HIPPA Effects Of Health Insurance Essay, Research Paper
Effects of the Health Insurance
Portability & Accountability Act (HIPAA)
Just when Americans thought it was safe to turn on their computers after this year?s anticipated Y2K catastrophe, now comes the federal government?s new Health Insurance Portability & Accountability Act (HIPAA) — privacy regulations that will create new, insurmountable challenges for today?s healthcare industry. The Y2K bug is estimated to have cost the health care industry upwards of $10 billion. By comparison, implementing the HIPAA privacy and security regulations is estimated to cost the health care industry $40 billion over the next two years. Beginning January 2001, US health care operations will never be the same again.
This paper will address the origins of these new federal privacy regulations with a specific focus on the privacy standards and the Health and Human Services (HHS) proposed rules on confidentiality of personal health information. In a Wall Street Journal/ABC poll conducted on September 16, 1999, Americans were asked to identify those issues that concerned them most for the coming century. “Loss of personal privacy” ranked as the first or second concern of 29 percent of all respondents. Other issues, such as terrorism, world war, and global warming, scored of 23 percent or less.
Historically, an individual?s access to his or her own medical records ? and the ability to limit that access to third-parties ? was safeguarded by the patient, physicians, and healthcare organizations (i.e., hospitals, clinics, etc.). However, with advances in information technology, the issues of security and breeches of patient confidentiality have become major priorities.
When Congress passed the Health Insurance Portability & Accountability Act of 1996, it contained hundreds of pages of proposed legislation intended to set privacy and security standards for the creation and maintenance of patient health care databases. Congress set a deadline for itself of fall 1999, to pass comprehensive legislation regulating the privacy and security of information traditionally held sacred between patient and doctor. If Congress did not meet its deadline, HIPAA authorized the Secretary of the Department of Health & Human Services (HHS) to take on the program. In November 1999, after Congress failed to meet its deadline, HHS issued proposed privacy regulations regarding the secure treatment of electronic information and requiring a “standardization” of data used in transmitting health care information electronically. After the uneventful passing of the Y2K “crisis,” healthcare providers reevaluated the proposed regulations and began to realize the impact of such privacy and security regulations.
HIPAA addresses the protection of health information from its creation and establishes uniform requirements for those handling such information. The new privacy regulations effect all health care providers, health plan administrators, and health care clearinghouses (hereinafter collectively referred to as “health care operators”) that electronically transmit individual, identifiable health information in one of several types of transactions. The regulations apply not only when a health care operator engages in one of the listed transaction, but any time they use or disclose protected information. In fact, the regulation covers such a broad variety of healthcare-related transactions — such as verification and coordination of benefits — that only on rare occasion will a health care operator not be effected by this mandate.
The regulation governs the use and disclosure of individual, identifiable health information that has been electronically transmitted or maintained by a health care operator. However, not all health care information is protected under these regulations. The new privacy regulation only applies when a health care operator places information that potentially identifies an individual into an electronic format, and a reasonable basis exists to believe that the information can or will be used to identify the individual. This category of information is known under the new regulation as “protected health information.”
It is important to remember that individual, identifiable health care information can easily become subject to these regulations whenever existing information is entered into a computer or any type of electronic data system. This includes the scanning of older, paper records into an optical storage device. As a general rule, protected health care information may not be used or disclosed — even within an organization — unless the health care operator receives specific authorization from the individual patient.
The Privacy Act of 1974
Before considering the HIPAA Act, there is value in first reviewing the Privacy Act of 1974, as both generally promote respect for the public?s privacy. Under the Privacy Act of 1974, federal agencies were adopt minimum standards for the collection and processing of personal information, and to publish detailed descriptions of these procedures. This Act also limits the making of such records available to other private agencies or parties and requires agencies to make records on individuals available to them upon request, subject to certain conditions and exclusions. This is not unlike the HIPAA Act which governs how health care operators (as opposed to the federal government) handles the confidential information obtained from patients (as opposed to the public at large).
The Privacy Act of 1974, has four basic policy objectives:
oTo restrict disclosures of personally identifiable records.
oTo grant individuals more rights to access records agencies maintain on them.
oTo grant individuals the right to seek amendments to agency records maintained on themselves.
oTo establish a code of fair information practices which requires agencies to comply with statutory norms for collection, maintenance, and dissemination of records.
