Adler Giersch Attorneys

Summary of Application and Implication of HIPAA for the Healthcare Provider

Author: Betsylew R. Miale-Gix

The intent of the Health Insurance Portability and Accountability Act (HIPAA) of 1998 is to make the health care system more uniform, efficient and effective, to provide additional privacy protection for patients, and to make health insurance more portable for individuals. HIPAA created nationwide standards in areas including:

    1. Standards for Electronic Transactions of “Code Sets.” This rule adopts standards for eight electronic transactions and for code sets to be used in those transactions for encoding data elements, such as tables of terms, medical concepts, medical diagnostic codes, or medical procedure codes.

    2. Standards of Privacy of Individually Identifiable Health Information. Sets standards to protect the privacy of electronic protected health information. The Department of Health and Human Services has extended the reach of HIPAA by requiring covered entities that disclose health information to third parties to take reasonable steps, through Business Associate Agreement requirements, to ensure those third parties follow the HIPAA standards when acting on behalf of the covered entity.

    3. Standards for Security of Identifiable Health Information. Each covered entity must assess potential risks and vulnerabilities to the individual health data in its possession and develop, implement, and maintain appropriate security measures.

    4. Standard Unique Identifiers for Providers and Health Insurers. Uniform systems for identifying health care providers and health care insurers at the national level, not unlike the process now used to issue Social Security numbers.

Covered Entities

Exchanges of data relayed or viewed within the following media as electronic communication qualify a provider or plan as a covered entity regardless of size:
  • Computer Databases;
  • In-house computer networks via floppy disk, magnetic tape or CD;
  • E-mailing protected information whether externally over the Internet or an in-house computer network;
  • Providing health claim attachments;
  • Communications checking on the status of a claim payment;
  • Communications checking patient insurance eligibility and verifying referral authorizations;
  • Communication of protected information in coordination of health care benefits.
There are two exemptions from the HIPAA standards for care providers:
    1. The care provider does not submit electronic transactions and does not accept Medicare patients; or
    2. The provider office accepts Medicare but has fewer than 10 full-time employees and does not submit electronic transactions.
A further requirement under either exemption is that no billing company or other third party on behalf of the care provider transmits any such information electronically.

Enforcement

April 16, 2003 is the testing deadline for electronic transactions and code sets. October 16, 2003 is the compliance date for electronic transactions and code sets.
The Center for Medicare and Medicaid Services (CMS) will be charged with enforcing the rules governing standards for electronic transactions and the insurance portability requirements of HIPAA. The Office of Civil Rights (OCR) will be responsible for enforcing the HIPAA privacy standard. The process will primarily be driven by complaints received. OCR has some good enforcement guidance available on their website http://www.hhs.gov/ocr/index.html.

The Absolute Minimum Compliance Activities Include:
    1. Notifying patients about their privacy rights and how their information can be used.
    2. Adopting and implementing privacy procedures training for all employees of the provider or plan.
    3. Designating the individual responsible for implementing the privacy procedures.
    4. Securing patient records containing electronic protected health information both physically and electronically so they are not readily available to those who do not need them.
    5. Implementing integrity controls so electronically protected information is not improperly modified.
    6. Applying the security requirements to all exchanges of electronic protected health information.
    7. Ensuring the integrity and confidentiality of the electronic message and its delivery to the right person.
    8. Entering into Business Associate Agreements with the individuals and entities that involve the use or disclosure of protected health information.

New Developments

On February 13, 2003, the Department published the final regulations for the Transaction sets and Security provisions of HIPAA. The fundamental rationale for the security standards is to ensure the integrity of the electronic message, its delivery to the right person, and its confidentiality as an integral part of conducting electronic commerce. Some clarifications include that:
  • Integrity controls are required to ensure that electronically protected information is not improperly modified. Whatever data protocol is used, one must apply the security requirements.
  • For now, encryption of wireless or other emergency medical radio communications which can be intercepted by scanners, and of telephone systems, is not required.
  • In an area where multiple patient-staff communications routinely occur, use of cubicles, dividers, shields, curtains, or similar barriers may constitute a reasonable safeguard. Private rooms and soundproofing of rooms are not required.
The additional requirements of HIPAA privacy and security of information compliance are less onerous in Washington given our state’s existing protections for patient record confidentiality and disclosure requirements. Given that increased electronic conveyance of data and standardized care coding is not only the wavelet of the present, but the wave of the future in health care insurance and governmental claims processing and payment, the best path may well be to move toward HIPAA compliance now even if one of the exceptions would apply.
©2010 Adler Giersch . PS. All Rights Reserved. Privacy Policy/Terms of Service | Contact | 206.682.0300