Feds Reach Out and Touch IT
July 10, 2003
By Sean Doherty
HIPAA
The Health Insurance Portability and Accountability Act of 1996 was developed as a two-step dance in health-care reform that puts the Centers for Medicare & Medicaid Services (CMS) in the lead, with the rest of the health-care industry to follow. And if anyone misses a step, the Department of Health and Human Services (HHS) Office of Civil Rights will bring them in line. HIPAA's primary aim is to improve the efficiency and effectiveness of the nation's health-care system and promote the widespread use of electronic data interchange (EDI) in health care. But it would be difficult, if not impossible, to accomplish this without assurances that patient health information will be kept secure and private.
Title I of HIPAA protects health-insurance coverage for workers and their families. Title II deals with administrative simplification and puts HHS in charge of national standards for electronic health-care transactions and national identifiers for providers, health plans and employers. And for IT, it establishes regulations to ensure the security and privacy of electronic health-care information.
HIPAA applies to health plans, such as HMOs, Medicare and state Medicaid programs, and health-care clearinghouses that process electronic health-care information. Under the administrative simplification requirements, size does not matter. If a provider transmits, for example, health-care claims, eligibility and enrollment information, referral and authorizations for health care, or payment and remittance advice in electronic form, it is subject to the requirements.
Final privacy rules for all but the smallest organizations went into effect on April 14, 2003. For the most part, the rules deal with notifying patients about their privacy rights, training employees to understand privacy procedures, and designating an individual who is responsible for adopting and implementing privacy procedures. But there are sections of the privacy rule that drive the security rules: particularly, the definition of protected health information (PHI) and the requirement to secure patient records containing it.
If you define PHI as a patient medical record in any format, paper or electronic, you would not be wrong. But it can be more or less than that, depending on who collects it and what it contains. PHI is any health information collected by a covered entity that identifies an individual and relates to his or her physical or mental health condition, past, present and future. For IT, PHI does not lose its character when stored or transmitted in electronic format. This is true even where the covered entity contracts with third-party business associates to perform essential functions.
HIPAA does not give HHS authority to regulate other types of private businesses or public agencies outside the health-care industry. For example, the regulations do not apply to employers, life-insurance companies or some public agencies that deliver government benefits, such as Social Security and welfare. Note also that electronic media do not include paper-to-paper facsimile equipment or voice-to-voice telephones. Videoconferencing and voicemail systems are also excluded, because these technologies are secure point-to-point transmissions with privacy protections under federal and state wiretap laws.
Under the privacy rules, covered entities must implement policies and procedures to safeguard PHI in any format, paper or electronic. As with GLBA, policies and procedures can take into account the size of the enterprise and the types of activities that relate to PHI. For example, a pharmacy will have different privacy policies and procedures than a doctor's office. The policies can be in written or electronic form. Communications between patients and covered entities--such as authorizations to access patient records and requests for records--also can be kept in written or electronic form. These records must be retained for possible retrieval for a period of six years. Here, IT can reduce a paper log to electronic form to facilitate access and reduce storage costs.
When you dig further into the privacy rules, you hit a conduit in Section 164.530. There, entities must implement appropriate administrative, technical and physical safeguards to protect PHI. Further, they must guard against any intentional or unintentional use or disclosure of PHI. This opens the door to the security rules, under which entities must ensure the confidentiality, integrity and availability of all electronic PHI they create, receive, maintain or transmit.