HIPAA regulations are not all final, but it's a question of when, not if. The law behind their development has been final for more than four years. It's the implementation of the law that remains mainly a work in progress.
The regulations cover significant territory: safeguarding electronic information, granting patients the right to review their medical records and telling physicians how much information they can legally share with one another, among other things. In addition, the regulations will require careful monitoring of how information processed by healthcare organizations is used by business partners.
The law will require technical and administrative changes as well as the development of policies to protect patients and information by which they can be identified.
Already finalized are rules requiring standard transaction formats and billing codes for documenting medical services and processing claims. These formats and codes replace the 400-odd formats currently used to electronically adjudicate claims.
While most of the other provisions have yet to be translated into final regulations, enough is known about them to enable organizations to begin changes in technology and processes, observers say.
"Once you buy into the fact that this is actually a law, there's really not much benefit in waiting for the final version (of the rules)," says Russell Jones, practice director of information security for Science Applications International Corp., a La Jolla, Calif.-based research and engineering firm.
HIPAA is grouped into three main categories. The first deals with what the legislation was initially designed to do: guarantee that people do not lose insurance coverage when they switch jobs. That's Title I, referred to as "Healthcare Portability." Also included in Title I are provisions prohibiting discrimination based on health and forbidding exclusion of coverage based on certain pre-existing conditions.
Title II, known as "Administrative Simplification," contains rules that seek to secure electronic patient information, standardize and simplify how medical transactions move and give patients specific rights with regard to the confidentiality of their medical information.
First under Administrative Simplification is the rule requiring the adoption of standards for electronic transactions and medical coding terminology (See chart). The final version of that rule was published in the Federal Register on Aug. 17.
In a written statement, HHS Secretary Donna Shalala commented that the standards mandated by the rule will facilitate a "faster, simpler, less costly and more efficient healthcare system."
Next under Administrative Simplification are the "unique health identifiers" designed to speed electronic transactions by ascribing a single identification number to each health plan, provider and employer.
"For the purpose of uniformity, in order to facilitate coordination of benefits, you wouldn't want three numbers identifying the same payer," says Dan Rode, vice president for policy and government relations at the Chicago-based American Health Information Management Association.
The status of an individual health identifier, which would give each patient a unique number, is indefinitely on hold as policymakers grapple with concerns about a new national identifying system, Rode says.
The third section of Administrative Simplification includes rules governing electronic security and the use of electronic signatures. HIPAA gives healthcare organizations significant latitude when it comes to developing the specific mechanisms they put in place to comply with the security standards.
The law requires strict access control, certification of network security, authentication of those accessing patient data and even physical safeguards. But how to meet those requirements will be up to each individual organization.
For instance, HIPAA's security standard requires unique user identification to confirm the identity of a physician before he or she retrieves privileged data. Compliance with this rule can take many forms -- including password systems and biometric identification systems such as fingerprinting -- as long as they can verify that the caregivers accessing data are who they say they are.
The fourth and final component of Administrative Simplification is causing the most uproar as it proposes tough rules surrounding patient privacy and confidentiality. Under the privacy provisions, patients are granted the right to review and request amendments to their medical records. The rules will also give patients the right to inspect their providers' notice of information practices, which spells out how each organization works to protect sensitive information.
Fine print, big impact. Within the privacy and confidentiality section is a controversial proposed rule that would limit medical communications among physicians and other caregivers to the "minimum necessary" required to deliver care, as well as a rule assigning liability to providers even if breaches are committed by a business partner.
Many industry insiders and observers agree that HIPAA's privacy provisions will be the toughest to implement and enforce.
"If we look at security standards from a pure (information technology) perspective, I would venture to say that most healthcare organizations, if not all of them, are going to be capable of meeting 75% to 80% of the security standards with very few changes," says Lisa Dahm, senior manager of HIPAA services and regulatory compliance for Deloitte & Touche in Houston. "Privacy and confidentiality is where it gets hairy."
The security rules, Dahm says, differ from the privacy rules in that security focuses on requiring the protection of information as an asset in the same way other businesses protect their property and data. The privacy rules, meanwhile, are patient-centered, designed to give consumers rights concerning how their information is used.
From patient rights to the use of clinical information for research purposes, the nitty-gritty of HIPAA will hold providers accountable for everything they do with regard to handling and exchanging patient information. Among possible trouble spots are the "chain-of-trust" and business partner agreements mandated by the legislation.
Big-time accountability. Knowing that many organizations besides hospitals handle patient information, HIPAA's framers had to invent a way to hold those parties accountable as well; HHS did that with the business partner agreement, Dahm says.
The business partner agreement applies to third-party administrators as well as everyone from dot-com and disease management companies to attorneys defending physicians in a malpractice suit. HIPAA's language on this point is clear -- if a healthcare provider knows or should have known about the noncompliance of a business partner, the provider can be held liable for any ensuing damages.
That could open Pandora's Box.
"Have we deputized a new bureaucracy?" asks Mark Lutes of law firm Epstein, Becker & Green, in reference to providers' need to monitor the practices of their partners. "Arguably, yes we have."
HIPAA also requires that chain-of-trust agreements be signed between healthcare organizations and the third parties they contract with to process data. Because the differences between the chain-of-trust agreements and business partner agreements are negligible, final rules could merge the two concepts so that a single agreement with each business partner would cover both requirements, Lutes says.
In any case, "for HIPAA's purposes, you will be your business partner's keeper," Lutes says.
If the chain-of-trust concept is a new one to healthcare administrators, it shouldn't be, says Harry Reynolds, vice president of information technology for Blue Cross Blue Shield of North Carolina, who also has corporate oversight for HIPAA compliance.
"Anybody not managing their chain-of-trust right now . . . probably has a problem already," he says. "All of us in this industry have to be very careful as we sign up partners, that they are equally committed to the business we're in as well as to the security and privacy of our customers' information."
Patients' rights to review records. Perhaps one of the most administratively difficult tasks under HIPAA's privacy rules will be granting patients the right to review and request changes to their medical records if errors have been made.
"What if 6,000 patients hit a health system with a request to amend?" Dahm says. "There is no way our healthcare industry is prepared for that."
On the provider side, administrators wonder how the medical record rule will play out.
"If you gave a patient a list of people who had access to their record, what are they going to do with it?" asks Rita Aikins, information security and privacy officer for the Oregon region of Seattle-based Providence Health System. "Are they going to understand why a medical records clerk was in looking at their record?"
Limits on clinician access to patient data. Another privacy rule sparking debate during the rulemaking process is known as the "minimum necessary" requirement.
Draft language for this rule says that people to whom personally identifiable health information can be disclosed should be "limited to the minimum necessary to accomplish the purpose for which the disclosure was made," says Linda Magno, managing director for policy development at the American Hospital Association.
The AHA is concerned about the consequences to care this rule would have, Magno says. If in the course of a consult, for example, one physician shares with another an entire patient file, that physician may have violated the rule for not disclosing only what is necessary.
Making such determinations could be a very difficult thing, Magno argues. "Does a consulting urologist need information about the mental health condition of a patient? The problem is that you don't know. Medicine is not such a cookbook."
The AHA believes that if the rule is completed, it will be exceedingly difficult to put into practice. "We're concerned that the secretary has gone too far and tried to prescribe a standard that can't be easily defined," Magno says. By forcing physicians to justify when and why they share information, she adds, the rule is "potentially creating health hazards rather than improving everyone's care."
Providers with HIPAA initiatives already in place agree that security standards will not be as difficult to implement and enforce as the contentious privacy regulations. "Some of the impact of the security standard we're not going to feel because we already have processes in place," Aikins says.
Those processes include granting access to particular files instead of to entire databases and maintaining access records showing who viewed a file and when, and how it was changed.
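The unique user identification requirement discussed earlier and the practices Aikins describes here (access to particular files rather than whole databases, and a record of who viewed a file, when, and how it was changed) can be shown together in one small Python sketch. This is an added example, not code from the article or from any organization named in it: the RecordStore and AuditEntry names, the user dr_smith, the file ids P-1001 and P-1002, and the PBKDF2 parameters are all constructed for illustration, and the salted credential hash with a constant-time comparison is an assumed way of implementing the identity check, which the regulation leaves to each organization.

```python
"""Added example (constructed, not from the article): one user id per caregiver, grants per patient file, and an access record."""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
import hmac
import secrets
from typing import Callable, Dict, List, Optional, Set

PBKDF2_ROUNDS = 100_000  # constructed choice; tune to the deployment's hardware


@dataclass
class AuditEntry:
    """One line of the access record: who did what to which file, and when."""
    timestamp: str
    user_id: str
    action: str      # "read", "amend", "denied" or "auth_failed"
    record_id: str
    detail: str = ""


class RecordStore:
    """Patient files with per-file grants (not whole-database access) and an audit log."""
    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)) -> None:
        self._now = now                          # injectable clock, so tests are deterministic
        self._records: Dict[str, Dict[str, str]] = {}
        self._salts: Dict[str, bytes] = {}       # user_id -> per-user salt
        self._hashes: Dict[str, bytes] = {}      # user_id -> PBKDF2 hash of the credential
        self._grants: Dict[str, Set[str]] = {}   # user_id -> record ids that user may open
        self.audit: List[AuditEntry] = []

    # --- unique user identification --------------------------------------
    def register_user(self, user_id: str, credential: str) -> None:
        """Each caregiver gets exactly one id; a duplicate id is refused."""
        if user_id in self._hashes:
            raise ValueError(f"user id already exists: {user_id}")
        salt = secrets.token_bytes(16)
        self._salts[user_id] = salt
        self._hashes[user_id] = self._derive(credential, salt)

    def authenticate(self, user_id: str, credential: str) -> bool:
        """Verify the presented credential; failures are logged, never silent."""
        salt = self._salts.get(user_id)
        if salt is None:
            self._log(user_id, "auth_failed", "-", "unknown user id")
            return False
        ok = hmac.compare_digest(self._derive(credential, salt), self._hashes[user_id])
        if not ok:
            self._log(user_id, "auth_failed", "-", "credential mismatch")
        return ok

    # --- per-file grants and the access record ---------------------------
    def add_record(self, record_id: str, data: Dict[str, str]) -> None:
        self._records[record_id] = dict(data)

    def grant(self, user_id: str, record_id: str) -> None:
        # Entitle one user to one file: the "particular files" model, not the whole database.
        self._grants.setdefault(user_id, set()).add(record_id)

    def read_record(self, user_id: str, record_id: str) -> Optional[Dict[str, str]]:
        # A copy of the file if the user holds a grant; the attempt is logged either way.
        if not self._has_grant(user_id, record_id):
            self._log(user_id, "denied", record_id, "no grant for this record")
            return None
        self._log(user_id, "read", record_id)
        return dict(self._records[record_id])

    def amend_record(self, user_id: str, record_id: str, field: str, new_value: str) -> bool:
        # Apply a change and keep the before/after values, so "how it was changed" survives.
        if not self._has_grant(user_id, record_id):
            self._log(user_id, "denied", record_id, "no grant for this record")
            return False
        old_value = self._records[record_id].get(field)
        self._records[record_id][field] = new_value
        self._log(user_id, "amend", record_id, f"{field}: {old_value!r} -> {new_value!r}")
        return True

    def access_history(self, record_id: str) -> List[AuditEntry]:
        # Everything that touched one file: what a patient or auditor would be shown.
        return [e for e in self.audit if e.record_id == record_id]

    def _has_grant(self, user_id: str, record_id: str) -> bool:
        return record_id in self._records and record_id in self._grants.get(user_id, set())
    def _derive(self, credential: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", credential.encode("utf-8"), salt, PBKDF2_ROUNDS)
    def _log(self, user_id: str, action: str, record_id: str, detail: str = "") -> None:
        self.audit.append(AuditEntry(self._now().isoformat(), user_id, action, record_id, detail))


def demo() -> List[str]:
    """Walk through the text's scenario; returns the actions logged against file P-1001."""
    store = RecordStore()
    store.register_user("dr_smith", "constructed-passphrase")   # constructed user and files
    store.add_record("P-1001", {"allergies": "penicillin"})
    store.add_record("P-1002", {"allergies": "none"})
    store.grant("dr_smith", "P-1001")                           # one file, not the database
    store.authenticate("dr_smith", "constructed-passphrase")    # succeeds; failures would be logged
    store.read_record("dr_smith", "P-1001")                     # allowed, logged as "read"
    store.read_record("dr_smith", "P-1002")                     # refused, logged as "denied"
    store.amend_record("dr_smith", "P-1001", "allergies", "penicillin, latex")
    return [e.action for e in store.access_history("P-1001")]   # ['read', 'amend']
```

Two design choices are worth noting. Refused attempts are logged against the file that was asked for, so the history shown to a patient or auditor includes who tried and failed to open it, not only who succeeded. And an amendment stores the old and new value in the same entry, which is what makes the later "request to amend" workflow reviewable.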
Reinforcing current norms. The security standards also require that system emergencies can be properly and promptly addressed. To play by the proposed rules, healthcare organizations will have to develop and implement a contingency plan for data backup and disaster recovery.
Many organizations are already up to speed on this, mostly because Y2K preparations included developing such policies.
"We are making sure that our asset inventory is up to date, and that's a carry-over from Y2K," Aikins says.
As federal law, HIPAA will pre-empt conflicting state laws. But that doesn't mean those to whom the law applies can ignore existing laws in their state.
"You can't go to sleep in terms of your state laws," Lutes says. "You still have to remain aware of the privacy laws in your state. HIPAA only creates a floor, not a ceiling."