July 23, 2002
Corporate Connecticut Magazine, June/July 2002, by Susan Cornell

Perhaps your business is afloat in a sea of information about the federal "HIPAA" statute and implementation regulations from the Department of Health and Human Services ("HHS"). Combine navigating the waters of complexity with the mere thought of civil and criminal penalties for noncompliance and even the most steady of us shake. The questions are: what can we do to get a handle on HIPAA, and to whom can we turn?

HIPAA, The Health Insurance Portability and Accountability Act of 1996, was the result of efforts by the Clinton Administration and congressional healthcare reform proponents to reform healthcare. The goals and objectives of this legislation are to streamline industry inefficiencies, make it easier to detect and prosecute fraud and abuse, reduce paperwork, and enable workers of all professions to change jobs, even if they (or family members) had pre-existing medical conditions.

Jeanette C. Schreiber, partner in the HIPAA practice at Wiggin & Dana LLP as well as listed by The Best Lawyers in America in the category of best health care lawyers, explained, ""Within HIPAA are the so-called ‘Administrative Simplification’ provisions which focus on electronic transmission of health care information and protecting privacy and security of health information. While these new requirements will eventually simplify electronic billing and payment, implementing privacy and security requirements will be time consuming and resource intensive."

HIPAA brings to all segments of the health care industry both a new national standardization of concepts and practices for assuring the privacy and security of health information and a heightened awareness of privacy. The legislation marks a new era of information management. The next few years will bring an unprecedented focus to patient privacy rights and health information practices. Compliance will require a well-organized and substantial effort by covered entities.

Covered entities? HIPAA specifically applies to health plans, health care clearinghouses (entities which process health care data), and health care providers who transmit health information in an electronic form to carry out financial and administrative functions. HIPAA also contains requirements for contractors (or business partners) of these entities. As a provider, if you or any part of your organization provide health care services (very broadly defined and also including prescription drugs or products) and you perform any electronic billing, you are a HIPAA covered entity.

Informed Schreiber, "Although employers technically are not "covered entities" under the new regulations, many of HIPAA’s requirements will have a direct impact on employers that provide health insurance for their employees. HIPAA regulates how these health plans can use employee health information, and how that information can be shared with the employer. In many situations, employers will have to amend their health plans to comply with the regulations, and meet other requirements."

The HIPAA statute focuses primarily on the electronic exchange of health information. Nonetheless, as implemented by HHS and as applied in practice, the requirements are more far reaching and will, ultimately, likely govern essentially all collection, maintenance, transmission and disclosure of individually identifiable health information.

By April 14, 2003, doctors, hospitals and insurance companies must be in compliance with HIPAA’s privacy requirements or else face the possibility of severe civil and criminal penalties, including prison terms and monetary fines. Unintentional violations, could trigger the imposition of a penalty of up to $100 per violation, not to exceed $25,000 per calendar year. Intentional violations are punishable by fines up to $50,000, one-year imprisonment, or both. And, if an intentional violation is committed under false pretenses, the penalties increase to a five-year prison term, fines of up to $100,000, or both. Further, if a violation is committed with the intent to sell, transfer or use information for commercial advantage, malicious harm, or personal gain, the fines increase to $250,000, 10 years imprisonment, or both.

Major Sets, HIPAA regulations:

Electronic transactions and code sets - establishes standards for certain designated electronic transactions and data elements to be included, and standard code sets to be used by covered entities in these transactions. The original compliance date of October 16, 2002 can be extended one year by filing a compliance plan with HHS.

Privacy standards - establishes extensive and detailed requirements governing many aspects of the use and disclosure of health information. The final compliance date remains April 14, 2003. Covered entities subject to these requirements have a lot to do between now and then including inventorying and mapping all internal and external uses and disclosures, establishing "business associate" agreements with many vendors and contractors, developing and amending numerous policies and procedures, and educating the workforce in the new requirements.

Security standards - are still in proposed form. These will add further requirements to safeguard the integrity and confidentiality of information, including the need for numerous additional policies and procedures. Final regulations are expected by this fall.

The regulations promulgated under HIPAA are complex and far-reaching. The combined, coordinated, and organized efforts of individuals with legal, operational and information technology expertise will be essential to interpret and implement the comprehensive requirements.

The Wiggin & Dana HIPPA team is presently assisting an array of health care providers, systems and associations on HIPAA analysis and implementation. Provider clients range from a large academic medical center to individual practitioners and community providers. The group recently authored The HIPAA Handbook: Implementing the Federal Privacy Rule in a Long-Term Care Setting for AAHSA, the American Association of Homes and Services for the Aging. This 250-page manual addresses the practical application of the Privacy Rule in a long-term care setting and includes an implementation checklist and model forms.

"Also, although HIPAA is a federal law, it provides that state law that includes more stringent privacy protections remain in place. This means that compliance efforts must carefully track both federal and state requirements," said Schreiber.

