HIPAA & Privacy: Who, What, Where, When, and Why?

White Paper

MedAbiliti Software Incorporated

Introduction

Americans have always loved privacy. The Founding Fathers, having tasted persecution from governments overseas, came to America because they wanted to be left alone. They wrote the Constitution and the Bill of Rights to reflect their suspicion of governmental intervention in a man's private affairs.

After the East was more populated and cities had formed, waves of settlers decided there were too many people and too many laws and they moved West so they could be free to do as they pleased. Most Americans grew up on cowboy movies, that quintessential American independence hero. Nobody knew anything personal about the Lone Ranger, after all, not even what his face looked like. So, you could say that privacy is a core value of the American culture and has been from the very beginning.

Though there is no explicit Constitutional right to privacy, American common law has recognized some level of privacy rights since 1890 at least, when Louis Brandeis, later a famous Supreme Court Justice, and Samuel Warren argued for two basic privacy rights -- the right to be protected from unauthorized publicizing of private matters and the right to be let alone -- in a famous Harvard Law Review article, "The Right to Privacy." Today, all 50 states to one degree or another recognize an actionable right to be protected from privacy invasions, and nearly all the states have statutes imposing civil or criminal penalties for impermissible disclosure of medical information. The Hippocratic Oath, written in 400 B.C.E., even speaks of medical privacy:

"Whatever, in connection with my professional practice or not, in connection with it, I see or hear, in the life of men, which ought not to be spoken of abroad, I will not divulge, as reckoning that all such should be kept secret."

Why, Then, Do We Need HIPAA?

In the old days, when it came to you and your doctor, your privacy was a given. It was a simpler world. Your medical information was mostly in your doctor's head. He might jot down a few quick notes on things he didn't want to forget, perhaps some billing info, why you came to see him, and what he prescribed, but nobody looked at his scribbled notes. Not even you were allowed to look at his notes without his permission.

And nobody needed to look at a doctor's notes anyway. You usually lived all your life in the same little town, with one family doctor, who treated the whole family until you, or he, died. You trusted him with the most intimate details of your physical and emotional life. You paid him by pulling out some cash from your pocket when you went to see him. If you needed an operation, he arranged it in your town or the nearest big one. Oftentimes, he knew you better than you knew yourself, and nobody was looking over his shoulder into your private matters.

Nowadays, you might live for a few years in one place, then need to relocate some place else, and then your career might send you somewhere else again. That's very common. Your medical care may be in the hands of an HMO, where your primary care physician may change from time to time even if you don't move yourself. When you do move, information about your prior medical care needs to be relayed to your new doctor in your new location, so he knows what to do with you. You are, after all, total strangers. If you need an operation, you probably want a second opinion first, and then you may travel many miles -- perhaps to another state -- to a hospital you feel is best qualified to help you, where your treating physicians are meeting you for the first time in the context of your current medical problem. They not only don't know you, they may not even know your doctor. Everything that they need to know about you medically is of necessity in written medical records.

The circle of those needing or wanting access to your medical data has widened too, and today it includes not only your doctor but your insurance company, sometimes your lawyer and his staff, as well as your employer, and sometimes governmental agencies. When you get a doctor's bill today, it's likely a computerized system that sent it, and after you relay it to your insurance company, if you're tech-savvy, you may use a computer service to OK and pay the part for which you are responsible. Universities and medical researchers, too, would like to have access to aggregate health statistics, for there can be real clinical benefits from studying such aggregated patient data, and your information may be in that larger pool they are interested in gaining access to. Marketing groups have their own dreams of what they could do with the data.

Getting that information to everyone with a legitimate right and need to have it nowadays likely involves electronic transfers, and each transmission presents an opportunity whereby your medical and other private information could be intercepted by those with no right to it, or misused or mishandled by those who care less about your privacy than you do, with the real danger that your most private and vulnerable information will be made public by ways in which you would be embarrassed or damaged.

With this increased flow of medical information, there is an increased potential for misuse or for just plain old human error that can cost a patient his privacy. Worse, if hackers can break into your system by means of planting viruses, trojans, worms and other malware, they can likely access your patient records too. Our expectation of privacy, inevitably, has narrowed, as it must in such an environment, but that doesn't alter the strong desire to protect what we can.

As Brandeis and Warren wrote in their article, when the world changes, the law must change too:

"That the individual shall have full protection in person and in property is a principle as old as the common law; but it has been found necessary from time to time to define anew the exact nature and extent of such protection. Political, social, and economic changes entail the recognition of new rights, and the common law, in its eternal youth, grows to meet the new demands of society."

The world has changed, and computers are the single most significant cause. The power they hold for privacy invasion led Congress to pass, as part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), provisions designed to protect Americans from the increased danger of privacy loss that electronic transmission of data poses. Electronic transmission includes transmission by fax, email, instant messaging, VPNs, web-based services, or the Internet. HIPAA is the first federal intervention into the private health insurance sector, and it is a kind of national recognition that computers and the Internet, as they used to say, change everything, and that medical data storage and transmission are uniquely vulnerable to abuse and require substantive protection. HIPAA authorized the federal government to establish a national standard for medical record privacy.

HIPAA's primary goal was not privacy but to guarantee continued health care coverage to employees and their dependents who have group health insurance, without regard for medical condition and without additional periods of preexisting condition exclusion, if and when employees change jobs or group insurers. This provides for portability and renewal of health insurance coverage to those already with such coverage. That's most Americans. Its stated goals are:

"...to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes."

What Does HIPAA Require With Regards to Privacy?

HIPAA mandates new rules governing electronic health care transactions: a national administrative standard for electronic transmission and data storage, intended to simplify the processing of health care payments by creating a common, national standard for computer use and data transfer. It sets out who must comply with these standards and what type of data is covered. With the national standards, all health care providers -- including physicians and other practitioners, hospitals and nursing facilities -- will be able to use the new standards, and all health plans will be required to accept these standard electronic transactions. For many, this means change.

The goal of HIPAA was to set a minimum for privacy in electronic transfers of medical data that no one in the United States may fall beneath. Where states have more stringent standards, those higher standards still apply in the relevant states; where states have less stringent rules, they are superseded by HIPAA.

The section on privacy is a small part of the Act, but its requirements are powerful. Any individually identifiable information about a patient transmitted electronically is protected by HIPAA, and the penalties for noncompliance can be significant. Additionally, even though HIPAA doesn't grant patients an individual right to sue under its provisions, now that HIPAA has set the privacy standard, it is trivial to predict that attorneys will be tacking on charges of "failure to comply with community standards of confidentiality" when suing doctors, hospitals and other health care providers when they catch them out of compliance.

Under its "Minimum Necessary Use and Disclosure" policy, HIPAA allows disclosure of a patient's private medical information for treatment, payment, necessary health care operations, certain research purposes (subject to some protections), and for "specified public and public policy-related" purposes. In a post-September 11th world, we can all figure out what the last item might signify. The least amount of information needed is to be evaluated and determined before being released for each allowed disclosure. An audit of existing organization policies must be taken to see where privacy and security issues may be lax. There are requirements for recordkeeping of all disclosures made, and the patient must be given a copy of that record on demand and may revoke permission once given.
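The paragraph above describes a procedure rather than a technique: decide the least information needed for each permitted purpose before release, honor a patient's revocation, keep a record of every disclosure, and be able to hand that record to the patient on demand. The following Python sketch, added here as an illustration and not MedAbiliti's or any regulator's code, shows one way a disclosure gateway can enforce those steps mechanically. The purpose names, the field sets allowed per purpose, the patient record, and the recipient names are all constructed for the example; a real organization would derive its own field sets from the policy audit the paragraph calls for.

```python
"""Minimum-necessary disclosure gateway with an accounting-of-disclosures log.

Added example, not code from the original white paper. Purposes, allowed
field sets and the sample record below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: the record fields each disclosure purpose may receive.
# Anything not listed for a purpose is never released for that purpose.
MINIMUM_NECESSARY = {
    "treatment": {"name", "dob", "diagnoses", "medications", "allergies"},
    "payment":   {"name", "dob", "insurance_id", "procedure_codes"},
    "research":  {"dob", "diagnoses"},          # no direct identifiers
}


class DisclosureDenied(Exception):
    """Raised when a request fails the purpose or authorization check."""


@dataclass
class DisclosureGateway:
    records: dict                                   # patient_id -> full record
    revoked: set = field(default_factory=set)       # (patient_id, purpose)
    accounting: list = field(default_factory=list)  # every disclosure attempt

    def revoke(self, patient_id: str, purpose: str) -> None:
        """Patient withdraws permission for a purpose; later requests fail."""
        self.revoked.add((patient_id, purpose))

    def disclose(self, patient_id: str, purpose: str, recipient: str) -> dict:
        """Release only the minimum-necessary fields and record the attempt.

        Denied attempts are logged too, so the accounting doubles as an
        audit trail for requests that should never have been made.
        """
        entry = {
            "when": datetime.now(timezone.utc).isoformat(),
            "patient_id": patient_id,
            "purpose": purpose,
            "recipient": recipient,
        }
        try:
            if purpose not in MINIMUM_NECESSARY:
                raise DisclosureDenied(f"unrecognised purpose {purpose!r}")
            if (patient_id, purpose) in self.revoked:
                raise DisclosureDenied(f"permission revoked for {purpose!r}")
            if patient_id not in self.records:
                raise DisclosureDenied("no such patient")
            allowed = MINIMUM_NECESSARY[purpose]
            released = {k: v for k, v in self.records[patient_id].items()
                        if k in allowed}
            entry.update(status="released", fields=sorted(released))
            return released
        except DisclosureDenied as exc:
            entry.update(status="denied", reason=str(exc))
            raise
        finally:
            self.accounting.append(entry)

    def accounting_for(self, patient_id: str) -> list:
        """The copy of the disclosure record a patient may ask for."""
        return [e for e in self.accounting if e["patient_id"] == patient_id]


def build_gateway() -> DisclosureGateway:
    """Gateway loaded with one constructed sample record (not real data)."""
    return DisclosureGateway(records={
        "P001": {
            "name": "Sample Patient", "dob": "1970-01-01",
            "ssn": "000-00-0000",            # never in any allowed set
            "insurance_id": "INS-TEST-1", "diagnoses": ["J45.909"],
            "medications": ["albuterol"], "allergies": ["penicillin"],
            "procedure_codes": ["99213"],
        }
    })


if __name__ == "__main__":
    gw = build_gateway()
    print(gw.disclose("P001", "payment", "Constructed Billing Co"))
    gw.revoke("P001", "research")
    try:
        gw.disclose("P001", "research", "Constructed Registry")
    except DisclosureDenied as exc:
        print("denied:", exc)
    for line in gw.accounting_for("P001"):
        print(line)
```

The design choice worth noting is that the filter is an allow-list keyed by purpose, so a field the policy never mentions (the constructed `ssn` above) cannot leak through any purpose, and the accounting entry is written in a `finally` block so a denied or failed request still leaves a trace.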

HIPAA requires that the sharing of electronic information be done securely and privately, and it sets forth standards of transactions codes and identifiers designed to speed up the interchange of information between entities, using Electronic Data Interchange (EDI) standards. Health care entities must follow a number of verifiable steps within their organizations, such as designating a privacy officer and providing their staff privacy training.

Who Must Comply and When?

HIPAA covers health plans, private or governmental, HMOs, employer-sponsored health benefits plans, individual or group health insurers, billing companies, health registries, public or private, and all health care providers.

In short, if you work in the medical field or in medical research or related data aggregation and electronically transmit personally identifiable medical information about anyone other than yourself, HIPAA means you.

Do you say, "But mostly I use paper records, so I'm not affected, right?"

Wrong. If any entity in the health care chain electronically transmits even one piece of personally identifiable medical information from a patient's record, say a bill by a billing agency, the entire medical record, both paper and electronic, becomes covered information as a "mixed medical record". For all practical purposes, it is easier and safer to comply with HIPAA's electronic privacy standards in all your dealings as a matter of policy than to try to carve out what you think may be uncovered data.

The transaction rules will take effect Oct. 16, 2003, for most health care providers and organizations, so the time is now to set up and train staff in reasonable security practices to safeguard the confidentiality of patient data. Time is needed to assess compliance needs, set up and then thoroughly test systems, and be ready under the new standards by the deadline. Under the Administrative Simplification Compliance Act, health care plans and providers must submit information on their compliance activities, including budget, assessment of compliance concerns, whether a contractor or vendor might be used to help achieve compliance, and a schedule for testing to begin no later than April 16, 2003.

How Do I Comply?

HIPAA wasn't designed to ruin your life, your practice, or your business, but it surely has the power to do so if not complied with properly. The penalties for violations of HIPAA are both civil and criminal, and include sanctions, monetary penalties, and criminal prosecution in cases of fraud.

Happily, the same power that makes computers such a threat to privacy also makes them capable of reining in abuses. HIPAA regulations may seem daunting at first glance, but to a computer engineer they represent merely another challenge that can be met. And once met, the system needn't be repeatedly reinvented. Carefully planned compliance systems, once designed and in place, can be relied upon to follow the HIPAA rules and insist upon them, and to notice what a human might not in the mountain of data. It's what computers were built to do and do well.

The whole world is still learning how to use computers effectively. HIPAA merely sets a deadline for mastering certain computer security systems in order to have the structure to comply with its standards. The truth is, the whole world needs to learn to protect itself better in an electronic age, and complying with HIPAA regulations, far from hurting a company or individual, positions that company or individual to master what is needed for its own protection as well as the protection of patients. The complexity of health care, coupled with the power of computers, offers opportunities to those who recognize the value of developing a structure to improve security, efficiency, and organizational policies.

How MedAbiliti Can Help

MedAbiliti can help with the transition. MedAbiliti can provide the software, the system audit, and the training needed to ensure your organization is meeting all HIPAA requirements.

MedAbiliti understands how the complex health care delivery and reimbursement systems work, including government forms and the accounting systems employed, and can set up a personalized HIPAA-compliant data security system so you can meet the new federal standards for patient privacy and security. In the process, we can help you reduce redundant points of operation and optimize your information systems to ensure a consistent and structured workflow.

MedAbiliti can also help you recognize and close security holes so as to prevent health care information from falling into the wrong hands, and deploy secure, effective, and integrated networks that provide confidentiality and meet and exceed security requirements.

MedAbiliti can help you to realize the benefits of medical informatics opportunities you may not know you have, show you how to use custom informatics techniques to enable analysis of data sources, so as to develop and find value in aggregated computerized data, stripped of personally identifiable information, which is of great value to companies, researchers, and other organizations.

Please contact us at hipaa@medabiliti.com for more information.

Copyright 2003