New rules for computerized data: What will they mean for physicians?
HIPAA says electronic information must be secure and standardized
The clock has started ticking on what promises to be the biggest information management project the health care industry has ever faced.
In August, HHS released the first set of rules under the Health Insurance Portability and Accountability Act of 1996, better known as HIPAA. The legislation promises to dramatically change the way that medical information--everything from patient medical records to billing claims--is electronically stored and transmitted.
When it comes to computerized health information, HIPAA requires the government to do three things: Establish national standards for electronic transactions, protect the privacy of electronic health information and protect the security of that same information. (Privacy refers to individuals' right to keep their health care information confidential, while security focuses on ways to protect information from unauthorized disclosures.)
Many experts predict that the amount health care spends on HIPAA will make Y2K expenditures look like small change.
The first set of rules released in August regulates how health care organizations exchange information between different computer systems. Health care organizations, including physician offices, have roughly two years to change their procedures and computer software to comply with the new rules.
HHS is expected to finalize the privacy and security rules by the end of the year. Once those rules are finished, the industry will have several years to implement them as well.
Analysts are already comparing HIPAA to the Y2K problem because the legislation promises to be the industry's next big computer and administrative hassle. But many experts predict that the amount of money health care spends on HIPAA will make Y2K expenditures look like small change.
In September, for example, one Wall Street ratings firm warned investors that the health care industry could spend up to $25 billion implementing HIPAA, or roughly four times what the industry spent on Y2K fixes. And unlike Y2K, analysts say, complying with HIPAA is more than a matter of purchasing new hardware or software. The regulations will require many health care organizations to retrain staff and renovate office space to deal with the new regulations.
If you're in a small- or medium-sized practice, the good news is that you won't have to devote as many resources to compliance as huge practices and health plans. The down side? You'll need to revamp parts of your practice, and you need to get started soon.
When Congress passed HIPAA in 1996, the legislation was better known as the Kennedy-Kassebaum bill. At that time, politicians primarily focused on the legislation's role in creating new protections to help Americans keep their health insurance when they changed jobs. That was the "insurance portability" side of the law.
But as its name implies, HIPAA also had an "accountability" side. The law aims to create rules that standardize and simplify how health care information is electronically stored and transmitted. Put simply, if information has ever been entered into a computer, it will be covered by the regulations.
On Aug. 17 of this year, HHS released the final rules regulating the electronic transmission of health care information. While the regulations are lengthy and very technical, they require everyone involved in transmitting health care electronically to use the same formats and code sets. Whenever physicians send information about a patient to an insurance company, for example, or whenever health plans communicate information about enrollments and payment, they will all use the same electronic standards.
Nearly everyone in health care agrees that such standards are needed. The industry currently uses about 400 different formats to exchange information electronically, according to HHS. It's one reason why 17 cents of every health care dollar is spent on administrative overhead. By shifting to a single standard format for electronic claims and related transactions, the government predicts that those costs will drop to 5 or 6 cents per dollar within 10 years.
Standardization may also benefit physicians. By streamlining electronic claims, HIPAA is expected to reduce the high number of medical accounts receivable. Some analysts also predict that standardization could make it economically feasible for small practices to do their own billing, further reducing costs for physicians.
Privacy and security
While HIPAA's mandate to standardize electronic health care transactions has received widespread industry support, its mission to protect the privacy and security of health care information has received more mixed reviews.
Many in health care say that privacy rules are overdue, given the vast number of people that see even the most basic health information. While about half of all states offer medical records some protection, the laws vary widely. Perhaps even more importantly, there is no single national standard.
"We have to be more careful with people's personal information, and HIPAA is moving us in the right direction," said Paul Tang, FACP, chief medical information officer of the Palo Alto Medical Foundation, a 350-physician multispecialty practice in Palo Alto, Calif.
Critics, however, complain that HIPAA doesn't go far enough in protecting patient records. They worry that the law technically applies only to medical records that have ever been stored or transmitted in electronic formats. (HIPAA covers even those records that have been printed and are now stored on paper.)
They are also concerned that the regulations do not apply to everyone who can access personal medical records, including administrators at schools and Internet health care sites that often obtain copies of people's medical records. And because states can require stricter standards, health care organizations that do business in more than one state might have to live by more than one rule, which defeats some of the goals of administrative simplification.
While it's true that HIPAA applies only to medical records stored or transmitted in electronic form, analysts say that very few health care organizations are totally paper-based. As a result, they note, most will probably treat all records as if they are covered by HIPAA.
In fact, analysts say that physician practices will be wise to apply HIPAA rules to all their medical data, even if it is not computerized. Ted Cooper, MD, national director of confidentiality and security for Kaiser Permanente in Oakland, Calif., suggested that doctors think of HIPAA regulations as the "equivalent of universal precautions."
How doctors will cope
What do physicians need to do to prepare for HIPAA? While there is some anxiety about the rules, analysts say that some physician worries may be overblown.
When it comes to complying with the electronic transactions rule released in August, for example, vendors of software packages will do most of the work to make their computer systems HIPAA-compliant. Physician practices, therefore, should start talking to their practice management software vendors, billing clearinghouses and anybody else they contract with.
Over the next two years, physicians need to make sure that their business partners—vendors, transcriptionists, etc.—have taken steps to become HIPAA-compliant. If you sign any new contracts, analysts say, require vendors to promise to comply with HIPAA regulations.
That said, doctors' offices won't be entirely off the hook. "Your practice management vendor or clearinghouse can produce a HIPAA-compliant transaction, but where do they get the data for that transaction?" asked Thomas L. Hanks, practice director for enterprise security and HIPAA compliance at Beacon Partners Inc. in Norwell, Mass., a leading health care industry security consulting firm. "Doctors have to look at the data required, what they are collecting now and how they are going to make up the difference." For instance, he said, doctors will discover that not all the information required by HIPAA is on the HCFA 1500 form.
