Monday, May 7, 2007


The Health Insurance Portability & Accountability Act of 1996 (HIPAA) is one piece of legislation that our government did right. This explains its background, objective, and key points.

Brief history

The Health Insurance Portability & Accountability Act (HIPAA) became Public Law 104-191 in August 1996. It became the law despite numerous unsuccessful challenges by special interests (e.g., insurance providers, physician groups). Congress and the Department of Health & Human Services (DHHS) overcame the attempts of the special interests. They had the clout to do so since at least 60% of all healthcare claims are paid by the federal and state governments.

HIPAA’s necessity arose from the entangled economics of the healthcare industry. During the 1980s two significant changes restructured the healthcare model. The first was job tenure. Employees and employers changed their attitudes towards the notion of job tenure, and consequently there was more job hopping. In many cases, a new job with a new employer reduced or even eliminated the employee’s health benefits. The second was the unexpected increase in the cost of delivering and administering healthcare. Doctors and hospitals discovered how to work the Medicare and Medicaid system. While it is true that the funding created new technologies (many of which extended life spans), a good portion of the money that these special interests received went into their own pockets. The mission of hospitals changed. Instead of concentrating on delivering healthcare to their patients, hospitals started consolidating in order to better compete for business.

In the early 1990s, the healthcare industry adopted standards for Electronic Data Interchange (EDI). Instead of paper, information was passed electronically. It was (and still is) an effective way of cutting costs and speeding up the claim processing cycle. Unfortunately, it did so at the expense of the security of patient information.

One of the election issues that the Clinton administration promised to resolve was the healthcare mess. It prompted Congress to explore ways and means to make healthcare portable—this was meant to mitigate the problem of job hopping. Since it was addressing that, Congress tackled the related issues of fraud and abuse of the Medicare and Medicaid funding spout, and the protection of sensitive patient information as health records were passed from one entity to another. The result was HIPAA.

HIPAA’s objective

The law’s objective is to improve the efficiency and effectiveness of the U.S. healthcare system. This objective requires the implementation of certain safeguards when reviewing, processing, or storing patient and healthcare payment information.

It gives patients new rights of privacy. It limits access to and use of protected healthcare information to those who actually provide the healthcare.
HIPAA focuses on three major areas:
  1. Transactions
  2. Privacy
  3. Security.
Key Features
  • Patients can access their own protected healthcare information (PHI)
  • Covered entities (e.g., insurance companies, physicians) are restricted in their use of PHI. (Prior to HIPAA, as many as 150 persons had access to a patient’s PHI during a typical hospital stay!)
  • EDI transactions follow HIPAA-mandated standards. (Prior to HIPAA, proprietary formats abounded. Clearing houses had to reformat incoming and outgoing data.)
  • Access and security are protected by law. Stiff penalties, fines, and even imprisonment add bite to the teeth of the law.
  • HIPAA applies to all government agencies and supersedes all state laws (especially the less stringent ones).
Transactions, the first major area

Three key changes were made to electronic transactions:
  • Only EDI and direct data entry (DDE) are the authorized methods for processing electronic healthcare transactions.
  • Only nine EDI formats are allowed.
  • Only three code sets are allowed. Code sets are discussed in another blog entry.
How successful were these changes?
  • Prior to HIPAA, the average claim cycle was 75 days. One out of three claims was rejected due to administrative errors. Today, the claim cycle averages less than 24 hours and only one to three percent are rejected because of administrative errors.
  • Prior to HIPAA, it cost 29 cents (in 2003 dollars) to process every claim dollar. Today, it costs 4 cents.
A new industry has emerged to assist covered entities with these requirements.

