What every business needs to know about HIPAA: most healthcare organizations must comply with HIPAA's Privacy Rule by April 14, 2003--but do all organizations? Here's what businesses need to know.


"The Internet-fueled proliferation of data--and data availability--has created a paradox: Businesses demand the benefits of a technology-enabled world along with the relative anonymity, or privacy, that the pre-technology world provided. The government's response to that paradox is regulation that balances business' need for increasingly detailed data with the public's demand for privacy. The Gramm-Leach-Bliley Act of 1999 set rules for the financial services industry, and ... HIPAA [Health Insurance Portability and Accountability Act] will do the same for health care."--Ben Worthen, CIO magazine

At the Core

This article

* examines HIPAA's Privacy Rule

* discusses who must comply with HIPAA

* explains what businesses should know about complying with HIPAA

Every day, U.S. businesses collect, use, and even sell individuals' personal information in almost any way they can. There are a few feeble ways for consumers to combat the unfettered use of their most intimate details, such as Social Security and phone numbers, address, marital status, and gender. For instance, the financial industry allows customers to sign and send back a form to opt-out of the practice. But consumers have to be informed, proactive, and serious. Individuals must sign, stamp, and return a form to each financial institution they do business with--and that means for each credit card they own, too.

Healthcare providers also collect, use, and maintain an overwhelming amount of personal information. Personal issues such as genetic history, sexuality, diet, family medical history, and environmental factors may be examined during the course of treating a patient's mental and physical health. But, unlike other U.S. industries, healthcare organizations will no longer be able to use individuals' personal information however they like.

In an effort to promote effective use of this information and to ensure its continued confidentiality and security, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) in 1996. HIPAA is the first federal law to address health privacy in a comprehensive way. It requires all "covered entities"--healthcare providers, plans, and clearinghouses--to protect individually identifiable health information. HIPAA provides for health insurance portability, standards for electronic transactions, and privacy and security protections for personal health information (PHI). PHI includes any information that relates to the physical or mental health of the individual, the provision of health care or payments for health care, and that can be used to identify an individual.

Organizations in the healthcare industry must pay careful attention to HIPAA, but they are not the only ones that collect and handle patients' PHI. All healthcare organizations have business associates with whom they share PHI for various reasons. So last August, after many well-publicized delays and revisions, the U.S. Department of Health and Human Services (HHS), recognizing the potential risks of exposing individuals' PHI, published the final rule for "Standards for Privacy of Individually Identifiable Health Information." The Privacy Rule is intended to

* protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information

* improve the quality of health care in the United States by restoring trust in the healthcare system among consumers, healthcare professionals, and the multitude of organizations and individuals committed to the delivery of care

* improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, organizations, and individuals

The HIPAA Privacy Rule covers all a patient's identifiable information or PHI that is transferred to or maintained by a healthcare provider, including e-mail, electronic, fax, paper, oral, and voice mail records, as well as phone conversations. HIPAA rules protect the information itself, not the record in which the information appears. In other words, information does not lose its protection simply because it is stored in or printed from a computer.

Most healthcare organizations must comply with the Privacy Rule by April 14, 2003, but considering the complexity of the HIPAA privacy regulation and the significant impact it will have on the way healthcare and other organizations do business, it will not be an easy task.

Who Must Comply?

The HIPAA Privacy Rule applies to health plans, healthcare providers, and clearinghouses, as well as certain business associates of these covered entities. Life insurers, employers, schools, public agencies, and other entities are not directly covered, but they may still be affected by the rule.

According to HIPAA rules, if an organization provides one of a number of specified services for a covered entity and the service involves disclosing PHI, it is a business associate. And business associates--defined as any entity working in partnership with the covered entity and receiving health information from the covered entity or working for or on behalf of the covered entity--are directly affected by the HIPAA Privacy Rule. Business associates may include vendors, consultants, lawyers, auditors, clearinghouses, billing firms, and records storage organizations.

Before a covered entity can hand over any information to a business associate, it must ensure that the business associate will properly safeguard the information it accesses and uses to perform functions on behalf of the covered entity.

Under the HIPAA statute, HHS does not have legal authority to apply privacy regulations directly to business associates of covered entities. However, HIPAA requires a covered entity to ask its business associates to sign a contract, or business-associate agreement, that mandates compliance with specific standards. For example, the business associate cannot use or disclose PHI for any reason, it must provide certain security protections for that information (firewalls, etc.), and any agents or subcontractors the business associate works with that may come in contact with that information must agree to those same requirements. Business associates must promise to return or destroy any information given to them by the covered entity, and if any data is used in an unauthorized way, the business associate must tell the covered entity about the usage. In addition, covered entities and business associates must make internal records available to HHS when necessary.

Business associate contracts are only required when the covered entity is disclosing information to an outside organization that will use, create, or obtain PHI on behalf of the covered entity. The Privacy Rule excludes two types of organizations from the definition of business associate: conduits and financial institutions. Conduits are entities that merely pass along PHI, such as the U.S. Postal Service, Federal Express, and Internet service providers.

