Are You Ready?

So the question is, are you going to be ahead of the game or behind the eight ball next year when elements of the Health Insurance Portability and Accountability Act come into play?

The compliance deadline for the privacy rule portion of HIPAA, the nation's compendium of health care privacy regulations, is April 14. And if you haven't already at least developed policies and procedures for safeguarding protected health information — known as PHI — appointed a privacy official and trained your employees, chances are you'll find yourself behind the eight ball, industry experts say.

“The privacy rules are the number one priority for [home medical equipment] providers, because the compliance deadline is April 14,” says Cara Bachenheimer, a health care attorney with the Washington, D.C.-based firm Epstein, Becker & Green. “People are starting to wake up and smell the coffee, and realize they have to do something. … They needed to have started yesterday. It is not going away.”

That could be a blow to many HME providers who adopted a wait-and-see attitude as the Department of Health and Human Services — working from a 1996 Congressional mandate — crafted privacy regulations, then further debated and refined them. There was, providers thought, the chance that HIPAA might be terminally stalled and any money invested in it could be for naught.

That chance is gone. The 400-page final rule was issued in August.

In addition to the privacy rule compliance deadline, the act also allows for an Oct. 16, 2003, security compliance deadline, if HME providers filed a comprehensive compliance plan with the Centers for Medicare and Medicaid Services by Oct. 15 of this year. The security compliance segment of the rule “goes from how you lock down the building to how you lock your computer files,” says David Pfeil of East Brunswick, N.J.-based Arrow Professional Enterprises, which specializes in health care automation.

The act is thorough, covering everything from employee training to how documents are stored. “You have to have administrative, physical and technological safeguards in place,” says John Parmigiani, the former chief of the HIPAA security and electronic signature team for HHS who now is the national director of HIPAA compliance services for CTG Healthcare Solutions, a consulting firm in Cincinnati, Ohio.

For example, certificates of medical necessity, which often are transmitted electronically to payers, no longer can be sent over an open network without being encrypted or using a virtual private network, Parmigiani says.

Businesses must ascertain how they keep their records, who has access to the records and who should have access to the records. They must protect patients' health information from unauthorized access. “This comes down to the need to know,” Parmigiani says. “Do you need this to do your job? … Privacy is everybody's job, but not everybody's business.”

All in all, the provisions of the act can be daunting to providers.

“Providers don't know where to start. They don't know what to do,” Bachenheimer says. “They're overwhelmed.”

Indeed, one California provider's understanding could be representative of many providers' beliefs. “I don't really have much to do with [HIPAA], because we outsource all our billing,” she told HomeCare. “So it's really up to the company that does the billing.”

“Apparently, [this provider is] only aware of the coding/transaction sets regulations, not the privacy rule, which will absolutely directly impact her and her organization,” says Bachenheimer.

But how is one to sort through all the HIPAA issues? Industry players — including ahead-of-the-game providers — have some encouraging words and practical advice on complying with HIPAA.

Eating the Elephant

There's an old joke that asks, “How do you eat an elephant?” And the answer is, “One bite at a time.” That's the answer for complying with HIPAA, too, industry experts say.

“Turn it into bite-sized pieces so that you can consume and digest it,” recommends Neil Caesar of the Health Law Center, Greeneville, S.C.

“If you parcel it out into half a dozen tasks, it becomes much more manageable,” Bachenheimer says. “Get your calendar out and give yourself deadlines. It is doable, and the more time you give yourself, the better off you'll be.”

It is not imperative that HME providers understand every nuance of the law, either.

“For HIPAA, as for any sort of compliance [rule], the goal is not to learn the law,” Caesar says. “Your job is to create ways of doing things that comply with the law. You want to identify steps HIPAA actually requires you to take — appointing people, educating people about what they need to do. A lot of it is putting pen to paper and memorizing how you do things — here's what we're supposed to do and what we do. Here's how you handle something that's wrong, here's how you identify it and here's how you fix it.

“Basically,” he adds, “HIPAA is a tool, not a battering ram. It is part of the cross-check process. Your goal is to have a well-run program that ensures privacy and security.”

While Parmigiani doesn't underestimate the time and effort it will cost HME providers to comply with HIPAA, he notes that in well-run businesses, much of what HIPAA requires already is being done. “[HIPAA] is based on good business practices,” he says, noting that, for providers who follow such practices, complying with the act will be largely a matter of documenting policies and procedures, as Caesar said.

Kevin Minnis, HIPAA leader and contract manager for Health Care Diagnostics in Auburndale, Fla., agrees.

“When you hear HIPAA, everybody gets scared,” he says. “But I don't think it is as burdensome as [for] some of the other areas, like the guys writing the software. These [requirements] are good business. These things are not uncommon to us; some of them we already do.”

The difference, Bachenheimer says, is that these good business practices now must be put in writing. “Companies probably do a lot of this intuitively,” she says, “but it's not documented. Now it's a matter of documenting how you keep patients' records confidential. And you can't just say you've got [policies]. They have to be in writing, and you have to train your employees on the new policies and procedures.”

Where to Begin

With that said, the question remains: Where do you start, if you haven't started already?

First, Bachenheimer says, HME providers must appoint a privacy official to be ultimately responsible for the company's privacy efforts. “This does not have to be a new position,” she stresses. “If you're a mom-and-pop, obviously mom or pop will be that person.”

Next, providers must establish a compliance committee. At Health Care Diagnostics, for example, a team of 11 people — one representative from each department — has been meeting for a year, Minnis says. The committee has done an overview of where protected health information is stored in the company, who handles it, where it goes and what needs to be done to protect it from unauthorized access.

That's exactly what the committee should be doing, according to Caesar, who says providers must trace the existing flow of PHI both inside and outside the company and determine if the access is necessary or greater than it needs to be. They also must identify everyone to whom information is disclosed; review existing policies about providing PHI, and how they use it and disclose it; identify all systems used for electronic data exchange; and identify where PHI is archived.

“What you need to have done prior to spring,” he says, “is to use those findings and do a gap analysis, comparing what HIPAA requires and what you have in place.”

Early in the game, providers also need to determine if their states have any laws that are more restrictive than HIPAA, experts say. HIPAA preempts state law unless the state's law is stricter, in which case, the state's law prevails.

The committee also can develop a written policy on the new rights patients have to look at their health records. “It can be about 10 reasonable policies,” Bachenheimer says. “After that, you need to develop those statements of privacy practice. This is a multi-page document that will be added to a list of documents you give to the patient.”

“You basically have to give a patient a Miranda — a reading of [his or her] rights,” Pfeil says. “You have rights to medical records. You have the right to withhold your medical records.”

Parmigiani puts it this way: “Make sure that everyone who comes to do business with you knows what your practices are. It's not a bad idea to have people sign that they got it — not that they read it, or understand, but just that they got it.”

Providers also should consider protecting themselves with confidentiality agreements, Parmigiani says. “I would think HME [providers] would need to have signed confidentiality forms from all the people who work there,” he says.

Training employees about privacy practices and patient rights is another key component of HIPAA. “Everybody — even part-timers — needs to be trained,” Pfeil says, noting that the owner of an HME company is criminally liable if an employee sells a patient list or otherwise leaks PHI. “There's teeth to this. This is mandatory — everybody has to be trained.”

Training can be done by your privacy official or by a third party. Minnis says his company trained everyone by using a 10- to 12-part educational series delivered by e-mail.

It isn't just the patients and the employees that an HME provider must be concerned about, experts add. There's the matter, too, of outside parties who might see PHI. Providers must ascertain who those parties are and whether or not those parties need to see such records. Then providers need to take steps to protect themselves from liability.

“Providers need to execute contracts with associates … who are looking at private records,” Bachenheimer says, using as an example reimbursement consultants. Such parties, she says, need to sign a document promising that they will not disclose that information to another party.

Testing, Testing …

In addition to establishing privacy policies and procedures by April, HME providers also must have started testing their transaction code sets by then. This entails sending test claims to the durable medical equipment regional carriers via software that has built-in safeguards designed to protect patient information. Your software vendor should have provided upgrades to your current software system that will make the software HIPAA-compliant.

Pfeil says HME providers should not assume that their software is compliant simply because their vendor tested it and said it was compliant. “I suggest that every provider do [its] own testing, because all [providers] have their own [unique] applications,” he says. “You may be technically sending your claim over to Medicare, but if things are in the wrong field, you're going to have a claim that crashes and burns.”

He says providers should start testing no later than the beginning of the year. “The closer we get to October of next year [when providers must have in place all policies and procedures regarding electronic transactions], the more people will jump on the bandwagon and say, ‘We'd better start doing something about this.’ Then the systems will get overloaded.”

The Bottom Line

So what will all this typically cost a provider to implement?

No one has a precise answer, but there's no doubt there will be some costs associated with implementation of HIPAA.

“This costs money and it costs time,” Caesar says, noting that software changes for those who need them could cost from $5,000 to $50,000. “Then there's going to be education on an ongoing basis, and that's going to cost a couple of thousand dollars a year. And there are training materials and consultants. A relationship with outside advisers could cost $2,000 to $5,000 a year, and then it's the cost of time. If you use someone [in house] to draft or to assess, that costs money and takes time.”

He estimates it could cost between $5,000 and $20,000 simply for the planning, and another $5,000 to $30,000 for the drafting process.

Peggy Hansen, compliance officer for Ascentra, a Las Vegas-based HME provider with four companies stretching into northern Utah, says HIPAA so far has cost her company “$179 and my time.”

Parmigiani says the costs probably will vary for independent providers. “What environment are they in? I think it's different if you are in New York City rather than in Keokuk, Iowa,” he says, adding that HIPAA's emphasis is on “cost-effective, reasonable solutions that you document.”

Bob Achermann, executive director of the California Association of Medical Products Suppliers, says providers expect it to be costly. “All these changes always cost money,” he says. “But when you depend on the government for your revenues, you just have to follow the bouncing ball.”

Whatever the costs, Parmigiani says providers should see some financial rewards down the road. In addition to protecting a patient's information, HIPAA standardizes claim-submission practices and fosters electronic commerce. That should translate, he says, into swifter payment to providers and reduced costs, because electronic claim submissions are quicker and not as “people-intensive.”

And what happens if you're late and can't get your compliance act together?

“There are criminal and civil penalties. The fines are pretty stiff,” Bachenheimer says. “Obviously, the worst-case scenario is when you are intentionally violating the law, and for financial gain. It's up to $250,000 and 10 years in prison. If you knowingly violate the law and pass along private information about a patient, there's a $50,000 fine or up to one year in prison.”

Also, Pfeil points out, Medicare claims submitted on hard copy after April 14 will be penalized by $1 per claim.

How is HHS going to ensure that everyone is following the new regulations? That's not clear, but it seems sure some monitoring will happen.

“People think it is just for the big boys,” Pfeil says. “And maybe it is. The HIPAA police are not going to come in to a provider with three employees. They are going to go to companies with deep pockets who can foot the bill for a court case. And that will provide the legal basis for future decisions.”

Parmigiani says a provider's best defense is documentation. “Documentation is the key here,” he stresses. “When someone alleges a violation, the real defense is going to be what did you do, and do you have a record of it. What decision did you make relative to each one of these things?”

In the end, he notes, “there's no 100 percent security. Something is going to fall through the cracks.”

But it won't be because no one tried to plug the holes.

Providers Work to Stay Ahead of the Game

Are you wondering what other providers are doing about the Health Insurance Portability and Accountability Act and what their concerns are? HomeCare talked to some providers to find out.

Ascentra, Las Vegas, Nev.

Ascentra kicked into action a few years ago when it first got wind of HIPAA, says Peggy Hansen, corporate compliance officer. “The problem with HIPAA is that when it first was introduced to our type of company, it was so vague,” she says. “We knew it was a big issue, but to what level did it need to be put into play in each of our [four home medical equipment] companies?”

It was Hansen's job to find out, so she set about educating herself on the proposed regulation by reading, attending seminars and taking online courses. The company also designated four point people, one in each location, to do “walk-throughs” — assessments of how information was handled, who handled it, when and why. The point people also took a look at the physical aspects of their locations and assessed what needed to be done to ensure the privacy of patients' information.

“A lot of it is common sense,” Hansen says, “but it's to the point where it is a major change in how you do business. You don't leave charts on your desk, you don't leave [computer] terminals turned where the public can see them. Filing has to be done and completed at the end of every day. The shredding has to be completed at the end of every day.”

At some locations, the reception area doubled as the intake area. “Those should probably be separate to ensure privacy,” Hansen says.

The company also established contracts with outside vendors privy to patient information, ensuring that the contractors would not divulge that information. It also put together information on patients' rights, filed for its compliance extension and now is solidifying its policies and procedures to ensure that all four locations are using the same forms, doing the same sort of training and have the same procedures in place. Hansen has ordered training materials that also will provide templates for forms to ensure compliance.

Because Ascentra has always taken confidentiality very seriously, Hansen says the existing policies have not “been that far off base. There are a lot of things we had in place.” Some of it simply needed documenting and putting into the right verbiage. “But until you take it from the patient's point of view, there are hundreds of ways to jeopardize your company. We still have a lot to do — a lot of fine tuning,” she adds.

Bach Medical Supply, Springfield, Mo.

Juggling both the upcoming HIPAA compliance standards and re-accreditation by the Oakbrook, Ill.-based Joint Commission on Accreditation of Healthcare Organizations, Stephen Bach, president and chief executive officer of Bach Medical Supply, nevertheless has managed to make strides on the HIPAA trail.

Six months ago, he appointed a compliance officer and established a committee of five people, one from each department, to oversee HIPAA compliance. They have charted where information goes, who sees it and why. They also have ensured that contracts are in place with everyone who might see PHI (“We even have a contract with our cleaning service,” Bach says) and are in the process of documenting all the policies and procedures related to protecting patients' health information. The software vendor has upgraded the company's software, and Bach Medical has gotten its compliance extension.

The company appears to be ahead of the game. But Bach is a bit cautious. “It's a day-to-day thing,” he says. “We're working on it.”

Already, some areas that need to be changed have surfaced. “We will have to make some changes, as will everybody, even those who thought they had confidentiality [down to] a science,” Bach says. “We'll need to make some changes to our customer service area. … It's a little more than I expected.”

The company also has bought screens that prevent anyone from reading a computer monitor unless he or she is directly in front of it. In addition, Bach says, “We immediately put a stop to e-mails with patients' names and pertinent information in them.”

Now, he says, only half jokingly, “Call me” on e-mails to physicians.

The company is more guarded about giving out information and already, Bach says, “We've had some upset family members because we wouldn't give out information on their family member. Caregivers have a hard time with this.”

Cost-wise, “it's been manpower expensive, and we'll have structural costs involved [in redesigning the customer service area].” He's also spent some money purchasing professional information “to be sure we're not missing anything.”

What the end cost will be he doesn't know. But, noting that his company always has been concerned with confidentiality, Bach does believe in the soundness of HIPAA. “It's common sense, good business practices,” he says. “That's the way I see it.”

Health Care Diagnostics, Auburndale, Fla.

Health Care Diagnostics has been grappling with HIPAA for about a year now, says Kevin Minnis, HIPAA leader and contract manager for the company. “We wanted to get ahead of the game, because after competitive bidding, we realized that the more proactive you are, the better off you are,” he says.

The company has established an 11-member committee to assess its current policies and procedures and “of course, we've filed our extension, so we have an extra year to prepare,” Minnis says.

But that extra time doesn't mean the company is slacking off, he explains. “Our staff is pretty much educated as to what HIPAA is. We've implemented our privacy policy notice, so our updated private policy notice is in all of our active patients' homes now. We're reviewing our patient delivery tickets, our patient observation forms … We're doing a full review now, so if we do have to change anything, we [have time to] get it to the printer.”

To help ensure he's covering all the bases, Minnis has employed a 38-page checklist offered to members of The Med Group, a Lubbock, Texas-based group purchasing organization. It breaks down tasks into categories, gives target dates and other key information, and tips, he says.

While the company already has put its employees through a series of e-mail tutorials about HIPAA, the education process doesn't end there, Minnis says. “We're getting into role play. We may do it a department at a time,” he says. Having employees act out situations in which they must decide whether they can legitimately and legally release PHI could pay off well when a real situation crops up, he believes.

Performance Modalities, Kent, Wash.

While many ambiguities remain about what the precise requirements of HIPAA are, Allen Clark, president and chief executive officer of Performance Modalities, thought it wise to get on the road toward HIPAA compliance.

“We have enough [information] to be on track,” says Clark, who is also president of the Portland, Ore.-based Pacific Association of Medical Equipment Services, which covers Oregon and Washington.

So Clark assigned a HIPAA compliance officer to ensure the company was “on course to be HIPAA compliant,” and appointed himself and those who represented the company's divisions as the HIPAA compliance committee. So far, the company has worked with its software vendor to make sure the computer systems are compliant, has filed for an extension to be compliant by next October, and is working with the HIPAA self-assessment and compliance manual offered by VGM, a Waterloo, Iowa-based group purchasing organization.

The company also has discussed HIPAA with its employees, and “we've emphasized patient privacy more than we have in a long time,” Clark says, adding that Performance Modalities plans to hire a shredding company.

All of this has illuminated some areas that are working just fine and some that could be better, Clark says.

“I think what we are finding is that we have a lot of systems in place now, but we need to beef up the enforcement of [those systems],” Clark says.

So far, the march toward HIPAA compliance has not been costly, but Clark is guarded on that front. “I don't know if it will cost a lot of money,” he says, noting that so many aspects of HIPAA are not spelled out yet that it is difficult to say what costs will be involved. Clark says it is the potential cost of HIPAA that concerns him.

“My concern as an owner and as somebody who has been in the business for 20 years is the added cost of doing business and the reduced reimbursement,” he says.

Susanne Hopkins

Privacy Procedures Checklist

Where should you be now, as the clock is winding down toward the implementation of the privacy component of the Health Insurance Portability and Accountability Act? John Parmigiani, the former chief of the HIPAA security and electronic signature team for the Department of Health and Human Services who is now national director of HIPAA compliance services for Cincinnati, Ohio-based CTG Healthcare Solutions, provides this checklist:

DONE:

  • Develop an information privacy official job description.
  • Designate an information privacy official.
  • Announce privacy official to workforce.
  • Identify locations of all medical records.
  • Identify staff responsible for disclosure of Protected Health Information.
  • Identify information systems containing PHI.
  • Identify potential threats and vulnerabilities that could result in confidentiality breaches or perceived breaches.
  • Evaluate the incidental use and disclosure and the privacy afforded by use of sign-in sheets, schedules on counters, directory of charts, etc.
  • Evaluate ability to hear conversations in public areas and modify layouts/provide privacy partitions as necessary.
  • Define designated record set (including medical and billing records) for purposes of HIPAA privacy requirements.
  • Define minimum necessary use, disclosure and requests.
  • Define when de-identification of data will be required.
  • Ensure that any more stringent state law is reflected in all privacy policies created or revised for HIPAA.
  • Establish a committee to help create a Notice of Privacy Practices.
  • Identify the various members of the workforce.
  • Identify the specific training needs of each audience type.
  • Determine the best method of delivery.
  • Identify all business associates that receive or disclose PHI.
  • Compare against existing contracts (e.g., check against Accounts Payable records).
  • Review any existing business associate contracts to ensure appropriate language.

IN PROGRESS:

  • Identify individual who will collect privacy complaints (this person may be different from the privacy official).
  • Identify locations of all other clinical data, such as films, strips, billing records, etc.
  • Identify the existence and location of any shadow records (e.g., copies of originals).
  • Identify personal digital assistants, notebooks and other devices containing PHI.
  • Identify all biomedical equipment containing PHI.
  • Identify any independent databases containing PHI.
  • Design reasonable safeguards to ensure minimum necessary disclosures of PHI.
  • Review all documentation against HIPAA requirements.
  • Address document deficiencies.
  • Ensure that all HIPAA policies and procedures are readily accessible.
  • Obtain legal counsel review of state law versus HIPAA as necessary.
  • Define patient's rights and develop procedures for handling individual rights pertaining to:
    • Accessing information and when access may not be appropriate;
    • Requesting restrictions, the use and disclosure subject to restrictions and when restrictions may not be feasible;
    • Requesting amendment and when amendment may not be appropriate;
    • Requesting confidential communications (e.g., information sent to alternative locations by alternative means) and when such may not be feasible;
    • Accounting of disclosures for release of information other than for treatment, payment and operations;
    • Opting out of marketing and fundraising/underwriting communications;
    • Developing procedures for due process, with respect to any denial of individual rights;
    • Addressing notice of privacy practices requirements by informing patients they can opt out of directories, mailing activity, appointment reminders, etc.;
    • Developing procedures on how individuals are given the opportunity to agree, prohibit, or restrict disclosure to the individual involved in care;
    • Developing a privacy complaint receipt and response procedure.
  • Consider revising the current consent form to include HIPAA specifics.
  • Develop an authorization for disclosure of information.
  • Ensure that the created Notice of Privacy Practices is consistent with all uses and disclosures of PHI.
  • Consider getting a legal review of the NPP before distribution.
  • Determine methods for distribution of the NPP.
  • Determine how de-identification of PHI will be accomplished.
  • Add system flags to manage restrictions, confidential communications, etc.
  • Link minimum necessary procedures to information access controls.
  • Evaluate all other current contracts and supplement with business associate language.
  • Write business associate contract language.

Security Procedures Checklist

Want to get a head start on complying with the security aspect of the Health Insurance Portability and Accountability Act? John Parmigiani, the former chief of the HIPAA security and electronic signature team for the Department of Health and Human Services who now is national director of HIPAA compliance services for Cincinnati, Ohio-based CTG Healthcare Solutions, offers these guidelines (you'll note that some of the functions overlap with the privacy project plan):

DONE:

  • Designate security officer.
  • Communicate security officer designation to the workforce.
  • Appoint HIPAA project manager.
  • Appoint cross-functional HIPAA project steering committee.
  • Establish HIPAA subcommittees: transaction and code sets, privacy, security.
  • Conduct HIPAA readiness assessment.
  • Inventory all:
    • Policies and procedures for privacy and security;
    • Information systems and criticality/sensitivity of information processed;
    • Business associates with whom PHI is shared;
    • Biomedical equipment that stores PHI;
    • Employees with dial-in/remote access to patient information systems;
    • Vendors with dial-in/remote access to patient information systems.
  • Solicit HIPAA readiness plans from information systems vendors.
  • Develop HIPAA compliance plan, budget and reporting system.

IN PROGRESS:

  • Create new policies, procedures and forms as identified in the readiness assessment, including incident response.
  • Further develop and confirm corporate risk profile.
  • Conduct a risk analysis based upon the findings of the readiness assessment.
  • Develop or update contingency and disaster-recovery plans.
  • Establish facility security plan for safeguarding patient information.
  • Implement destruction procedures for confidential trash and media containing PHI.
  • Adopt backup, storage and retention procedures for all media containing PHI.
  • Establish formal security and privacy training program (document training).
  • Determine actions or items to be audited, adopt audit trail retention policy, and establish and conduct audit trail monitoring process.
  • Define minimum security standards for information systems that process or store PHI.
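Several checklist items above (minimum necessary use and disclosure, system flags for patient-requested restrictions, an accounting of disclosures outside treatment, payment and operations, and an audit trail of access) can be enforced in the system that holds PHI rather than only on paper. The example below is added here to illustrate that; it is not code from the article or from any provider or vendor it names, and the roles, field names and patient data are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Purposes HIPAA treats as treatment, payment or health care operations (TPO);
# disclosures for these purposes are not entered in the accounting of disclosures.
TPO_PURPOSES = {"treatment", "payment", "operations"}

# Constructed minimum-necessary allowlists per workforce role. The roles and
# field names are assumptions for this example, not taken from the article.
ROLE_FIELDS = {
    "billing": {"patient_id", "name", "dob", "insurance_id", "hcpcs_codes"},
    "delivery": {"patient_id", "name", "address", "phone", "equipment"},
    "clinical": {"patient_id", "name", "dob", "diagnosis", "equipment", "physician"},
}


class MinimumNecessaryError(PermissionError):
    """Raised when a request exceeds the role's minimum-necessary allowlist."""


@dataclass
class PatientRecord:
    """One patient's designated record set plus its disclosure bookkeeping."""
    data: dict
    # System flag for restrictions the patient requested and the provider agreed to.
    restricted_fields: set = field(default_factory=set)
    # Every access attempt, released or denied, for audit-trail monitoring.
    audit_trail: list = field(default_factory=list)
    # Only non-TPO disclosures, to answer a patient's request for an accounting.
    accounting: list = field(default_factory=list)


def disclose(record, role, recipient, purpose, requested_fields, when=None):
    """Return the minimum-necessary view of `record` for one disclosure.

    Enforces the role allowlist, withholds fields under a patient-agreed
    restriction, writes an audit-trail entry for every access, and adds an
    accounting entry when the purpose is outside treatment/payment/operations.
    """
    when = when or datetime.now(timezone.utc).isoformat()
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise MinimumNecessaryError(f"unknown role {role!r}")
    requested = set(requested_fields)
    excess = requested - allowed
    if excess:
        # Deny rather than silently trim: an over-broad request is itself worth recording.
        record.audit_trail.append({"when": when, "role": role, "recipient": recipient,
                                   "purpose": purpose, "outcome": "denied",
                                   "excess": sorted(excess)})
        raise MinimumNecessaryError(f"role {role!r} may not access {sorted(excess)}")
    withheld = requested & record.restricted_fields
    released = sorted(requested - withheld)
    view = {k: record.data[k] for k in released if k in record.data}
    record.audit_trail.append({"when": when, "role": role, "recipient": recipient,
                               "purpose": purpose, "outcome": "released",
                               "fields": released, "withheld": sorted(withheld)})
    if purpose not in TPO_PURPOSES:
        record.accounting.append({"when": when, "recipient": recipient,
                                  "purpose": purpose, "fields": released})
    return view


def sample_record():
    """Constructed sample record with fictional data; the patient has restricted 'phone'."""
    return PatientRecord(data={
        "patient_id": "P-0001", "name": "Pat Example", "dob": "1950-01-01",
        "address": "1 Example St", "phone": "555-0100", "insurance_id": "INS-123",
        "hcpcs_codes": ["HCPCS-PLACEHOLDER"], "diagnosis": "COPD",
        "equipment": "oxygen concentrator", "physician": "Dr. Example",
    }, restricted_fields={"phone"})


if __name__ == "__main__":
    rec = sample_record()
    print(disclose(rec, "billing", "DMERC", "payment", ["patient_id", "insurance_id", "hcpcs_codes"]))
    print(disclose(rec, "delivery", "driver", "treatment", ["name", "address", "phone"]))
    print(len(rec.accounting), "accounting entries;", len(rec.audit_trail), "audit entries")
```

The audit trail records denied requests as well as releases, so monitoring can surface staff repeatedly asking for fields outside their role; the accounting list stays limited to the non-TPO disclosures a patient is entitled to see.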