According to the HIPAA, the security standards that apply to the health care operators must address reasonable and appropriate administrative, technical, and physical safeguards to:
oEnsure the integrity and confidentiality of the information.
oProtect against any reasonable anticipated threats or hazards to the security or integrity of the information, including unauthorized use or disclosure.
oEnsure compliance by officers and employees of the health care operators.
Organizations that handle individual health care information must establish control policies that regulate appropriate access to the information in their possession, while assuring its confidentiality. An effective policy would first determine those staff members who are granted authorization to the information, and then govern how and when such authorization is maintained, modified, or terminated.
Issues to consider are:
?Training. Employees should be trained regarding what information, systems, or applications they have authority to access, together with their responsibility to limit such access.
?Identification: Health care operators should supply authorized personnel with Personal Identification Numbers (PINs) or key cards by which users can be authenticated as part of the control process.
Information Systems Security Management
Information systems security management requires formal policies and procedures for granting (or denying) access to various levels of health care information, including user authentication and accountability practices. In order to meet regulatory compliance, three key areas must be in place:
1.security measures for all information systems;
2.security testing, including intrusion testing, performed regularly on systems and networks;
3.virus protection, and a response procedure when a virus is detected.
The HIPAA security guidelines require that management control the implementation measures, practices, and procedures for the security information systems. The organization can amend these issues by:
?documenting all policies and procedures in the integration and daily work of the Information Systems Management Department.
?installing software that maintains review schedules for testing security features.
?creating a system for on-going and periodic system checking.
?updating and formatting a frequent virus checking system and procedure.
Security Incident Procedures
To ensure that violations are managed quickly, health care operators are required to have documented “damage control” procedures for reporting security breaches. Such procedures should address data backup, data storage, and proper disposal of data, in addition to assigning responsibility in the event of a security incident. The damage control procedures should also include: a disaster recovery plan, emergency mode operations, equipment control, an organization security plan, procedures for verifying authorization prior to physical access, maintenance records, “need-to-know” procedures for personnel access, and sign-in procedures for outside (contract) vendors.
Security Management Process
Health care operators are required to establish risk reduction security policies to insure accountability, prevention, containment, and correction of security breaches including risk analysis, risk management, and sanction policies. Additional measures to protect sensitive data includes: firewalls, intrusion detection devices, and audit logs.
It is imperative that personnel be properly trained in order for a health care operator to meet the HIPAA standards. Each organization must develop, implement, and maintain records of awareness training for all personnel on virus protection, reporting data discrepancies, and password management to ensure protection of health care information.
In order to meet the HIPAA standards, health care operators must establish termination procedures for personnel leaving the organization including: changing the locks, terminating user access to databases, denying access to the physical facilities, and revoking control mechanisms (i.e., swipe cards and keys).
Market Refortm / Impact
The financial impact for organizations preparing for the Y2K bug was estimated to have cost the health care industry upwards of $10 billion. Implementing the HIPAA privacy and security regulations is being estimated to cost the health care industry $40 billion over the next two years.
According to a recent survey conducted by the newsletter HIPAA Alert, 80 percent of health care operators, and 75 percent of insurers, are trying to build overall awareness in their organizations about the new HIPAA requirements. Additionally, more than half of healthcare industry professionals are completing their initial assessment process.
Over half of billing clearinghouses and vendors are well into HIPAA compliance, planning, and implementation. It is the health care providers and insurers who are behind in their efforts, with less than a third of respondents saying they have begun planning and implementation for the HIPAA compliance. One reason given for the slow movement of providers was that they were waiting for the final rules to be set in place before moving forward with implementation.
Three-fourths of information system vendors indicated that they would complete internal testing of the HIPAA-compliant systems within 12 months, and all billing clearinghouse respondents reported they will be HIPAA-ready within 18 months. More than half of insurers indicate that they will not be fully HIPAA-compliant for 24 months or longer, possibly because of confusion over what is really needed to be compliant.
Inasmuch as the HIPAA law has yet to go into effect, there is no case law yet involving this legislation. It will be interesting, however, to see how this legislation impacts further interactions between health care operators and the people they serve.