Exceptions to the Rule

A number of other organizations routinely collect, maintain, and use health data, but are not covered by the HIPAA Privacy Rule. For example, health researchers, law enforcement agencies, courts, employers, government agencies, and others may obtain health data from covered entities but are generally not subject to the Privacy Rule. However, if these organizations receive or create health information while functioning as covered entities, then they are subject to HIPAA. For example, an employer who operates a first-aid room staffed by health professionals can be a provider and subject to HIPAA for the first-aid function.

If records storage and management companies are collecting or storing information from covered entities, they are business associates and must comply with the rules set out in each entity's business associate agreement. If they are not collecting, maintaining, or storing information for or from the healthcare industry, they will not be directly affected by HIPAA and, therefore, do not have to comply with its regulations.

"There are certain exceptions, and some legal processes are exempt," says Ryan Barker, Privacy Council chief privacy officer. "HIPAA is really not going to affect government, law enforcement, or courts. But covered entities must make a note of who they disclose information to and why, and patients can access that."

Even at this late date, Barker says much confusion exists in all industries regarding compliance requirements, who must comply, and who need not worry about compliance. But, in fact, many organizations need to pay attention to HIPAA, and not just those in the healthcare industry. According to Barker, the Privacy Rule directly affects anyone working closely with healthcare entities, including lawyers, pharmaceutical companies, records management companies, consultants, and companies marketing products.

It also affects employers no matter what industry they are in because, at some point, they access, collect, process, and share health information for employee health plans. For example, employers that administer self-insured health plans are considered covered entities.

According to Barker, employers who thought the HIPAA Privacy Rule applied only to healthcare providers, hospitals, and health plans are now realizing that they, too, need to comply.

In general, "covered entity" status for employers depends on whether they are self-administering their health plan and on how much personal information they collect from employees for the health plan. The easiest way for employers to avoid HIPAA compliance obligations is to maintain a "hands-off" approach and allow the health plan insurance carrier to collect employees' PHI, Barker says.

"Companies need to look at HIPAA if they offer health benefits to their employees, whether they sponsor self-funded or fully insured plans," he explains. "They can get out of some of the requirements by outsourcing the health plan's administrative functions to third parties."

Part of the reason it is difficult for organizations to ascertain whether they are directly affected by this rule is that HHS has not provided organizations with enough guidance on the scope of HIPAA or how they must comply with the regulations. In fact, Barker says, it is up to each covered entity, business associate, and employer to determine that on its own.

The fact that organizations must read and interpret the rule on their own has caused many to blame the government for not providing more education. Barker says HHS published a frequently-asked-questions document, but it did not directly address employers or provide them with specific compliance guidance.

Education is especially important because HIPAA is indirectly setting a new standard in privacy. "It's really one of the first federal privacy laws in the United States," Barker says. "I think we're going to see federal and state privacy rules and legislation go through for privacy, in other areas. Ultimately, I believe all industries, sooner or later, are going to have some kind of privacy regulation that they have to comply with."

What Does Compliance Entail?

To determine compliance responsibilities, Barker suggests that organizations:

* educate themselves on the privacy requirements, assess the requirements, and research the facts

* assess their current environment. An organization cannot determine how HIPAA or any regulation will affect it until it does so.

* assess what information is collected and from whom, how it is collected, where it is stored, who is accessing it, and with whom it is shared. That will help them identify whether they are a covered entity or a business associate or whether another privacy requirement applies.

* determine the gaps between HIPAA regulations and their practices and policies

* implement requirements to ensure compliance

Once an organization establishes that it must comply with the HIPAA Privacy Rule, it must determine how it is required to comply. This can be accomplished by conducting a comprehensive HIPAA privacy assessment and gap analysis to analyze how PHI is received, disbursed, managed, and used in the organization.

According to Privacy Council's HIPAA Privacy Essentials, even if an organization already has good privacy practices in place, covered entities, business associates, and many employers will almost certainly be required to change their business practices and do many new things, including

* defining privacy practices in writing

* disclosing privacy practices to patients

* designating a privacy official

* training staff in privacy practices

* providing patients with access to their health records and the right to correct the records

* controlling all uses and disclosures of patient information

* ensuring that business associates protect patient records

Covered entities are required to maintain documentation of their policies and procedures for complying with the requirements of the Privacy Rule. The documentation must include a statement of the covered entity's practices regarding who has access to PHI, how that information is used within the entity, and when that information will be disclosed to other organizations. Healthcare providers must be able to give patients the information, access, and other rights to which they are entitled. That means a privacy notice must be drafted, office procedures must be reconsidered, and uses and disclosures must be more tightly controlled.

A covered entity must maintain its policies, procedures, required communications, and other actions, activities, or designations in written or electronic form. Documentation must be retained for six years from the date of its creation or the date when it was last in effect. Required elements include documentation of

* designation of the privacy official and contact person

* assessment work

* implementation plan

* actual implementation steps and actions

* staff training

* complaints and their disposition

* use of sanctions

* privacy policies and procedures and any changes to them

* patient requests for confidential communications

* use and disclosure restrictions that a covered entity has agreed to impose

Whether an organization is a covered entity or a business associate, privacy training for all staff is needed. Protecting information is a company-wide initiative that will most likely require new behavior, and every employee should be aware of the changes and the penalties for noncompliance.

