Saturday, September 15, 2012

Update on the Health Information Portability and Accountability Act: HIPAA. - Nursing Economics

The Health Information Portability and Accountability Act of 1996 (HIPAA) is considered by many to be among the most significant pieces of health care legislation in the history of the U.S. health system. Not since the amendments to Social Security that created Medicare and the Tax Equity and Fiscal Responsibility Act (TEFRA) that created prospective payment has interest in federal legislation been so pronounced as it is with HIPAA and the future federal privacy legislation that is expected to follow. Like its legislative predecessors and the recent preparations for Y2K, HIPAA is expected to have far-reaching implications for hospitals, payers, and provider practices (Maddox, 1998). The purpose of this article is to review the provisions of HIPAA and discuss selected areas of implementation impact that are significant for nurse leaders and other health care executives.

The Scope of HIPAA

Based on the scope and intent of HIPAA, we could realistically call it 'The Health Insurance Portability, Health Information Privacy and Administrative Simplification Act.' The legislation is lengthy, requiring 400 pages of text to explain its coverage contained in five 'Titles.' The introduction to HIPAA states that its purpose is: 'To amend the Internal Revenue Code of 1986 to improve portability and continuity of health insurance coverage in the group and individual markets, to combat waste and fraud, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes.' Simply stated, the policy-related objectives of HIPAA are to ensure health insurance portability, reduce health care fraud and abuse, guarantee security and privacy of health information, and enforce standards for health information. Each of HIPAA's five Titles identifies the requirements and standards essential to accomplishing these objectives.

When Congress passed HIPAA, it intended to standardize and thus simplify electronic data interchange (EDI) for the health care industry. The administrative simplification provisions contain several mandates to support EDI for health care transactions:

1. Compliance with uniform standards for information transactions and data elements.

2. Use of a unique identifier for each patient, employer, health plan, and health care provider.

3. Use of standardized code sets for the data elements used in EDI.

4. Compliance with security, electronic signature, and privacy standards.

The U.S. Department of Health and Human Services' (DHHS) proposed confidentiality regulations (published November 3, 1999) were promulgated in response to the legislation's requirement for privacy standards.

Information Technology and Electronic Data Interchange

DHHS has now published the first of nine standards required to support EDI. In addition to HIPAA's explicit objectives, this legislation is projected to have a significant impact on the use of information technology. Experts believe that enforcement of HIPAA will either discourage the use of information technology or accelerate the development and implementation of electronic medical records and the use and expansion of Internet technology and applications for clinical and administrative purposes in health care (Drucker, 2000; Institute of Medicine, 1994; Morrissey & Weissenstein, 1996).

Among HIPAA's provisions, Title I covers health care access, portability, and renewability. Title II focuses on preventing health care fraud and abuse. Title III pertains to tax provisions and medical savings accounts. Title IV addresses the application and enforcement of group health plan requirements. Title V focuses on revenue offsets. These requirements will apply to almost every health care provider, payer, and clearinghouse in the United States (public and private).

Although the federal law does not require that health information be collected or electronically transmitted, it calls for standards to safeguard privacy and confidentiality of individually identifiable health information when it is transmitted and stored electronically.

Unlike previous federal legislation that may have only affected Medicare and Medicaid programs, the impact of this legislation extends to all health care providers, payers, and clearinghouses that transmit or maintain individually identifiable patient information in electronic form, throughout the United States.

The Focus of HIPAA

Individually identifiable information under HIPAA is defined as 'protected health information.' Therefore, any individually identifiable health information that is stored or transmitted in electronic format is protected. Electronic formats such as computer diskettes, storage on a computer server, e-mail, fax transmissions, magnetic computer tape, voice recordings, video images, and audio data, among others, are targeted by the security and confidentiality standards. HIPAA also governs the progeny of electronic processes when they contain protected health information. Thus information from any administrative or clinical operation that produces paper printouts and reports (including faxes) is also covered.

Since almost all health care entities use electronic media to store and/or transmit claims, they must be in compliance with the administrative simplification provisions of HIPAA within 2 years of the release date of the final rules. Small health plans (those with fewer than 50 members) have another 12 months, or 3 years, to comply.

Uniform National Transactions Standards

One of the most significant aspects of the legislation is the creation of uniform national transaction standards for all health plans, employers, providers, payers, and clearinghouses. Rather than allowing individual states and/or payers to continue requiring conflicting standards for transactions, code sets, and identifiers, HIPAA standardizes formats nationally in an effort to encourage widespread use of EDI. HIPAA requires DHHS to adopt standards for a variety of administrative and financial health care transactions:

* Health claims or equivalent encounter information

* Health claims attachments

* Health plan enrollment and disenrollment

* Health care payment and remittance advice

* Health plan premium payments

HIPAA also requires development and adoption of standards for unique identifiers for:

* Individuals

* Employers

* Health plans or payers

* Health care providers

Currently, DHHS has identified most of the code sets, transaction sets, and identifiers to be used by payers and providers in the electronic transmission of health information. The department has also published proposed rules related to security, privacy, transactions and code sets, and national provider and employer identifiers. When the final rules are issued, providers must implement new business and information system policies and procedures. Refer to the DHHS web site at http://aspe.os.dhhs.gov/admnsimp.htm for detailed information. The rules will redefine how providers access, transmit, and disclose health information electronically (see Table 1) (Moynihan & McClure, 2000).

Table 1. Proposed Transaction Standards

Standard                     Proposed Rule Published   Final Rule Adopted
National Provider ID         5/07/98
National Employers ID        6/16/98
National Individual ID(+)    N/A
Security                     8/12/98
Privacy                      11/3/99
Transactions                 5/07/98                   8/17/00(*)
Code Sets                    5/07/98                   8/17/00(*)

(+) Work on hold until federal privacy law enacted
(*) Compliance expected by 10/16/02

All transactions (except claims) are expected to use the X12N standard (version 4010). Pharmacy claims must conform to the National Council for Prescription Drug Programs standard (NCPDP 3.2). Medical, dental, and institutional claims must comply with the X12N 837. Standards have not yet been adopted for claims attachments or first injury reports.

In addition to transactions, the following code sets have been adopted for medical diagnoses, procedures, and drugs: ICD-9-CM codes (ICD-10-CM, when available) for diagnoses; and CPT-4 codes (CPT-5, when available), including national HCPCS, for procedure and diagnosis codes.

Data Security Standards

HIPAA's security provisions mandate adopting security standards to protect individual health information while still permitting access to and use of this information by providers, clearinghouses, and health plans. The law also requires that an electronic signature be used when transmitting protected information. These standards will require health care organizations and providers involved with EDI to assess their own security and conduct audits to evaluate the effectiveness of their administrative procedures, physical safeguards, technical security services, and technical security mechanisms.

The HIPAA standard for the electronic signature is a digital signature that uses cryptographic methods of originator authentication. It verifies the signer's identity using a set of electronic rules and parameters that also ensures the integrity of the data.
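The two properties described above, originator authentication and data integrity, are what any digital signature scheme provides, and the following is an added example that is not part of the original article or of any HIPAA rule: it signs a constructed, simplified claim record with an Ed25519 key pair from Go's standard library and shows that verification fails both when a field is altered in transit and when the signature is checked against another party's key. The claim format, the Originator type and the function names are illustrative assumptions; HIPAA's electronic signature standard does not prescribe this particular algorithm.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SampleClaim is a constructed, simplified claim record standing in for an
// EDI transaction payload. It is illustrative only, not a real X12N 837 message.
const SampleClaim = "CLAIM|PATIENT=P-0001|PROVIDER=PRV-42|PROC=99213|AMOUNT=125.00"

// Originator is a hypothetical trading partner (for example a provider's billing
// system) that holds its own signing key pair. The private key never leaves it.
type Originator struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewOriginator generates a fresh Ed25519 key pair for one trading partner.
func NewOriginator() (*Originator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Originator{Public: pub, private: priv}, nil
}

// Sign produces a digital signature over the exact bytes of the payload. Any
// later change to those bytes, however small, invalidates the signature.
func (o *Originator) Sign(payload []byte) []byte {
	return ed25519.Sign(o.private, payload)
}

// Verify checks a signature against the public key of the claimed originator.
// It returns true only if the payload is byte-for-byte what that key holder
// signed; a malformed key or signature is rejected rather than allowed to panic.
func Verify(pub ed25519.PublicKey, payload, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, payload, sig)
}

// Tamper simulates an in-transit modification of one field of the payload.
func Tamper(payload []byte) []byte {
	return bytes.Replace(payload, []byte("AMOUNT=125.00"), []byte("AMOUNT=1250.00"), 1)
}

func main() {
	provider, err := NewOriginator()
	if err != nil {
		panic(err)
	}
	payload := []byte(SampleClaim)
	sig := provider.Sign(payload)

	fmt.Println("genuine payload verifies:       ", Verify(provider.Public, payload, sig))
	fmt.Println("altered payload verifies:       ", Verify(provider.Public, Tamper(payload), sig))

	// A different trading partner's key cannot vouch for the provider's signature.
	impostor, err := NewOriginator()
	if err != nil {
		panic(err)
	}
	fmt.Println("verifies under another's key:   ", Verify(impostor.Public, payload, sig))
}
```

The receiving side only ever needs the originator's public key, which is why the scheme gives originator authentication without sharing any secret; the integrity property comes from the signature covering every byte of the message, so the altered amount is caught even though only two characters changed.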

Because electronic methods for data interchange can significantly reduce the costs associated with manual transactions that are verbal and written, there is little controversy about having uniformity for transactions and data sets across all health care organizations and states. For example, it is hoped that phone calls from business offices for such functions as benefit coverage verification or precertification may be replaced by seamless computer transactions for these functions.

The Workgroup for Electronic Data Interchange (WEDI) estimates that EDI has the potential to save providers $90 billion and the overall system (including the federal and state governments, payers, and employers) $26 billion per year. Other studies show that submitting claims electronically may save as much as $1.30 per claim. As an added incentive to use electronic claims submission, the Health Care Financing Administration will in the future begin charging a $1 surcharge per paper claim filed for Medicare reimbursement.

Many skeptics of HIPAA cite the failings of prior federal legislation to realize savings. Critics regard its security and privacy provisions as 'unfunded federal mandates.' Other observers are more optimistic because of the numerous advantages of EDI and industry-wide standardization. HIPAA balances additional administrative costs for security and privacy (considered by some to be an unfunded federal mandate) with savings or revenue enhancements attributable to reduced processing costs and improved cash flow (presumed to result from expedited claims processing and payment).

Privacy Provisions

Determining whether HIPAA applies to a particular individual or company is an important first step in identifying a HIPAA implementation strategy. HIPAA directly applies to three types of covered entities: health care providers, health care clearinghouses, and health plans. Definitions for each category are broad. Employers (even those not serving the health care industry) may find themselves subject to HIPAA regulations when they fund an employee benefit plan that pays for a worker's health care, as the employers' benefits would be considered a health plan. Therefore, health information received when administering the plan must be protected in full.

In addition to entities covered directly, indirect applications also apply to business partners of covered entities. In this case, indirect applications of HIPAA's confidentiality requirements occur when an individual or company sees or uses health information while providing services to a covered entity. Typically, this occurs when services are outsourced. Under the proposed privacy regulations, there must be a 'business partner agreement' between the covered entity and each person to whom the covered entity discloses protected health information in order to carry out its work.

HIPAA specifies 11 elements to be included in a business partner agreement. Chief among these are a provision giving patients the right to sue under state law for breach of the agreement, and a promise to comply with all of the covered entity's policies relevant to the use and disclosure of personal health information obtained under the agreement.

Providers must maintain chain of trust agreements with all parties with whom they share individually identifiable patient information. These agreements must include language that requires each data partner to certify to the other, and to each organization in the chain of trust, that they are HIPAA compliant. Third-party reviewers are the most cost-effective and practical way to fulfill this requirement. The alternative would be for each organization to be required to either certify itself and/or audit every business partner in its chain of trust. Partners in the chain of trust include all payers, providers, employers, clinical service vendors (such as labs and radiology), and others with whom the institution shares patient-specific information.

HIPAA mandates administrative procedures to protect privacy, including certification of compliance, chain of trust partner agreements, contingency plans, formal mechanisms for processing records, information access controls, internal bodies standards, personnel security, security configuration and management, security incident procedures, security management processes, security training, and termination procedures.

In addition to these administrative requirements, HIPAA details numerous technical security mechanisms that are considered necessary for health care organizations to protect data. They include audit controls, authorization controls, data authentication, communication and network controls, encryption, and various types of authentication for event reporting, integrity controls, message authentication, message integrity, and user authentication. Failure to comply with security requirements may result in substantial penalties. A detailed set of civil and criminal penalties involving fines and imprisonment is also prescribed under HIPAA provisions.

The Downside of Proposed Privacy Regulations

The proposed privacy regulations issued by the DHHS in November 1999 may never go into effect unless Congress intervenes by enacting new privacy statutes before all HIPAA standards are finalized. The controversy of proposed standards has been considerable with thousands of comments being received by DHHS during the public comment period. Nevertheless, transaction and code standards were finalized in August 2000. They may never be put to full use if individual privacy legislation is not passed, permitting establishment of the individual identifier.

In addition to the controversy over an individual ID (patient ID), controversy has arisen over several other provisions related to who may be covered by HIPAA and under what circumstances. For instance, covered entities may not use or disclose health information unless authorized by the patient for purposes of treatment, payment, or operations. Even then, disclosure of protected information is expected to meet a 'minimum necessary disclosure' standard. Covered entities do not have to get authorization from patients to provide information necessary for appropriate activities, including activities associated with functions such as quality assurance and improvement, safety monitoring, research, and law enforcement. Additionally, patients may request limits on the use of their personal health information for treatment, operations, or payment.

Another problem with the privacy regulations is that a baseline has never been established on the current state of patient protection (to determine the effect the proposed regulations would have). Also, having a patchwork of state laws makes compliance difficult. Multi-state entities will continue operating with uncertainty about which privacy standards will apply. Regardless, in the coming years, congressional interest in the privacy debate is expected to increase.

HIPAA Compliance and Confidentiality Violations

To comply with HIPAA regulations, most health and benefit providers will have to: (a) replace or modify billing, claims, and other applications and middleware; (b) convert stored data into new formats; and (c) design, implement, and enforce security and privacy controls.

The consequences of failing to comply with HIPAA are substantial. In addition to the potential for private lawsuits under business partner agreements, DHHS has established civil monetary penalties for violations of the confidentiality regulations. These fines may be as much as $100 per person per violation, but not more than $25,000 per year for violation of a single regulatory standard. HIPAA also establishes three levels of criminal penalties for knowingly obtaining or using individually identifiable health information in violation of any of the regulations. The lowest level involves fines as high as $50,000 and 1 year in prison. The second level, for using and disclosing personal health information under false pretenses, carries fines as high as $100,000. Disclosing personal health information with the intent to sell, transfer, or use it for commercial advantage, personal gain, or malicious harm could bring fines as high as $250,000 and possible imprisonment for up to 10 years.

Besides statutory penalties, organizations have an additional compliance incentive because accreditation may be tied to compliance. Hospitals, for example, may risk losing accreditation by the Joint Commission on Accreditation of Healthcare Organizations because of overall HIPAA noncompliance. Other accrediting organizations, such as those governing research grants, and other private organizations, such as the American College of Surgeons, may also require HIPAA compliance. Noncompliance with HIPAA could eventually render a hospital or provider unable to conduct business or provide care, because it is itself a HIPAA-defined business partner of the entities it deals with.

Preemption of State Laws

HIPAA regulations limit the authority of DHHS to mandate compliance to ensure confidentiality. Under HIPAA, the confidentiality regulations are seen as the minimum acceptable requirement; state laws that are contrary to, but more stringent than the federal regulations will remain in effect. In this regard they are often referred to as a 'floor' above which the states may construct laws that are more protective of confidentiality. Oddly, HIPAA regulations do not identify an authority responsible for deciding whether a particular provision of state law is preempted.

Summary

The HIPAA compliance clock is now ticking, and all providers are required to meet HIPAA standards within 2 years of the release of each final standard (sometime in 2002). As with any over-arching organizational initiative, successful implementation will depend upon leadership and budgetary support from executive management. Because of the highly technical requirements for HIPAA compliance and the myriad functions and processes involved, a multidisciplinary project team is needed. This team should comprise individuals who are knowledgeable in clinical processes and those who understand health information technology, security, and privacy. It should also include experts who understand HIPAA along with the organization's business processes and partners, e-commerce, organizational policies and procedures, compliance issues, process redesign, and change management.

Unlike Y2K, HIPAA is not a one-time event. It is the law and will be a permanent component of the health care industry, requiring both strategic and tactical planning. An organization's success in preparing for HIPAA will demand an active program of assessment, planning, and implementation. Compliance with the security and privacy standards can be expected to increase costs initially. However, greater utilization of EDI may reduce costs and enhance revenues in the long run if processes and systems are improved. The risks and rewards associated with HIPAA are numerous. The time to begin preparation is now.

REFERENCES

Drucker, D. (2000, July 10). IT prepares for health-care laws. InternetWeek, CMP Media Inc., p. 14.

Institute of Medicine. (1994). Health data in the information age: Use, disclosure, and privacy in computerized medical information. Washington, DC: National Academy Press.

Maddox, P. (1998). Update on patient privacy legislation. Nursing Economic$, 16(4), 212-216.

Morrissey, J., & Weissenstein. (1996). Data security. Modern Healthcare, 26(40), 32-39.

Moynihan, J., & McLure, M. (2000). HIPAA brings new requirements, new opportunities. Healthcare Financial Management, 54(3), 52.

ADDITIONAL READINGS

Lutes, M. (2000). Privacy and security compliance in e-healthcare market place. Healthcare Financial Management, 54(3), 48.

Stephenson, J. (1999). Patient privacy worries. Journal of the American Medical Association, 281(13), 222-223.

P.J. MADDOX, EdD, MSN, RN, is Coordinator, Health Systems Management Graduate Programs, George Mason University, Fairfax, VA.