New HIPAA rule will protect information security
From the April ACP Observer, copyright © 2003 by the American College of Physicians.
By Margo Williams
Earlier this year, the government answered some longstanding questions about how to protect electronic patient information.
The new rules, as well as minor changes to earlier transactions requirements, give health care organizations long-awaited guidance on security. At the same time, however, the window to implement other HIPAA regulations before their April deadlines is closing fast.
On Feb. 20, HHS published its final security rule. The regulations spell out what hospitals, physician groups and other organizations must do to protect patient information that is stored or transmitted electronically.
The security rule is the third and final major piece of the Health Information Portability and Accountability Act (HIPAA). The law aims to simplify the flow of patient information among health care organizations, as well as protect the security and privacy of that information.
The good news about the security rule is that hospitals, medical groups and other organizations don't have to comply for about two years. (The security rule deadline is April 20, 2005.)
The bad news? When it comes to two other HIPAA rules—one on privacy and one on electronic transactions—time is quickly running out. You must comply with the HIPAA privacy regulations by April 14. You must also begin testing your office systems by April 16 to make sure they meet the new transaction standards.
While the government is not likely to throw you in jail if you don't meet the deadlines, officials have said they will respond to patient complaints. If you don't at least have a compliance plan and even one patient complains that you violated his or her rights, you could face problems.
The bottom line? If you haven't started to prepare your practice, get moving.
ACP's Practice Management Center has developed a series of tools to help practices comply with all three HIPAA rules. While you should start thinking about how you'll comply with the security rule, you still have plenty of time to get your practice ready. For now, at least, you should focus on meeting the privacy and transactions rules deadlines.
Here are some commonly asked questions about HIPAA and its different rules:
Q: What's the difference between the security and privacy regulations?
A: The two rules are intertwined. The privacy rule regulates how you use and disclose patient information, whether it is spoken, written or electronic. As of now, the security rule regulates only the storage and transmission of electronic health information.
While the privacy rule primarily focuses on requirements for releasing information appropriately, it does contain what is known as a "mini-security rule." This provision requires covered entities to implement "appropriate administrative, technical and physical safeguards" to protect both electronic and nonelectronic health information.
As a result, the security and privacy rules are closely related. To protect the privacy of information from unintended release, you need to put adequate physical and electronic security measures in place.
The security rule defines the standards you must meet to appropriately safeguard the confidentiality, integrity and availability of electronic health information. Information meets the government's definition of "electronic" if it ever existed in electronic form on a computer.
One good thing about the security rule is that it gives users some flexibility in meeting its various standards. Small practices with less sophisticated computer systems can meet the requirements; they can adopt new technology over time and still comply.
Q: How do I know for sure if my practice management system vendor is HIPAA-ready?
A: All vendors should begin testing HIPAA transactions by April 16. By that date, all practices that applied for an extension to the earlier Oct. 16, 2002, transactions deadline must begin testing. By Oct. 16 of this year, all practices must be fully compliant.
You should focus most of your energy on testing the HIPAA 837 electronic claim transaction with government and private payers. After October of this year, payers like Medicare are expected to stop paying practices that cannot send HIPAA-compliant electronic claims.
As soon as possible, make sure that your computer vendor, billing agency, clearinghouse and payers can send and receive electronic transactions.
Q: Where can I get information about my vendor?
A: Several medical specialty societies, including ACP, have worked together to create a Web site that lists the HIPAA-readiness of many practice management software vendors.
The directory contains information about which HIPAA transactions each vendor's products will support, the name of the clearinghouse that the vendor uses (if applicable), and whether a third-party company certified the product as HIPAA-ready. (The list is available online.)
Ideally, you should look for products that claim to be certified. The site's information is self-reported from vendors, however, so ask your vendor for written confirmation that the information is accurate.
Q: Should I buy a shredder to dispose of duplicate lab reports, patient financial information and other documents that contain protected health information?
A: It's a good idea. While the privacy rule does not address this question specifically, it does say that you should use reasonable "physical, technical and administrative safeguards" to prevent unauthorized use and disclosure of protected information.
That's why you should take some precautions like destroying documents that contain patient information before you throw them away. Otherwise, you are at risk if someone rifles through your trash and reads one of those documents.
The security rule does not address the destruction of paper documents because it deals only with electronic information.
Margo Williams is a practice management associate in the College's Washington office.
For more information
Internist Archives Quick Links
Earn CME Credits with ACP
ACP offers internists many CME options for the completion of AMA PRA Category 1 CME Credits™. Attend live meetings, work online, or watch course recordings on your own schedule.
Explore our many CME credit options.
The Next-Generation Clinical Information Resource
DynaMed Plus is a collaboration between ACP and EBSCO Health. ACP members enjoy free access to this comprehensive tool that optimizes time to answer for busy clinicians, like you. Get started now!