HIPAA - Points to consider


James Michael Stewart
03.25.2003


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was designed to improve "the efficiency and effectiveness of the health care system by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information" (Public Law 104-191).

The requirements of HIPAA are fairly complex and affect nearly every aspect of the health care system. It is important to take a detailed and methodical look at HIPAA to ensure that you are fully compliant with every aspect of this legislation. To that end, here are several important points to consider while developing your HIPAA plan of action:

  1. Make sure you, as a provider or health plan, are ready.
    1. Don't rely on your payers or software vendors to make you compliant. HIPAA is much too complex for the 'HIPAA-in-a-can' solutions offered by many vendors.
  2. Contract with uninterested parties (i.e. organizations without a conflict of interest) that are HIPAA-aware to help you through the process.
    1. There are many steps and many areas that need to be addressed. It is always better to have several specialized people than one who thinks he is the 'HIPAA Kahuna'.
  3. Be as prepared as possible for each regulation release by examining the context of the regulations to be released.
    1. Privacy was released first, so go through the steps that ensure you meet the requirements for privacy under HIPAA. Once that is done, start preparing for the security regulations. After all, having a secured network now will reduce the work required to meet the security regulations once they are distributed.
  4. Be realistic about what you are capable of accomplishing.
    1. HIPAA regulations are full of statements like 'reasonable effort' and 'as permitted'. This means that who you are, how big you are, and how much money your company has determine your level of reasonable effort.
  5. HIPAA is about protecting PHI (protected health information, also called confidential or sensitive health information). That is a given; what is taken for granted is the number of possible conduits through which PHI can leave your custody and reach an unauthorized entity.
    1. Be diligent about covering all the bases. Everything from fax machine location to who is asking for the PHI has to be accounted for.
    2. There also has to be a paper trail or 'chain of custody' for the information.
    3. As long as you know where the information is, who has access to it (and can prove it), who HAS accessed it, and who gave permission for what to be disclosed, the privacy regulations are pretty logical.
  6. If you use software for billing, you NEED to be in conversation with the vendor.
    1. You MUST allow enough time for testing the new billing forms and for any corrective actions that might need to happen.
    2. There are state-governed requirements for submitting billing.
    3. It is well worth the effort to use the services of a third-party testing facility to verify that your 835/837 forms are formatted correctly. www.claredi.com is a common validation site.
  7. Need-to-know dates
    1. April 14, 2003: Privacy regulations go into effect except for small health plans
    2. April 16, 2003: EDI transactions and code sets; must start testing
    3. October 16, 2003: EDI transactions and code sets; go into effect for all those covered entities that filed for an extension and small health plans
    4. April 14, 2004: Privacy regulations in effect for small health plans
    5. July 30, 2004: Employer Identifier Standards go into effect, except for small health plans
    6. August 1, 2005: Employer Identifier Standards go into effect for small health plans
  8. Useful resources:
    1. http://aspe.hhs.gov/admnsimp/
    2. http://www.cms.hhs.gov/hipaa/
    3. http://www.claredi.com
    4. http://www.wedi.org/snip/
    5. http://www.hipaagives.org/

There is no way that all the points of HIPAA can be put into a small outline. HIPAA is a complex, sensitive beast; however, it CAN be tamed. It takes time, perseverance and an overall understanding that once these regulations are in place and working properly, it is very possible, if not likely, that these standards will start to expand to cover other entities that deal with sensitive information. Entities like child protection services and foster care agencies are likely candidates. Although HIPAA regulations are lengthy and sometimes confusing in the way they override some state laws and yield to others, it is in the best interest of everyone to give HIPAA the proper respect it deserves. After all, what if the information that was accidentally given to the wrong people was yours?

The content for this security policy tip on HIPAA was compiled by Lewis C. Fry.


About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.








