HIPAA Compliance: Do You Make The Grade?
The clock is ticking. In another step of a process which began in 1996, the Centers for Medicare and Medicaid Services have set a deadline of April 21, 2005 for compliance with the security standards of the Health Insurance Portability and Accountability Act (HIPAA). Is your practice ready to meet the deadline?

The voluminous data on HIPAA compliance lays out broad guidelines for maintaining security. As the final rule from the Federal Register states, healthcare organizations must “ensure the confidentiality, integrity and availability of all electronically protected health information,” and protect such information against security threats or uses that the act does not permit. HIPAA allows DPMs to use any security measures that allow them to implement standards reasonably.

About 70 percent of healthcare institutions are complying with the standards, according to the American Medical Association (AMA), and American Podiatric Medical Association President Lloyd Smith, DPM, said recently he believes podiatrists are complying at a similar rate (see page 12, “News And Trends,” May issue). However, although large institutions are complying with the act, the AMA estimates compliance among small practices is about 15 percent.

Although the information available on HIPAA can seem overwhelming, the act does give practices latitude to safeguard their healthcare information in a manner deemed reasonable. The key, according to those in the know, is educating yourself and your staff on what is required. “When your staff is properly educated with respect to the various compliance issues, they become well positioned to win the game while carrying out their duties more efficiently and with reduced stress,” says Barry Mullen, DPM.

Educating Yourself And Your Staff On HIPAA’s ‘Reasonable Standards’

As noted above, the act requires adherence to “reasonable standards” of privacy and the government lists various mandates.
HIPAA requires you to assess the risk of violation of patient privacy, implement a process to safeguard data and devise sanctions for employees who violate security. The act also advises limiting physical access to records, having a contingency plan to store data in case of emergency, and backing up data.

Even before the act took effect, state laws required healthcare providers to adhere to reasonable standards of patient confidentiality, according to Dr. Mullen, the Healthcare Compliance Advisor for the American Association of Podiatric Practice Management (AAPPM). “HIPAA basically forced health care practitioners to streamline compliance protocols, which ultimately is a good thing,” says Dr. Mullen. “In the long run, compliance plans will become to healthcare compliance issues as office policy manuals are to the overall concept of practice administration.” Dr. Mullen says compliance plans are invaluable reference sources for physicians and staff to work together in achieving ultimate compliance outcomes in the most efficient manner possible.

Establishing a compliance plan is an important step and a vital part of educating staff on the changes, concurs Lynn Homisak, PRT. She says her office created its own compliance manual, which was modeled on the APMA HIPAA Manual. Homisak, a Trustee of the AAPPM, adds that attending HIPAA lectures at different meetings also facilitated a better understanding of HIPAA compliance. “It was beneficial to attend meetings that offered HIPAA presentations, which allowed us to better align ourselves in terms of compliance to ongoing education,” notes Homisak.

Dr. Mullen agrees, noting that seminars, Web sites and compliance newsletters are valuable tools for educating yourself and your staff on HIPAA compliance. He emphasizes the importance of investing time and money to stay abreast of compliance issues.
What You Should Cover And Address When Meeting With Your Staff

Meeting with your staff can further enhance the education process, according to Steven Peltz, CHBC, the president of Peltz Practice Management and Consulting Services. In the first meeting, Peltz says you should summarize the significance of the HIPAA rules. He recommends discussing the following provisions:

• when you can and cannot give out information on the telephone;
• what is required of “business associates” and who they are;
• what is required when a payer asks for charts for an audit; and
• how to reduce or eliminate talking about a patient in a public setting.

In the second meeting, Peltz suggests reviewing what your practice has implemented and what you may need to alter. As part of the final meeting, he recommends establishing a process of reviewing the HIPAA implementation plan every six months. Peltz says you should ensure the privacy officer knows what he or she is responsible for, and assign someone to teach the HIPAA process to new staff.

However, as Hal Ornstein, DPM, notes, it is difficult to get one’s staff to buy into the regulations and it can be difficult to take the time of a busy staff to brief them on the changes that need to be made. He also has found a general trend of DPMs ignoring HIPAA. “I don’t think people are taking it seriously enough,” notes Dr. Ornstein, the President of AAPPM. “We’re trying as much as we can to educate ourselves in our profession.”

How You Can Streamline Adherence To Technology Standards

While the changes required for HIPAA compliance may seem daunting, some offices have made simple adjustments in the way they practice to ensure they follow the privacy rules. John McCord, DPM, has made a few simple changes and says the required HIPAA regulations have “not made a significant difference” in his practice. One such adjustment in his Centralia, Wash. practice included installing flat-panel LCD computer screens, which staff can turn away from patients to help ensure privacy. He notes additional benefits of the new screens are less eyestrain and fewer headaches for the staff.

