Breaking through the HIPAA hype

September 9, 2002

Forget the scare tactics. Here's how to get ready on your own, without spending a fortune.


COVER STORY


By Wayne J. Guglielmo
Senior Editor

It's a rare day that FP Bob Patterson doesn't receive a pitch—via fax, phone, e-mail, or snail mail—from someone trying to sell him a HIPAA-related product or service.

Thus far, the Sanford, NC, solo-practitioner has resisted the come-ons. "Sure, I look to see what they're selling," he says. "But some of the HIPAA rules are still being decided, so it bothers me that people are trying to offer advice and products about something that's still up in the air."

Patterson isn't the only doctor who feels caught in the marketing cross-hairs. "A lot of consultants out there are hyping terrible scenarios designed to drum up business," says Richard G. Roberts, an FP in Belleville, WI, and chairman of the board of the American Academy of Family Physicians.

If the fear factor has worked on some doctors, it's turned many more off, especially those in smaller practices who can't afford to delegate the problem away. Overwhelmed and cynical, they've decided to bury their heads in the sand, hoping HIPAA will prove as benign as Y2K.

That's unlikely. "This is a vast piece of legislation, with deadlines and consequences for not meeting those deadlines," says Paul Zang, deputy director of the Michigan Osteopathic Association.

Indeed. For doctors, the Health Insurance Portability and Accountability Act of 1996 mandates sweeping day-to-day changes. At the heart of the law are a series of new standards—for electronic transmission, coding (medical and nonmedical data), identification, security, and privacy. Taken together, they will substantially alter how you manage patient medical records and other protected data, and how you communicate with billing services, health plans, fellow health providers, and other vendors. (See "A HIPAA glossary" for definitions of the new standards.)

Penalties are stiff, starting at not more than $100 for noncriminal violations, and escalating to $250,000 and/or 10 years in prison for criminal violations.

What, then, is the harried doctor to do? Fortunately, there's a middle ground between fear-mongering HIPAA hype and outright denial. In fact, there's a wealth of free or relatively low-cost resources available to doctors in smaller practices, much of it from medical societies. Here, we tell you which resources the experts recommend, and provide a handy road map leading to HIPAA readiness (see "How to handle HIPAA on your own").

More of the law is nailed down than you think

Doctors who say the HIPAA sand is still shifting are only partially right.

True, a final rule for the "Security and Electronic Signature Standards" has yet to be published (this deals with administrative procedures, physical safeguards, and technical safeguards such as the authentication of sender identity). And yes, the final rule nailing down last-minute changes in the privacy regs—including one that substitutes patient notification with patient authorization—is still being digested as we go to press.

Meanwhile, much about HIPAA isn't in flux. Despite the changes, the privacy rule carries a no-excuses deadline of April 14, 2003. The code-set and electronic transfer standards are also in place, although their original compliance date, Oct. 16, 2002, has been pushed back a year.

To qualify for this extension, you must ask for it, either electronically or in writing. Electronic and paper submissions must include a summary of your proposed compliance plan. (If you file electronically, you must also include your budget and implementation strategy.) Both forms are available online from the Centers for Medicare & Medicaid Services (www.cms.hhs.gov/hipaa/hipaa2/ascaform.asp).

"Everybody should apply for the extension," says Robyn Meinhardt, a health care attorney in the Denver office of Foley & Lardner. "There's no reason not to." That includes doctors who believe they can meet the deadline by this October, or those who are exempt from the standards because they conduct business in paper-only offices.

Once the extension ends, smaller practices may still be okay, says Meinhardt. "Many will come into compliance merely by using a billing clearinghouse"—which itself must be HIPAA compliant by next October's deadline. "Smaller offices will probably use this option until it becomes easier or more feasible to bill on their own."

Self-education—step one on the road to readiness

Getting up to speed on the privacy standards may be harder, but not impossible.

"First thing I tell doctors is don't panic and don't hire a consultant," says Janet Horan, director of socio-economic affairs at the American Osteopathic Association. "If you're in a small practice, you can probably do it yourself."

This can-do attitude is shared by other experts. "HIPAA is serious business, but you can handle it," says FP David C. Kibbe, the AAFP's director of health information technology. "And you needn't spend a lot of money, because there are good books and materials already out there." Some recommended ones:

• "Field Guide to HIPAA Implementation," put out by the AMA ($134.95 for members, $139.95 for others). This how-to manual includes a CD with documents, worksheets, and forms. To order, call 800-621-8335 or go online to the AMA.

• "HIPAA Privacy Manual: A How To Guide for Your Medical Practice," published by the AOA and free to its members with online access.

• "The HIPAA Administrative Simplification Tool Kit for Small Group Practices," published by the California HealthCare Foundation. Available in PDF format, the toolkit can be downloaded free of charge from the foundation Web site (www.chcf.org). One caution: The material was published in 2001 and may need some updating.

Other sources of information include:

• The Web sites of the Workgroup for Electronic Data Interchange (www.wedi.org) and the North Carolina Healthcare Information and Communications Alliance (www.nchica.org).

• The Department of Health and Human Services' Administrative Simplification Web site (aspe.hhs.gov/admnsimp).

• The American College of Physicians-American Society of Internal Medicine (www.acponline.org) also gives members free access to HIPAA materials.

• State medical societies. Recently, the Michigan Osteopathic Association sponsored nine all-day seminars for both Michigan DOs and MDs ($300 for members to $325 for nonmembers). Ask what HIPAA-related seminars or conferences your medical society has planned.

