HIPAA Update: Are You Ready?
It had long been assumed that many medical practices (including podiatric practitioners) were lagging behind in complying with then-forthcoming HIPAA regulations. The actual figures released after the recent October deadline confirm those assumptions. The Centers for Medicare and Medicaid Services (CMS) indicate about 550,000 health care organizations filed for a one-year extension to delay HIPAA compliance. “It had previously been estimated that there were more than 2 million physician practices and other clinical Level 1 entity groups impacted by the law,” according to Dr. David Marcinko, MBA, CFP. “A dismal response to the first major milestone in implementation of electronic transmission standards shows how unprepared many physicians and covered entities are for meeting HIPAA requirements,” continues Dr. Marcinko, CEO of Marcinko Advisors and Associates, partners in the referral exchange and educational portal Medical Business Advisors. “There was such a low turnout (that) everyone’s wondering whether those (other doctors) think they’re compliant or are they still so confused that they don’t know what to do,” says Raymond Posa, founder of R. Francis Associates, a Belmar, N.J.-based medical consultancy. “Everybody’s taking a wait and see attitude. Part of the problem is that, because this was phased in over time, in pieces, practices might think, ‘I don’t have to comply. The whole thing’s not in effect yet.’ And they’re wrong.” The fate of those who did not file is still unclear. “CMS is prohibited by law from accepting any more requests for extensions and has even removed the extension application from its Web site,” notes Dr. Marcinko. “In theory, physicians who did not file for an extension were required to be in compliance with the new standards after Oct. 16, 2002.” Paying The Cost Of Compliance The cost of complying with HIPAA regulations is often cited as a primary reason why many practices have been so reluctant to move forward. “Working with physicians, and in the health care industry as a whole, I’ve found they typically don’t like to spend money on things like this,” says Kevin Beaver, founder and President of Principle Logic, LLC, a security consultancy. “As a result, they are usually a good bit behind the technology curve.” “HIPPA will be so much more costly than realized,” maintains Dr. Marcinko. “Of course, the full cost of this regulation is unknown, but according to several of our private strategic alliance partners, it is expected to exceed the cost of Y2K compliance by fourfold, in the aggregate. This breaks down to about $15,000 to $20,000 the first year, or considerably more than the $1,500 to $3,700 cited by (the Department of Health and Human Services) for each ‘doctor of medicine.’” Marcinko considers this cost to be more than a little ironic, considering the initial goals associated with HIPAA. “One of the primary goals of HIPAA is to reduce the 17 percent administrative cost of healthcare through the standardization of electronic transactions into a single format,” he notes. “The primary goal of HIPAA is not necessarily security, although it certainly is an objective. Not very facetiously, since more than 50 percent of DPM Medicare reimbursement is for toenail debridement, one might conclude that all these security measures are a bit much for the delivered service.” A Brief History On The Origins Of HIPAA With so much controversy swirling around compliance, some might have forgotten how and why HIPAA regulations came about. Initially, the Health Insurance Portability and Accountability Act of 1996 gave Congress until August 1999 to pass comprehensive health privacy legislation. When no such law was passed in the allotted time frame, HIPAA provided the Department of Health and Human Services (HHS) with the authority to draft such rules, in conjunction with recommendations submitted to Congress by the Clinton administration in 1997. “The HIPAA concept is not new, although the act itself became law in 1996,” notes Dr. Marcinko. “The Federal government and HCFA have planned a shift to electronic data interchange (EDI) for more than a decade. How ironic that it is also known as the Healthcare Administration Simplification Act?” Indeed, administrative simplification was one of the primary goals of the legislation, along with insurance portability and fraud enforcement. There are four specific areas covered in the legislation: • privacy of patient health information must be assured; • electronic transactions and code sets must be standardized; • standard unique employer identifiers must be used in connection with certain electronic transactions; and • security of electronic health information must be assured. Compliance is required of four “covered entities,” as defined by HHS: healthcare providers (hospitals, doctors, pharmacies, etc.); health plans (including HMOs, PPOs, Medicare and Medicaid); health care clearinghouses; and “business associates” (a group that includes lawyers, consultants, auditors and others who perform activities involving health care information). Compliance deadlines were set (see “Timeframes For HIPAA