The HIPAAcratic oath: do no harm to patient data - Implementing HIPAA and Other Compliance Programs

Physician Executive, May-June, 2000 by Paul C. Tang

PHYSICIAN EXECUTIVES who have weathered the storm of Y2K will have ample opportunity to apply their honed skills and lessons learned to the next great system-wide challenge--HIPAA, the Health Insurance Portability and Accountability Act. Passed on August 21, 1996, the act is named for its health insurance portability provisions. However, the section that will impact health care organizations the most will be Title II, Subtitle F, entitled Administrative Simplification, which includes provisions covering privacy protection and system security.

Physician leaders need to familiarize themselves with HIPAA and organize their institutions to plan for and execute a compliance program with the same vigor and system-wide participation as they did for Y2K.

Administrative simplification and privacy protection

HIPAA can be divided into two general categories of mandates: (1) administrative simplification, and (2) privacy and security provisions. The purpose of the administrative simplification subtitle is to improve "the efficiency and effectiveness of the health care system" by setting standards that encourage "electronic transmission of certain health information" (http://aspe.os.dhhs.gob/admnsimp/p1104191.htm).

The provisions of HIPAA apply only to providers, health plans, and clearinghouses (referred to as "covered entities"). The Department of Health and Human Services (HHS) was mandated to set standards for administrative transactions (e.g., claims, eligibility, benefits), code sets (e.g., diagnosis, billing), unique health identifiers (for providers, plans, and patients), security provisions, and electronic signatures. Once HHS issues final regulations, covered entities must comply with the standards for electronic transactions within two years (small health plans will have three years) or they will be subject to a penalty of $100 for each violation up to a maximum of $25,000 in a calendar year.

HIPAA also contained provisions for protecting the privacy of individually identifiable health information. Congress acknowledged that passage of federal legislation was the preferred way to deal with privacy protection. Sensing the challenges, however, Congress wrote a backup plan, giving itself three years to pass comprehensive privacy legislation. Failing that, the act called on HHS to issue privacy regulations within six months of the deadline. Several bills were introduced in both the Senate and the House of Representatives, but bipartisan differences prevented any from being passed by the August 21, 1999 deadline. Consequently, the Secretary of HHS is required to issue privacy regulations.

Penalties for wrongful disclosure of individually identifiable health information include up to $50,000 in fines and one year in prison, or both. If the offense is committed with the intent to sell, transfer, or use health information for commercial advantage, personal gain, or malicious harm, the penalties include up to $250,000 in fines and 10 years' imprisonment, or both. Obviously, the stakes are high. This is an area where physician executives should devote much of their attention.

Rulemaking process and timetable

When issuing regulations, a government agency such as the Department of HHS must post a 'notice of proposed rule making' (NPRM) in the Federal Register and allow the public 60 days to comment. After reviewing feedback, the agency makes revisions it deems appropriate before issuing the final rule.

The initial NPRMs were due in February 1998 (18 months after passage of HIPAA); however, most weren't published until the summer of 1998 (http://aspe.os.dhhs.gov/admnsimp/nprm/txlist.htm). Because of the complexity of the issues, final regulations for the transaction standards haven't been released, although most are expected sometime this year. Many of the proposed administrative standards are already in common use, such as code sets (e.g., ICD-9 CM and CPT-4) and transaction standards (e.g., X12 with payers and NCPDP with pharmacies). Some of the identifier standards are still being developed (e.g., national provider and plan identifiers) and will be released soon.

In contrast, during an emotionally charged public hearing, concern was raised that assigning unique health identifiers to individuals would make it easier to link information. Under public pressure, Congress instructed HHS not to pursue defining identifiers for individuals until privacy protections are put in place.

Privacy protections for individually identifiable health information

The single biggest issue that will affect physician executives is the HIPAA mandate to adopt uniform protection of individually identifiable health information. The Secretary published the privacy NPRM on November 3, 1999 (http://aspe.os.hhs.gov/admnsimp/nprm/pvclist.htm). The proposed regulations represent a significant step forward in privacy protection and incorporate several widely endorsed principles. For example, laws guaranteeing patients the right to examine their medical records would be extended to all 50 states (only 28 states have them currently). The NPRM gives covered entities statutory authorization (i.e., specific patient authorization is not required) to use and disclose information for "treatment, payment, or health care operations."