Privacy, the second major area

This has the most significant impact on the healthcare industry. It’s actually easier to protect PHI than it is to secure its privacy (e.g., a PHI can be copied and the fact that it was copied may go undetected). Implementation of the privacy rules must not interfere with the access or quality of healthcare.
  1. Privacy rules apply to all forms of PHI, be it written, electronic, oral, etc.
  2. Patients have more control since there are now boundaries and safeguards that protect their PHI for all treatment, payment, operations (TPO) transactions.
  3. Patients must give written consent to a healthcare provider to access and use the patient’s PHI. Consent is general in nature and covers the entire relationship between the patient and provider. Note that written consent is typically a condition of service. Providers will generally refuse to deliver services without this written consent. Rule exceptions are limited to emergencies, over-the-phone prescriptions and appointments, and a few others.
  4. Patient authorizations are required for every instance that their PHI is disclosed out of the normal TPO circle (e.g., submission of PHI data for medical research). Providers carry the burden of recording and tracking patient consent, authorizations, and revocations.
  5. PHI may be shared with business associates (e.g., administrative services, laboratories) only to assist in the administrative function of TPO. The covered entities are still responsible and liable for the privacy and security of PHI. Their business associates are not liable nor do they have to meet the requirements of the covered entities.
  6. Covered entities must make reasonable efforts to limit the disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure.
  7. Covered entities must: (a) notify their patients of their privacy rights, (b) write their own policies and procedures and define their own minimum necessary standards for disclosure, (c) designate a privacy official whose primary responsibility is the protection and privacy of all healthcare information, and (d) provide a secure environment for PHI. A secure environment makes PHI available only to authorized parties on a need-to-know basis. All employees who may come into contact with any PHI must be trained on privacy rules and procedures.
PHI used for marketing and research is governed by its respective set of rules. Marketing example: the names of pregnant women cannot be given to diaper market researchers without their permission. Research example: absent the patient’s authorization, PHI may be shared provided all identifying information is removed. Incidentally, the marketing rules apply to business associates.

Privacy rules apply only to covered entities. These entities constitute 98% of the healthcare industry. The rules apply to all health plans, clearinghouses, and healthcare providers such as hospitals, doctors, nurses, and EMTs. The only entities exempt from these rules are those that continue to use paper.

Security, the third major area

Security compliance became effective in April 2005. The rules have a “performance” nature instead of a “prescriptive” one. The former outlines the standards that must be met whereas the latter dictates the means to achieve the standards. This means that covered entities are free to use their own methods to meet the performance standards.

There are nuances that make life easier for covered entities. These entities have the prerogative of deciding the most cost-effective manner of implementing the appropriate level of security for their environment. As long as these procedures and the framework are well documented, the entities are not required to implement practices that are unreasonable, impractical, or not cost-effective (i.e., where the cost exceeds the value of the risk). In sum, organizations have the freedom to interpret (but it better be reasonable!) the security standards and develop their own practices.

The security provision does not require the adoption of new practices. The covered entity’s present ones may be sufficient. However, since HIPAA expanded the scope of security to encompass the covered entity’s business partners, it has just about made it necessary to add and develop new practices.

HIPAA’s security rules revolve around the industry’s best practices anyway. It is really in the covered entity’s best interests to adopt these best practices. The entities achieve both objectives—meet HIPAA’s security requirements and adopt best practices—at the same time.

Security is well-covered in numerous articles. For that reason, we shall just enumerate the main areas:
  1. Access control, which means authentication, authorization, and auditing
  2. Administrative policies and practice
  3. Chain of Trust agreements; this is the primary tool that expands the scope of privacy and security requirements to the business partners of the covered entities
  4. Data protection
  5. Digital signatures
  6. Disaster recovery
  7. Encryption
  8. Identification
  9. Physical security
  10. Processor/Server protection
  11. Remote access and VPNs
  12. Software certification
  13. System protection and certification.
End Notes
Concluding remarks

I adapted this from a white paper I wrote for a previous employer in 2000—shortly after Y2K. The healthcare industry was bracing for the next “big” event, namely HIPAA.

I welcome any comments, updates, and/or corrections.
