HIPAA & Its Impact on Health Care Organizations
by Rodney Welsh

In general, HIPAA's administrative simplification provisions are designed to standardize administrative and financial electronic transactions, e.g. electronic patient billing, to reduce the costs and administrative burdens of health care. HIPAA also imposes comprehensive security and privacy regulations for the protection of an individual's health information.
For the last several years, health care providers, insurers and others have been struggling to implement the administrative simplification section of the Health Insurance Portability and Accountability Act (HIPAA) of 1996. The act addresses both health insurance reform and administrative simplification.
Most health care organizations have implemented the HIPAA privacy rules; the industry is still struggling with HIPAA's transaction and code set electronic data interchange (EDI) rules. HIPAA security is on the horizon. Did you know compliance with the final security rule is required by April 21, 2005?
Security and Privacy
The focus of the security standards is to safeguard electronic protected health information (PHI) and the systems that store, process and transmit that information. Major provisions of the standards deal with administrative, physical and technical safeguards necessary to accomplish this.
Most organizations will discover they have already begun to address key elements of the security standards as they prepared for privacy. Common elements such as assessing the PHI access needs of your personnel, prevention of incidental disclosures, restricting access to PHI, physical protection of PHI and training are a few areas where the privacy and security standards overlap.
Take Appropriate Steps
2004 is the year to assess and remedy HIPAA security risks. A key factor management needs to understand is that the security rule includes required standards that must be implemented as specified in the rule and addressable standards that can be implemented according to the rule or in any other way that accomplishes the security objective. This will require that you base your security decisions on a risk assessment (required by the rule).
The good news is that this will allow you to implement the security approaches most appropriate to your health care organization. But don't delay: security compliance will take time and will require budget planning. Ask your technology personnel when your risk assessment will be available for management review.
Use Qualified Resources
It's likely you have been able to rely on existing internal resources, already familiar with the traditional basics of privacy, confidentiality and EDI, to lead your HIPAA compliance efforts. However, the security rule may require expertise not available within your organization. Any resources you bring in to assist with HIPAA security also must be able to demonstrate familiarity with the privacy and transaction and code set rules. Security compliance will not be an isolated technical exercise; it must be implemented so it complements and supports the other rules.
More Rules?
The Department of Health and Human Services continues to propose and finalize rules related to HIPAA. Here are a few on the horizon for 2004.
- The final rule establishing a national provider identifier was published Jan. 23, 2004;
- August: A proposed rule to establish standards for claims attachment transactions;
- September: A proposed rule to modify existing electronic transactions and code sets standards;
- September: A final rule to require, with limited exceptions, electronic submission of Medicare claims;
- And at some point, a proposed rule to establish a national payer identifier.

For further information on these rules, visit http://www.cms.hhs.gov/hipaa/hipaa2/.
Ongoing Compliance
Managing your health care organization's privacy and security concerns in the context of increased electronic transaction standardization is now a way of life. It is a legal imperative and is expected of you by your patients and clients. Make sure your compliance team is providing you with the information necessary to make informed management decisions.
Rod Walsh is a Senior Managing Consultant in the Kansas City office of BKD, LLP. He can be reached at 816.701.0245 or by e-mail at rwalsh@bkd.com.