Healthcare is, perhaps, the most highly regulated industry in the United States. Healthcare compliance is a multi-faceted beast. When considering the issue, it includes complex statutes, judicial decisions, lots and lots of federal rules, United States Department of Health and Human Services guidance documents, individual states’ Department of Health regulations, and different standards of accreditation.
But, perhaps, the largest bit of regulatory reform that hospital executives and General Counsel have to cope with is HIPAA, which was passed in 1996. Billions of healthcare compliance dollars have been spent on HIPAA consulting entities and more, perhaps, on HIPAA lawyers. While it is true that HIPAA is a very large dog with rather sharp teeth (penalties can reach a maximum of over $1,500,000, enforcement has been ramped up with the HITECH Act revision of the Privacy and Security Rules, and the Privacy and Security Regulations comprise more than eight hundred pages), there are only a few basic themes underlying the HIPAA privacy concept. Just as flicking a light switch illuminates a room, comprehension of these basic HIPAA tenets can dry the organization’s night sweats by providing clear focus for this healthcare compliance initiative.
The HIPAA regulations are divided into two Rules: HIPAA Privacy and Security. The latter is designed to ensure compliance with the former by providing a series of standards which provide administrative, physical and technical protections for electronic health information. The Privacy Rule is designed to prevent unauthorized use or disclosure of Protected Health Information (PHI). PHI, which may be paper-based or digital, is defined in the Privacy Rule as information regarding treatment or requests for treatment which may be identified with an individual person by one or more of 18 identifiers (name, social security number, etc.).
The Privacy Rule is known as a regulation of exclusion: it states that PHI may not be used or disclosed except for purposes of treatment, payment or operations of the healthcare provider or plan, unless the patient authorizes the use or disclosure in writing or the use or disclosure falls within one of the exceptions in the regulations. Exceptions include emergencies, as defined, uses or disclosures required by law, and provision of PHI to third-party contractors whose work requires access to PHI. Such contractors are known in the industry as Business Associates. The Privacy Rule mandates that a Business Associate Agreement be signed wherein the parties agree to follow the regulations set forth by HIPAA. After February 1, 2010, however, these Associates are required to abide by HIPAA directly, which means that even they must comply with the law’s requirements as though they were healthcare providers or plans.
Healthcare consulting entities and HIPAA lawyers (healthcare attorneys with a specialty in HIPAA law) can, by being outside entities, facilitate the necessary discussions to focus this healthcare compliance initiative by preparing Gap Analysis Reports, in which they review policies and procedures on the handling of healthcare information and make recommendations to bring those protocols into compliance. In its most basic form, the underlying basis for HIPAA compliance is not too difficult: use or disclose patient information only for the permitted purposes, and secure patient authorization to use it for anything not permitted by the Regulations. A culture of privacy is already a pervading theme within the cultures of a majority of hospitals. HIPAA lawyers and healthcare consulting entities, working with interdisciplinary teams at the hospital, can cost-effectively revise practices and policies to put these themes into practice, without changing the culture of the organization or unduly frightening the executive staff.
As health records are converted to electronic records, a paradigm shift is likely coming. Nowadays a patient’s lab results can be sent to a smartphone, where the doctor can text or email her orders based on those findings, all within seconds. Nurses can enter and retrieve notes and findings on a patient’s emergency room treatment from a nurses’ station, a laptop or a portable device anywhere in the hospital, rather than waiting for the paper chart to make its tortuous way up several stories to the patient’s room. Soon enough, it may be the case that a patient’s information can be sent anywhere in a matter of seconds.
The caveat to the convenience is that electronic records are far easier to alter, and come with their own slew of privacy problems that paper documents never had. In the Security Rule, HIPAA law touches on a number of these issues. The Privacy and Security Rules of HIPAA total almost 1000 pages, and while the legal, administrative and technical protection themes are not complicated, deciphering them and implementing action plans requires HIPAA lawyers to work in tandem with HIPAA consulting entities to prepare policies and procedures which will provide the requisite level of security. This is no small challenge in an age where a two-inch USB, or “thumb,” drive can hold thousands of pages of medical information, and can slip from one’s pocket as easily as the change which often turns up under the couch cushions. Moreover, in a world of social networking, it is not uncommon for individuals to do things they wouldn’t normally do in a professional setting, forgetting that electronic media like the internet make information, sensitive or otherwise, boundless. Once it goes out, it can go anywhere. Facebook, Myspace, and even text messaging are all important considerations with regard to the new regulations and privacy issues.
The HIPAA Security Rule addresses these concerns by requiring that Protected Health Information (“PHI”) be encrypted in storage as well as during transmission, according to the principles set forth in a Guidance published by the Department of Health and Human Services in April, 2009. DHHS has been mandated, by the changes made to the Health Insurance Portability and Accountability Act within the HITECH Act, to make periodic “spot audits” of hospitals with respect to privacy and security. Clearly, a hospital must have its HIPAA legal professionals on site working on security precautions well before such an inspection takes place.
HIPAA consulting entities, working with a team comprising IT, Records, Legal and the outside HIPAA lawyers, should embark upon a healthcare compliance security initiative by assessing current technical security protections as well as administrative security practices (i.e., how electronic health information is used and transmitted), revising those protocols where necessary, and training the employees on implementation of the new policies and procedures. HIPAA law, in 2010, is one of the most important standards of healthcare compliance, and the hospital will reach the necessary standard most cost-effectively by bringing together the HIPAA lawyers and HIPAA consulting groups with the hospital stakeholders early enough to accomplish workable procedures in information security.
Alex Dalton researches and writes extensively on HIPAA law.