Plans of Government Officials Were Sailing Along Until… A Serious Hitch in HIPAA: The Internet
Keith Ferrell is a freelance writer based in Franklin County. Reprinted from the Sept. 19, 2005 edition of the Blue Ridge Business Journal.
If you have to see an ophthalmologist as a result of the eyestrain you get from reading the hundreds of pages of government prose in the Health Insurance Portability and Accountability Act (HIPAA) — or for that matter a physical therapist for your strained back from picking it up — you can rest assured that its provisions are intended to protect both the continuity of your health care coverage, and the privacy of your personal medical records.
That, anyway, is the intent.
But a funny thing happened on the way to the Act’s implementation: the Internet.
The portability aspects of HIPAA are designed to provide continuity of coverage should you change jobs, requiring that a new employer enrolling you in a group health plan within two months of your leaving your former job not impose pre-existing condition restrictions on treatments covered under your previous plan.
So far, so good.
Another, and in most ways larger, aspect of the initial plan was designed to simplify medical administration, and through simplification reduce skyrocketing costs.
The result of decades of work by committees and industry groups, HIPAA included among its goals the creation of a uniform set of claims codes for electronic transmission, filing and management of health care coverage records.
According to some sources, this is one case of a government cost-savings initiative that has actually worked, generating administrative savings measured in the billions.
But as HIPAA progressed through the actual stages of its phased implementation, beginning in 1996, Congress became concerned that the increasingly electronic world of medicine offered substantial opportunity for medical records to lose their privacy through intercepted emails, hacked computers and other dangers of our digital age.
Enter the privacy and security aspects of HIPAA.
“Broadly,” says Heman Marshall of Roanoke law firm Woods Rogers, “the purpose of the privacy aspects is to restrict unauthorized and unnecessary disclosures of protected health information (PHI).”
Additionally, HIPAA provided, for the first time, a national policy guaranteeing patients the right to have access to their medical records.
PHI privacy regulations went into effect in 2003, affecting who is permitted to have access to medical records.
Compliance-required security rules took hold in 2004, requiring that physical medical records be kept behind locked doors, with the digital equivalent of those locks required for electronic files.
Penalties for violations by organizations and companies covered by the rules — known by the government as “covered entities” — include both monetary fines and possible prison terms.
Who’s required to comply?
“Covered entities include health care providers that transmit PHI electronically,” Marshall says, “as well as health care clearinghouses (companies that convert healthcare data from one form to another) and health plans, including health insurers, HMOs, PPOs and employee health plans.”
The important thing to understand is that it is the plan — insurance companies, health care providers, Medicare, Medicaid, etc. — that’s covered by HIPAA, not the employer.
Clearly a business owner who’s a physician, or whose business is a pharmacy, would be considered a covered entity — as far as medical records of patients and customers go. (Personnel files are not covered under HIPAA — only medical records.)
But a typical business which provides employees with third-party health insurance would not be. The insurance company is the HIPAA-affected covered entity.
Should the company provide self-funded group coverage, though, the company may become a covered entity, depending on the size of the coverage and the number of claims filed each year.
Self-funding organizations that are HIPAA-bound are required to keep those aspects of the business that deal with PHI records separate from other office management.
Medical records must be kept separate from other aspects of the employee’s personnel file.
Need to know
“Only the people who need to know the information should have any access to it,” says Roanoke attorney Robyn Ellis of Gentry Locke Rakes & Moore. “Benefits administrators, human resource directors — these are the only people who should have access.”
The problem for small and medium-size businesses lies in determining whether they may provide a benefit or service that itself could be considered a covered entity.
Does a weight-loss or stop-smoking program that keeps track of employee progress count as a covered entity? What about an on-site clinic or nurse’s station?
“Generally,” says Ellis, who has written frequently on HIPAA-related topics, “these sorts of programs are managed by outside contractors, who are the HIPAA covered entities. But if an employer has a health care professional on staff, there are HIPAA issues that should be reviewed with a qualified consultant or attorney.”
There are other complications. Suppose you’re an employer who is designated as a HIPAA covered entity.
Should one of your employees change jobs, and request that health coverage records be forwarded to the new employer, that request — like all medical records access requests — must be made in writing, on an official HIPAA authorization form. Without that authorization, employers must keep the records under lock and key.
HIPAA has also run into inconsistencies with state health records requirements. “HIPAA has to be read together with state laws on medical information privacy,” Marshall notes.
In addressing those inconsistencies, the rules again become complex.
“As far as access to medical records,” Marshall says, “the stricter of the two privacy rules trumps. But in terms of the patient’s own access to medical records, the regulation that provides patients with the most access trumps.”
Most employers and employees are insulated from the variety of questions and fine-points surrounding HIPAA: responsibility for meeting the guidelines rests with the actual plan administrators.
But should you want to learn more — or be concerned that you need to — there are plenty of resources available.
“There’s a lot of HIPAA information available,” Marshall says, “both on the Web, and in books. Human resource associations have also put together a large amount of information. People can also get help from qualified consultants and lawyers.”
One word of warning: if you do decide to read the actual HIPAA regulations yourself, don’t drop it on your foot.