


HIPAAnote Volume Two, December 2002

No. 46 HIPAA Regs -- Getting the Team on Board: The Only Way to Ensure Compliance...

You’ve heard that HIPAA requires training and, if you’ve looked at the rules, you’ve noticed that the proposed security rule goes so far as to specify topics that must be included in your training endeavors. Not so for the HIPAA privacy rule.

The HIPAA privacy rule (164.530.b, if you’re looking) only says that “a covered entity must train all members of its workforce on the policies and procedures with respect to protected health information ... as necessary and appropriate for the members of the workforce to carry out their function within the covered entity.”

So, does that make privacy training less critical? Hardly. Think about what all this means in the provider environment:

Consider a typical hospital with 750 employees who have more than casual access to PHI as part of their job functions. Each of those employees might have 100 or more opportunities each day to use or disclose PHI that either:

  • Might be allowed by the rule;
  • Might be allowed, but must be logged for disclosure tracking purposes; or
  • Isn’t allowed at all.

Now, let’s do the math -- Our typical hospital is presented with 75,000 opportunities each day for using or disclosing PHI. Even if you assume that 30% of your employees don’t work on a given day, that’s still almost 20,000,000 decision points per year!!! Assuming you have “3-sigma quality control” (one HIPAA error per thousand, which is pretty generous without training), that’s still twenty thousand violations of HIPAA per year! Ouch.

How to resolve the situation? Extensive privacy training. Each person in your facility with access to PHI needs to understand the basic principles behind the HIPAA privacy rule, as well as the policies and procedures that you’ve chosen to implement those principles. Why so much focus on the principles?

Healthcare professionals need straightforward criteria to make decisions in a broad variety of situations. Your organization’s set of privacy policies is important to understand, but your procedures are unlikely to cover every possible scenario requiring judgment.

The privacy rule places considerable emphasis on provider judgment. Having a solid understanding of the principles behind the privacy rule will help healthcare providers make good decisions relative to the handling of PHI.

You definitely must train your workforce on your specific privacy policies (HIPAA requires that), but don’t neglect the principles!

For more information about HIPAA training, see our web site www.HIPAAdvisory.com.

Tom Grove, Vice President
Phoenix Health Systems


No. 47 HIPAA Term -- What to make of the Limited Data Set

When the HIPAA Privacy Rule first became final, there were significant concerns that the rule might make some critically important research, public health, and health care operations activities impossible to carry out. In particular, the concern that de-identified data wouldn’t be sufficiently useful to meet key needs in these areas caused HHS to rethink the HIPAA approach to some uses of data. The result of this rethinking is the limited data set.

A limited data set is much like de-identified data, but removes only the direct identifiers:

  • Names;
  • Postal address information, other than town or city, State, and zip code;
  • Telephone numbers;
  • Fax numbers;
  • Electronic mail addresses;
  • Social security numbers;
  • Medical record numbers;
  • Health plan beneficiary numbers;
  • Account numbers;
  • Certificate/license numbers;
  • Vehicle identifiers and serial numbers, including license plate numbers;
  • Device identifiers and serial numbers;
  • Web Universal Resource Locators (URLs);
  • Internet Protocol (IP) address numbers;
  • Biometric identifiers, including finger and voice prints; and
  • Full face photographic images and any comparable images.

The result is a more useful data set, but one that still would allow patients to be identified. In order to protect the privacy of patients, use of this data is restricted to research, public health, and health care operations.

To provide additional protection, limited data sets require a data use agreement. These agreements limit uses of and access to the data sets, and require that the recipients do not attempt to re-identify patients.

What does this mean to you in your organization? It means that you need to rethink the use of de-identified data and some research uses that would be better met by a limited data set.
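The following is an added illustration, not code from the HIPAAnote or from Phoenix Health Systems, of what producing a limited data set from a patient record looks like in practice. The field names, the regular expressions, and the sample record are constructed for the example; the identifier categories are the ones listed above. It shows the two points that matter operationally: the address is trimmed rather than dropped (town or city, State, and zip code may stay), and direct identifiers can survive inside free-text fields, so a second pass that scans string values is worth running before the data set leaves your control under a data use agreement.

```python
"""Produce a HIPAA limited data set from a patient record and check for leaks.

Added example; field names and sample data are constructed, not taken from
any real system or from the HIPAAnote text.
"""
import re

# Top-level fields that hold direct identifiers and must be removed.
# (Names are assumptions for this example; the categories follow the
# limited data set definition.)
DIRECT_IDENTIFIER_FIELDS = {
    "name", "phone", "fax", "email", "ssn", "mrn",
    "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address",
    "biometric", "photo",
}

# Address components a limited data set may retain: town/city, State, zip.
ADDRESS_KEEP = {"city", "state", "zip"}


def to_limited_data_set(record: dict) -> dict:
    """Return a copy of `record` with the direct identifiers removed.

    - Fields named in DIRECT_IDENTIFIER_FIELDS are dropped.
    - A nested `address` dict keeps only city, state and zip; street lines
      and any other components are dropped.
    - Everything else (dates, diagnosis codes, notes) passes through, which
      is exactly what makes a limited data set more useful, and more
      sensitive, than de-identified data.
    """
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue
        if key == "address" and isinstance(value, dict):
            out["address"] = {k: v for k, v in value.items() if k in ADDRESS_KEEP}
            continue
        out[key] = value
    return out


# Patterns for direct identifiers that commonly leak into free-text fields.
# Deliberately simple; a production scrubber would use a fuller set.
LEAK_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}[-.]\d{3}[-.]\d{4}\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://\S+"),
}


def find_leaks(record: dict) -> list:
    """Return (field, identifier_kind) pairs for string values that still
    look like they contain a direct identifier after filtering."""
    leaks = []
    for key, value in record.items():
        if isinstance(value, str):
            for kind, pattern in LEAK_PATTERNS.items():
                if pattern.search(value):
                    leaks.append((key, kind))
    return leaks


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "mrn": "MRN-0001",
    "email": "jane@example.org",
    "address": {"street": "1 Main St", "city": "Springfield",
                "state": "IL", "zip": "62701"},
    "date_of_service": "2002-12-02",
    "diagnosis_code": "J18.9",
    "clinical_note": "Patient asked to be contacted at jane@example.org.",
}

if __name__ == "__main__":
    limited = to_limited_data_set(SAMPLE_RECORD)
    print(limited)
    # The e-mail address in the free-text note survives the field filter,
    # so it is reported here for manual scrubbing before release.
    print(find_leaks(limited))
```

The filter is only as good as its field list, so the inventory of which fields hold which identifiers has to be maintained alongside the policy, much as the designated record set inventory does; the leak scan is a backstop, not a substitute for that inventory.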

To read more, see the comments that spawned these changes.

Tom Grove, Vice President
Phoenix Health Systems


No. 48 HIPAA Regs -- Covered Transactions: Look Carefully, Because It Isn’t All About Claims

If you’re a payer or a clearinghouse, HIPAA is clear -- you’re a covered entity. If you’re a provider, however, the situation is less obvious. For a provider to be a covered entity, you have to conduct one of the covered transactions. For many providers, including most hospitals, it’s easy -- if you bill electronically, you’re covered. For many small physicians’ offices, the situation is less clear. Examine this list of the covered transactions:

  • Health claims or similar encounter information
  • Health care payment & remittance advice
  • Coordination of Benefits
  • Health claim status
  • Enrollment & dis-enrollment in a health plan
  • Eligibility for a health plan
  • Health plan premium payments
  • Referral certification & authorization

So what’s the catch? Simple -- many small physicians’ offices still bill on paper, but conduct one of the other transactions. The biggest offender? Eligibility inquiries. Many state Medicaid programs support the use of credit-card style terminals for eligibility verification, and that’s a standard electronic transaction.

Even if you already know you’re covered, there are strategic implications. Think about those credit-card style eligibility machines, and consider what happens once not only Medicaid, but all payers, can provide standard eligibility transactions. It means that all eligibilities can be checked at the time of service, reducing the number of uncollectible bills. To do that, you need either an eligibility function in your existing systems, or some new software or service. In the rush to get HIPAA-compliant claims working, don’t lose sight of the other transactions, their benefits, and ways to obtain them.

For more about transactions, go to:
http://www.hipaadvisory.com/action/tcs/

Tom Grove, Vice President
Phoenix Health Systems


No. 49 HIPAA Term -- Designated Record Sets: Limiting the scope of HIPAA privacy for patient access

HIPAA doesn't require healthcare organizations to provide full and total access to all health information to the patient. That right of access is substantially simplified by limiting access to the designated record set.

The privacy rule defines the designated record set as records that contain protected health information (PHI), and are used to make decisions about the patient. That list includes:

  • Medical records, whether paper or electronic
  • Patient databases, electronic and paper
  • Billing records, both paper and electronic (includes those maintained by business associates, such as collection agencies or billing companies)
  • Other clinical data such as case management or utilization review documentation

Why is this important? In a healthcare facility, there are many documents with patient information that don't meet this definition. One example: There is often patient information in human resources records created when employees are exposed to a patient's bodily fluids. The employment records are not used to make decisions about the patient, so there's no need to include them in the designated record set. Therefore, you don't need to disclose those records.

What must you do as a healthcare organization? First, make a complete inventory of all record sets, and determine exactly which are and are not parts of the designated record set. Then define those records as the designated record set in your organizational policies. Finally, make sure that the policy is updated whenever your designated record set is redefined.

Tom Grove, Vice President
Phoenix Health Systems




HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2006. All rights reserved.
