A year later, health-care institutions cope with HIPAA
It has been a year since federal regulations safeguarding patient information went into effect, and while most health-care institutions around New Hampshire are on solid footing with the new rules, certain provisions of the mandate are still causing concerns.
The Privacy Rule is the central provision of the Health Insurance Privacy and Portability Act of 1996. It is aimed at providing individuals with a level of protection for their health information and establishing new responsibilities for health-care providers to protect the information.
The Privacy Rule was implemented in response to the growing use and advances of technology and the increasing numbers of entities that have access to patient data.
To study HIPAA’s impact on health care, the Government Accountability Office studied the experience of a wide variety of health-care providers and institutions across the country when it came to HIPAA. The GAO report, “First Year Experiences Under the Federal Privacy Rule,” was released Oct. 4.
In a cover letter to U.S. Sen. Judd Gregg, chair of the senate Committee on Health, Education, Labor and Pensions, the GAO concluded that, overall, the nation’s hospitals and health-care institutions did well in enacting the Privacy Rule, but several provisions were still found to be problematic:
• The accounting of certain disclosures
• The requirement to develop agreements with business associates
• Access to patient information by researchers
• The burden of patient education about the ruling falling on providers.
According to Kathy Bizarro, executive vice president of the New Hampshire Hospital Association, the state’s hospital providers are in good shape meeting HIPAA requirements. “There have been no major issues. It has now become standard practice,” she said.
Under HIPAA, information used for treatment, payment, health-care operations, or in certain instances, public health, law enforcement and judicial proceedings and health-care research does not require a patient’s authorization to be released nor does a list have to be maintained of the providers who have received such information.
Other instances, such as the routine reporting of vital statistics to state health officials, do require authorization and accounting of disclosures. Patients also have the right to request the disclosure lists to see who has requested information on them.
Under the Privacy Rule, covered entities must keep a list of all the agencies to which they have disclosed patient information. This particular provision became especially onerous when tracking routine disclosures to state and federal agencies as mandated by law, according to the GAO report, since the provision could potentially touch every patient in a hospital, leading to the accounting of tens of thousands of such disclosures.
The requirement places a significant burden on smaller institutions or those working with manual systems, the GAO said.
The GAO’s recommendation is to exempt disclosures required by law from accounting and place a statement in patient privacy notices that such information will be shared with those agencies.
But the Department of Health and Human Services, in rebuttal to the GAO letter, said to hold off on making changes to the provision. Instead, the department recommended that covered entities use whatever tracking system best suited their needs.
But the provision, according to NHHA’s Bizarro, “has created a paperwork nightmare.”
Bizarro, who also chaired the state’s taskforce on HIPAA compliance, said, “The hospitals rarely get requests for the account, so they’re doing all this paperwork for nothing.”
She said she hoped that HHS would “continue to look” at the provision. “If the information is required to be disclosed, a statement in the notice should be enough. Some information could touch every record and to keep track of this is burdensome, particularly in public health disclosures. I hope they reconsider.”
The GAO report also raised questions about the requirement to develop a privacy agreement with business associates that have access to protected patient information.
Such associates could be anyone from software vendors to document-shredding companies. The GAO’s report cited instances of significant costs associated with meeting the provision, including substantial time and effort providing legal counsel in renegotiating contracts.
Although the GAO did not offer a formal recommendation on this issue, the report said some of the entities they interviewed suggested HHS provide clearer direction on when and how to enter into a business associate agreement.
In New Hampshire, according to Bizarro, business agreements had been a problem, “but have now calmed down.”
The GAO’s report also cited several instances in which researchers, public health entities and patient advocates found access to patient information delayed, or in some cases, denied, claiming “state and federal agencies reported having to take explicit action — including outreach efforts and changes in state law — to ensure that providers and health plans continue to report health information for public health activities.”
Bizarro said New Hampshire researchers and public health officials did not seem to encounter problems to this extent, adding, “I haven’t really heard of access being an issue, however, there does need to be an independent review board, and each patient has to sign an authorization. This creates a hardship to track all these signatures. It also can taint the research because you’re asking the patients to somewhat ‘self-select’ into the study.”
When patients are admitted to a hospital or see a physician in an office, they are required by HIPAA to receive a notice informing them of their rights. But it is possible that not everyone thoroughly understands the full ramifications of HIPAA because of the stress of undergoing hospitalization or illness.
Consequently, questions can arise much later after the admission or office visit. This situation led the GAO to recommend that HHS take a greater part in informing the public of their rights under HIPAA. (The agency has since added extensive information on its Office of Civil Rights Web site, issued public information notices and instituted a HIPAA hotline.)
On Oct. 16, the electronic data interchange, or EDI, requirements of HIPAA also passed their first anniversary. According to Bizarro, New Hampshire has not fared nearly as well under these rules.
She called the “standards” a “misnomer.”
The EDI standards in HIPAA were supposed to level the playing field, by requiring all entities to use the same computer interface codes to carry out electronic transactions. This was supposed to make such transactions occur smoother, swifter and thus, have claims and payments processed much more quickly.
Bizarro said that while many have been able to convert to the HIPAA-required format, “some fields, especially ‘user-defined fields,’ are very different from institution to institution. The interpretation keeps on changing. The answers need to come down from the federal level, but that hasn’t happened so far.”