There are serious consequences for organizations and individuals that do not comply with the requirements. HIPAA provides that a person who knowingly violates the law and wrongfully provides or discloses PHI can be fined up to $50,000 and be imprisoned for up to one year.

If intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm can be proved, the penalty can reach $250,000 in fines and 10 years' imprisonment. Government penalties for non-compliance include civil penalties of $100 per violation, up to $25,000 per person, per year, for each requirement or prohibition violated. Criminal penalties for knowing violations include up to a $50,000 fine plus one year in prison. If individuals are found guilty of the intent to sell, transfer, or use PHI, they could receive up to $250,000 in fines plus 10 years in prison.

According to Barker, HIPAA compliance has already been costly for the healthcare industry and may require other industries to spend money in order to meet their compliance requirements. He says many companies cannot meet the requirements by themselves and are bringing in specialists to create, assess, and implement the policies and procedures they need.

Relates Barker: "One of our clients is drafting approximately 50 new documents including policies, procedures, forms, and notices. That's incredible--50 documents for one rule. Employee training is one of the most important steps for HIPAA compliance. Once you've assessed your environment, identified the gaps, and drafted new privacy policies and procedures, you've got to train your employees. You have to create a culture where privacy is respected and important to employees."

Raising the Privacy Bar

Starting April 14, 2003, everyone who receives health care or enrolls in a health plan will be made aware of the HIPAA Privacy Rule because covered entities will provide individuals with privacy notices and tell them about their new privacy rights. Patients, consumers, and employees will be given the opportunity to access their information and to control how that information is being used and disclosed. For example, if a hospital wants to use an individual's PHI for marketing or any other purposes unrelated to health care, that individual will receive an authorization form.

Unlike the financial industry, which sent out consumer privacy notices that were buried in mailings, hard to find, and written in legalese, HIPAA is pushing covered entities to create an easy-to-read privacy notice summary that sits on top of the longer, more detailed notice. In addition, covered entities are required to do everything in their power to receive written acknowledgement that an individual has received that notice.

"Patients are going to be educated on all the new privacy regulations, and it's going to open their eyes. It should create a lot of awareness about privacy," Barker predicts. "It's going to make a lot of people think about it and hopefully start to educate themselves and demand that other industries provide the same protections that the healthcare industry is going to provide."

According to Barker, the Privacy Rule will impact, at least indirectly, all organizations in some way. "Every organization, no matter what industry you're in, needs a privacy policy, some sort of compass for the company--this is what we collect, this is how we use it, and these are the standards we apply," he says. "Just because you're not a covered entity and you don't have to comply with HIPAA doesn't mean you shouldn't be handling information correctly.

"When it comes down to it, privacy is about responsible information management and managing information in the best possible manner, and that means ensuring that [information is] not accessed or used in inappropriate ways."

And that is what HIPAA really tries to do for patients--to make them feel comfortable and to show them that they do have certain rights when it comes to how organizations maintain their data. "All industries should have an understanding of the information they're collecting and how they can best protect and secure it and build customer or patient trust as well as minimize their risk of litigation," Barker contends. "It doesn't matter if you're a covered entity or not."

Goals of HIPAA

* to improve health insurance accessibility to people changing employers or leaving the workforce

* to mandate national standards for the electronic transmission of healthcare data to help prevent healthcare fraud and abuse and enable administrative simplification

* to improve health insurance coverage by assuring the portability, availability, and renewal ability of health insurance coverage

* to improve the Medicare and Medicaid programs and "the efficiency and effectiveness of the healthcare system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information"

What Does HIPAA Do?

* simplifies and standardizes communications in the healthcare industry to make health care more efficient and save time and money

* gives patients more control over their health information and gives them certain rights to privacy and confidentiality

* establishes appropriate safeguards that healthcare providers and others must implement to protect the privacy of patients' health information

* establishes responsibility for maintaining these rights within organizations

* holds violators accountable, with civil and criminal penalties

Source: HIPAA Privacy Implementation Guide, Privacy Council

READ MORE ABOUT IT

American Medical Association. Available at www.ama-assn.org/go/hipaa (accessed 24 January 2003).

Centers for Medicare and Medicaid Services (CMS). Available at http://cms.hhs.gov/hipaa (accessed 24 January 2003).

United States Department of Health and Human Services (HHS). Available at http://aspe.os.dhhs.gov/admnsimp (accessed 24 January 2003).

References

Privacy Council. HIPAA Privacy Essentials. Privacy Council: Richardson, Texas. 2002.

Privacy Council. HIPAA Privacy Implementation Guide. Privacy Council: Richardson, Texas. 2002.

Worthen, Ben. "How to Meet Tomorrow's Privacy Rules Today." CIO. 1 November 2002.

Nikki Swartz is Associate Editor of The Information Management Journal. She may be contacted at nswartz@arma.org.
COPYRIGHT 2003 Association of Records Managers & Administrators (ARMA)

Article Details
Author: Swartz, Nikki
Publication: Information Management Journal
Date: Mar 1, 2003