June 16, 2003
Legislated Ecommerce, Privacy, and Security: HIPAA (Health Insurance Portability and Accountability Act)
Roy Rada, MD, PhD
The high cost of administering the American health care system has challenged everyone for decades. One step to reduce the cost is to standardize the format for sending claims from providers to payers and to encourage these claims to be in electronic rather than paper form. After the health care industry tried unsuccessfully to standardize these claims, the industry asked the government to intervene.
The government proceeded to standardize not just electronic claims but also other transactions when done electronically, including eligibility inquiries, remittance advice, and referral authorizations. The standards are intended to encourage the movement from paper-based to computer-based transactions. The standards specify both the fields that must occur in a transaction and the code sets that must be used for values within the fields. By October 2003 the health care provider must either adopt the new fields and codes or allow its billing service or clearinghouse to convert the traditional transactions into the standard ones.
The government's efforts to reduce costs in administering the provider-payer relationship went under the heading of Administrative Simplification. The Congressional Act containing Administrative Simplification is called the Health Insurance Portability and Accountability Act, or HIPAA. When Congress realized that standardized, electronic, provider-payer transactions would become commonplace, Congress felt obligated to protect the privacy and security of health information. Accordingly Congress added to HIPAA the requirements for a Privacy Rule and a Security Rule. While the standardization of claims should mean that doctors get fewer inquiries from payers about what was meant, and that the time from a claim to a remittance should shorten, the privacy and security provisions are less obviously a direct benefit to the health care provider; they are a benefit to the patient.
The Privacy Rule reaches into the everyday activities of all people involved in health care. The Rule essentially puts a virtual lock on all protected health information and gives everyone with a legitimate reason to handle the information a virtual key. The deadline for Privacy Rule compliance was April 14, 2003. The parts of the Privacy Rule that typically concern the health care provider are described next.
Patients should acknowledge receipt of a Notice of Privacy Practices. The Notice explains that anyone involved in treatment, payment, or health care operations may use the medical record relatively unencumbered. Patient authorization is typically required for any disclosure made for reasons other than treatment, payment, or health care operations.
The Minimum Necessary portion of the Privacy Rule asks that a staff person not read information about a patient when that information has no bearing on the staff person's ability to serve the patient. In integrated delivery networks, Minimum Necessary could mean that the receptionist working from a computer terminal is not supposed to see the patient's online lab results. However, the government recognizes that the small practice is based on paper records, and that the entire patient record goes from desk to desk. In the small practice all employees may handle the entire record because nothing else is practical.
The Privacy Rule strengthens patient rights. The patient has a right to a copy of the patient record, and the health care provider can only charge the cost of providing the copy. The patient may request to add an amendment to the record. If the doctor refuses, then among other things the doctor must note in the record that an amendment was requested but refused. Finally, for those cases where disclosures are permissible and are made without explicit patient authorization, the health care provider must keep track of those disclosures, and if the patient requests an accounting of those disclosures, must provide such an accounting. All these things can be practically accomplished with the paper record and straightforward procedures.
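The two Privacy Rule mechanisms described above, scoping each role's view of a record to what it needs (Minimum Necessary) and keeping an accounting of disclosures made without patient authorization, can be sketched in code. The block below is an added example, not code from the article or from any HIPAA guidance: the role names, record sections, purpose labels, recipients and the sample record are assumptions chosen for illustration, and it follows the Rule in treating disclosures for treatment, payment or operations, or under a signed authorization, as exempt from the accounting.

```python
"""Toy model of Minimum Necessary access and accounting of disclosures.

Added illustration, not the article's code. Roles, sections, purposes and
the sample record are assumptions; a real system would take them from its
risk analysis and policies.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Treatment, payment and health care operations: uses covered by the Notice
# of Privacy Practices, needing no separate authorization and no accounting.
TPO = {"treatment", "payment", "operations"}

# Assumed purposes permitted without authorization but which must appear in
# the patient's accounting of disclosures.
PERMITTED_WITHOUT_AUTHORIZATION = {"public_health", "required_by_law"}

# Assumed role -> record sections that role needs to do its job. In an
# integrated network this is what the terminal would enforce.
ROLE_SECTIONS = {
    "receptionist": {"demographics", "appointments", "insurance"},
    "billing": {"demographics", "insurance", "procedure_codes"},
    "nurse": {"demographics", "appointments", "vitals", "lab_results", "medications"},
    "physician": {"demographics", "appointments", "vitals", "lab_results",
                  "medications", "notes", "procedure_codes"},
}


@dataclass
class Disclosure:
    when: str
    patient_id: str
    recipient: str
    purpose: str
    sections: tuple


@dataclass
class PHIStore:
    records: dict                                       # patient_id -> {section: data}
    authorizations: set = field(default_factory=set)    # (patient_id, recipient) pairs
    disclosure_log: list = field(default_factory=list)

    def workforce_view(self, role, patient_id, sections):
        """Return (visible, denied): requested sections the role may see, and
        those withheld under Minimum Necessary."""
        allowed = ROLE_SECTIONS.get(role, set())
        record = self.records[patient_id]
        visible = {s: record[s] for s in sections if s in allowed and s in record}
        denied = sorted(s for s in sections if s not in allowed)
        return visible, denied

    def disclose(self, patient_id, recipient, purpose, sections):
        """Release sections to an outside recipient, requiring authorization
        for non-permitted purposes and logging accountable disclosures."""
        record = self.records[patient_id]
        payload = {s: record[s] for s in sections if s in record}
        if purpose in TPO or (patient_id, recipient) in self.authorizations:
            return payload  # exempt from the accounting of disclosures
        if purpose not in PERMITTED_WITHOUT_AUTHORIZATION:
            raise PermissionError(f"{purpose} disclosure needs patient authorization")
        self.disclosure_log.append(Disclosure(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            patient_id=patient_id, recipient=recipient,
            purpose=purpose, sections=tuple(sorted(sections))))
        return payload

    def accounting(self, patient_id):
        """The accounting of disclosures a patient may request."""
        return [d for d in self.disclosure_log if d.patient_id == patient_id]


# Constructed sample record for the demonstration.
store = PHIStore(records={"P-001": {
    "demographics": {"name": "Jane Doe"},
    "appointments": ["2003-06-20 09:00"],
    "insurance": {"payer": "ACME Health"},
    "lab_results": {"A1c": "7.1%"},
    "notes": "follow-up in 3 months",
}})


def demo():
    """Receptionist is denied lab results; a payment disclosure is exempt; a
    public-health disclosure is logged; a marketing disclosure is refused."""
    _, withheld = store.workforce_view(
        "receptionist", "P-001", ["demographics", "appointments", "lab_results"])
    store.disclose("P-001", "ACME Health", "payment", ["insurance", "demographics"])
    store.disclose("P-001", "County Health Dept", "public_health", ["lab_results"])
    try:
        store.disclose("P-001", "Marketing Co", "marketing", ["demographics"])
        refused = False
    except PermissionError:
        refused = True
    return withheld, refused, [d.recipient for d in store.accounting("P-001")]


if __name__ == "__main__":
    print(demo())  # (['lab_results'], True, ['County Health Dept'])
```

The same two checks are what a paper-based small practice does procedurally; the point of the model is that once the record is electronic, the role scoping and the disclosure log can be enforced and produced by the system rather than by staff remembering to do it.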
The Privacy Rule is not asking for anything beyond what some would consider common sense. Most health care providers already do most of the things requested by the Privacy Rule. However, through the pressures of everyday practice executives may have made decisions in the name of expedient, quality care that now need to be further tempered with concern for privacy.
The Security Rule details the system and administrative requirements that a covered entity must meet to keep health information protected from unauthorized access. By contrast, the Privacy Rule describes the circumstances under which health information may be used and when a patient may have access to his or her health information. The implementation of reasonable and appropriate security measures supports compliance with the Privacy Rule. The Security Rule applies only to electronic individually identifiable health information, whereas the Privacy Rule applies to all individually identifiable health information. Compliance with the Security Rule is not required until April 2005. Details of the Security Rule are presented next.
The Security Rule organizes its standards into administrative, physical, and technical safeguards. Each standard carries implementation specifications of two types:
- Required: The entity must implement the specification as stated.
- Addressable: The entity assesses whether the specification is a reasonable and appropriate safeguard in the context of its own environment.
If an entity determines that an addressable specification is reasonable and appropriate, it must implement it. If the entity determines that the specification is not a reasonable and appropriate answer to its security needs, it must document why, and implement an equivalent alternative measure where one would be reasonable and appropriate.
The Security Rule emphasizes internal risk analysis and risk management as the core elements of the security management process. The cost of security measures is a significant factor to be considered in security decisions. The decision about whether an addressable specification is reasonable and appropriate rests with the health care entity and is based on its overall technical environment and security framework. This decision may rely on a variety of factors, including the results of a risk analysis, measures already in place, and the cost of implementing new measures.
Achieving privacy or security compliance may be seen as occurring in two stages: first implementation and then maintenance. In the case of privacy compliance, the costs for one year of maintenance are a small fraction of the costs of implementation. For security, however, the annual maintenance cost exceeds the implementation cost. The reason is that security maintenance takes time from every employee (procedures like security checks at doors), whereas for privacy most employees do nothing in maintenance mode.
The driving forces behind Administrative Simplification are cost-containment and patient empowerment. The need for cost consciousness in healthcare drove the introduction of standardization in provider-payer transactions. The insistence of the patient on further control over his or her medical record gave birth to the Privacy and Security Rules.
The Privacy and Security Rules provide an information flow and workflow blueprint for protected health information. While considerable flexibility is given to individual organizations to tailor this blueprint to their particular needs, the existence of a blueprint has major implications for the management of the healthcare enterprise. With a wider distribution of standard health information and blueprints for that distribution, the opportunities for efficiency in and involvement with the system grow.