Wiggin & Dana LLP has counseled health care providers, health care systems, provider associations, employers and other clients on privacy and the management of all forms of health information. The firm is committed to assisting clients in implementing and complying with HIPAA’s health information requirements and implementing regulations in a cost-effective manner. Wiggin & Dana’s HIPAA Practice is 8 attorneys strong and has acquired a depth of practical and legal knowledge and experience concerning the requirements and can provide legal assistance on any aspect of HIPAA. Says Schreiber, "The firm’s HIPAA practice grows out of our HealthCare law practice, which has existed for decades, and our Health Information Technology practice."

Founded in New Haven, Connecticut in 1934, Wiggin & Dana LLP provides legal counsel to an international client base of major corporations and institutions, as well as to private businesses, entrepreneurs, individuals, and families. From offices in New Haven, Stamford and Hartford, Connecticut and Philadelphia, Pennsylvania, the 150 attorney-firm serves clients throughout the United States, Canada and Europe. The firm's expertise includes all forms of litigation and dispute resolution, health care, intellectual property, antitrust, securities law, labor and employment, benefits, complex corporate and real estate transactions, health care and estate planning and administration.

A number of provider associations have engaged the firm’s HIPAA team to assist members with implementation, including the national PACE Association (PACE is the "Program of All-Inclusive Care for the Elderly," a new Medicare certification category).

"We also are working closely with a national home care consulting group, Simione Consultants, LLC, on a comprehensive implementation program for home care agencies and hospices that addresses all aspects of HIPAA from the legal, operation and IT perspectives."

Additionally, the firm is working with four different state provider associations to provide HIPAA services and resources. Team members, in conjunction with the firm’s employee benefits group, assist employers and health plans in management of health information and compliance obligations under HIPAA.

As stated by HIPAA lawyer Michelle Wilcox DeBarge, "the personnel and financial resources needed to implement HIPAA vary dramatically depending on the size, nature and complexity of each organization. Regardless of size or resources, a successful HIPAA implementation effort requires two key elements -- in house "ownership" and direction of the HIPAA implementation process -- and tailored integration of the various regulatory requirements into your own operational structure."

Getting Ready

"Providers who have not yet become familiar with the requirements may be surprised to learn how extensive they are and how much will be required to comply," said Maureen Weaver, Wiggin & Dana Health Care Department Chair.

Because of the complex and detailed nature of HIPAA, organizations who prepare for implementation in a thorough and well-organized manner will be assured of the most efficient (and cost effective) efforts. The Wiggin & Dana team suggests the following:

  • Appoint a "Chief."
  • A senior-level manager or other appropriate senior level person should be involved and ultimately responsible for an organization’s HIPAA efforts.
  • Develop a preliminary plan and establish working groups.
  • Appoint a "privacy official."
  • Inventory existing systems, policies, procedures and processes.
  • Inventory Contractual Arrangements. The organization needs to inventory vendor contracts, service contracts and other "business associate" arrangements. A written agreement containing required terms must be executed with each business associate.
  • Educate! Communicate early and often to all levels of the organization about the HIPAA requirements and the organization’s progress in implementing them.
  • Develop required forms, policies and procedures. HIPAA requires specific policies and procedures as well as forms to implement requirements ranging from patients’ rights to employee access to information to all aspects of release of information. Care must be taken to address both federal as well as state confidentiality laws and regulations.

There are a number of additional items in preparing for HIPAA such as beginning to work with your legal counsel, your state trade association and other similarly situated entities to develop a plan for analyzing which privacy and security-related laws, both federal and state, still apply.

On March 27, 2002, HHS issued proposed regulations that would modify certain standards in the Privacy Rule. A Notice of Proposed Rulemaking ("NPRM") contains these proposed modifications. Most importantly, the NPRM would allow health care providers to use protected health information ("PHI") for payment, treatment, and health care operations activites (both their own and certain activities of other entities) without patient consent. The NPRM takes the Privacy Notice requirements a step further by requiring covered entities that provide direct treatment to make good faith efforts to obtain patients’ written acknowledgement of the notice’s receipt. Additionally, the NPRM provides a limited one-year extension for amending particular existing agreements to comply with the business associate standards, proposes changes to various provisions of the privacy rule, and explains that "incidental disclosures" of PHI in the course of an otherwise permitted use or disclosure would not violate the rule. Nevertheless, the basic substance of the current privacy rule will not change and implementation efforts should be underway.

A well-planned strategy that allows plenty of time for implementation will minimize the burdens of HIPAA. Planning ahead will also enable covered entities to incorporate strategies for effective use of the internet and information technology in improving and enhancing patient care. In addition, advance planning will allow for the development of "best practices" and proactive participation in shaping industry interpretation.

HIPAA remains a moving target. As such, the organization that understands the puzzle and its impact, has prepared for implementation, and has resources available will have an efficient and effective plan in place.