congress wrote a backup plan, giving itself three years to pass comprehensive privacy legislation. Failing that, the act called on HHS to issue privacy regulations within six months of the deadline. Several bills were introduced in both the Senate and the House of Representatives, but bipartisan differences prevented any from being passed by the August 21, 1999 deadline. Consequently, the Secretary of HHS is required to issue privacy regulations.
Penalties for wrongful disclosure of individually identifiable health information include up to $50,000 in fines and one year in prison, or both. If the offense is committed with the intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm, the penalties include up to $250,000 in fines and 10 years' imprisonment, or both. Obviously, the stakes are high. This is an area where physician executives should devote much of their attention.

Rulemaking process and timetable

When issuing regulations, a government agency such as the Department of HHS must post a 'notice of proposed rule making' (NPRM) in the Federal Register and allow the public 60 days to comment. After reviewing feedback, the agency makes revisions it deems appropriate before issuing the final rule. The initial NPRMs were due in February 1998 (18 months after passage of HIPAA); however, most weren't published until the summer of 1998 (http://aspe.os.dhhs.gov/admnsimp/nprm/txlist.htm). Because of the complexity of the issues, final regulations for the transaction standards haven't been released, although most are expected sometime this year. Many of the proposed administrative standards are commonly used, such as code sets (e.g., ICD-9 CM and CPT-4) and transaction standards (e.g., X12 with payers and NCPDP with pharmacies). Some of the identifier standards are being developed (e.g., national provider and plan identifiers) and will be released soon.
In contrast, during an emotionally charged public hearing, concern was raised that assigning unique health identifiers to individuals would make it easier to link information. Under public pressure, Congress instructed HHS not to pursue defining identifiers for individuals until privacy protections are put in place.

Privacy protections for individually identifiable health information

The single biggest issue that will affect physician executives is the HIPAA mandate to adopt uniform protection of individually identifiable health information. The Secretary published the privacy NPRM on November 3, 1999 (http://aspe.os.dhhs.gov/admnsimp/nprm/pvclist.htm). The proposed regulations represent a significant step forward in privacy protection and incorporate several widely endorsed principles. For example, laws guaranteeing patients the right to examine their medical records would be extended to all 50 states (only 28 states have them currently). The NPRM gives covered entities statutory authorization (i.e., specific patient authorization is not required) to use and disclose information for "treatment, payment, or health care operations." What constitutes health care operations has been a subject of debate. Some examples include quality assurance, quality management, outcomes evaluation, disease management, peer review, and credentialing. Activities that would be disallowed include using patient information for marketing; sale, rent, or barter; sharing with non-health care sister divisions; determining employment decisions; and fundraising. The NPRM requires covered entities to develop policies governing the use and disclosure of confidential information and to disseminate these to patients. To reduce the risk of disclosing confidential information, personal identifiers should be removed as soon as feasible while maintaining the usefulness of the data. Improving the protection of confidential health information in the conduct of research is another objective. The proposed regulations call for the use of criteria to weigh the potential benefits of research against the possible invasion of individual privacy. Institutional review boards would be responsible for assessing the merits of a publicly-funded research proposal, and an equivalent board would need to be formed to evaluate privately-sponsored research.

Some caveats

What follows are provisions in the privacy NPRM that warrant special attention because of their unintended and intended effects on health care operations.

Covered information

HHS has interpreted its scope of jurisdiction to cover all health "information" that has been, is, or will be stored or transmitted electronically. This is intended to eliminate an obvious loophole, whereby electronically transmitted information could be stored on paper to obviate the need for complying with regulations covering only electronic data. From a practical standpoint, however, it would be difficult, if not impossible, to segregate information that has been, is, or will be transmitted or maintained electronically from information that exists only on paper. Physician executives should plan on applying the privacy regulations to all data maintained in patient records, the only sensible approach to complying with the spirit of the requirements.

"Opting out"

A controversial topic that plagued many of the bills introduced in Congress is the notion of allowing patients to "opt out" of having certain information stored in their medical record. Physicians recognize that some information may be sensitive and could cause social harm to the patient if it were to be disclosed to unauthorized persons. On the other hand, there are risks to the patient and provider when medical information is excluded from the decision-making process by virtue of its being secreted. Rather than walking this tightrope between interfering with informed decision-making and placing additional restrictions on access to specific pieces of the record, we need to raise the overall bar of protection and accountability, treating all health information as highly confidential. An analogy can be made to how policies for universal precautions evolved. In the 1980s, when it became recognized that blood-borne diseases posed a hazard, special precautions were instituted requiring health care workers to wear gloves when working with infected patients. However, we also inadvertently identified patients as having blood-borne diseases, including AIDS.
Current policies establishing universal precautions not only improve the protection of health care workers, but also reduce the risk of invading patients' privacy. Likewise, we would help prevent the spread of confidential information by treating all information as highly confidential, instead of encouraging "opt-outs."

Minimum necessary disclosure

Covered entities are required to use the "minimum amount" of identifiable health information for all uses and disclosures. The intent of the provision is well motivated. The operational test to determine whether someone should have access to confidential health information is whether that individual has a professional need-to-know. The minimum-necessary disclosure requirement is especially important in the era of megamergers. In the past, most laws and regulations covered disclosure (to an external organization) of information. However, when one company acquires another, information exchanged within the new organization becomes unregulated. Hence, a health insurance company acquiring a life insurance company, or vice versa, could make unfair use of health information when determining underwriting decisions on life insurance policies. Similarly, pharmaceutical companies that purchase pharmacy benefits managers would have access to confidential information and could, for example, target certain patients for advertising. This provision would apply need-to-know tests to internal and external uses of individually identifiable health information. However, controlling access to only the minimum amount of information needed will be difficult to implement using paper records.
Ultimately, the only efficient way to comply is by using a computer-based patient record (CPR) system, which can filter information by the user's need-to-know. One reason that the Institute of Medicine declared the CPR an essential technology for health care is because it can increase the protection of confidential patient data. (1)

Business partner contracts

Since the regulations are limited in scope to providers, plans, and clearinghouses, HHS proposed that these covered entities include provisions in their contracts with all business partners to extend privacy requirements. Although well intended, this has the effect of making covered entities responsible for the actions of their business partners, which is neither feasible nor practical. In addition, the NPRM proposed that patients be designated as "third party beneficiaries" in the business partner contracts. In some states, this creates an opportunity for patients to sue covered entities for harm caused by business partners that violate their privacy. This area needs further study by every organization's legal and risk management teams. A more appropriate solution would be federal legislation that applies equally to all entities that store or transmit health information, not just covered entities.
The HIPAA hole

One of the most glaring loopholes in the privacy NPRM is that, except for providers, plans, and clearinghouses, all other entities that store or use individually identifiable health information are unfettered in their use of confidential data. For example, medical websites routinely gather identifiable health information, and their advertisers can identify users and their browsing patterns over multiple websites--for financial gain. Hence, there is a compelling need to pass comprehensive federal privacy legislation to apply protections uniformly to all entities that use or disclose individually identifiable health information.

Preemption of state laws

The regulations act as a "floor" in the sense that they set the minimum standards necessary. Any state statute that is "more restrictive" would supersede the federal regulation. As a consequence, when dealing with entities or patients outside state boundaries, organizations may find themselves faced with conflicting rules. It is impractical to apply different laws to data depending on the residency of each patient. If federal health information standards do not preempt the patchwork of inconsistent state requirements, covered entities may be reluctant to transmit important clinical data or may attempt to get blanket releases from patients for routine disclosures. The former situation would be detrimental to patient care, and the latter would defeat the purpose of having privacy protection in the first place. Physician executives must help shape policies that balance the protection of confidential patient data and the need to make informed decisions about treatment, payment, and quality of care.

System security for health information

The National Research Council's report, "For the Record: Protecting Electronic Health Information" (2), defines security as: "the protection of information systems against unauthorized access to or modification of information, whether in storage, processing, or transit, and against the denial of service to authorized users or the provision of service to unauthorized users, including those measures necessary to detect, document, and counter such threats." More simply, system security must ensure the integrity of the data stored, limit access to authorized persons only, and provide audit trails of all who access the data. Importantly, the standards apply to all electronic data--stored or transmitted. Since virtually all health care organizations store some information electronically (for example, lab test results), the security provisions will affect all covered entities.
The proposed standards cover four categories (http://aspe.os.dhhs.gov/admnsimp/nprm/seclist.htm):

1. Administrative procedures include information access controls (who has access to patient data), training on security, internal audit, security incident procedures, termination procedures (for violators of security policies), contingency plans (for threats to data integrity), and certifying compliance with security requirements.

2. Physical safeguards to protect computers and media (e.g., backup tapes) that contain patient data.

3. Technical security services include features implemented in a computer system to control access to information based on the professional role of the user (e.g., physician, nurse, clerk, billing personnel), provide audit trails, and ensure data integrity. Special requirements, such as encryption, are mandated for communications occurring over unsecured lines such as the Internet.

4. Where required, an electronic signature must ensure that the user is authenticated, the messages are delivered intact, and the authenticity of the signature cannot be disputed. Currently, an electronic signature isn't required for any of the transactions covered by HIPAA. HHS is expected to work with the Department of Commerce to develop standards.
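As an added illustration of what the minimum-necessary rule and categories 1 and 3 above look like inside a computer-based patient record system (role-based filtering of a record, an audit trail of every access, and removal of personal identifiers for secondary use), the following Python is not code from the article, from HHS, or from any CPR product; the roles, the field groups each role may see, and the sample record are constructed assumptions.

```python
"""Role-based "minimum necessary" access to a patient record, with an audit trail.

Added illustration; not code from the article, from HHS, or from any CPR vendor.
The roles, the field groups each role may see, and the sample record are
constructed assumptions that mirror the user roles the article lists.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any, Dict, FrozenSet, List

# Field groups in a patient record. Which groups a role may see is the
# organization's own policy decision; the assignments below are assumptions.
IDENTIFIERS = frozenset({"name", "dob", "ssn", "address"})
CLINICAL = frozenset({"diagnoses", "medications", "lab_results", "notes"})
SCHEDULING = frozenset({"next_appointment"})
FINANCIAL = frozenset({"insurance_id", "procedure_codes", "balance_due"})

# Need-to-know per professional role (assumed policy). Nobody gets the whole
# record: clinicians do not see billing, billing staff do not see clinical notes.
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "physician": IDENTIFIERS | CLINICAL | SCHEDULING,
    "nurse": (IDENTIFIERS - {"ssn"}) | CLINICAL | SCHEDULING,
    "clerk": frozenset({"name", "dob", "address"}) | SCHEDULING,
    "billing": frozenset({"name", "dob", "address"}) | FINANCIAL,
}


@dataclass
class AuditEvent:
    """One entry in the audit trail: who saw what, and what was withheld."""
    timestamp: str
    user: str
    role: str
    patient_id: str
    released: List[str]
    withheld: List[str]
    denied: bool = False


@dataclass
class RecordAccess:
    """Mediates every read of a patient record and logs the outcome."""
    audit_log: List[AuditEvent] = field(default_factory=list)

    def read(self, user: str, role: str, patient_id: str,
             record: Dict[str, Any]) -> Dict[str, Any]:
        """Return only the fields the caller's role needs; log every attempt."""
        stamp = datetime.now(timezone.utc).isoformat()
        allowed = ROLE_POLICY.get(role)
        if allowed is None:
            # Unknown role: release nothing, but still record the attempt.
            self.audit_log.append(AuditEvent(stamp, user, role, patient_id,
                                             [], sorted(record), denied=True))
            raise PermissionError(f"{user!r}: role {role!r} has no access policy")
        released = {k: v for k, v in record.items() if k in allowed}
        withheld = sorted(k for k in record if k not in allowed)
        self.audit_log.append(AuditEvent(stamp, user, role, patient_id,
                                         sorted(released), withheld))
        return released


def deidentify(record: Dict[str, Any]) -> Dict[str, Any]:
    """Drop direct identifiers (for QA or research use) but keep clinical content."""
    return {k: v for k, v in record.items() if k not in IDENTIFIERS}


# Constructed sample record; not real patient data.
SAMPLE_RECORD: Dict[str, Any] = {
    "name": "Jane Example", "dob": "1960-01-01", "ssn": "000-00-0000",
    "address": "1 Sample St", "diagnoses": ["E11.9"], "medications": ["metformin"],
    "lab_results": {"HbA1c": 7.2}, "notes": "follow-up in 3 months",
    "next_appointment": "2000-06-15", "insurance_id": "PLAN-0001",
    "procedure_codes": ["99213"], "balance_due": 40.0,
}


if __name__ == "__main__":
    access = RecordAccess()
    for user, role in [("dr_a", "physician"), ("clerk_b", "clerk"), ("bill_c", "billing")]:
        view = access.read(user, role, "P-001", SAMPLE_RECORD)
        print(f"{role:>9}: sees {sorted(view)}")
    try:
        access.read("vendor_x", "marketing", "P-001", SAMPLE_RECORD)
    except PermissionError as exc:
        print("denied:", exc)
    print("research copy:", deidentify(SAMPLE_RECORD))
    for ev in access.audit_log:
        print(f"{ev.timestamp} {ev.user}/{ev.role} released={ev.released} "
              f"withheld={ev.withheld} denied={ev.denied}")
```

The audit log records withheld fields and denied attempts as well as releases, which is what an internal audit (category 1) needs in order to show that the need-to-know test was actually applied.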
To comply with these requirements, larger organizations may appoint a security officer with overall responsibility for this area. In smaller organizations, this role may be delegated to the director of health information management or other appropriate person. Although the NPRM for security standards was published in August of 1998, the final regulations are not expected until later in 2000 in order to harmonize the system security requirements with the final privacy regulations.

Conclusion

Implementing the HIPAA-mandated privacy regulations will not be inexpensive. HHS estimates the five-year cost to be about $3.8 billion (http://aspe.os.dhhs.gov/admnsimp/nprm/pvclist.htm) and the health insurance industry projects several times that amount. However, unlike the expenditures made to fix the Y2K software bug, which contributed nothing to health care quality, this effort will improve the protection of confidential patient information and, by setting standards for administrative simplification, will improve the overall efficiency of the health care system. Physician executives can take several steps to prepare their organizations, even while waiting for the final regulations to be issued. As with prior compliance efforts, it is important to educate the board of directors and the management team early about the requirements and how they will impact the organization. Establishing a high-level HIPAA compliance steering committee involving security officers, chief information officers, chief medical officers, and executive administration, health information management, legal, and human resources staff will help disseminate information to the functional areas that will be affected. Both time and resources need to be budgeted to effectively deal with compliance. Individuals should be assigned to monitor the laws, regulations, and standards that will be emerging throughout 2000. Organizational preparedness needs to be assessed by reviewing applicable policies, confidentiality forms, business partner contracts, procedures, and information systems capabilities. Although the comment period for the proposed regulations from HHS has ended, the need for federal legislation remains. Physician executives need to educate their organizational leadership, Congress, and their patients about the importance of preserving authorized access to patient information, while offering the highest protection of confidential health information. As guardians of confidential patient health information, we cannot accept the status quo of inadequate privacy protections.

Acknowledgements

I would like to thank Doug Peddicord, who provided many helpful comments on an earlier draft, and Steven Lane, MD, who originally dreamed up the phrase "HIPAAcratic oath."

References

(1.) Institute of Medicine Committee on Improving the Patient Record. The Computer-based Patient Record: An Essential Technology for Health Care, Revised Edition. 2nd ed. Washington, D.C.: National Academy Press, 1997.

(2.) Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure. For the Record: Protecting Electronic Health Information. Washington, D.C.: National Academy Press, 1997.

Recommended Resources

1. Committee on Maintaining Privacy and Security in Health Care Applications of the National Information Infrastructure. For the Record: Protecting Electronic Health Information. Washington, D.C.: National Academy Press, 1997. This Institute of Medicine report contains an analysis of some existing security practices at major health care organizations and provides recommendations for immediate and future security policies and procedures to be adopted. It formed the basis of the Secretary of Health and Human Services' recommendations.

2. Institute of Medicine Committee on Improving the Patient Record. The Computer-based Patient Record: An Essential Technology for Health Care, Revised Edition. 2nd ed. Washington, D.C.: National Academy Press, 1997. This revised edition of the original report by the Institute of Medicine called for the routine use of computer-based patient records in the United States.

3. The Computer-based Patient Record Institute (CPRI) has developed a useful toolkit to help prepare organizations to comply with the proposed HIPAA security regulations (http://healthcare.3com.com/securitynet/hipaa/toc.html).

4. The text of the Health Insurance Portability and Accountability Act of 1996: http://aspe.os.dhhs.gov/admnsimp/p1104191.htm.

5. The text of the proposed HIPAA regulations and privacy regulations: http://aspe.os.dhhs.gov/admnsimp/nprm/txlist.htm and http://aspe.os.dhhs.gov/admnsimp/nprm/pvclist.htm.

Paul C. Tang, MD, FACP, FACMI, FCHIME, is Medical Director of Clinical Informatics at Palo Alto Medical Clinic in Palo Alto, California, and Vice President of Epic Research Institute in Mountain View, California. He can be reached by calling 650/254-5218 or via email at tang@smt.stanford.edu.