Thursday, October 4, 2012

Providers rush to lock patient records as HIPAA deadlines loom - Northeast Pennsylvania Business Journal

With less than a year remaining until the first in a series of new federal healthcare information standards takes effect, a survey of healthcare professionals nationwide shows that only about half of those affected will be ready.

The survey, taken in the first weeks of 2002 by Phoenix Health Systems, a healthcare information technology and outsourcing firm, polled the industry on its readiness to conform to new industry-wide standards for the protection of confidentiality and security of personal healthcare information and for the improved efficiency of healthcare information exchange via electronic data interchange (EDI) mandated under the Health Insurance Portability and Accountability Act (HIPAA).

Darlene Kauffman, associate director of medical economics for the Pennsylvania Medical Association and dubbed the 'HIPAA guru' by her colleagues, says the compliance readiness numbers are probably about the same locally as nationally.

Before HIPAA, healthcare providers protected patients' confidentiality following a patchwork of state laws that often left gaps in the protection of patients' privacy and confidentiality.

Personal health information could be distributed - without either notice or consent - for reasons having nothing to do with the patient's medical treatment or healthcare reimbursement, according to the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR).

Currently, patient information held by a health plan may be passed on to a lender who may use it to deny the patient's application for a home mortgage or credit card, or to an employer who may use it in personnel decisions.

The HIPAA Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections will take precedence over the new federal standards.

Pennsylvania has strong privacy laws in place, according to Kauffman. Determining which law to follow is under study by a task force of the E-PA Alliance, a nonprofit volunteer organization of technology users which is involved in improving Pennsylvania's economic competitiveness and quality of life.

'We are determining, almost phrase by phrase, where state law will pre-empt HIPAA laws,' explains Kauffman, who co-chairs the E-PA Alliance Education and Communications Working Committee. The DHHS, which drafted the new regulations, is in the process of tweaking the new standards based on public input after the final law was published in April of 2001.

Kauffman warns that waiting for possible changes or clarifications to begin working on compliance is not a good strategy.

'To implement this 1,500 page law, everyone is going to need a lot of education,' Kauffman says.

To meet the April 2003 privacy standards implementation deadline, healthcare providers should be in the process of, or have completed, an analysis of their current privacy policies, Kauffman adds.

'They need to go through every procedure in their practice, everything that involves patient information, document how they do it now, evaluate how it has to change, and how they're going to make that change,' Kauffman explains.

Each organization is required to appoint a privacy officer. In smaller organizations, these duties may be assigned to an existing employee, such as office manager. Larger and more complex organizations may need to establish a new position with support staff to ensure compliance.

Necessary changes may be as simple as keeping patient sign-in sheets out of view from the general public. Front-desk personnel will need to watch that discussions of patients' private information can't be overheard by others.

Richard English, M.D., director of the Family Practice Residency Program for the Wyoming Valley Health Care System (WVHCS), says his office will be moving computer screens away from the public eye, eliminating such simple things as sign-in sheets and protecting fax machines from casual observers.

In general, English says physicians usually have policies on privacy and disclosure for their employees in place, so not much will change.

'This whole issue is not new,' explains James Rakshys, director of advanced technology and newly appointed chief of privacy and security for WVHCS, 'but the intensity is going to change.'

While hospitals won't be required to provide each patient with a private room, doctors and nurses will be expected to do what they can to keep bedside consultations private.

Conversations at the nurses' station will need to be kept as private as possible. Michelle Cibio, administrator of HealthSouth Diagnostic Center, Camp Hill, expects very few changes at her facility.

'We're accredited by the Joint Commission on Accreditation of Health Care Organizations (JCAHO) so we already have a written policy in place,' Cibio explains. Cibio points out that the new law requires that 'reasonable' changes be made to protect patients' privacy. For example, the Center will not be required to put privacy glass around the receptionist's desk to protect information at the desk, but they will be expected to take common sense steps to keep information private.

They will eliminate the sign-in sheet that was left on the desk and included a patient's name, the referring doctor, and reason for the diagnostic study.

HealthSouth has also written a policy that determines who has access to patient information, that person's job description, and what information they need to complete their job. Only the minimum amount of healthcare information necessary to perform a task may be disclosed from a patient's file.

Employees must be educated about the company's privacy policy. This may be as simple as providing each employee with a copy of the privacy policy, or may include extensive training seminars. The size and complexity of an organization will most likely determine the method of education.

A patient must be provided with an organization's privacy policy up front, and told how their information can be used.

A record of who has received patient information must be kept in writing and available to the patient.

Adherence to the new privacy standards will be backed up with severe civil and criminal penalties for non-compliance.

Fines go as high as $25,000 for multiple violations of the same standard in a calendar year, and up to $250,000 and/or imprisonment for up to 10 years for knowing misuse of individually identifiable health information. DHHS has delegated enforcement responsibilities to the DHHS Office for Civil Rights.

The cost of implementing the new privacy standards is difficult to determine, according to Kauffman. An organization's size and the amount of change necessary to become compliant will determine how much they spend.

Respondents to the Phoenix Health System survey, which included hospitals, physician practices of varying size, insurance companies and vendors, estimated that their organizations will spend upwards of $1 million to become compliant; however, most will spend less than $100,000.

Much of this funding will go to meeting the new electronic requirements of HIPAA. Originally scheduled to go into effect in October of 2002, the new electronic health transaction standards now give the healthcare industry until October of 2003 to conform. A plan for attaining these standards must still be in place by October of this year.

The new standards are designed to establish one national electronic format for processing health claims, health plan eligibility, enrollment and disenrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions.

Up until now, health providers and plans have used many different electronic formats, each requiring its own software. Kauffman says this software was often quite expensive. The various formats were also unable to communicate with each other, slowing down the healthcare claims process.

The new rules require the use of specific electronic formats developed by the American National Standards Institute (ANSI) for most transactions.

Virtually all health plans will have to adopt these standards, even if a transaction is on paper or by phone or fax.

Standard code sets will be developed to be used in all transactions. For example, the coding systems that describe diseases, injuries and other health problems, as well as their causes, symptoms and actions taken, must become uniform. All parties to a particular transaction will have to use and accept the same coding.

These standards are intended to reduce mistakes, duplication of effort and costs.

'The costs (of implementing the new standards) are supposed to be astronomical up front and lead to significant savings down the road,' English says. 'I do believe that the improvements in efficiency and effectiveness of patient care, which should result from the ability to share healthcare information, will slow the rise of costs, improve communication, eliminate wasteful duplication of services and make healthcare safer.'