Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) -in particular, Title II, Preventing Health Care Fraud and Abuse; Administrative Simplification and Medical Liability-was intended to establish a federal floor of protections for managing the evolving technologies of storing and sharing electronic health information.
Section 261 of Title II, Administrative Simplification (AS), is overseen by the Centers for Medicare and Medicaid Services (CMS); it focuses on technology and security standards as they apply to all electronic transactions. The technology standard creates transaction and code sets (TCS) that went into effect in October 2003, as well as national identifiers for providers, insurance plans, and employers.
The security standard was established to protect data in electronic medical records (EMRs) through security configuration and information access control; it went into effect in April 2005. The purpose of these two standards is to improve the efficiency and effectiveness of America’s health care system by encouraging the use of electronic data interchange (EDI).
Section 264 of Title II, Standards for Privacy of Individually Identifiable Health Information (IIHI) (the Privacy Rule), falls under the jurisdiction of the Department of Health and Human Services’ Office for Civil Rights (OCR) and pertains to all patients’ protected health information (PHI) in any format-electronic, written, verbal, or image. This rule applies to three types of covered entities: health care plans, clearinghouses, and providers; compliance was required by April 2003.
Priority 1: Security
Health care providers initially concentrated on EDI by submitting standardized electronic claims via their practice management systems (PMS) to clearinghouses or insurance companies. Only a handful of administrative parties were privy to a limited amount of patient information, such as diagnosis or procedural codes.
Now that the technology has advanced and providers are beginning to use EMRs, e-prescribing, and online communications, all of a patient’s IIHI is available to numerous clinical and administrative people in multiple locations, 24/7. Although security and privacy standards have becoming increasingly commingled, it is the security standard that dominates HIPAA compliance in the electronic office.
One year into the HIPAA security regulations, 25% of surveyed hospital and health systems indicate complete compliance and 50% state that they are close to full compliance, according to the American Health Information Management Association’s (AHIMA) 2006 survey, The State of HIPAA Privacy and Security Compliance.
Medium-sized and small physician practices report increases in compliance with the security standard, 33% to 54% and 40% to 68%, respectively, according to the US Healthcare Industry HIPAA Summer 2006 Survey, sponsored by Healthcare Information Management and Systems Society and Phoenix Health Systems.
However, three years after the implementation of the HIPAA privacy rule, only 85% of AHIMA survey respondents indicate that they are more than 85% compliant, compared with 91% of respondents in 2005.
In both surveys, key reasons for less than full compliance with the privacy rule include such factors as a lack of resources, administrative support, and interoperability between systems, as well as budget constraints to train new staff.
Ironically, this lag in privacy compliance comes at a time when consumers are becoming more aware of the privacy rule and their rights to understand and control how their health information is used and disclosed.
According to a spokesperson from the OCR, most complaints regarding privacy are against physician practices and involve:
- Impermissible use or disclosure of IIHI;
- Lack of adequate safeguards to protect IIHI;
- Refusal or failure to provide individual with access to or a copy of personal records;
- Disclosure of more information than is minimally necessary to satisfy the request; and
- Failure to have the individual’s valid authorization for a disclosure that requires one.
Some of the most frequent security problems involving small physician practices relate to a lack of adequate safeguards, such as exposure to computer screens. To avoid misuse or improper access, practices must address security concerns involving firewalls, password protection, encryption, and related considerations.
Other security vulnerabilities involve practices engaging in the improper disposal of patient information. Simple deletion of an electronic file from a storage medium generally does not permanently erase it in a way that precludes it from being restored in an unauthorized manner.
The OCR spokesperson acknowledges that while most physician offices are subject to general security safeguards under the privacy rule, those engaged in electronic transmission and storage need to look closely to the HIPAA security rule to make certain that their systems are in compliance with the more detailed standards that exist for security of electronic PHI-especially since 70% of people surveyed in a 2005 Harris Poll about EMRs were concerned that sensitive personal information may be leaked because of weak security.
Experienced otolaryngology practice administrators of groups using EMRs are heeding this advice, knowing that privacy must be securely protected in order to calm patient concerns.
Your EMR product should have zero gaps with the requirements of the transaction and code sets and privacy and security regulations, meaning that end users can be fully compliant using these products, provided that they have the appropriate policies and procedures in place, says Jolene Eicher, Practice Administrator for Commonwealth Ear, Nose & Throat and The Sinus Center in Louisville, Ky. Remember, it’s the physician’s practice that is compliant, not the products that it uses.
Ms. Eicher, whose practice has been using Greenway’s PrimeChart since May 2005, recommends that a PMS and EMR include the technical safeguards of HIPAA’s security standard to ensure privacy (see www.cms.hhs.gov/EducationMaterials/Downloads/Security101forCoveredEntities.pdf ).
We have firewall protection, says Linda Bauer, Practice Administrator for Pediatric Ear, Nose & Throat of Atlanta, PC, and all employees have a security code which changes every 90 days. Logins are routinely monitored to see who is viewing patient records and why.
Since the privacy rule requires the designation of a privacy officer, Ms. Bauer strongly recommends that a practice hire or train an existing employee in HIPAA security and privacy laws. This person should explain HIPAA regulations to the EMR vendor and information technology (IT) person and be included in all talks regarding how to maintain patient privacy, as well as what the needs of the practice are regarding HIPAA, before implementation of the EMR.