Dr. McCord’s practice also discontinued the use of online transcription since it seemed to be vulnerable due to easily determined passwords. His practice replaced this with voice recognition software but he acknowledges the transcription can be difficult to decipher. Dr. McCord, a Diplomate with the American Board of Podiatric Surgery, also began using an outside billing service, which helped in dealing with billing compliance issues.

While HIPAA does not require the use of specific technologies, reasoning that technologies can become outdated, the following technical safeguards are required: assigning a unique ID to track information users and establishing procedures to access electronic information during an emergency. The act lists “addressable” rules, for which a practice may maintain an equivalent procedure, such as having an automatic logoff from the system after a period of inactivity and encrypting data.

Peltz maintains that most practices are already doing what is required by HIPAA, although he concedes the electronic standardization is a “major step” for healthcare providers to understand. When it comes to ensuring compliance with electronic records, Peltz says practitioners should turn to their software manufacturer, payer provider representative or refer to the HIPAA Web site, www.cms.hhs.gov. Since he has found few practices can tackle such tasks on their own, Peltz recommends seeking the advice of someone with experience. Homisak says the computer company contracted by her practice handled the HIPAA-mandated technology requirements.
Simple Changes You Can Make To Comply With Privacy Rules

Aside from the technology requirements, there are simple changes physicians and staff can make in their day-to-day office routine to follow the rules. Since HIPAA regulations forbid staff from discussing patient information, Homisak says she and fellow staff are especially vigilant about never discussing such information, even with a patient’s friend or relative. Homisak and Dr. McCord also emphasize keeping patient charts out of public view as the front desk is open to the waiting room.

In addition, Homisak says the office staff has had to change its phone protocol and now is more careful to call insurance companies when the reception room is empty — either before or after patient hours — so others do not overhear information such as other patients’ Social Security numbers. They also leave the front desk and go to a more secluded area to call in prescriptions to pharmacies. “Our patients seem to accept our explanations, knowing that in similar circumstances their privacy will be equally protected,” she says.

Dr. Ornstein says he has HIPAA documents posted in the office. While the staff should offer copies of regulations to patients, Dr. Ornstein concedes that some are not doing that.

Dealing With The Effect Of Compliance On Patients

Likewise, Homisak says her staff initially felt that making some HIPAA-required changes was an inefficient use of time. She says it was difficult in the first month to get patients to read and sign privacy statements. Some patients adapted well to signing the new forms but others did not. “Many seemed to be bothered by having to sign another document and hardly anyone wanted to actually take a copy home with them,” recalls Homisak.
“In fact, most verbalized that they thought it was nonsense and were ‘fed up’ with having to do the same thing with every doctor’s office and pharmacy they frequented, but then they just signed it and said nothing more.” After some time, Homisak says patients were familiar with the routine from experience with other doctors so the staff did not need to explain it too much.

Additionally, Homisak’s office had to be vigilant against possible duplicated patient signatures. This did have its upside, she says, since podiatric offices united forces to share methods of dealing with such a problem. For example, she notes methods for dealing with a duplicated signature problem included: opening the chart to see if one had already been signed; using customized labels on the outside of the charts; or using a sticker with a cartoon of a hippo, signifying there was a HIPAA signature inside the chart.

“We tried to be more aware and policed ourselves of any patterns of non-compliance,” says Homisak. “If we found non-compliant behavior, we made changing it a priority.” To date, her office has not had any formal HIPAA-related complaints and they have not needed to issue any sanctions for intentional or accidental incidents of non-compliance. “We’d like to keep it that way,” offers Homisak. “Our decisions now place an even greater emphasis on patient privacy as we strive to make every attempt to keep patient information protected.”

Is HIPAA Truly Overwhelming Or Does It Reflect Common Sense About Patient Privacy?

So how effective is HIPAA at keeping patient information private? Although Dr. McCord feels HIPAA’s effectiveness at ensuring patient privacy remains to be seen, he thinks its provisions are necessary since a lot of private information is stored in data banks. “Just the presence of the HIPAA program has had a positive effect on the attitudes of the medical profession about privacy,” explains Dr. McCord.
Raymond Posa, MBA, agrees and notes that requiring practices to safeguard information has been a positive change. Posa, the Technology Advisor to AAPPM, says some practices previously took oversight of patient information for granted before HIPAA gave patient privacy a structure DPMs could follow. Posa notes the act gives healthcare practitioners a sense of continuity as far as privacy.

Before HIPAA standardized practices, Dr. Mullen was among the DPMs who made changes to his practice. He started to implement healthcare compliance protocols, going beyond just HIPAA, well before any imposed deadlines approached. Dr. Mullen says this made for a relatively easy transition once the guidelines became federally mandated. As a result, he says his practice has had little trouble complying with HIPAA mandates, noting the experience has been “very positive.”

Homisak notes her office has “never really felt overwhelmed” by the HIPAA changes. “My belief has always been that the HIPAA rules put in place are, for the most part, common sense rules that every office should have been following all along in order to assure patient privacy,” she states. “The changes that we have made as a result of new ‘laws’ have only enhanced our ability to carry them out more effectively.”

