Federal standards designed to protect the privacy of health information were announced December 20, 2000, by President Clinton and Donna E. Shalala, Secretary of the Department of Health and Human Services (HHS). Among other requirements, the regulations mandate that providers get consent from patients for routine disclosures of medical information and special patient authorization for non-routine disclosures such as marketing or fund raising.
“The new rules we release today protect the medical records of virtually every American. They represent the most sweeping privacy protections ever written,” President Clinton said. Added Secretary Shalala, “Comprehensive protection of personal medical records is what Congress called for in the law [the Health Insurance Portability and Accountability Act (HIPAA) of 1996] and it’s what American patients and their providers want and need.” Clearly, the promulgation of these new rules will have an effect on every neurosurgeon in the United States by adding complexity and cost to the practice of neurosurgery.
The regulations cover healthcare providers who transmit health care data electronically, health plans and healthcare clearinghouses. Also bound by the regulations are Web sites on healthcare and online pharmacies. Compliance with the regulations is required by February 2003. HHS’s Office for Civil Rights has been given the task of enforcing the rule. The privacy regulations are the second of several administrative simplification regulations required by HIPAA.
In October 2000, a set of industry-wide standards for health data formatting and transactions became effective. These regulations established standard data content and formats for submitting electronic claims and other administrative health transactions. All healthcare providers are able to use the electronic format to bill for services, and all health plans are required to accept these standard electronic claims, referral authorizations and other transactions.
Broad Applicability
The security standards detailed in the December announcement apply to all health information that is electronically maintained or transmitted. The key words here are “health information” and “electronically maintained or transmitted.” Even solo neurosurgeons who do not participate in computer networks and have been shielded from HIPAA’s transaction requirements by using paper forms, stamps and envelopes will be subject to HIPAA’s security requirements if they electronically maintain or use any health information.
For example, if bills are printed from a practice management system, charts are transcribed and stored in a word processor or lab results are sent by modem to a printer at the office, the HIPAA security requirements will apply. The regulations provide protection for all types of personal health information created or held by covered entities, including oral communications and paper records that have not existed in electronic form in the past.
The final version of the regulations, as reported in BNA’s Healthcare Policy Report (12-25-00), makes a substantial clarification expressly prohibiting employers that sponsor health plans covered by the Employee Retirement Income Security Act from using protected health information for employment decisions.
Five Basic Principles
The regulations cover five basic principles:
Consumer control. Consumers are provided with critical new rights to control the release of their medical information. This includes advance consent for most disclosures of health information, the right to see a copy of their health records, the right to obtain documentation of disclosures of their health information and the right to an explanation of their privacy rights and how their information may be used or disclosed.
Boundaries. With few exceptions, an individual’s healthcare information should be used for health purposes only, including treatment and payment.
Accountability. Under HIPAA, for the first time there will be specific federal penalties if a patient’s right to privacy is violated. There are non-criminal and criminal penalties. The penalties for noncompliance range from a fine of $50,000 and up to a year in prison to a $250,000 fine and up to 10 years in prison if the offender intends to sell or otherwise profit from the information.
Public Responsibility. According to HHS, the new standards reflect the need to balance privacy protections with the public responsibility to support such national priorities as protecting public health, conducting medical research, improving the quality of care, and fighting health care fraud and abuse.
Security. HHS states that it is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure. The regulations require covered organizations to establish clear procedures to protect patients’ privacy, including designating an official to establish and monitor the entity’s privacy practices and training.
Confusion is Pervasive
As noted above, final health data formatting and transaction standards (“Health Insurance Reform: Standards for Electronic Transmission”) were released by HHS in August and became effective in October. These regulations also were a result of HIPAA. Secretary Shalala stated that the regulations on standardized electronic transactions were released under the assumption that the privacy protections only recently announced in December would be in place at approximately the same time that the data standards took effect. These standards are generally of a technical nature.
Confusion about the difference between security, confidentiality and privacy is pervasive. Security consists of those measures that organizations implement to protect information and systems. It includes efforts not only to maintain the confidentiality of information but also to ensure the integrity and availability of that information and the information systems used to access it. In short, security establishes how health information should be protected from inappropriate access. The HIPAA security standards concentrate on the means and methods by which privacy and confidentiality are ensured.
Privacy refers to an individual’s desire to limit the disclosure of personal information. In the context of HIPAA, privacy determines who should have access, what constitutes the patient’s rights to confidentiality and what constitutes inappropriate access to health records.
Change in Culture
The HIPAA security standards, health information regulations and privacy regulations will require a change in how health networks are secured and used. These standards and regulations, which apply to every practicing neurosurgeon in the United States, will also require a significant change in practice management.
Neurosurgical practices will incur significant costs to implement the many changes that will be required. The paperwork burden on practices will be increased significantly and the flow of information between physicians may be impaired.
Think of faxing medical records from one office to another, as is now commonly done. That will no longer be possible. Recall that all medical records and other individually identifiable health information held or disclosed by a physician’s office in any form, whether communicated electronically, on paper or orally, are covered by the regulations. A significant investment will have to be made in office infrastructure to achieve compliance.
Neurosurgeons should note that they must receive patient consent before information is released. This means that consent must be obtained before sharing patient data for treatment, payment and health care operations purposes. In addition, specific patient consent must be sought and granted for non-routine uses and most non-healthcare purposes, such as releasing information to financial institutions. Patients have the right to request restrictions on the uses and disclosures of their information.
Practices must also adopt written privacy procedures. These must include who has access to protected information, how it will be used within the practice and when the information would or would not be disclosed to others. Steps must also be taken to ensure that a practice’s business associates protect the privacy of health information.
Time is Short
The upshot of this is that practicing neurosurgeons and their office staffs have another set of regulations with which they must comply. All concerned should take courses to become familiar with this complex system. Organized neurosurgery needs to take a unified approach to bring neurosurgeons the knowledge needed to comply.
Help with HIPAA compliance is abundant. Many consulting firms, publishers and other organizations are focusing their efforts on the regulations. Unfortunately, most neurosurgeons have not as yet developed an awareness of HIPAA. Special education courses for clinical personnel, including physicians, should be organized and completed quickly.
At some point, each practice will have to assess its vulnerabilities and determine the actions needed to achieve compliance with the electronic data interchange, security and privacy requirements. Next, each practice must formulate a comprehensive compliance strategy. This strategy should regard HIPAA as an enabler for achieving the practice’s overall e-business strategy. A practice can then implement all policies and procedures needed to achieve compliance. Finally, practices should complete an audit of their new procedures to assure that the measures instituted adequately address threats and meet requirements.
Most physician practices have not even finished the most preliminary stage of preparedness for HIPAA. Indeed, many are not at all aware of the ramifications of the regulations. Now is the time for all neurosurgical practices to quickly begin the education, evaluation and strategic planning that will be necessary to achieve HIPAA compliance. Taking positive steps toward HIPAA compliance now will pay off down the road in lower costs, reduced legal risk and a smoother transition to the new operational, technical and cultural universe mandated by HIPAA.
John A. Kusske, MD, is Vice President of the AANS Board of Directors and former Chair of the AANS Managed Care Advisory Committee.