What is HIPAA?
HIPAA is an Act of Congress. To be exact, it is the Health Insurance Portability and Accountability Act of 1996. The last Act of Congress to affect American business this dramatically was the Americans with Disabilities Act of 1990.
In HIPAA, Portability means being able to keep your health insurance, for instance through COBRA. That's important to people, but it's certainly not what the HIPAA uproar is about.
The HIPAA uproar is about accountability. Accountability means that the Federal Government now regulates ALL U.S. health care providers, doctor's offices, etc. for the privacy and security of ALL information regarding their patients. Penalties for HIPAA violations include fines starting at $100 per violation and ranging all the way up to $250,000 and ten years in prison.
Did you know that the pharmaceutical giant Eli Lilly exposed the e-mail addresses of patients who had signed up for its Prozac reminder service? How about the fact that tennis great Arthur Ashe's HIV status was office gossip that slipped out to the press, forcing him to address it publicly? These and countless other violations of privacy are exactly what HIPAA is intended to combat.
Protected Health Information (PHI) can be used by marketers, employers, insurance companies, politicians, and any number of other entities to discriminate, punish, hire, fire, market to and even blackmail you. Somebody has to protect that privileged information, and that somebody is YOU, the health care professional. Why? Because an Act of Congress says so, that's why.
If you are a licensed medical provider of any kind, no matter how small your office is, you are (or will soon be declared to be) a "covered entity" under the HIPAA regulations. Anything else you've heard is simply not true. HIPAA is here to stay, and unless you're considering a career change, you're going to have to take it seriously.
What should you do?
Educate yourself. Call your local professional association and ask when the next seminar is taking place. Once you attend, you'll have a better idea of the scope of HIPAA. If you'd like to learn more right now, here's a link to a pretty basic presentation:
Multnomah County HIPAA 101.
If you’d like to find
an available seminar near you, try these links…
Oregon Dental Association
Oregon Medical Association
Chiropractic Association of Oregon
You are going to have to do a lot of the privacy work yourself, and that's okay, because qualified HIPAA help is hard to find. Even when you can find it, it will be expensive, so all the work you can do yourself will save you money. It won't be particularly difficult, but it will take time. A lot of time. The average two-doctor office, with a staff of 6, will require 60 to 80 hours of work to become fully HIPAA Privacy compliant. Even then, regular maintenance will be required to remain compliant.
There are dozens of software packages to help with the privacy rules, ranging in price from $300 to $3000 and even higher. They are designed to facilitate everything you need to do, and boy, is there a lot to do. Do not attempt to do it without one of these packages unless you like punishing yourself. At this time I've used three, and all of them were pretty easy to get started with.
with. If you need help finding one,
Security and Privacy
There are actually two separate and distinctly different HIPAA accountability sections. One deals with privacy, and the other with security, both physical and electronic. The HIPAA Security Rule was finalized in February 2003, and full compliance is mandatory by April 21, 2005.
However, the first HIPAA compliance deadline has already passed. October 16, 2002 was the deadline for compliance with the Transactions and Code Set Standards for electronic billing. You should have filed a request-for-extension form by October 15, 2002, and if you didn't, you are already in violation. You need a copy of a corrective plan of action filled out and in your file cabinet in case anyone comes to check (which they won't, but do it anyway).
Unlike the privacy rule, the security rule cannot be dealt with yourself simply by using a software package and allocating enough time. The technical skills and computer knowledge required to complete the Security Risk Assessment are fairly extensive, and most small offices will have to outsource in order to get an accurate picture of the steps they'll need to take to become Security compliant. By starting on the security plan now, there will be over a year before the deadline to budget for any required changes to your
Just like the Americans with Disabilities Act of 1990, HIPAA will create a cottage industry of HIPAA-related services, businesses and consultants. That industry can be an excellent resource for you, or an incredible boondoggle to try to navigate. My own business, Portland Technology Consultants, currently performs HIPAA Security services, but only for offices with fewer than 25 employees.
This article is not intended to scare
you, but to inform you. Make no mistake, there will be an enormous amount
of work involved, over the next few months and years, not only for doctors
and their staff, but for pharmacies, insurance companies and lawyers too.
Be sure you get quality advice, service and products at fair prices. The best way to do this is to talk among yourselves. Call and e-mail your friends and colleagues to discuss progress, software, and any compliance problems and solutions that might help others. Above all, don't worry! Just don't procrastinate and you'll be fine. You made it through medical school,