Consultant Kevin Beaver, the founder and President of Principle Logic, LLC, concurs. “The bottom line is that most of the HIPAA privacy and security requirements should already be in place anyway,” notes Beaver. “It’s just common sense.”

However, Dr. McCord notes a downside to the privacy rules. Hospital staff now cannot provide patient information or acknowledge the admission of a patient even if one calls to get a report on a relative or friend. This is a change from his experience in the 1960s, when the local newspaper would publish the names of people in the hospital and local clergy would pray for the sick. Dr. Ornstein also finds another drawback to privacy rules.
Although he does not call patients back to the treatment room by number, and DPMs are not required to do that, he says some practices have done this. Patients can “feel like a number,” which he believes can risk the practice’s humanistic aspect.

Making The Commitment To HIPAA Compliance

The key to a smooth transition to complying with HIPAA may be in your attitude toward the process, suggests Dr. Mullen. As he points out, some DPMs often function autonomously and have their own ideas for practicing effectively so changes in healthcare delivery can be difficult to digest. “Healthcare providers need to make firm commitments to change with their environment, and not just with respect to compliance issues, or by Darwinian theory, they will cease to exist,” posits Dr. Mullen.

Posa argues using a professional consultant to comply with HIPAA has its value since a consultant’s experience permits him or her an understanding of the HIPAA regulations that average practitioners may not have. He adds that consultants can also be valuable in bringing an outside perspective to how a practice is coping with the changes, and they can conduct a required audit of the office procedures. The various HIPAA software tools can also aid small practices in dealing with compliance, according to Posa.

Will HIPAA Be Rigorously Enforced?

Dr. McCord suggests DPMs familiarize themselves with the rules. He notes compliance is important because government regulators may not give you a second chance at compliance. “The old adage of the chain being only as strong as its weakest link has never been truer than with respect to all aspects of healthcare compliance … for the fines and penalties for compliance breaches can be severe,” emphasizes Dr. Mullen.
“If the chief administrator of a given healthcare entity is resistant to change, then change management must be addressed before the rest of the ship can smoothly sail.”

The fact that fines recovered from medical compliance breaches, such as healthcare fraud, increase exponentially every year signifies to Dr. Mullen that the federal government is committed to following through with the sanctions it imposes against violators. He believes the government ultimately will impose the same sanctions when it comes to violations of HIPAA.

As far as enforcement, Posa believes the healthcare community will know more in November, depending upon the results of the elections. Beaver disagrees. “There’s not going to be a lot of active enforcement of HIPAA — that is, HIPAA police chasing the streets now, if ever — so it will come down to the covered entities who take it seriously and those who get caught being negligent,” he says.

Can The Federal Government Do More To Spur Compliance?

Although HIPAA compliance begins with your own efforts, the federal government takes a role in oversight and enforcement. Healthcare professionals say the government itself can do more to ensure compliance. The process for HIPAA began with the act’s approval in 1996 and Posa says the timespan of the implementation of HIPAA has been problematic. Since aspects of the legislation became effective in 2002 and enforcement does not start until 2005, he argues this “lulls people into thinking that the law is not real or the government is not serious about it.”

Posa compares this phenomenon to the late 1990s fear of the nearly nonexistent Y2K crash. People may remember the panic that computer systems would fail in 2000 and since it did not happen, practitioners may believe HIPAA sanctions may not occur and may develop a “wait and see” attitude, according to Posa. Dr. Ornstein suggests the government create short documents, an educational newsletter and something aimed at staff in order to increase awareness.
Likewise, Posa suggests the federal government offer a public relations and education campaign to explain the laws in layman’s terms to DPMs, especially those in smaller practices. The CMS Web site, www.cms.hhs.gov, lists a plethora of HIPAA information, including over 100 frequently asked questions and information on seminars.

Peltz emphasizes the problem is the HIPAA mandates cost time and money. He argues that neither the government nor the insurance industry reimburses payers to cover the cost of implementation, which can cause a vicious cycle. “The government says ‘do it,’ the payers increase premiums to cover costs and the providers have to pay for it in increased costs for staff and supplies, and their increase in health insurance premiums for their staff,” points out Peltz.

“The large institutions are pretty well set because they have the staff and resources. They all have HIPAA offices and staff,” says Posa. “The problem lies in small practices where HIPAA is just one more piece of regulatory compliance that needs to be dumped on someone's plate within the practice.”

Dr. Mullen thinks the Centers for Medicare and Medicaid Services (CMS) should first educate its own personnel on HIPAA. When his practice started learning about what changes would be necessary as far as electronic claims, Dr. Mullen says “no one at CMS had a clue what (they) were talking about.” He thinks the CMS, after educating its personnel, should run seminars and educational forums, and dispense material to those participating providers who need it. “After all, this entire process was created and mandated by the federal government so logic dictates they should own up to it as well,” he argues.