Sponsored by the HealthcareTrainingInstitute.org providing Quality Education since 1979
HIPAA is the Health Insurance Portability and Accountability Act, and it was passed with broad bipartisan congressional support in 1996. At the time the legislation was enacted, most behavioral health and human service providers were focused on three important provisions of HIPAA:
Today, that little phrase makes the other two provisions of the act pale in significance when it comes to impact on the healthcare system over the next two to four years. Because of this, many experts have characterized HIPAA as one of the most far-reaching pieces of healthcare legislation ever enacted.
The "administrative simplification" features of HIPAA are really composed of two major parts:
Why all the concern? I believe that behavioral health and human service organizations will face the most scrutiny from consumers because:
There are requirements limiting the disclosure of psychotherapy notes that we believe will cause serious concern once the privacy and security regulations are finalized. We will have more to say on this in future issues.
Let's make one thing clear: If you are reading this article, you are probably covered by HIPAA. Overall, the legislation covers health plans, healthcare clearinghouses, healthcare providers and employers. The specific definitions of these entities are:
For those still doubtful about their HIPAA "exposure," let's look at the specific definitions of the act. It specifically states that the definition of a healthcare provider is:
Among other things, "healthcare" is defined as follows: Services or supplies furnished to an individual and related to the health of the individual. Healthcare includes the following: preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care; counseling; service; or procedure with respect to the physical or mental condition, or functional status, of an individual or affecting the structure or function of the body.
If, after reading this and other material pertaining to HIPAA (see "Additional Resources," page 41), you believe that you are not covered by this legislation, I strongly suggest you obtain a competent legal opinion from an attorney with experience in healthcare, including interpretation of Medicare regulations and HIPAA itself.
In addition, HIPAA covers any "business partner" of a covered entity. A business partner includes a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of or perform on behalf of a function or activity for the covered entity. Examples include contractors or other persons who receive information for purposes noted above, including lawyers, accountants, auditors, consultants and billing firms.
Covered entities cannot disclose protected health information to business partners without satisfactory assurances that the partner complies with relevant HIPAA standards.
Step 1: Educate yourself, and promote awareness and education among senior management and the board of directors. HIPAA should be considered a serious compliance initiative, and every effective compliance program begins with a formal commitment from the governing body.
Because this compliance will require resources in the form of funding and staff time, senior management must be forthright in its approach to the compliance effort. (Web sites that offer downloadable presentation materials are listed in "Additional Resources.")
Step 2: Develop an organization project team for managing HIPAA compliance. Most organizations had some sort of compliance committee or team in place for Y2K preparations or have one for JCAHO, CARF or other accreditation and/or regulatory concerns. These teams can serve as a logical point to begin HIPAA compliance assessments and planning.
Step 3: Conduct an organizational risk assessment. This can be a complicated and time-consuming task. I suggest the following approach:
Step 4: Develop and implement policies and procedures to address identified risks. The most important point of this step is to implement "policies and procedures" revisions and additions. There might be adjustments to the overall project plan in this phase because:
Step 5: Develop and implement staff education and training. This is specifically required by the legislation, and is not a one-time event. Staff will need to be retrained when new technology and operational practices are developed and deployed. Organizations with high staff turnover will face the most cost and management burdens in keeping staff up to speed. Additionally, under the law, staff will have to be recertified in this at least once every three years.
Step 6: Provide continual auditing and monitoring of compliance activities. This goes beyond putting something on paper. In order to be judged compliant, an organization will have to document that it has followed those policies and procedures approved by senior management and the board of directors.
While there is some speculation about the fate of these regulations given the change in the White House, most industry observers believe that there is no legislative mandate for change in the coming years. Even in the event that the Bush administration rolls back HIPAA, market pressures, consumer concerns about privacy, payer pressures for standardized transaction formats and political pressures might restore the regulations. That is why it is important to:
Based on my understanding of the regulations and their potential cost impact to organizations, I believe that there might be a positive cost/benefit to compliance. I have completed development of some initial cost models based on various organization sizes, and my conclusions are:
While there is certainly variation in these estimates, my simulation modeling demonstrated that 90% of organizations should realize a cost/benefit value of at least $1.34. I believe that, overall, an organization can experience a positive long-term benefit in complying with HIPAA.