Hippa - Effects Of Health Insurance Effects of the Health Insurance Portability & Accountability Act (HIPAA) Introduction Just when Americans thought it was safe to turn on their computers after this years anticipated Y2K catastrophe, now comes the federal governments new Health Insurance Portability & Accountability Act (HIPAA) -- privacy regulations that will create new, insurmountable challenges for todays healthcare industry. The Y2K bug is estimated to have cost the health care industry upwards of $10 billion. By comparison, implementing the HIPAA privacy and security regulations is estimated to cost the health care industry $40 billion over the next two years. Beginning January 2001, US health care operations will never be the same again. This paper will address the origins of these new federal privacy regulations with a specific focus on the privacy standards and the Health and Human Services (HHS) proposed rules on confidentiality of personal health information. In a Wall Street Journal/ABC poll conducted on September 16, 1999, Americans were asked to identify those issues that concerned them most for the coming century.
Loss of personal privacy ranked as the first or second concern of 29 percent of all respondents. Other issues, such as terrorism, world war, and global warming, scored of 23 percent or less. Background Historically, an individuals access to his or her own medical records and the ability to limit that access to third-parties was safeguarded by the patient, physicians, and healthcare organizations (i.e., hospitals, clinics, etc.). However, with advances in information technology, the issues of security and breeches of patient confidentiality have become major priorities. When Congress passed the Health Insurance Portability & Accountability Act of 1996, it contained hundreds of pages of proposed legislation intended to set privacy and security standards for the creation and maintenance of patient health care databases. Congress set a deadline for itself of fall 1999, to pass comprehensive legislation regulating the privacy and security of information traditionally held sacred between patient and doctor.
If Congress did not meet its deadline, HIPAA authorized the Secretary of the Department of Health & Human Services (HHS) to take on the program. In November 1999, after Congress failed to meet its deadline, HHS issued proposed privacy regulations regarding the secure treatment of electronic information and requiring a standardization of data used in transmitting health care information electronically. After the uneventful passing of the Y2K crisis, healthcare providers reevaluated the proposed regulations and began to realize the impact of such privacy and security regulations. Purpose HIPAA addresses the protection of health information from its creation and establishes uniform requirements for those handling such information. The new privacy regulations effect all health care providers, health plan administrators, and health care clearinghouses (hereinafter collectively referred to as health care operators) that electronically transmit individual, identifiable health information in one of several types of transactions.
The regulations apply not only when a health care operator engages in one of the listed transaction, but any time they use or disclose protected information. In fact, the regulation covers such a broad variety of healthcare-related transactions -- such as verification and coordination of benefits -- that only on rare occasion will a health care operator not be effected by this mandate. The regulation governs the use and disclosure of individual, identifiable health information that has been electronically transmitted or maintained by a health care operator. However, not all health care information is protected under these regulations. The new privacy regulation only applies when a health care operator places information that potentially identifies an individual into an electronic format, and a reasonable basis exists to believe that the information can or will be used to identify the individual. This category of information is known under the new regulation as protected health information.
It is important to remember that individual, identifiable health care information can easily become subject to these regulations whenever existing information is entered into a computer or any type of electronic data system. This includes the scanning of older, paper records into an optical storage device. As a general rule, protected health care information may not be used or disclosed -- even within an organization -- unless the health care operator receives specific authorization from the individual patient. The Privacy Act of 1974 Before considering the HIPAA Act, there is value in first reviewing the Privacy Act of 1974, as both generally promote respect for the publics privacy. Under the Privacy Act of 1974, federal agencies were adopt minimum standards for the collection and processing of personal information, and to publish detailed descriptions of these procedures. This Act also limits the making of such records available to other private agencies or parties and requires agencies to make records on individuals available to them upon request, subject to certain conditions and exclusions. This is not unlike the HIPAA Act which governs how health care operators (as opposed to the federal government) handles the confidential information obtained from patients (as opposed to the public at large).
The Privacy Act of 1974, has four basic policy objectives: o To restrict disclosures of personally identifiable records. o To grant individuals more rights to access records agencies maintain on them. o To grant individuals the right to seek amendments to agency records maintained on themselves. o To establish a code of fair information practices which requires agencies to comply with statutory norms for collection, maintenance, and dissemination of records. Security According to the HIPAA, the security standards that apply to the health care operators must address reasonable and appropriate administrative, technical, and physical safeguards to: o Ensure the integrity and confidentiality of the information.
o Protect against any reasonable anticipated threats or hazards to the security or integrity of the information, including unauthorized use or disclosure. o Ensure compliance by officers and employees of the health care operators. Personnel Security Organizations that handle individual health care information must establish control policies that regulate appropriate access to the information in their possession, while assuring its confidentiality. An effective policy would first determine those staff members who are granted authorization to the information, and then govern how and when such authorization is maintained, modified, or terminated. Issues to consider are: Training.
Employees should be trained regarding what information, systems, or applications they have authority to access, together with their responsibility to limit such access. Identification: Health care operators should supply authorized personnel with Personal Identification Numbers (PINs) or key cards by which users can be authenticated as part of the control process. Information Systems Security Management Information systems security management requires formal policies and procedures for granting (or denying) access to various levels of health care information, including user authentication and accountability practices. In order to meet regulatory compliance, three key areas must be in place: 1. security measures for all information systems; 2.
security testing, including intrusion testing, performed regularly on systems and networks; 3. virus protection, and a response procedure when a virus is detected. documenting all policies and procedures in the integration and daily work of the Information Systems Management Department. installing software that maintains review schedules for testing security features. creating a system for on-going and periodic system checking.
updating and formatting a frequent virus checking system and procedure. Security Incident Procedures To ensure that violations are managed quickly, health care operators are required to have documented damage control procedures for reporting security breaches. Such procedures should address data backup, data storage, and proper disposal of data, in addition to assigning responsibil ...