
Getting a Handle on HIPAA
Critical changes are developing in federal law and regulations that will have a major impact on any person or organization that handles health care information. You either have been or soon will be bombarded with a sea of information about the federal “HIPAA” statute and the implementing regulations coming from HHS. This advisory will give you a framework for understanding the several pieces of the HIPAA puzzle and how they will impact your organization, and will suggest steps to take now in this early phase of HIPAA implementation.

THE BASICS OF HIPAA

In 1996, Congress responded to a myriad of pressures and concerns about the rapidly developing world of health information technology by enacting a comprehensive structure for regulating the flow and protection of health information. The Health Insurance Portability and Accountability Act (“HIPAA”) contains, among other things, “Administrative Simplification” provisions that address the electronic transmission, storage, security and privacy of individually identifiable health care information. HIPAA specifically applies to “covered entities,” which are health plans, health care clearinghouses (entities that process health care data), and health care providers who transmit any health information in electronic form to carry out certain administrative and financial functions. HIPAA also contains requirements for contractors (“business partners”) of these entities who handle identifiable information.

Although HIPAA is focused specifically on health information that has been electronically transmitted or stored, we believe that the HIPAA requirements will ultimately affect the handling of all individually identifiable health care information. The HIPAA security and privacy requirements are “scalable,” meaning they have been designed in recognition that entities of all types and sizes will be subject to their requirements. Generally, HIPAA regulations will not require that specific technological approaches be adopted but instead will establish conceptual standards that must be met, along with many administrative policies and procedures. Organizations attempting to determine “how much is enough” will need to be guided by evolving industry interpretation of the standards as well as a combination of care and attention to detail, good faith and common sense.

Congress provided strong penalties for violations of HIPAA. The Department of Health and Human Services (“HHS”) may impose civil fines of up to $100 per violation, with an annual $25,000 cap for violations of an identical requirement. Criminal penalties are also available, with fines of up to $50,000 to $250,000 and imprisonment of up to 1 to 10 years, depending on the nature of the violation.

HIPAA will generally preempt state laws that cover transmission, security and privacy of health information except where HHS determines that the state law should prevail. However, in the area of privacy of individually identifiable health information, state laws that are more stringent will remain in effect.
HHS Regulations

Congress directed HHS to develop regulations in several areas to implement the requirements of HIPAA. To date, HHS has published several sets of proposed regulations and one set of final regulations. These regulations contain detailed requirements addressing major health information systems and issues. Each will require the review and development of systems for managing information and the implementation of new administrative policies and procedures. HIPAA requires full compliance with regulations within twenty-four months after their final effective date. The major HIPAA regulations are as follows:

- Standards for Electronic Transactions

On August 17, 2000, HHS published final HIPAA regulations containing standards for eight electronic transactions and for code sets to be used in the transactions. The covered transactions for which standard codes must be used and accepted by covered entities are: health care claims or equivalent encounter information; eligibility for a health plan; referral certification and authorization; health care claim status; enrollment and disenrollment in a health plan; health care payment and remittance advice; health plan premium payments; and coordination of benefits. Full compliance with these regulations will be required by October 16, 2002.

- Standards for Security and Electronic Signatures

On August 12, 1998, HHS issued proposed HIPAA regulations for security and electronic signature standards. The proposed security regulations contain standards for the security of individual health information held by health plans, or by health care clearinghouses or health care providers that transmit, receive or maintain health information electronically. The rule requires covered entities to assess the security of the health data they possess and to implement various security measures. These measures include administrative policies and procedures, physical safeguards, and technical security services and mechanisms to protect the integrity, confidentiality and availability of health data. The proposed security regulations also include an electronic signature standard for use in connection with a standard transaction. Final security regulations are expected before the end of 2000.

- Privacy Standards

On November 3, 1999, HHS published proposed HIPAA privacy regulations. During the formal comment period, HHS received nearly 52,000 comments on this proposal. The proposed privacy regulations contain standards for the privacy of individually identifiable health information that has been electronically transmitted or electronically maintained by a health plan, health care clearinghouse, or a health care provider. These requirements are extensive and detailed and will govern the use, maintenance and disclosure of individually identifiable health information. The regulations describe the various procedures, policies and training that covered entities must put in place and provide for an individual’s right to review and request changes to health information. Final privacy regulations are expected before the end of 2000.

