Florida NASW Chapter Newsletter. January 2003
HIPAA – Big and Hungry, but Manageable.
Michael Freeny, LCSW
Clinicians are increasingly
encountering the word “HIPAA”. It appears in
mailings for CE courses, in discussions about privacy,
in requests for extensions and compliance dates. Many
mental health professionals feel confused, overwhelmed,
or frankly clueless about this strange beast called
HIPAA. Even those brave souls who try to learn about it
find that information is often contradictory or
perplexing. What follows is a brief overview about what
you need to know, where you can find it, and how
important this should be.
What is HIPAA?
HIPAA is a shorthand term that
stands for a collection of new federal rules regarding
the management of medical and mental health information.
The rules, or standards, grew from the original Health
Insurance Portability and Accountability Act (HIPAA) of
1996, which allowed people to take their employer-sponsored
health insurance with them upon leaving a job
(so-called COBRA). The HIPAA rules about medical records
have been in development at HHS (Health and Human
Services) for years and are now nearing deadlines for
compliance. All of healthcare is abuzz with HIPAA talk.
The rules were developed to bring
some consistency and efficiency to the process of
sharing medical information, making insurance claims,
and getting paid. Increasingly, national providers and
insurers have struggled with the differing laws and
rules of 50 state venues. The idea is to create national
standards for quick, easy, and painless processes for
sharing and authorizing treatment. In fact, these
regulations fall under the optimistically named
“Administrative Simplification Compliance Act”. HHS
has the role of defining rules for electronic claims,
remittance, and eligibility information and standards
for protecting the privacy and security of medical
information.
Who and What is Covered?
The regulations directly cover
three health care entities: providers, insurers, and
claims clearing houses, collectively called “covered entities”.
This includes any provider of health services, hospitals,
clinics, agencies, and mental health providers.
Originally the scope of the legislation covered only
those entities that use or transmit electronic medical
information.
Many professionals hoped for a
loophole to dodge the regs by sticking to a
“paper-based” practice. However, to avoid
discouraging health providers from adopting information
technology, HHS expanded the scope of the rules to
include ALL medical records.
To qualify as
“electronic”, information need only have been
typed in a letter on a computer, faxed to or from a
computer, a message left as voice mail, or transmitted
electronically by anyone in the chain of filing a claim,
even the insurer.
What’s Involved in Complying?
Complying with the rules involves
new behaviors, new policies, and some training. Both
small and large providers must research and document
their compliance with current rules (a gap analysis),
develop or tweak policies to comply, test certain
systems, clarify some contracts with vendors, prepare
new disclosures, and train staff in proper functioning.
Although the rules cover a lot of
ground, three areas are of most immediate concern to
providers: Privacy Standards, Security Standards, and
Transaction Code Sets (not as scary as it sounds).
The Privacy Standards
Although some sources report that
the privacy regulation is a mind-numbing 1500 pages
long, it is realistically about 40 to 80 pages long. The
regulations become effective on April 14, 2003 and all
“covered entities” must be in compliance at that
time.
The most visible result of this
compliance will be the mandated use of a “Statement of
Privacy Practices” issued to clients by all covered
entities regarding how they protect, share, and disclose
personal medical information. Anyone with health
insurance will receive a Statement of Privacy Practices
early next year. Many physicians are already having
patients sign one. After 4/14/02, all providers must use
them. The regulations expect that this document will
replace the traditional “consent for release of
information” in most routine circumstances.
Psychotherapy notes are handled separately from
other patient information and will still require an
authorization for release.
The privacy rules detail a number
of things the provider must decide for their own
Statement of Privacy Practices. Although there are some
sample templates available, the provider will want to
know what is required, what is discretionary, and what
they have told the client is the actual policy. HHS is
responsible for enforcing compliance, and violations
include both civil and criminal penalties from $100 to
$250,000.
Security Standards
The security rules work in
conjunction with the privacy rules to secure the private
medical information (called Protected Health Information
- PHI). These standards address protecting and securing
the privacy, integrity, availability, accessibility, and
storage of medical information. This includes passwords,
backups, faxing, archiving, access, transmission, etc.
The rules don’t specify any hardware or software
requirements, but instead establish what must be
accomplished. Again, the provider will need to develop
behaviors, policies, procedures, and training to guard
client data in any form (written, electronic, or oral).
The transactions and code set
standards are probably the least understood of all the
adopted regulations, even by those one would expect to
know, like billing companies and software vendors. All
covered entities are supposed to be compliant as of
October 15, 2002 unless they requested a one-year
extension from HHS. That deadline has passed, but many
sources report that these inscrutable, highly technical
code-set regulations are too murky for providers, so
most medical professionals are focusing their energy on
meeting the privacy and security rules.
What Needs to be Done
Mental health professionals in solo
or agency practice can expect to devote some time and
energy to these broad new rules. The importance and
impact of the new regulations shouldn’t be
underestimated. Many vendors will be offering training
programs and compliance packages, but realize that one
size does not fit all and distributing forms without
understanding the meat of the regulations will be
perilous.
Most practitioners and
support staff will likely want to take a six-hour course
that covers the current rules and helps to develop some
documents and procedures for immediate use. Even as the
deadlines approach, the approach should be systematic,
not frenetic.
There are a number of information
sources on the Internet and course offerings will
continue to filter through your mailbox. Mental Health
personnel and agencies should look for a course with
expertise in the particular needs and rules for
psychotherapists.
Like the elephant in the
living room, the hungry HIPAA can be tamed, but it
can’t be ignored.
References
www.naswdc.org
www.hippadvisory.com
http://aspe.hhs.gov/admnsimp/
http://www.clinicalCE.com