Key Elements of HIPAA Compliance, prepared by Washington Federal Strategies

Overview:

The U.S. Department of Health and Human Services is in the process of issuing a series of new regulations that affect the way health care providers, insurers, and patients will interact and share information.   These regulations address subjects ranging from standards for the transmission of information electronically to the way private personally identifiable health information is stored and handled in the healthcare system.

The new regulations are intended to address the following (among other) problems:

•  Problem: consumers were faced with resistance from health insurers as they moved to new jobs or to new health plans.  

•  HIPAA's Solution: Health insurance portability provisions designed to make it easier for healthcare consumers to move health information as they move among healthcare plans by setting standards for the movement of information electronically;

•  Problem: Physicians and patients and other segments of the healthcare world were concerned about the security of private health information in an increasingly electronic world.  

•  HIPAA's Solution: Set standards for the maintenance of privacy for individually identifiable patient information and set standards for keeping that private information private and confidential;   and

•  Problem: Concerns about electronic insecurity delayed the implementation of new technologies in health care that can reduce administrative costs in the provision of healthcare in the US and that can improve the quality of care delivered.

•  HIPAA's Solution: By setting standards that protect privacy and security, the benefits of new technologies can bring administrative cost savings to healthcare as well as supplying tools that make better information available to healthcare providers, which will lead to better-served patients.  

Estimates are that by using new technology in the healthcare system, the industry will save nearly $30 billion over the next ten years. The need to provide better security for private information will add some costs to the system, but the net result will be an estimated cost savings of $17 billion over the next ten years, which is good for everyone.

Do the regulations affect “me?”

It is safe to assume that if your organization is involved in the provision of healthcare services or health insurance, the regulations affect you.  

Does that mean that I am a “Covered Entity?” 

If you are a physician, or work for a hospital, a clinic, a health insurance company, or a group plan, you or your employer is a covered entity, and the regulations apply to you.

What are the obligations of “Covered Entities?”

There is a range of things that covered entities must do to comply with the most recently released regulations. These regulations, released in the Federal Register on December 28, 2000, will go into effect on February 26, 2003, which is not so very far away. They address issues regarding privacy of health information.

The list below is not comprehensive, but it should give a flavor of what is required.   Covered Entities must:

•  Review the consent forms that patients sign regarding the release of the patient's private health information;

•  Keep track of who accesses private patient information;

•  Seek patient authorization to release information to anyone who is not covered by the initial consent or by some exemption in the regulations - an exemption like the need for emergency medical care or release of the information in response to a court order or in response to a regulatory demand;

•  Ensure that the businesses that perform administrative services for them or data aggregation services for them also treat the private information with the required level of security;

•  Provide patients with access to the patient's own information, and must be prepared to tell the patient who else has seen the information if the release is something out of the ordinary course of the provision of care;

•  Scrub individually identifiable patient information from records prior to using those records for activities not covered by consents, authorizations, business associate contracts or other laws;

•  Train healthcare workers, including doctors, nurses and administrative staff, to keep track of information as it moves through a healthcare practice, hospital or clinic.

The new regulations implicate changes to the law, the way a practice or hospital is run, new technologies AND new workflow processes.  

Can my Information Technology people handle HIPAA compliance for me?

There are elements of HIPAA compliance that will probably involve the introduction of new technology into hospitals and medical practices.   And, there will need to be some changes to the information systems that are currently in use.   So, IT people will need to be involved with HIPAA compliance.   But, the regulations cover activities that go beyond information technologies.   What is more, many IT departments are already over-burdened, and they may not have time to read and absorb the new regulatory requirements in addition to handling their current work.

Can I turn to my healthcare attorney/hospital general counsel and let them handle HIPAA for me?

Working with your attorney or general counsel's office with regard to HIPAA will be key to success. However, as with your IT advisors, your counsel may not have much time to dedicate to HIPAA in addition to existing work requirements. Further, counsel may seek help in this arena of interface between regulation and technology. Technology can address some HIPAA issues but not all. Understanding the opportunities and limitations of technology under the new regulations is a vital component in smooth, effective compliance with the new regulations. And, the smoother the implementation, the lower the cost of compliance. This process should result in a cost savings from streamlined administration. It will be important to involve counsel in the process, especially in the drafting of consents, authorizations, and business associate contracts; however, they may not currently have the expertise to handle all aspects of HIPAA compliance.

How do I start to address HIPAA?

Practice managers and hospital administrators can initiate HIPAA compliance by (1) educating themselves on the HIPAA regulations; (2) conducting an assessment of the current work processes and systems; and (3) laying out a plan for assuring compliance.   To do this they may wish to bring in outside experts to help with one or more of these steps.

First, be ready to examine the workflow process.   This experience should give you flowcharts showing information flow, people flow, and money flow.   This ought to provide the working basis for analysis of where changes need to be made in any or all of those flows.   The next steps are to establish compliance procedures and to train staff.   These steps are essential to compliance with HIPAA. 