- HIPAA Enforcement and Compliance

HHS has stated that it will publish proposed rules governing HIPAA enforcement and compliance within the next year.

A detailed summary of the HIPAA statute and regulations is available on the Wiggin & Dana web site.

GETTING READY FOR HIPAA

Because of the complex, detailed and far-reaching nature of HIPAA, any organization that will be subject to these requirements should begin preparing now for implementation. We believe that a thorough, well-organized process will help assure the most efficient and cost-effective implementation effort.

1. Appoint a “Chief”

It is very important that a senior-level manager or other appropriate senior-level person be involved in and ultimately responsible for an organization’s HIPAA efforts. Keep in mind that HIPAA involves not only ensuring the security of patient-identifiable information from an information technology perspective, but many other facets of information management and use as well. Implementing HIPAA will therefore affect a variety of processes and individuals within and associated with an organization. Take time to determine who is best to lead the way as the chief HIPAA officer. The chief HIPAA officer should be someone who has demonstrated over time the ability to work as part of a larger team to oversee complex, large projects involving diverse groups across the organization. The chief HIPAA officer, or an individual under the chief’s supervision, also can ultimately serve as the “privacy official” required under the proposed privacy regulations.

Also consider carefully who else the organization should tap to work closely with the chief HIPAA officer to ensure the HIPAA effort is effectively planned, organized, implemented and maintained in the future. In many larger organizations, implementation of the different parts of HIPAA will be handled by separate implementation teams. It is important that their efforts be well coordinated through the chief HIPAA officer.

Entities that are part of a health system will benefit from close coordination of HIPAA implementation efforts across the system. Such coordination should involve assessing the sharing and common use of health data and information within the system and standardizing issues of interpretation and the development of policies and procedures.

2. Develop a Preliminary Plan and Establish Working Groups

The chief HIPAA officer or the chief’s designee should review the proposed HIPAA requirements and develop a preliminary plan that includes the various processes and tasks to be accomplished. Some of these processes and tasks are discussed further below. The preliminary plan also should include preliminary timeframes for completing tasks. As part of the preliminary planning process, the chief HIPAA officer, in consultation with the entity’s governing body, may want to establish a HIPAA Steering Committee composed of a cross-section of the organization’s staff. The HIPAA Steering Committee should include representatives from senior management and key legal, clinical and information technology staff. The preliminary plan might also include tentative working groups corresponding with the identified processes and tasks in the preliminary plan.

By its nature the plan can be only preliminary at this stage, until a full inventory of systems, procedures and contracts is completed. It is important that, prior to implementing the plan, the chief HIPAA officer consult with members of the Steering Committee to flesh out and modify the plan. Input from the Steering Committee could be supplemented with one-on-one interviews with key staff members representing a cross-section of affected groups. The plan should include a preliminary assessment of the support staff needed to assist with the HIPAA effort and a determination of whether the entity may need to hire additional staff. The plan should address budgetary issues, including costs associated with becoming HIPAA ready and ongoing costs associated with maintaining HIPAA compliance.

3. Inventory Existing Systems, Policies, Procedures and Processes

Well before beginning to implement any of the HIPAA requirements, an organization will need to review and inventory existing procedures and processes to determine how the transaction standards will affect its internal operations and to determine how patient-identifiable information is used and disclosed. The organization should develop a “data map.” That is, it should determine where patient information resides, and how patient information flows within, and into and out of, the organization, including whether patient information flows across state lines. The data map should also include what types of information are involved (e.g., HIV/AIDS, psychiatric, drug and alcohol or other highly sensitive information) and who is permitted to have access to, or has the ability to access, the information. The organization will also need to inventory what patient authorizations, if any, are used. This data map can be developed, and the inventory conducted, using a combination of methods, including questionnaires, staff interviews, collection and review of relevant policies (e.g., medical records policies and security policies), and review of other relevant documentation, such as authorization forms.

