
HIPAA: 2004 and Beyond

June 2004

When I speak with colleagues, I get the sense that few of them have implemented any kind of plan to meet the mandates of the Health Insurance Portability and Accountability Act (HIPAA). This act is one of the most important pieces of legislation to take effect in recent years. Last year, around HIPAA's initial implementation, the act was discussed widely in lectures, in journals and among practitioners, but since then interest seems to have declined. Yet deadlines that many of us must meet are coming, and some have already passed. In fact, the standard behind the October 2003 deadline for electronic submission of Medicare claims takes effect this July 1: beginning on that date, payment will be delayed by at least two weeks for anyone not submitting claims to Medicare electronically. To avoid payment delays and other penalties tied to HIPAA non-compliance, read on. I'll review some of HIPAA's components, reiterate the deadlines for implementing them, and discuss the status of HIPAA enforcement.

It's the Law

HIPAA is the law, and it has withstood a variety of legal challenges. On April 2 of this year a federal district judge in Philadelphia dismissed a lawsuit challenging the constitutionality of the HIPAA Privacy Rule. The suit, filed a year earlier against the Department of Health and Human Services (HHS), claimed the rule unconstitutionally granted insurance companies, employers and others access to identifiable health information without patient consent. According to the Philadelphia Inquirer, U.S. District Judge Mary McLaughlin ruled that the Privacy Rule did not violate constitutional rights to privacy and due process, and that HHS Secretary Tommy Thompson had not acted arbitrarily in implementing it.1

HIPAA is meant to keep digital patient information private and secure and to create standardized modifiers, transaction codes and identifiers for healthcare providers. A variety of deadlines attach to the Privacy Rule, the Security Rule, the Employer Identifier Standard and the National Provider Identifier, which I'll discuss later in this article.2 HIPAA applies to the following covered entities:
1. a healthcare provider who conducts certain transactions in electronic form (called here a "covered healthcare provider")
2. a healthcare clearinghouse
3. a health plan

Within HHS, the Privacy Rule is administered and enforced by the Office for Civil Rights (OCR). Some consulting and education companies have claimed that they, their materials or their systems are endorsed or required by the federal government, HHS or OCR. This is not the case. The federal government does not endorse any private consultant's or education provider's seminars, materials or systems, and it does not certify any person or product as "HIPAA compliant." HIPAA does not require attendance at any particular seminar. All materials needed to gain a basic understanding of HIPAA are available at no cost on the HHS and OCR Web sites.3 Attending seminars can be helpful, but it is not required under the law.

Reviewing the Privacy and Security Standards

The privacy provisions of HIPAA apply to health information created or maintained by healthcare providers who engage in certain electronic transactions, by health plans and by healthcare clearinghouses. The final rule adopting HIPAA standards for the security of electronic health information (the Security Rule) was published in the Federal Register on Feb. 20, 2003. It specifies a series of administrative, physical and technical safeguards that covered entities must use to ensure the confidentiality, integrity and availability of electronic protected health information (PHI).

Specifically, PHI is individually identifiable health information: information that can be tied to a specific patient through identifiers such as date of birth or Social Security number, and that must therefore be kept protected and private.4 Covered entities that maintain or transmit health information must implement reasonable and appropriate administrative, physical and technical safeguards to ensure its integrity and confidentiality. They must also protect against any reasonably anticipated threats or hazards to the security or integrity of the information and against its unauthorized use or disclosure. Note the scope: only electronic PHI that a covered entity receives, creates, maintains or transmits is covered by the security standards and must be protected under them.5 (The Privacy Rule, by contrast, covers PHI in any form, including paper and oral.)

Transactions and Code Set Standards and Employer Identifier Standard

HIPAA also establishes transactions and code set standards and the Employer Identifier Standard, created to reduce administrative complexity and cost. The final rule adopting changes to the HIPAA Electronic Transactions and Code Set Standards was published in the Federal Register in 2003. It modifies a number of the electronic transactions and code sets adopted as national standards under HIPAA and eliminates the National Drug Codes (NDC) set as the standard for all providers except retail pharmacies; it does not adopt a standard for reporting drugs and biologics on non-retail pharmacy transactions.6 The Employer Identifier Standard deals with employers that provide health insurance to their employees and will be defined further in the future.

Decreasing Administrative Complexity

HIPAA mandated the creation of a National Provider Identifier (NPI) to reduce administrative complexity. The NPI final rule, which creates the unique health identifier for healthcare providers that HIPAA requires, was published in the Federal Register on January 23, 2004. Providers can begin applying for NPIs on the rule's effective date, May 23, 2005. All healthcare providers are eligible to be assigned an NPI; providers who are covered entities must obtain and use one. All HIPAA-covered entities must use NPIs by the compliance dates: May 23, 2007, for all but small health plans, and May 23, 2008, for small health plans.

The identifier situation is complicated, though. According to the Centers for Medicare and Medicaid Services (CMS), healthcare payers and claims clearinghouses may continue using legacy provider identifiers for internal processes after the May 23, 2007, NPI compliance date. So while providers must migrate to the new identifier, payers and clearinghouses can keep using the Unique Physician Identification Number, Medicare Provider Number, Medicaid Provider Number and others internally, mapping each NPI to the legacy identifiers already in their computer systems.7

HIPAA and Enforcement8

OCR began accepting privacy-related complaints against covered entities on Apr. 14, 2003. Complaints originate for a variety of reasons (see "Most Frequent Complaints Under HIPAA") and are most likely to be filed against those who have direct contact with patients (see "Most Claims Filed").9 As of March 1, 2004, OCR had received and initiated reviews of approximately 4,755 complaints under HIPAA,9 and approximately 43% of those cases had been closed. The reasons for closure include:
• OCR lacks jurisdiction under HIPAA (for example, the alleged violation occurred before the compliance date, or the allegation is against an entity not covered by the Privacy Rule).
• The activity complained about does not violate the Privacy Rule (for example, the covered entity declined to disclose PHI in circumstances where the Privacy Rule would permit, but not require, such a disclosure).9

Some complaints have been satisfactorily resolved through voluntary compliance (for instance, cases where a covered entity provided access to medical records after allegedly having denied it).9 The number of HIPAA breaches that OCR has referred to the Department of Justice for criminal action is unknown.9

HIPAA does not provide a private cause of action for violation of its standards. Nevertheless, plaintiffs have tried to piggyback on HIPAA's requirements and strictures.9 Litigation now in the courts seeks to identify existing state or federal statutory or common law that would give states or patients remedies for HIPAA violations, and to determine whether claims for violation of patient-privacy mandates should parallel the rules of HIPAA.9

Make Way for HIPAA

HIPAA is now in force, and its components are being phased in gradually. The best way to make HIPAA dovetail with medical practice is to learn about it and integrate its mandates into clinical practice.