In his September 4, 2006 AMNews article, contract expert Steven Harris suggests that, a provision to provide technology or mandatory updates for regulatory compliance be required in the vendor’s contract, even though the software should comply with HIPAA’s security standards and include appropriate safeguards for PHI upon purchase.
E-Prescribing and E-Mail
Not only are physicians transitioning to EMRs, they are also beginning to use e-prescribing and Web-based applications, such as e-mail, that save time, money, and postage, but also increase access to patients’ PHI.
We have a two-part Web site, says Jeffrey Dudley, Practice Administrator for Sacramento Ear, Nose and Throat Surgical and Medical Group, Inc. in California. The general information at www.sacent.com was designed by a local developer. The encrypted, patient portal side of the website was developed by Kryptic, whose products are designed specifically to meet HIPAA privacy standards.
Through secure online messaging, patients can complete forms, make appointment requests, and request prescription refills, says Mr. Dudley. Most patientsdon’t think twice about using secure online communication, since they have experience with it through other sources, like online shopping or bill paying.
Our parents who use e-mail just love it, says Ms. Bauer.They feel more ‘in the loop’ regarding the care of their child. Everyone in the practice has a login ID for e-mail and secure messaging.
Ensuring security is important, as 67% of Americans show high levels of concern about the privacy of their PHI, according to the 2005 National Consumer Health Privacy Survey sponsored by the California Health Care Foundation. Disclosure statements should be a standard part of every e-mail communication. Guidelines for physician-patient electronic communications, prepared by the American Medical Association, can be viewed at www.ama-assn.org/ama/pub/category/2386.html .
At Sacramento ENT, online prescription refills still must be reviewed by a physician and then either phoned or faxed to the pharmacy. However, with our AllMeds EMR system, we can fax without generating any paper, so that simplifies things, plus it documents the activity in the patient’s chart, says Mr. Dudley. Our goal, as we become more electronic, would be to try and eliminate as many steps as possible while maintaining the proper approval and documentation.
The OCR spokesperson suggests that physician practices that are going electronic may find of interest recent HHS regulatory changes, established under the Medicare Modernization Act of 2003 (MMA) and effective October 2006, supporting e-prescribing and EMR technology.
CMS issued new exceptions to the Stark physician self-referral prohibition that allow certain entities to provide nonmonetary assistance to physicians to encourage their use of e-prescribing technology. CMS’ final rule also sets forth the conditions for a new regulatory exception for arrangements involving the donation of EMR software, IT, and training services. The HHS Office of Inspector General (OIG) simultaneously issued a final rule regarding the MMA-mandated anti-kickback statute safe harbor for certain e-prescribing arrangements, as well as a safe harbor for the donation of EMR software, IT and training services.
From the HIPAA perspective, our standards apply to all settings, electronic or nonelectronic, and we expect all covered entities to comply with our standards, says the OCR spokesperson. These standards were designed to be technology-neutral.
Although HIPAA implementation has been challenging, most practices have met the challenge, even when confronted with HIPAA-related problems. State privacy laws supersede HIPAA, making information sharing across state lines and compliance very confusing. Medical identify theft is increasing as more people in physician practices have access to data. Consequently, Congress has introduced numerous bills to protect the privacy of patients’ PHI.
The privacy issue will continue to grow and be a significant factor in everyday health care. ENT practice administrators, as they oversee the transition to an electronic office, need to ensure that they comply with HIPAA’s security standard to maintain the confidence, privacy and participation of their patients.
Pending Congressional Bills on Privacy
- 21st Century Health Information Act (H.R. 2234)Proposes creating health information networks that allow seamless transfer of health data and guarantee patient privacy through HIPAA compliance and the ability to opt out of participation.
- Health IT Promotion Act (H.R. 4157)Corrects obstacles that have slowed the adoption of a national, interoperable EMR system and directs the HHS Secretary to recommend a single privacy standard consolidating existing state and federal laws.
- Electronic Health Information Privacy ActCloses gaps in HIPAA; patients decide who sees their medical information and why; patients can opt out of any health information network; privacy rules apply to any organization or individual who sees, handles or exchanges medical records; audit trails mandated; criminal enforcement of privacy violations.
- Health Technology to Enhance Quality Act (S. 1262)Proposes a nationwide interoperable health IT system, strict adherence to HIPAA privacy standards, and the provision of grants to combine state and federal privacy laws.
- Wired for Health Care Quality Act (S. 1418)Adopts standard-setting processes from the American Health Information Collaborative; federal grants for providersneeding financial assistance and training in IT.
- Better Healthcare through IT Act (S. 1355)Establishes a national health information network; calls for privacy measures through compliance with the current HIPAA privacy rule.
For Further Information
- Health and Human Services, Office for Civil Rights-HIPAAwww.hhs.gov/ocr/hipaa
- Centers for Medicare and Medicaid Serviceswww.cms.hhs.gov/HIPAAGenInfo
- Office of the National Coordinator for Health Information Technology (ONC)www.hhs.gov/healthit
- American Health Information Management Associationwww.ahima.org/emerging_issues/2006StateofHIPAACompliance.pdf
©2007 The Triological Society