Figure out where your office is lagging

Once you or a designated staffer know enough about HIPAA to feel comfortable, take time to compare your current privacy policies and procedures against the new requirements.

Measuring the gap between where you are and where you need to be can be done in a number of ways. You can use many of the resources listed earlier, or you can use your computer to conduct the analysis. Here are two useful electronic resources:

• "HIPAA EarlyView Privacy" is a CD-based self-assessment tool developed by the North Carolina Healthcare Information and Communications Alliance in conjunction with the Maryland Health Care Commission ($100 for members, $350 for nonmembers). The program leads users through a graduated series of questions to determine how a practice currently handles protected patient information. Responses are then matched against HIPAA privacy requirements to determine problematic "gaps" in privacy policies and procedures. A tool to assess security readiness is also available from NCHICA.

• HIPAAdocs is a Web-based self-assessment, training, and policy-generation tool. It's an ongoing, updatable service that costs from $850 to $2,400 a year, depending on practice size (there's a 50 percent discount on the first year's price if you sign up for a second year). Although designed for smaller practices, the service can be adapted for larger groups. For information, go to www.hipaadocs.com.

Bringing in the experts for a final review

Although the wealth of resources available can make HIPAA compliance a do-it-yourself job, you shouldn't avoid the experts entirely. None of the books or seminars or Web sites or computer programs is intended to substitute for final legal review by a HIPAA-savvy health care attorney. Such legal advice is especially crucial—say experts and the government itself—when redrafting business-associate contracts for HIPAA compliance.

Competent legal advice may be another necessity in the thorny area of pre-emption of state law. Generally, the privacy rule trumps state law that's contrary to or in conflict with it. There are exceptions, however, including when a state statute is stricter than the federal privacy rule. For example, your contract with a vendor, such as a bookkeeping service, might comply with federal law but not with a tougher state law.

Unfortunately, laws affecting physician practices are typically so scattered among different statutes within a state that deciding what trumps what is difficult. That's why individual doctors would be wise to seek legal counsel, making sure the contracts and policies they draw up will pass both state and federal muster.

By now it should be clear: HIPAA isn't going away. But that doesn't mean doctors in small practices must succumb to the scare tactics and marketing hype of vendors and consultants trying to make a quick buck.

Finally, hard as it is, try to keep an open mind about HIPAA, and especially the privacy aspect of it. Says the AOA's Horan, "When I speak to doctor audiences, I always say to them, 'Look, you're patients, too. How would you want your medical records treated?' Once we've had this discussion, their outlook changes a lot."


How to handle HIPAA on your own

As experts suggest, you can go it alone, with minimal outside help. Just follow these steps:

• Designate a trusted employee—your office manager is the most likely candidate—to take responsibility for HIPAA readiness.

• Together, learn as much about HIPAA as you can, making use of the low-cost resources available, especially those endorsed by your medical or specialty society.

• Conduct a gap analysis, documenting your current weaknesses and strengths.

• Formulate an action plan—a road map for getting from where you are to where you want to be.

• Develop a set of policies and procedures—and train the entire office team in their implementation.

• Run your revised contracts and other documents by an experienced health care attorney.


A HIPAA glossary

Privacy standards

Perhaps the most controversial of all the HIPAA standards, privacy has gone through several revisions since its first appearance on Nov. 3, 1999. The latest, in March, included a much-debated proposal to eliminate prior written consent—a formal acknowledgement by the patient that adequate privacy protections are in place—as a condition for treatment. Now that the proposal has survived the final rule, adopted in mid-August, doctors must simply inform patients of their privacy rights and receive patient acknowledgment that they've done so.

Among other privacy requirements: Physicians must permit patients to inspect and copy their protected health information, designate a privacy official, develop methods for disclosing the minimum amount of protected information to achieve a given purpose, and develop and use contracts that ensure business associates will also protect the privacy of protected data. The privacy rule will take effect next April.

Electronic transaction and code set standards

If you conduct any one of nine administrative and financial transactions electronically (file claims, request authorizations for services, run checks on insurance eligibility, etc.), HIPAA requires that you do so in a defined, standardized format. For each electronic transaction, you must use standard medical diagnostic and procedural codes when exchanging protected patient data. Scheduled to take effect this October, the electronic transaction and code set rule has been postponed a year, on condition that you file an extension with CMS by Oct. 15.

Identifier standards

HIPAA requires that a unique health identifier—in the case of doctors, an alphanumeric code—be issued to health care providers, employers, health plans, and patients. The rationale: Lack of uniform identifiers makes exchanging data expensive and difficult. For employers, the currently used Employer Identification Number (EIN) has been proposed as the national standard in electronic health transactions. Critics argue that the proposal is unwieldy, since many employers now have multiple EINs. Still more controversial is the health identifier for individuals, which has raised privacy and other concerns. HHS has temporarily suspended action in this area.

Security and electronic signature standards

If the privacy rule determines who should have access to protected data, security is the means by which practices ensure that privacy and confidentiality are maintained. Six areas have been designated, including administrative procedures, physical safeguards, and technical security services. Under physical safeguards, for example, practices must control access to computer terminals through passwords and other procedures, and conduct security-awareness training. As we go to press, a final security rule is expected to be published soon.

Wayne Guglielmo. Breaking through the HIPAA hype. Medical Economics 2002;17:105.