Tech News United Way of New York City
The HIPAA Compliance Process – What Does It Look Like?
By Clark Slayter
Everest Consultants, Inc.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to address two concerns the public had regarding the U.S. healthcare industry. These concerns were the increasing cost and complexity of obtaining healthcare and the loss of confidence in the traditional belief of patient/doctor confidentiality. In enacting HIPAA, the Federal government created regulations that impact all organizations that provide any type of medical treatment, do any medical claims processing, or provide any health plan coverage. These regulations will also eventually impact many of the organizations that provide services to these "covered entities." [See "HIPAA and the Transmission of Sensitive Health Records" by Lisa Radcliffe, TECH NEWS, www.unitedwaynyc.org/technews/v5_n1_a4.html.]

Don't Procrastinate on Compliance
If you're like over 80% of the organizations covered by HIPAA, you filed the Transactions and Code Sets (TCS) extension form on or shortly before October 16, 2002. For many organizations, it was at that point that HIPAA changed from some nebulous future thing into an "Uh-oh, I'm late" reality hit. If you're still early in your HIPAA compliance effort, you shouldn't take any comfort in the fact that you may have lots of company. It is critical for you to begin or advance your efforts until your plan to meet the various compliance deadlines is in place.

The penalties for not meeting the compliance targets range from being forced to provide a hurriedly developed compliance plan, probably at greater than expected expense, to fines starting at $100 per violation, up through criminal penalties consisting of $250,000 fines and serving time in jail.

Everest Consultants, Inc. has identified four phases in the overall HIPAA Compliance Process:

      1) Awareness
      2) Assessment
      3) Remediation
      4) Ongoing Operations

Viewing compliance as an opportunity, rather than an imposition, will help your staff deal successfully with the effort required to transition. Remember that HIPAA's overall objective is to deliver healthcare more effectively and less expensively while restoring consumer confidence in the medical industry. Keeping this positive perspective in mind, let's take a look at what's involved in each of the phases.

Awareness
During the Awareness phase, your organization becomes familiarized enough with the HIPAA requirements to determine how best to proceed with compliance efforts. If you have any questions in this regard, refer to www.cms.gov/hipaa or www.hipaadvisory.com for more information. By the date of this article's publication, this phase should be well under way, if not already completed.

By now you should have identified a few key staff members to serve as leaders in your compliance effort – making them responsible for understanding what HIPAA compliance entails and how, specifically, it must be realized in your organization. These individuals should determine which aspects of your organization deal with medical treatment, access to medical records, and/or processing claims and billings for treatment. You should also promote a general awareness of the compliance requirements in all your staff. Your employees' realization that you value their input in strengthening the organization can be a tremendous motivating factor.

Assessment
The focus of the Assessment phase is to review your organization and identify what areas might be affected by HIPAA regulations – taking a detailed look at those areas and determining what changes must be made in order to become compliant. If you are not well into the Assessment phase, you're running late on your compliance effort. Until you complete the Assessment phase you don't know how long it will take or what steps are needed to meet the HIPAA standards. Given the fast approaching, federally mandated target dates in April 2003 for both the Privacy Rule and the testing of your transactions support systems, you need to quickly determine what it will take to meet those deadlines. Remember that you should be documenting your efforts along the way, so that you can demonstrate "due diligence" in compliance should your agency ever be called on it.

As a first step in the Assessment phase, the staff members you've identified to lead your compliance effort should have access to all functional areas and physical facilities in your organization to determine which of these might be affected by the HIPAA guidelines. A general rule is that you should examine any aspect that deals with client medical information, billing or paying for medical care, or providing health coverage. Exercise the talents and interests of your staff wherever possible, enlisting them to participate in this Assessment process. Often, staff has already identified organizational needs and potential improvements.

By the time you've completed your Assessment, you should have a list of items in need of correction, as well as a list of items that are already compliant.

As an example, let's consider an organization operating out of two facilities:

Facility A exists to provide meals and shelter to the homeless. Facility B provides housing and care to persons with AIDS, and also provides meals to these and other homeless people, and handles billing to state agencies for the AIDS services. Facility A and the meals area of Facility B are unlikely to be affected by the HIPAA regulations. While it doesn't hurt to do a walk-through of these areas to confirm that they're exempt from the guidelines, it isn't critical. However, Facility B's AIDS housing and care unit, as well as its billing functions, require a thorough review.