Health care operators who will be affected by the final ruling slated for December 2000, should assess their current status to ascertain whether they will be in compliance with HIPAA and, if not, what they need to do about it. Such assessments should include:
Educate organization staff members
What can a health care operator do to prepare for HIPAA? Their first step should be to educate their senior management and line-staff. The HIPAA is a complicated and extensive piece of legislation. It requires considerable education and a commitment from senior management to secure the necessary human resources and financial resources. Especially in larger health care operations, a chief security officer or similar senior management officer is recommended to lead the organization?s HIPAA efforts.
Coordinate a HIPAA Committee
Individual health care operators should each establish HIPAA committees. These group should be responsible for the oversight of HIPAA education, communication, and timelines. Needless to say, personnel from Human Resources, Information Services, Finance, and the General Counsel?s office should comprise the committee, in addition to personal from medical records, medical staff affairs, managed care, and the business office. Such committee should meet frequently during the establishment and coordination of the HIPAA initiatives to make certain that compliance will be met, and then periodically thereafter to insure proper maintenance.
Audit Policies, Procedures, and Application Systems
Health care operators should audit their existing information systems to identify areas that will require improvement in order to comply with the HIPAA rules. One method would be to conduct a gap analysis. The analysis would serve as the foundation for creating a timeline for meeting the HIPAA deadlines. The audit should include an extensive review of all policies and procedures associated with the release of information, network and application security, and medical record confidentiality. Such audits ? both current and future ? should be under the direction of the HIPAA Committee referred to above.
Identify Risk Areas
As a result of the initial audit, each health care operator should be able to recognize high risk areas and then develop a corrective action plan in response. Such action plan will greatly depend on the identified deficiency. As a matter of necessity, those areas with the highest risk should be addressed first, although these may also require the most time, money, and manpower to correct. Most importantly, health care operators should document each of their efforts towards compliance in the event that their labors are ever questioned.
Compliance with the upcoming HIPAA mandates will require the coordinated efforts of every health care operator in the United States. However, despite how long, costly, and tedious this process may be to these organizations, these initiatives are absolutely necessary to safeguard the right of each American citizen regarding his or her health care records.
In the current cyber-society in which we live ? one that will only get more sophisticated with time ? such laws are imperative. The average cyber-junkie, familiar with the information superhighway and all its little side-streets and alleys, can already find out more information on the average citizen than most of us would want shared: our home addresses, phone numbers, interests, hobbies, etc. In some ways, it is akin to George Orwell?s 1984. The only exception is, this time it is not “Big Brother” who is watching ? instead it is your next door neighbor or the kid down the street. Without laws such as the Health Insurance Portability & Accountability Act, we could one day learn that our most personal concerns ? the health of our minds and bodies ? is fodder on the Internet.
HIPAA Insurance Reform http://www.hcfa.gov/medicaid/
HIPAA Health Information Standards http://www.jhita.org/hipaarule.htm
Health Insurance Portability and Accountability Act of 1996 Administrative Simplification http://www.hcfa.gov/facts/February 1997 Health Insurance Portability and Accountability Act of 1996
“Getting Ready for HIPAA Privacy Rules” AHIMA article on preparing for HIPAA security standards http://www.ahima.org/journal/features/feature.0004.5.html
“Conducting Your Own Internal Assessment” Journal of AHIMA article provides good checklist to do your own assessment http://www.ahima.org/journal/features/feature.0005.4.html
Lemonine, B. The Business Journals. HIPAA compliance cost may exceed Y2K http://www.bizjournals.com/
Part II Potential Effects of HIPAA: A Review of The Literature
Stephen Long and M. Susan Marquis
Department of Health and Human Services, Proposed Standards for Privacy and Individually Identifiable Health Information http://aspe.hhs.gov/admnsimp/faqtxdif.htm
“Proposed Rules” Federal Register, 63, no. 155 (1998) http://www.access.gpo.gov
Implementing HIPAA Security Standards?Are you Ready? ( October 1999)
HIPAA supersite from consulting firm Beacon Partners, includes news, timelines and legal info. http://www.hipaacomply.com