HIPAA locks the gate
Lawyers, health-care providers get ready to tighten patient privacy rules this month

Issue April 2003 By Lynne Feibelmann

Ready or not, health-care providers across the state will be hit with new federal regulations on patient privacy this month.

After spending thousands of dollars and hundreds of hours tightening policies, large health-care providers say they have procedures in place to ward against leaking patient information, according to attorneys and compliance officers.

But it may take a bit longer for smaller health-care practices to comply with the new rules.

As of April 14, any individual or group that provides and pays for medical care - including health-care providers, plans and clearinghouses - will be required to provide their patients and consumers greater privacy protection.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes new national health-privacy standards, intended to curb the rampant dissemination of patient information that has occurred in recent years.

"The underlying goal of the privacy rules is (regulating) how covered entities use and disclose information," said Michael Costa, senior associate in the health business practice group at Greenberg & Traurig and chair of the MBA's Health Law Section Council.

Because electronic records and the Internet have made information about an individual's health conditions available, drug companies have been able to buy lists of patients and consumers from pharmacists and doctors to use for advertising and research.

Valid written authorization is now needed from each individual before doctors, pharmacists and insurers can release information for reasons not related to treatment, payment or health-care operations.

"Previously, information could be sold or leaked," said Costa. "That activity is now restricted to ensure the privacy of the individual. Getting authorization from 1,000 people to participate in a research study will be difficult."

Releasing private information can be detrimental to a patient. Individuals with fatal diseases could be fired or charged higher insurance rates if employers learn about their health conditions, said Costa, who counsels hospital systems, managed-care organizations and health agencies on fraud, corporate compliance and complex transactions.

"Privacy is a pre-eminent right," he said. "Information about our persons could have significant consequences if it was revealed."

Costa said Massachusetts' 275 health-care laws are strict, but the new federal regulations will establish a floor of privacy rights. "HIPAA says whichever law provides the greatest protections for the consumer takes precedence," Costa said.

For instance, if HIPAA states that patients have a right to receive their records free of charge and Massachusetts law requires a charge, HIPAA preempts. Under the new regulations, patients have the right to amend their records and the power to decide which parties may use their health information, and for which purposes. That information includes everything created or received about their physical or mental-health condition that identifies them.

Christine Solt, health-care attorney at Choate, Hall & Stewart, said all patients have more access to their own information, including mental health patients.

"Doctors used to withhold information for their protection, but under the new regulation they can only do so if releasing the information would be a threat to the patient," she said.

Kalisa Barratt, director of corporate compliance at Bay State Medical Center in Springfield, agreed that patient privacy rights have been expanded.

"Privacy has been brought to the forefront. Without that kind of protection we can't be guaranteed the patient is telling the doctor everything needed to know (about their condition)," she said.

Preparing for compliance

Preparing for compliance has required health-care providers, health-management organizations and billing services across the state and the country to educate their staffs, coordinate HIPAA teams and audit policies, procedures and application systems.

"This is a major shift," Costa said. "My clients are investing resources, time and money to be in compliance with regulations and to not misappropriate medical information."

Although Costa said many of his clients throughout the country would not be ready by the April 14 deadline, he is confident his clients in the commonwealth will be in compliance.

"Massachusetts is the health-care capital of the world and will be at the forefront of HIPAA compliance," he said, adding that since many Massachusetts providers operate in other states, they welcome a national standard.

One of Costa's Massachusetts clients is a large nursing home chain that has 30 facilities.

"Because they are an elderly population, their information is disseminated more," he said, referring to Medicare and Medicaid billing and records. That chain is one of many that have completed several training steps outlined by Costa.

Joined by health-policy consultant Kati Enscoe and several attorneys, Costa has been conducting five-part training programs since last October.

He suggests that all health organizations establish privacy oversight committees, track privacy regulations, establish a process for handling privacy complaints and develop sanction policies for failure to comply with privacy policies.

On a daily basis, Costa said compliance means changing the culture and environment of health care. "It's using lowered voices when talking about a person's condition and flipping over records in hospital doors so they're not read," he said.

Other Massachusetts health-care providers

Throughout the state, many institutions have implemented training with their own legal and compliance departments. At Newton-Wellesley Hospital, compliance officer Eileen McCarthy said her staff has been trained and will be ready to adhere to the new privacy regulations on time.

"We are implementing many operation changes, including the way patients are registered in the system," she said.

Additional paperwork includes giving privacy notices to patients and recording their acknowledgement of receipt.

Bay State Medical Center in Springfield has been working toward compliance for a couple of years, according to Barratt. The staff already has been educated on HIPAA's general requirements.

"We are training employees, students and volunteers," she said. "Some need to be well-versed in policies and others don't."

The center's second step in training, which began at the end of February, included drafting a manager's guide.

"It's a massive task to prepare everyone, and we have six weeks to do it. The minutia is mind-boggling," Barratt said, adding that a HIPAA hotline will be implemented to address employees' questions.

In addition, at least half of Beth Israel Hospital's 2,500 employees have been trained online in HIPAA regulations, according to Sandy Leitao, program director in the office of business conduct.

"Direct-patient-contact training (was) held for those who are on the frontline and are affected by the new privacy regulations," she said.

That 10-session training contained 20 to 30 vignettes and instructions about privacy-notice signage.

"Our main goal is to promote awareness. We have very good privacy practices already in place," she said.

Prior to the new HIPAA regulations, Massachusetts General Hospital also had many of its own privacy policies and procedures, according to Deborah Adair, privacy officer and director of health information services.

"We are refining our existing policies," she said. "The privacy notice is new and we have training on its use, including how to track it internally."

Training and implementation have cost the Partners Health Care System hundreds of thousands of dollars. "We budgeted the additional dollars last year, but it was not as exorbitant as predicted," Adair said.

Although most Massachusetts health providers will be prepared on time, Costa said 80 to 90 percent of his clients in 20 states would not be in compliance by the deadline.

"There is a range of reasons why people won't be up to the plate," he said, adding that industry-wide compliance costs will total $25-$30 billion. "There is confusion about the regulations, a lack of funds to educate and doubt regarding enforcement."

According to Solt, small practice groups rather than major health plans will most likely miss the deadline because they are "less HIPAA savvy."

In order to enforce the regulations, Costa said health insurance companies could deny payment.

In addition, health-care providers found in breach of the new regulations will face civil and criminal penalties ranging between $25,000 and $50,000. The government has the authority to conduct compliance audits, courts can subpoena documents, and patients themselves can report misbehavior online by filing government complaints with the Office of Civil Rights.

"If (health-care providers) don't comply they run the risk of penalties, but they have to get caught," Costa said. "The government won't crack down on everybody but will (penalize) a few, creating a ripple effect."