HIPAA and the Transmission of Sensitive Health Records

By Lisa Radcliffe, Regional Director, Peter Martin Associates

The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191), or HIPAA, was enacted as part of the Clinton Administration's incremental health care reform. The law requires the U.S. Department of Health and Human Services (DHHS) to create standards for the definition, management and exchange of any health information that identifies an individual patient. Information that is not individually identifiable falls outside the law.

HIPAA is the first national standard for health data that is stored and transmitted electronically. Historically, standards have existed at both the state and national level for paper record-keeping. Under existing law, some types of information are considered privileged and require certain standards of non-disclosure, including information regarding minors, HIV/AIDS, substance abuse programs and legal or medical counsel. Understanding, implementing and enforcing such paper standards is a far different matter from doing the same for the databases, pocket PCs, Palm Pilots and Internet connections that now store and transmit the same special class of data. HIPAA was created, in part, to set standards for this brave new technological world. The need to manage health care costs, the practice of risk pooling among insurance companies and the implications of wireless connectivity have all compounded the need for such standards.

The Act has several key components, one of which is "Administrative Simplification." The underlying intention is to simplify the process of applying for and receiving payment of health care benefits among disparate health care providers, payers and reporting systems nationwide. Simply put, the standard code for a treatment in any doctor's office in New York would match the code for the same treatment offered by a doctor in California. Treatment providers would use this single numeric code to bill for the service, and payers such as insurance companies would reimburse based on that code. This process also mandates unique identifiers for providers, health plans, employers and individuals receiving services. At this time, a ten-digit numeric identifier is proposed for providers, health plans and individuals, while the existing nine-digit employer identification number (EIN) is proposed for employers. Currently, over 400 electronic data interchange (EDI) formats are in use; as a result, programming computer systems or managing the paperwork to fulfill the reporting requirements has been a difficult and expensive process.

Another component of HIPAA is informed consent. An individual receiving services must sign a consent form authorizing the transmission of information for the purposes of securing payment and/or further treatment and diagnosis. The intent is to limit the information shared with third parties to what is essential. Upon written request, a patient has the right to a list of all third parties to whom the information has been released. Patients can also receive copies of their own medical records and demand correction of potentially harmful errors. To support this process, HIPAA contains provisions that impose minimum standards for data encryption, system security and data integrity. After the final HIPAA standards are adopted, small health plans have 36 months to comply; others, including health care providers, must comply within 24 months.

The worrisome aspect of medical data becoming highly portable is the increased risk of security breaches. Handhelds in particular make it easy to download full patient records for use both on and offline by clinical workers in the field or doctors working in mobile units. How is this critical data secured and protected? New biometric devices that require voice, eye or fingerprint scanning for authorized use, as well as encryption programs, are designed to avert security problems, but understanding of the appropriate measures, and their actual implementation, remains spotty at best. One caveat worth keeping in mind: a biometric or password lock on a handheld protects only the copy on that device. Every other copy of the record, the one synchronized back to a desktop, the one sent as an attachment, the one left on a shared server, needs the same protection in storage and in transit, or the lock on the handheld buys little.

Some HIPAA provisions acknowledge this genuine concern, and the law provides for significant financial penalties for violations. The civil penalty for a general failure to comply is $100 per violation, capped at $25,000 per calendar year for all violations of the same requirement. Wrongful disclosure of individually identifiable health information carries stiffer, criminal penalties: each offense can bring a fine of up to $50,000, imprisonment of up to one year, or both. The same offense committed under false pretenses carries a fine of up to $100,000, imprisonment of up to five years, or both, and where the information is obtained or disclosed with intent to sell it for commercial advantage, personal gain or malicious harm, the penalties rise to $250,000, imprisonment of up to 10 years, or both.

HIPAA has broad implications for all parties to health information, from health care professionals to insurance companies to employers providing benefits. Until HIPAA is fully defined, understood and enforced, the scope of these changes may be difficult to assess. To review the final regulations in their entirety, download them from DHHS's Web site at http://aspe.os.dhhs.gov/admnsimp/. The anticipated compliance date for the privacy regulations is February 26, 2003.

You can contact Lisa Radcliffe at lradcliffe@petermartin.com.