|
 |
HIPAA HEAVY
|
NEW FEDERAL
REGULATIONS CAN BE A BURDEN FOR HEALTH CARE INDUSTRY AND SOME EMPLOYERS.
By William Poe
If you’ve been to your doctor’s office since mid-April, you may
have noticed a few changes:
- Patient
names no longer posted on the hallway side of the examination
room
-
Elimination of the ubiquitous waiting room sign-in sheet
-
No more shouts of (insert your first and last name here)
as a signal that the doctor is ready to see you
-
Patient charts no longer within easy view at the nurses’
station
-
The distribution of a “notice of privacy practices”
detailing how and when information about your health might
be disclosed by your physician to other parties
|
Those are the
most visible manifestations of a long series of momentous federal
regulations affecting, not only your doctor, but also your pharmacy,
your health insurance provider, and most anyone else associated
with the delivery of health care, including, in a roundabout way,
your company.
The new federal rules, wrapped around the banner of the Health Insurance
Portability and Accountability Act of 1996, are known by everyone
in the health care field as HIPAA (pronounced “hippa”). And the
rules are as lumbering and as powerful as the hippopotamus name
evokes.
“Physician practices, outpatient surgery centers, nursing homes,
pharmacies, most employer-paid health plans, HMOs, insurers, clearinghouses
and even people doing business with the health care industry are
clearly subject to portions of HIPAA,” says David Krauss, an attorney
with The Stolar Partnership. “All have a legal responsibility to
comply.”
DAVID KRAUSS
attorney,
The Stolar Partnership |
|
And health care providers and their employer sponsors need attorneys
to help them meet HIPAA requirements.
“HIPAA is very overwhelming,” says Jennifer Wolfe Jerram, a law
partner in the heath care practice group of Stinson, Morrison, and
Hecker. “There are hundreds of pages of regulations, plus commentary.
It’s a huge problem just reading the regulations.”
Jerram says attorneys read and interpret the rules, review client
implementation of compliance procedures, and work with others, including
accountants and computer experts, who may be in charge of portions
of HIPAA implementation.
Originally conceived to ensure that people losing group health insurance
could obtain coverage outside the group, HIPAA soon grew thick tentacles
of federal mandates concerning privacy, security and electronic
transactions. HIPAA stipulates civil and criminal penalties ranging
as high as $250,000 in fines and 10 years in prison for non-compliance,
but attorneys say enforcement is probably years away.
"HIPAA
IS VERY OVERWHELMING. THERE ARE HUNDREDS OF PAGES
OF REGULATIONS, PLUS COMMENTARY. IT'S A HUGE PROBLEM
JUST READING THE REGULATIONS."
Jennifer Wolfe
Jeram
partner,
Stinson, Morrison, and Hecker
|
|
For employers, it is their health plans—and only rarely the companies
themselves—that are covered entities under HIPAA, attorneys say.
“Employers are not covered entities; rather, the health plans they
sponsor are covered entities,” explains Juliana Reno, an employee
benefits attorney with Stinson, Morrison, and Hecker. “And there
are exceptions to that rule. For instance, self-administered health
plans with fewer than 50 covered workers are not covered entities.
And the working definition of a health plan includes medical reimbursement
accounts but not short- and long-term disability plans or workers’
compensation plans.”
“The employers who have to worry most about HIPAA,” says Reno, “are
those whose health plans are self-insured, and those who have fully-insured
plans but still receive what’s known as protected health information,
or PHI.” Then, she adds, “the gist of HIPAA is to force the company
to develop written policies and procedures that restrict access,
use and disclosure of certain kinds of information.”
Ron M. Present, partner in charge of the health care consulting
practice for the accounting firm of Rubin, Brown, Gornstein & Co.,
heads a team of consultants who can direct virtually any aspect
of a HIPAA compliance project. And the RBG team trains client personnel
to direct their own HIPAA compliance program.
RON
M. PRESENT
partner,
Rubin, Brown, Gornstein & Co. |
|
“We help clients put together their HIPAA compliance plan, and we’ve
trained more than 1,000 people on the subject,” Present says.
A big player at the systems end of HIPAA compliance is S2Tech, a
Chesterfield-based IT company that specializes in HIPAA compliance
for large health care entities, such as states and their fiscal
agents, that pay Medicaid benefits. Much of that IT work is related
to HIPAA rules to protect patient data and establish common code
sets to standardize transactions and claims information.
"HIPAA
MANDATES ARE MOST PERVASIVE IN THREE AREAS: PRIVACY,
SECURITY AND DATA EXCHANGE. WE MAKE SURE THAT UNDER
THE PRIVACY RULES, FOR INSTANCE, ONLY PEOPLE WHO ARE
SUPPOSED TO SEE PATIENT DATA CAN SEE IT AND THAT UNDER
THE SECURITY RULES, DATA TRANSMISSIONS AND NETWORKS
ARE PROTECTED."
Dayakar
Veerlapati
CEO,
S2Tech |
|
“HIPAA mandates are most pervasive in three areas: privacy, security
and data exchange,” says Dayakar (Day) Veerlapati, CEO of S2Tech.
“We make sure that under the privacy rules, for instance, only people
who are supposed to see patient data can see it and that under the
security rules, data transmissions and networks are protected.”
New rules will take another two to three years to implement. The
first big deadline was April 14 for the so-called privacy rules.
Another set of rules covering transactions goes live on October
16. The next big area, Present says, kicks in April 2005 when organizations
are required to have systems in place to protect information infrastructure
such as computer systems. (Compliance deadlines are generally one
year later for small health plans that have less than $5 million
in annual receipts, either in the form of premiums or claims.)
“Compliance with the security rules will be much more expensive
than for the privacy rules,” Present says. “We are recommending
that companies get to work now, because security compliance is not
going to be a quick or easy process.”
Because most employers are not covered entities, “HIPAA is not a
huge monster” for them, Reno says. On the other hand, Jerram says
that health care clients are finding that compliance is an “onerous
and expensive” exercise in generally unwarranted government regulation.
JULIANA
RENO
employee benefits attorney,
Stinson, Morrison,and Hecker |
|
“It’s not like before HIPAA there was no concern for patients’ privacy,”
says Jerram, a former registered nurse. “Providers feel a sense
of frustration that health care dollars are being stretched even
more when there were already state laws and other policies in place
to address privacy.”
That’s not to say, though, that attorneys or consultants find HIPAA
to be government completely run amok.
“Parts of HIPAA are good,” Jerram admits. “Patients are becoming
more knowledgeable of how their medical information is being used
and of their rights.”
Krauss adds: “At the end of the day, HIPAA is probably a good thing.
Privacy is an intangible but vital ingredient if we are going to
have good quality medical care and if people are going to feel comfortable
going to their physicians.”
William V. Poe is principal of Poe Communications, a St. Louis
advertising and marketing communications firm.
|
|
|
|
|
-
- - -
- - -
- - -
- - -
- - -
- -
-
- - -
- - -
- - -
- - -
- - -
- -
-
- - -
- - -
- - -
- - -
- - -
- -
-
- - -
- - -
- - -
- - -
- - -
- -
|