Second, be ready to assess a range of technology tools and policies that can help with compliance or that may need to be changed to prepare for HIPAA compliance.   For example, physicians in a practice may be pushing to adopt wireless palmtop devices to facilitate electronic prescription writing.   There are now some key questions to answer not just about the available technology but about the level of information security that each technology allows.   Technology shortfalls often can be addressed using good information management rules.   Technology will need to be integrated with the information management that was key in the first area.

Third, it is important to understand the regulations and the legal implications of them.   There is a need to have legal counsel review the plan for compliance.   However, it is important to ensure that the attorneys do not set the bar so high for avoiding risk that compliance becomes impossible.

For a hospital, it may be useful to have outside help with each of these three areas as it begins its HIPAA compliance activities.   That way, the individuals who will become responsible for HIPAA in each of these three fields will have some support through the process.   For a hospital or medical practice, there are economies of scale to have outside experts help introduce the new regulatory requirements and the opportunities that they present, without crippling the activities of the practice or hospital.  

What Washington Federal Strategies Offers:

Washington Federal Strategies has done a detailed analysis of the new regulations. We have interviewed several experts in HHS regulation and health policy to give us the background to deal with HIPAA compliance. We can work with you to undertake a compliance plan, or we can work with your attorneys and information technology staff to help them get a head start on the new challenges of HIPAA compliance. Our staff includes attorneys, management consultants, and technology experts, combined into teams ready to address HIPAA issues.

The process of complying with the new regulations requires an enterprise-wide approach to changes in technology, workflow process, and sensitivity to new regulation.   WFS brings a diverse team of talent to HIPAA compliance.   We begin with presenting some background materials on HIPAA and let you know how to keep up-to-date.   Then, we undertake an assessment of your work processes and identify opportunities for technology to streamline work or protect the privacy of information.   We can then work with your staff to help draft compliance manuals, train staff and manage the implementation of new tools.   Our team will work with your staff at your facility(ies) to make the process of compliance smooth and effective.   Your hospital(s) or offices will reap the benefits of better technology tools, administrative savings, and more effective staff training in the new processes.   This will generate better relationships with patients and streamline the processing of insurance claims.  

WFS's staff has worked to reinvent government agencies, streamline business processes and comply with government regulatory and legal requirements.   Further, our staff has extensive experience with introduction of sophisticated technology in hospitals and medical practices - from the smallest offices to large hospital consortia.   This technology is adapted to the needs of the facility or practice, and presented as simply as possible, to cause the least disruption to patient care.   Finally, we offer all of this with insight from legal counsel experienced in helping businesses comply with complex regulations.   While we do not offer certified legal opinions, we can offer an integrated solution that will expedite HIPAA compliance for you.  

Our integrated approach will minimize the number of times that systems have to be changed, upsetting your staff by making them learn and unlearn systems or practices.   We want to help you to do this once, simply.   No internal office politics to overcome, no turf battles.   No need for you to coordinate the schedules of your already overburdened IT and legal advisors.   We handle all of that by bringing in a team that is accustomed to working on these problems in an integrated fashion.   And, we will train your staff to maintain compliance.   We can even come in annually to give your new hires training and update manuals in accordance with any regulatory changes.   Your staff is free to carry on the important work that is now filling their time.  


Biographies of Our Senior Staff:

Kurt M. Lowman has served as COO and CIO of an Internet-based, world-wide, high-tech healthcare informatics company. Prior to that, he served as the Executive Vice-President of an advertising and marketing firm where he was a pioneer in introducing computer design and digital imaging technologies into his company's design process. Mr. Lowman's background gives him great depth in working on business and technology problems. His experience in running companies allows him to offer practical advice on approaches to solving business problems. Mr. Lowman's greatest strength is his experience in adapting technology to solve business problems. Because of his involvement in health informatics and expertise in securing electronic information, Mr. Lowman has the experience to find the best technology and business solution for our clients.

Anne E. Linton has served as an attorney at two law firms and for many years at the Federal Communications Commission. While at the FCC, she was part of a two-year pilot study of total quality management in government, streamlining the application process in the cellular licensing office and the tariff filing process, and she worked with the National Performance Review to reinvent government. She has worked with lawyers, technologists and engineers to improve work processes and train staff to work in teams. At the FCC, she also developed expertise in regulatory interpretation and compliance. Ms. Linton's experience as a commercial litigator and communications regulator allows her to look at and evaluate the risks of our clients' proposed actions. Experienced in working with agencies including FCC, Transportation, Commerce, State, FEMA, and HHS, she also guides WFS's government relations efforts. She has addressed the Society for Computer Applications in Radiology and the Radiological Society of North America on issues ranging from FCC support for telemedicine, to security of medical information on line, to risk management in the implementation of electronic patient record systems.

S. Nasir Ali specializes in advising businesses that wish to integrate information technology solutions into their core operations. He works with WFS after nearly a decade of management consulting advising Fortune 500 companies in the information technology, telecommunications, and aerospace sectors. Mr. Ali has assisted chief executives and boards of directors of Fortune 500 companies and major not-for-profit organizations in operations redesign, strategy implementation, project turnaround management, and new venture evaluation. He is also an expert in the software, hardware, and communications technologies driving the mobile Internet.