Size can be both an asset and a liability when it comes to HIPAA compliance, says Dara Luangtraseut, privacy officer at the Marshfield (Wis.) Clinic.
The clinic has about 660 physicians and more than 6,000 employees, including dozens of lawyers, computer technicians and compliance officers who can carry out in-house planning for HIPAA's complex set of federal standards, Luangtraseut says.
But for all the available HIPAA help, the sheer size of Marshfield also means sensitive patient information is sent and stored in myriad and complex ways that a solo practice would never encounter. "I think there's a misconception out there that because you're bigger it's easier," Luangtraseut says. "It's a much more complex implementation."
HIPAA planners at large practices are getting a little nervous as they move closer to the first significant deadline of April 2003, when they and other providers must comply with HIPAA privacy standards.
Thanks to an exemption of which everyone seems to be taking advantage, HIPAA rules for electronic transaction standards, originally due Oct. 16, 2002, will be put off for a year. And HIPAA security rules, which are incomplete, are not expected to go into effect until late 2004.
Planners agree that the privacy rules will affect doctors and other staff more than the HIPAA mandates on security and data transmission standards will. But so far, physicians in larger practices are generally removed from the planning, while their colleagues in small groups already have to face the issue--even if that only means picking a consultant to do the work.
Doctors at Wake Forest University Physicians, a 486-physician faculty practice in Winston-Salem, N.C., don't have much of an opinion about HIPAA yet because "I don't think the full impact has hit them," says Larrie Dawkins, director of compliance.
Wake Forest and other large practices are waiting until September or October to begin HIPAA privacy training. When physicians enter training, they will confront such problems as making sure patients are informed of their privacy rights and know they can withhold certain information from caregivers.
These doctors also will have to deal with tighter computer login codes that strictly limit access to patient information, along with new rules on e-mailing patients.
Most large practices have the advantage of already having detailed privacy rules on the books--covering everything from unauthorized individuals looking up patients' medical records to talking about sensitive patient information in a crowded elevator, HIPAA planners say.
"Most large practices have reasonably secure systems," says Joe Milanese, HIPAA project and security manager for Dean Health System, a 422-physician practice in Madison, Wis. "HIPAA is just legislating the details."
Since HIPAA allows for wide latitude in interpretation, practices may have varying sets of privacy rules. For example, Dean has taken the unusual step of banning drug reps from all clinical areas.
"HIPAA says if you don't need to have access to information, you shouldn't be around it," Milanese says. "If drug reps are in the clinical area, they are overhearing things they're not supposed to overhear."
But even large practices with rules already on the books will probably have to make a lot of changes to comply with HIPAA's "minimum necessary" rule, officials of those groups say. Under this rule, they say, employees should be barred from certain areas, and their computer logins should allow access only to the patient information needed to do their job.
Luangtraseut says Marshfield has been examining job descriptions to determine minimum necessary standards for each employee. It's a balancing act. Though planners want to strictly limit access, "we don't want to interrupt workflow," she says.
Doctors, of course, have wide access to patient records, but they, too, will see new limits. For example, until HIPAA, each physician decided if he or she wanted to e-mail patients and what to say, but now e-mails at large practices are falling under institutional rules to comply with HIPAA.
Dean is instructing its doctors to keep e-mails "very superficial," such as explaining drug interactions, Milanese says. He adds that the completion of the HIPAA privacy modifications, expected later in the summer, will probably require e-mails to be encrypted. That would mean that both doctors and patients would have to obtain encryption software, he adds.
Marshfield started planning for HIPAA relatively early, in January 2001. But Luangtraseut says the huge practice took six months to identify all the potential security breaches, a process called "gap analysis" in HIPAA-speak.
Part of the problem, she says, was getting staff input from all 40 of its central-Wisconsin locations.
The work will only get more intense. Luangtraseut says HIPAA requires that Marshfield send out privacy notices early next year to its 358,000 patients, explaining their rights and giving them the opportunity to direct that information be withheld.
HIPAA says providers have to accommodate reasonable requests, such as directing reports on lab results to another address besides the patient's home. If the patient makes such a direction, "everyone in the system needs to know that" when dealing with that patient. That gets complicated at a large institution like Marshfield, she says.
Compared to privacy standards, HIPAA transaction standards are less complicated.
In fact, many large practices report that they could have met this year's October deadline, but they did not want to commit themselves to untried systems that could have caused reimbursement holdups.
"From the perspective of a large practice, you want to edge into it to protect your cash flow," says Dawkins of Wake Forest.
Though large practices have relatively sophisticated computer systems, most still are not 100% electronic. Those that are may not be compliant with the four HIPAA transaction standards applying to practices: claims transmissions, eligibility, claims status and specialty referrals.
Marshfield electronically transmits 75% of its claims transactions and 50% of claims status checks, mostly in HIPAA-compliant format, Luangtraseut says.