Bulkley, Richardson and Gellinas

February 2001
Health Law Newsletter

HIPAA – It’s Time to Get Started!

Make no mistake: The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its "Administrative Simplification" provisions are intended to change the health care industry in the United States. The goal of these provisions is to increase the efficiency of America's health care delivery systems, in part by standardizing certain health care-related communications (called "transactions" in the regulations) so that they can be transmitted electronically. To reach this goal, multiple federal regulations are being issued that create standard formats for transactions and unique identifiers for those who engage in them, and that require safeguards to keep personal health information private and secure even as electronic exchange of that information becomes easier. These new federal regulations will touch every health plan and nearly every health care provider in this country.

In this newsletter, we discuss the final HIPAA privacy regulations issued in December 2000 and the proposed HIPAA security regulations issued in August 1998.

An Overview

Under HIPAA, certain types of health care transactions, if communicated electronically, will have to be undertaken in standard form. The transactions to be standardized are: first report of injury, health plan eligibility, health care claim attachment, health care claim status, referral certification and authorization, premium payment and remittance advice, and health care claims or encounters. The U.S. Department of Health and Human Services has already issued regulations standardizing the code sets used in these transactions, replacing the roughly 400 different code systems currently in use in the industry. Standardized data exchanges among health care, insurance and financial entities and the government should simplify and streamline those exchanges and, it is hoped, reduce their cost. The government predicts industry-wide savings of $29.9 billion over ten years. Unfortunately, the estimated cost of implementation is high as well.

The security and privacy standards are designed to ensure that those who use individually identifiable health information protect its confidentiality. Although the regulations do not require compliance until March 2003, health plans and health care providers should begin their HIPAA compliance efforts today.

The regulations are intended to reach as many entities that handle personal health information as possible. "Covered entities" under the regulations include all health plans, all health care clearinghouses (e.g., billing services) and certain health care providers. The regulations define "health care provider" broadly, to include not only hospitals and individual physicians but also providers of mental health care and clinical social workers. A health care provider that transmits personal health information via the internet, an extranet, leased lines or other electronic means in connection with any of the administrative and financial transactions listed above is a covered entity subject to the regulations.

The Privacy Standards

The privacy standards create certain patient rights: the right to consent to uses of health information for treatment, payment or health care operations; the right to authorize most other uses of health information; and the right to obtain copies of, and request corrections to, one's medical or mental health records. The privacy standards also impose obligations on covered entities. A covered entity must designate a privacy officer; develop patient notification, consent and authorization forms; limit most disclosures to the "minimum necessary" amount of information; and use business associate agreements to ensure that those with whom it does business and exchanges protected health information, such as accountants and lawyers, also meet the privacy standards.

Security Standards

The security standards, which are still in proposed form, set out the safeguards a covered entity must adopt to protect the health information it holds. A covered entity must institute safeguards that protect patient health information against any reasonably anticipated threats or hazards to its confidentiality, security or integrity. The proposed standards also make covered entities responsible for ensuring that their officers and employees comply.

Covered entities will have to develop administrative procedures, physical safeguards and technical security mechanisms designed to protect private health information. The proposed regulations require a broad range of additional measures, including limiting employee access to protected health information, maintaining audit trails that show who has accessed such information, and encrypting any private health information sent over the internet. The strong language of the security standards reflects that they were modeled on standards used in the U.S. defense industry, and the belief that effective security measures are the linchpin of HIPAA's success.

How to begin

First, depending on the size of your organization, identify a team to tackle HIPAA compliance. The team should include individuals from financial operations, risk management, the provision of health care, and technical operations. Then designate or hire the required privacy officer to coordinate the effort. If the organization is large enough, create subcommittees to deal with different aspects of compliance, such as privacy and security.

Examine how your organization uses health information about individuals, and review the current policies and procedures that govern that use. Draft the required patient notification, consent and authorization forms. Devise a plan for employee training. Prepare contract language that will require HIPAA compliance by all business associates, and make certain that every new contract for hardware, software, data communications and related vendor services contains a HIPAA compliance covenant.

Take stock of the systems currently in place. Evaluate your computer and telecommunications networks, identify their security vulnerabilities, and learn how to counter them. Learn about encryption and other security products that may be available. The proposed regulations will require covered entities, or a specialist hired by them, to "certify" that their systems comply with the security standards.

Summary

The new privacy and security standards may require investment in new hardware and software. Unlike Y2K compliance, however, HIPAA compliance is more than a technical issue: it will also require the creation of new policies, the training of personnel, and the development of contracts that bind business associates.

If you would like assistance regarding HIPAA compliance by your organization, please contact Kelly A. McCarthy, Coordinator of the BR&G Health Law Practice Group at (413) 272-6306 or kmccarthy@bulkley.com, or Elizabeth H. Sillin at (413) 272-6296 or cmyhrum@bulkley.com