Compliance” below) and the HHS Office of Civil Rights (OCR) was given the responsibility of enforcing the regulations. Meeting The Challenges Or Ignoring Them There were many challenges for all involved parties—regulators and those being regulated. Communication of the policy was an initial concern and some would argue it still is. “I’m still meeting people, to this day, who have not heard of HIPAA,” says Beaver. “Maybe HHS and OCR aren’t getting the word out. If the doctors are reading any sort of magazine or papers, they’ve got to be hearing about this stuff. It’s going to take somebody getting caught or something bad happening before people will start taking compliance seriously.” The sheer enormity of the undertaking has likely contributed to the low level of initial compliance. “I think they’re just so overwhelmed by the volume of it,” offers Posa. “The actual text is over 82,000 pages.” Beaver agrees. “They see this as an 800-pound gorilla being forced down upon them. They think HIPAA is this huge monstrosity that they won’t be able to handle. Especially (when it comes to) the smaller practices that have limited or no staff to deal with this, they think, ‘What are we going to do? We can’t handle this.’” Be Wary Of Shortcuts That Sound Too Good To Be True Smaller practices received some relief in late 2001 when President Bush signed the Administrative Simplification Compliance Act, which among other things, exempts practitioners with fewer than 10 full-time employees (designated “small providers of services or suppliers”) from HIPAA compliance. However, this relief may only be a mirage. “For mom and pop practices, or solo providers, there will be no real practical relief from HIPPA regulations,” says Dr. Marcinko. “For example, how will a solo doctor communicate with covered entities, such as the hospitals, ASCs, WCCs, podiatrists and other physicians who do comply? And will the compliant entity desire to interface with the non-compliant one? How will the non-compliant entity appear to them and their patients when a patient brings in a stack of paper records upon referral and the covered entity seeks to e-mail them? “There will be a strong sense of ‘moral persuasion’ for non-covered entities to comply,” he continues. “And, except for practitioners literally about to retire, EDI is the future. The dissenting dinosaurs will not survive.” The remaining non-dinosaurs that are compliant face a different environment and, potentially, a different set of protocols when dealing with patients. “The whole concept of HIPAA, as I understand it, is all about an attitude,” says Barry Mullen, DPM, who practices in Hackettstown, N.J. “You then have a policy and protocol that you put in place to back that up. A lot of people have been HIPAA-compliant of a kind for years. For them, it’s a matter of tweaking some things in order to be fully compliant with the regulations as they’re defined now.” “One of the interesting things I’m seeing is that people will tell me they’re HIPAA-compliant because their practice management vendor says their software is compliant,” notes Beaver. “That is a huge misconception. HIPAA compliance does not come in a box. “We’re talking about serious change,” he continues. “Doctors are going to have to change the way they do business. I think a lot of people are seeing this as a technology issue. Granted, that’s part of it, but HIPAA is not solely about technology. It’s about privacy and security and it ties more into business processes, the management of businesses, how they do business.” Will ‘HIPAA Police’ Check On Your Compliance Efforts? This doesn’t mean the “HIPAA Police” will be knocking down your door if you are not compliant. “If there is such a thing as ‘HIPAA Police,’” says Beaver, “they’ll be understaffed and have a massive lack of resources, just like any other law enforcement entity. I seriously doubt they’ll come knocking on doors, at least in the beginning, doing random audits. It will likely take something bad happening—a customer complaining, a partner complaining about a specific practice not adhering or an insurance organization complaining.” “HIPAA is not punitive in nature,” observes Dr. Marcinko. “The agency has said it will take a complaint-driven approach to enforcing the transmission standards. Even when a complaint is filed, CMS seeks to ‘bring into the fold’ rather than make use of the noncompliance penalties included in the law.” Still, there are consequences for non-compliance. Civil penalties may reach up to $100 per violation, with a $25,000 per annum cap. Criminal penalties include fines reaching $250,000 and/or imprisonment for up to 10 years. While punishment might widely vary, one thing is for certain—HIPAA will be enforced. Dr. Marcinko offers an example of such enforcement. “All a compliance-checking entity might do is automatically send an e-mail to covered entities, requesting a sample secure e-transmission of medical records or billing statements or operative reports, office notes, a digital certification of authenticity or a registration number of the provider entity,” points out Dr. Marcinko. “Instantaneously, the requesting