In addition, Mr. Hanks said, doctors and their staff will probably need to learn some new billing methods. The new electronic transaction rules mandate that payers use only CPT-4, ICD-9, HCPCS and NCPDP codes. Other changes, such as the elimination of J-codes, will affect how physicians, nurses and their staff code in the office. Local codes will also be eliminated, which will affect how doctors bill Medicaid. "Somebody in the office will have to think about this," Mr. Hanks said.
When it comes to protecting the security and privacy of medical records, HCFA had not yet released final guidelines at press time. Most experts, however, said they did not expect the final security rules to differ much from the draft rules.
Analysts say that HIPAA's security rules will affect physicians more than the privacy standards because they spell out what must be done to keep information from unauthorized disclosure. The privacy standards, in contrast, dictate how organizations must protect health records when they share patient information for treatment, payment and administrative functions like credentialing.
The draft version of the HIPAA security regulations states that the regulations are intended to be "technology-neutral." In other words, physicians won't have to use a particular brand or type of hardware or software to comply.
The draft security rules are also designed to be "scalable," which means that small physician practices won't have to take the same level of precautions as hospitals or large groups to comply with HIPAA's security regulations. While an integrated delivery system like Kaiser Permanente may have to place surveillance cameras in data centers and develop human resources policies and procedures, the bar will not be raised as high for small physician practices.
Physician practices will have to take more limited measures. For example, they will have to ensure that all employees have unique passwords to log into computers and that unattended computers automatically sign off so that passersby can't view confidential information. Small practices will also likely have to inform patients of their right to see and correct their records, and they will probably have to implement a grievance procedure to deal with a suspected confidentiality breach. (For more tips on compliance, see "Tips for complying with HIPAA's security regulations," next page.)
HIPAA requires health care organizations to self-certify that they are compliant. (The government will not conduct regular HIPAA inspections.) Organizations that fail to abide by the regulations, however, can be punished. Penalties range from a $100 fine for refusing to use the standards when conducting a transaction to $250,000 in fines and 10 years in jail for selling individually identifiable health information for commercial advantage or malicious harm.
As practices work through the HIPAA regulations over the next few years, consultants say that doctors should be wary of consultants and vendors selling an easy fix. Complying with the regulations, they say, will be too complex to be addressed by a single product or piece of software.
Some analysts hope that HIPAA will force doctors to take a serious look at computerizing their practices to cope with the regulations. Dr. Tang from the Palo Alto Medical Foundation, for example, said that many physicians will discover that electronic medical record (EMR) systems make it easier for the medical practice to comply with HIPAA's security and privacy rules. Because EMR software tracks every person who opens any part of any patient record, he said, practices can track if unauthorized users have read a patient's record.
Health care analysts say that increased computerization would be a good step for the industry. "In general, most industries are investing 6% to 8% of their revenue in technologies that improve productivity. Health care has been spending far less than 2% a year," said Mr. Hanks, the consultant with Beacon Partners Inc. "We should start looking at technologies that may improve productivity as well as support our security policies."
Finally, practices also should remember that no amount of spending can totally secure all their records, nor should they think HIPAA demands total protection. As Mr. Hanks said, "The federal government doesn't have enough money to secure Los Alamos. We sure don't have enough money to secure all our facilities. It is a matter of making risk-acceptance and risk-avoidance decisions that are appropriate for our business, taking our size into consideration."
Deborah Gesensway is a freelance writer in Glenside, Pa.
A good place to start is a two-page section of the Aug. 12, 1998, "Federal Register," where the government gives an example of how a "small or rural provider" might make its office records HIPAA-compliant. The draft version of the rule defines a small practice as having one to four doctors, with two to five additional employees and a PC-based practice-management system that is used primarily to communicate with a clearinghouse for electronic claims submission. (At press time, the final regulation had not been released, but analysts said they didn't expect the final version to change significantly.)
In general, practices will have to follow the following steps before they can consider themselves compliant:
- Assess actual and potential risks to patient information;
- Develop policies and procedures to mitigate and manage these risks;
- Define how staff who fail to meet those responsibilities will be treated; and
- Set up contingency plans in case the practice needs to mitigate damage resulting from a breach of security.
You should develop personnel policies that call for reference checks on new employees and training in the office's security requirements. Termination procedures should require staff to immediately collect a terminated employee's office keys and erase his computer password.
Your office procedures manual must include a section on security that is required reading for all new employees. You should also create a system to regularly remind all employees of the importance of security, such as discussions about security in staff meetings.
In terms of your office's physical setup, small practices do not need to install the same sophisticated security technology required of large clinics and data centers. But practices will need locks on doors and closets where patient information is stored. They may also need to relocate computers to areas of the office with "some degree of physical separation from the public."
To access computers, every employee will have to have a unique password. Practices should not automatically give full access to all computerized records to all employees.
The "Federal Register" says it expects everyone from vendors to medical societies to create models to help small providers comply once the rules are deemed final.
The draft security rules, published in the Aug. 12, 1998, "Federal Register" is available online at the Government Printing Office (www.access.gpo.gov/su_docs/aces/aces140.html)
and the HHS Administrative Simplification Web sites (aspe.os.dhhs.gov/admnsimp).
The small provider example can be found on pages 43255-43256.
Internist Archives Quick Links
New Leadership Webinars
The ACP Leadership Academy is offering FREE webinars covering the core tenets of leadership, leadership in hospital medicine, finance, and more.
Join ACP Today!
ACP membership connects you with like-minded colleagues and provides access to a variety of clinical resources, practice tools, and ways to earn MOC and CME.