This review can be accomplished with an internal team of staff that might consist of your designated Privacy Officer and experienced employees working in the affected Facility B areas. This team should review the flow of medical information and ask a few key questions:
  • Is each person viewing the information seeing only what is necessary to perform his or her job?
  • Is client medical information secure, or is it discussed or left lying around in places accessible to the public?
The team should also perform a thorough review of the billing unit:
  • Is it necessary to bring in a consultant with IT expertise to ensure compliance?
  • If so, should this consultant perform a Security Rule review of your organization overall?

Remediation
The Remediation phase constitutes the practical effort to meet HIPAA requirements. Since the target dates for the various rules extend from April 2003 (for the Privacy Rule and transaction support systems) through 2005 for the Security Rule, there is a good chunk of time in which to bring your agency into compliance. It's also useful to note that this can and should be a one-time effort to implement the systems, policies, and procedures that will keep you in compliance for all future operations. You should prioritize your list of items, such as changing internal forms, documenting existing procedures, developing privacy policies, and structuring training. You should also look at a variety of options for addressing each of these objectives since there are usually several possible approaches. Once again, remember to use internal skills and pay attention to internal approaches wherever possible. Once you've decided how to address each item, document your plan and use it to measure your compliance progress.

Taking our earlier example:
Let's say you find that the dietary plan prepared by your Facility B AIDS care unit and sent to the Facility B meal preparation area contains unnecessary diagnosis information. This is easy to correct, but you decide to implement the change shortly before the Privacy Rule target date of April 14, 2003, since that is when you will order your new set of forms. You also find that you need a policy and procedures manual for your AIDS care unit, so you have one of your volunteers, who is a technical writer, start on that right away, because you need the manual before you can begin staff training. You could have purchased a policy manual template, but during your investigation, you found that most of the templates would not be used. After looking at several approaches to implementing the new Transactions and Code Sets, you also decide to switch to a clearinghouse to handle your billing. This is because you found out that your billing system vendor will not be updating your old version, so you would have to purchase a new system and this would cost more than your billing volume can justify.

Ongoing Operations
You enter the Ongoing Operations phase after you have implemented your corrective items. One of the HIPAA objectives is to institutionalize the processes and procedures that will maintain your organization's continuing compliance. The systems and processes you put in place during remediation must be designed to demonstrate ongoing compliance at any point in the future. This means incorporating audit logs and records that document when periodic reviews and refresher sessions take place. By the time you reach this phase you have invested a great deal of effort in becoming HIPAA compliant, and ensuring that the systems you implement will keep you compliant is better than redoing that effort. The $100 per incident penalty can quickly add up to the $25,000 per year maximum for repeated violations if your processes and systems are not followed and maintained. Remember that additional penalties of up to $250,000 – not to mention time in jail – are possible for intentional and repeated violations, although these are unlikely for most organizations.

A Final Note
One last statistic that may be of interest is an estimate that, in addition to the entities that filed the TCS extension, there are over a million other covered entities nationwide that didn't file. Most of these entities failed to file not because they are already compliant, but because they have not yet made it to the Awareness phase. The Centers for Medicare and Medicaid Services (CMS), which is charged with enforcing HIPAA, has indicated that for now, enforcement will be "complaint driven" rather than actively pursued. This "complaint driven" policy may or may not apply to Privacy Rule compliance, since a different agency, the HHS Office for Civil Rights, is responsible for that enforcement.

Whether you are well into your compliance process or just starting, remember that viewing HIPAA as an opportunity for all of your people to help improve your organization and deliver healthcare more effectively will make a major difference in the success of your efforts. Amidst the confusing swirl that is HIPAA compliance at the moment, taking this "improve the organization" perspective may well be the best way to realize your goals.

You can contact Clark Slayter at cslayter@everestinc.com.

Everest Consultants, Inc. is a software consulting and application development company providing HIPAA expertise as part of the range of support we supply to our healthcare clients. This article contains a summary of information presented by Mr. Slayter on December 6, 2002, at a HIPAA compliance informational seminar sponsored by Foothold Technology. For information regarding an upcoming HIPAA compliance seminar sponsored by Foothold Technology on January 31, 2003, contact Nick Scharlatt at Nick@footholdtechnology.com.

Copyright © 2003 United Way of New York City - All Rights Reserved.