The organization will also need to inventory relevant software systems to determine whether the systems address HIPAA requirements or can be modified to aid in the HIPAA compliance effort. For example, do the systems provide a mechanism for auditing who has reviewed patient-identifiable information? Do the systems include features that limit access to patient-identifiable information or address HIPAA’s minimum necessary requirements? The involvement of information technology staff is critical here. The organization’s information technology inventory for Y2K may also be useful in this regard.

4. Inventory Contractual Arrangements

The organization should begin to inventory vendor contracts, service contracts and other “business partner” arrangements. Develop a list of new contractual provisions and protections that should be considered for “chain of trust” security agreements and business partner agreements, including a business partner certification form that can be used on an annual basis to certify the business partner’s ongoing compliance with HIPAA.

5. Lay the Foundation. Educate!

Communicate early and often to all levels of the organization about the HIPAA requirements and the organization’s progress in implementing them. This will serve not only to educate staff and lay a foundation for future training efforts, but also to facilitate staff acceptance of the changes brought by HIPAA. In addition, clear and plentiful communication will allow the chief HIPAA officer and the Steering Committee to refine the HIPAA plan over time in a way that addresses practical issues and the unique and varied components of the organization. Be sure to communicate to key players, including the medical staff, through an intranet HIPAA page, interviews, memos, e-mail, informational luncheons or breakfasts, and other media.

6. Assess Situation and Draft Recommendations

After inventorying the organization’s policies, procedures, processes and contracts, the chief HIPAA officer will need to assess the organization’s needs and any technical, staffing and organizational deficits. The chief HIPAA officer should prepare a report to the Steering Committee informing the Committee about the organization’s HIPAA preparedness and the organization’s needs and deficits. The report should relay recommendations about what needs to be accomplished to be HIPAA compliant and should prioritize the recommendations, to the extent possible. The chief HIPAA officer should obtain the Steering Committee’s support for the recommendations, and then begin implementation through working groups and defined tasks and deadlines.

7. Gather Resources

There are already voluminous amounts of general HIPAA information being developed and marketed or shared over the Internet by consultants. These include a variety of boilerplate policies and procedures and recommendations for HIPAA compliance strategies. Recognize that materials prepared before the final privacy and security regulations are adopted may need modification to ensure full HIPAA compliance. Also, use great care in applying any boilerplate policies to your institution; each policy must be tailored to your organization’s unique operational structure and reviewed for compliance with applicable state laws. Your state trade association can be a very good source of information and a vehicle for addressing implementation issues.

8. Other Tasks

An organization will also want to consider a number of additional items in preparing for HIPAA, such as the following:

- Begin to work with your legal counsel, your state trade association and other similarly situated entities to develop a plan for analyzing which privacy and security-related laws, both federal and state, still apply under HIPAA. It is necessary to examine other state and federal laws and to consider how they interact with HIPAA in developing policies and procedures and in determining how your organization will actively use and disclose information. If you conduct business in multiple states, you will also need to inventory and assess state requirements in each state where health information is transmitted, maintained, disclosed or used.

- Review the organization’s insurance coverage to determine whether it will cover liability arising from violations of the HIPAA requirements, including violations by business partners.

- Begin to collect and review employee handbooks/policies in preparation for incorporating HIPAA requirements.

- Include language in all new vendor and service contracts, or contracts renewed prior to the issuance of the final rule, allowing the organization to amend the contract automatically to comply with HIPAA and explicitly obligating the contractor to be HIPAA compliant.

- Begin to consider and discuss strategies for monitoring staff and business partner compliance with the final HIPAA requirements.

By planning for HIPAA now through steps such as those listed above, covered entities will be in the best position to assess the gaps between their current systems and processes and those required under HIPAA. Once this assessment is completed, an organization can move on to determine the financial resources and organizational efforts required for full HIPAA implementation.

For more information on HIPAA, please contact one of the following individuals:

Jeanette C. Schreiber, Telephone: (203) 498-4334
Michelle Wilcox DeBarge, Telephone: (860) 297-3702
Paul S. Curtin, Telephone: (203) 498-4359