Behavioral health gets a jump on compliance - HIPAA Watch

Health Management Technology, Nov, 2001 by John A. Paton

While the burden of HIPAA implementation and compliance rests with healthcare providers, payors and information clearinghouses, many experts believe that behavioral health and human service organizations will face additional scrutiny from consumers, who now have the law behind them when pursuing possible medical records privacy breaches.

Meticulous records will be required to meet rigorous security standards, and also to respond to consumer requests. For example, patients will be entitled to a complete log documenting every occasion their records have been accessed, including names, dates and inquiry reason.

Healthcare organizations are mandated to develop, implement and enforce comprehensive policies, procedures and business practices that support total compliance with the law--and to provide documentation that employees have been trained on compliance with those policies, procedures and practices as well. They must also designate a privacy officer and security officer and establish a grievance process for patients to make inquiries or file complaints.

Easing into Compliance

Many HIPAA requirements represent actions that responsible healthcare organizations have been taking all along. For years, behavioral health and public health providers in nearly every state have been subject to stringent confidentiality and privacy laws. Protected classes of healthcare service information like mental health, substance abuse and communicable diseases already require special handling. The vast knowledge the industry has gained through compliance with these laws will help ease the burden of HIPAA compliance.

Consider what your organization is already doing to protect and maintain clinical records, implement quality assurance and improvement measures, and satisfy the staff training, documentation, and reporting requirements of accreditation authorities, licensing institutions and funding sources--and you could be well on your way toward HIPAA compliance.

By promoting the greater use of electronic data interchange and the elimination of inefficient paper forms, administrative simplification is expected to provide a net savings to the healthcare industry of nearly $30 billion over 10 years. Universal code sets and standardized forms for medical conditions, services and other industry-standard language and methodologies will greatly improve and streamline claims processing. This should significantly reduce the number of claims that are denied or returned for lack of data or failure to use proprietary codes.

In behavioral health, one of the greatest benefits to be realized is one that can't be measured in dollars, time saved or paper eliminated, and that is improved client confidence. When the security of confidential personal and medical information is guaranteed, trust and candor between patient and caregiver will grow, giving way to a more relaxed and productive relationship.

Meeting Requirements

Proposed security regulations apply to more than just providers. They require administrative procedures, technical security standards and physical safeguards to protect electronic data integrity, confidentiality and availability.

The keyword is "electronic" and its reach is extensive. Any information about the physical or mental condition of a client receiving any form of healthcare services through an affected organization, or any information about payment for such services--past, present or future--is subject to HIPAA regulations.

Even seemingly innocuous demographic information is subject to the same security regulations. Once this type of health information has been transmitted, received or maintained electronically, original paper source documents and even verbal discussions that may change the content of the patient's record are also subject to these requirements.

While security regulations apply to entities maintaining or transmitting health information in electronic form, the privacy rules apply to all forms of individually identifiable health information--paper, oral and electronic. Privacy rules are based on the "minimum necessary" disclosure principle and require that covered entities obtain a general consent from the client to use his or her personal health information for treatment, payment and healthcare operations.

HIPAA also applies to any covered entity's business partners--any person or organization to whom the covered entity discloses protected health information to carry out, assist with or perform a function or activity on behalf of the covered entity. Examples include lawyers, accountants, auditors, vendors, consultants and billing firms. Even service providers such as computer maintenance services, temporary staffers and healthcare oversight agencies may legitimately be considered business partners.

HIPAA establishes criminal and civil penalties for non-compliance, and also provides a formal vehicle for consumer complaints and federal investigation of alleged violations. Make no mistake--the DHHS Office of Civil Rights is fully empowered to impose financial penalties of up to $250,000 or jail time of up to 10 years per incident if an investigation finds evidence of non-compliance, negligence or willful disclosure of personal health information.


 


Content provided in partnership with Thompson Gale