Implementing HIPAA - Guidelines For Initiating HIPAA Systems Implementing Projects

Hospitals, doctors, and other health care professionals, along with employers, insurance companies, and all others who handle individuals' health care information in electronic form, should begin preparing now to meet the high security and privacy standards required by the Health Insurance Portability and Accountability Act of 1996.[1] Compliance requires implementing the technology and operational practices of security systems, which are the framework for enforcing HIPAA's new privacy rules. Initial planning and budgeting for HIPAA projects is best begun now, because statutory compliance deadlines create great time pressure, given the business process reengineering and new systems that are necessary.

Guidelines For Initiating HIPAA Systems Implementing Projects

What's next after Y2K? For the healthcare industry, and for the universe of employers and others who deal with medical records in electronic form, the answer is HIPAA, the Health Insurance Portability and Accountability Act of 1996. HIPAA is an omnibus privacy act for medical records. Regulations to enforce HIPAA will demand significant new security measures from all who handle medical records in electronic form. Unlike Y2K, HIPAA's deadlines are likely to move. HIPAA also will last long past its initial compliance deadlines, affecting healthcare and its costs for years to come.

HIPAA is very real. However, senior managers in the $1.1 trillion healthcare industry[2] are just beginning to develop an initial awareness of HIPAA's complexity and likely impact. By and large, projects to implement HIPAA have not yet started in earnest.

This article offers an introductory briefing on HIPAA's likely requirements for security, which is the handmaiden of privacy. The briefing suggests ways for senior managers at affected hospitals, health plans, and other enterprises to initiate projects for complying with HIPAA's detailed security rules, which probably will become effective before similarly detailed regulations setting forth privacy requirements.

Among other things, managers at healthcare institutions are wary of spending money to deal with government regulations that are not final, and to buy unproven, expensive new hardware and software systems. Yet, once the Department of Health and Human Services (HHS) issues the regulations to implement HIPAA in final form later this year (as now seems likely), most entities will be allowed only two years to comply. This period will be far too short for efficient, cost-effective implementation of the complex new business processes and expensive new software systems that probably will be necessary because of HIPAA. Consequently, senior managers need to begin the planning and budgeting processes now, while conserving money and institutional focus, and avoiding vaporware.[3]

Introduction

The part of HIPAA of concern here is a federal privacy statute for medical records. Privacy will be protected using new privacy and security standards. As proposed by HHS, these standards are formidable. In order to "ensure" security as required by HIPAA,[4] they will require a large proportion of the medical care industry to install new technology for encryption, and to adopt new business processes that are likely to be costly and, in many ways, wrenching.

Because this article is a preliminary discussion of how to meet HIPAA's requirements, and because there are many articles about HIPAA,[5] I start with only a brief outline of the statute and its regulatory scheme. The focus is what to do about HIPAA, and why it is a long path that is best begun immediately.

My conclusion, or current hypothesis, is that the technology required for HIPAA compliance does not exist in systems or packages that can be installed easily or inexpensively by adding them on to the hardware and software systems now in place at most hospitals, medical centers, and physicians' offices. Instead, the reverse is true. Further, while most major vendors of healthcare software systems are working on appropriate encryption add-on systems for their product lines, these encryption systems are still in development. They are unproven. They also may not, and indeed are unlikely to, work with other vendors' systems with which they are interfaced. This presents significant problems to top management at medical institutions throughout the country, where the norm is to have installed a mix of systems from different vendors.

Management also will face substantial challenges in instituting security practices, and all their accompanying policies and other paperwork, that HHS seems intent on demanding under HIPAA. The new security demands, quite apart from the proposed privacy rules, will require true business process reengineering.

Consequently, there is a premium on management's learning about HIPAA in detail without delay, as preparation for the effort to select, acquire, and implement new systems, and adopt new procedures, to satisfy the statute as HHS is interpreting it.[6] For most medical enterprises of any size, the two-year deadline for meeting HIPAA's security requirements is likely to be insufficient (even though the starting date for the two-year period for implementing HHS's privacy rules probably will be postponed until fall of 2000, because of the huge number of comments about the proposed privacy regulations that were filed with HHS).

Background

The part of HIPAA we are concerned with here is a federal privacy statute enacted to establish and protect patients' privacy rights in their medical records. What is generally referred to as HIPAA is actually the ironically titled "Administrative Simplification" title of a much larger statute amending the Social Security Act, and dealing with, among other things, healthcare insurance portability and Medicare fraud and abuse.

The use of "simplification" in the title reflects Congress's expectation that HIPAA will force the healthcare industry to adopt electronic data interchange, or EDI, for a range of healthcare administrative and financial tasks, and for many related clinical functions as well. Once the industry makes this transition, Congress hopes, the daily business of healthcare will be much more efficient, because it will be automated. According to Congress, that is likely to save money and improve patient care.

A number of assumptions underlie this approach. Among them is that technology has developed sufficiently so that an industry-wide conversion to EDI is feasible within the time that Congress set, generally two years from the promulgation of HIPAA's final implementing regulations. We will return to this assumption later.

While there is considerable room to argue about whether there is a widespread failure of doctors, hospitals, insurers, and others to protect the privacy of medical records,[7] there is little question that the politics of medical record privacy are formidable. There is immense momentum to strengthen privacy protections, a momentum that gains with each month's new revelations of privacy violations on the Internet (though rarely do these celebrated incidents involve medical records).[8] The politics are implacable. What member of Congress can go wrong advocating strong privacy protection for patients' records, or vowing harsh, swift justice to those who would disclose medical records improperly?

The politics of medical record privacy are also turgid. In 1996, in HIPAA, Congress gave itself a deadline of 42 additional months to pass medical record privacy legislation.[9] If Congress missed its own deadline, then the Secretary of Health and Human Services was to propose and adopt appropriate final regulations within six additional months.[10] (That deadline was Feb. 21, 2000, and the Secretary has missed it.) This safety valve is stark recognition of the controversy surrounding all aspects of medical record privacy.

Rulemakings

HHS Secretary Shalala issued a series of proposed rules dealing with privacy and security standards and with the standards for nine common healthcare transactions (such as making a claim for reimbursement from an insurer or other payor), patient and provider identifiers, and digital signatures. While none of these areas lacks complexity, the more technical areas of computer operations, such as transaction standards, are proceeding apace. The same cannot be said of the proposed privacy regulations and, to a lesser but still significant extent, the security regulations.

The implementing regulations define "protected health information," or "PHI," as individually identifiable health information transmitted or maintained in electronic form (or derived from electronic form, such as a printout from a computer), but not the same information if it is only on paper (and has not been printed from an electronic record).[11] "Covered entities" are hospitals, health plans, health clearinghouses, and others, such as employers, that hold, use, or transmit PHI.[12]

Transaction Standards

The transaction set standards[13] are massive compendiums of computer code notations. They systematically assign labels to the myriad transactions common to the furnishing of, and payment for, medical care. The sets are available free from HHS's HIPAA website.[14] While they are unexciting reading, a short time spent reviewing any one of the transaction sets can give senior managers an appreciation for the subject matter and level of detail that HHS, under HIPAA, seeks to standardize in electronic data interchange for the healthcare industry.

The...