agency will know if the entity is compliant. This is virtually a cost-free, frictionless policing mechanism for CMS, in particular, to determine compliance.” What To Do If You’re Not Compliant Since the odds are good that your practice is not among those that either immediately complied with HIPAA regulations or filed for an extension, you might heed the following suggestions on getting compliant or at least start the compliance process. • Get a privacy officer in place. The first thing a practice should do when achieving HIPAA compliance is to put someone in charge of the effort. “Delegate a HIPAA privacy officer right away,” says Beaver. “Someone in the organization needs to be responsible for either doing this themselves or for outsourcing it. Either way, there’s got to be a point of contact in the organization, someone with decision-making power. Otherwise, it won’t get done.” While a DPM could conceivably fill the position, it is often better to select an office manager to lead the way. “Office managers likely have more access to information than the doctor does,” explains Posa. “They’re responsible for day-to-day operations of the practice. The doctor can’t just, off the cuff, point to someone and say, ‘Okay, you’re the HIPAA compliance officer—take care of it.’ They must embrace it wholeheartedly and support this person, because it is such a major undertaking in the beginning. It will taper off, but there will always be some effort and maintenance required to keep it up and running. A halfhearted effort will come back and bite you in the end.” Perform Self-Checks And Consider Outside Audits • Conduct analyses. Another step is for you and your compliance officer to sit down and do your homework, both within the practice and outside it. “Read and learn all about the new regulations and begin to budget for their compliance and execution,” says Dr. Marcinko. “Then perform an office risk assessment for the following general areas: office computers, MIS, IT and network security measures; office physical security and e-security, firewalls and intrusion detection for computers and networks; backups and disaster IT plans; employee awareness, skill levels and workloads; and attitudes about security and HIPAA policy adherence.” Dr. Marcinko says your assessment results may dictate the need for an outside audit for more specific areas such as access control, tracking, authorization, data authentication, entity authentication and EDI communication over open networks. Emphasize Training And Documentation • Train and document. Your compliance efforts will fall apart if your office staff is not on board with your mission. “Doctors and practice managers also need to remember to train their people, not only before regulations take effect, but on an ongoing basis as well,” notes Beaver. Documentation of compliance efforts is clearly essential. “Anything you’re doing with relation to transactions, privacy or security has got to be on paper, to say ‘This is how we do it here,’” maintains Beaver. “That documentation has to be maintained. The policies and procedures will eventually change because business processes are going to change, technology is going to change (and) the threats and vulnerabilities and such are going to change.” Monitor The Pulse Of Your Compliance Efforts • Keep up with things. Maintaining the focus of your staff on privacy and security is and will be an ongoing concern, a fact some doctors and office managers are not ready to hear or deal with. “A lot of people think they’ll be able to put the policies and procedures in place, achieve compliance, and that will be that—they won’t have to revisit or revise anything,” claims Beaver. “That’s not the case. They’re going to have to manage this on an ongoing basis. HIPAA is not like Y2K. It won’t come and go.” Often, keeping up with compliance-related responsibilities is a simple matter of using common sense and, on occasion, looking at your practice through the eyes of your patients. “I try to walk into my own office and see all the different aspects of the practice from the patient’s perspective,” says Dr. Mullen, “to see where I, as a patient, would feel violated, or where some aspect of my personal medical information is being violated. We make our changes to policy based upon how we feel when we go through our own office, and inspect our own plan.” Indeed, some of the more mundane things in the office can cause the most privacy problems. “We look at the location of fax machines and copiers, the orientation of computer screens, the security of phone lines and where conversations take place—particularly in the waiting area,” points out Dr. Mullen. “We make sure there’s no exchange or discussion of private medical information within earshot of the waiting room or anywhere there are patients. Once people leave the office, we try to create the mindset in which they’re careful about what they say.” “You don’t necessarily need to erect walls or gates to protect your patient information,” concurs Posa. “A little common sense will go a long way toward addressing those issues.” Mr. Smith is a freelance writer who lives in Cleona, Pa.