Navigating the HIPAA maze
Most people take for granted the confidentiality of their medical records. Although physicians, pharmacies and insurance companies regularly exchange health information about patients to conduct business, most patients assume those transactions are secure. To ensure that people maintain that sense of security about their medical information, Congress enacted legislation requiring the health care industry to meet standards of data privacy.
Over the last three years, counties have joined the ranks of private health care organizations in working to meet the mandates of the Health Insurance Portability and Accountability Act (HIPAA). Signed into law in 1996, the act protects health insurance coverage for workers when they change or lose their jobs. To accomplish that goal, the act calls for health care organizations — including providers, health plans and clearinghouses — to standardize the ways in which they transmit medical data electronically and to protect the privacy of individuals’ health information.
Because early public discussions about the law focused on HIPAA’s application to private health care organizations, counties have found little instruction about applying HIPAA to their operations. However, knowing that they will be required to comply with the law, they have created problem-solving networks and have forged ahead with assessments to determine which parts of their organizations must comply with HIPAA and which policies and procedures they need to change.
Deadlines and penalties
The U.S. Department of Health and Human Services (HHS) began issuing rules guiding implementation of HIPAA in 1999. Since then, counties have been changing their computer systems and health care procedures to comply with the law.
The deadline for implementing electronic data transaction standards and data code sets is Oct. 16, 2002. By April 2003, health care organizations will have to meet the standards for data privacy.
The penalties for non-compliance are steep. If organizations do not adopt the transaction standards, the individuals responsible for those transactions may face fines of $25,000 each per violation per calendar year, and they will not be able to communicate electronically with health care partners to send or receive payments for health services. If organizations do not adopt and implement privacy procedures according to the law, they may face fines up to $250,000 and/or their officers may face prison terms up to 10 years.
Facing large fines for failure to comply, counties have been searching for information to guide them in HIPAA implementation. Although finding information about HIPAA for the private sector and state government is not hard to do, finding information that specifically applies to local governments has been a challenge.
“It’s kind of easy to know what the laws are, but it’s kind of hard to know how they apply,” says Reidun Hanson, information security and privacy officer for the Hennepin County (Minn.) Medical Center. “HIPAA purposely did that. It didn’t prescribe. It said, ‘Know your organization, and in your organization this is what you’re going to need to do.’ But it didn’t say how.”
To fill in the gaps, counties have formed alliances with other counties in their states and nationwide to discuss issues of HIPAA implementation. For example, Thomas Simpson, director of business and community services for Multnomah County, Ore., organized monthly meetings for an Oregon county workgroup, and he started a nationwide listserv for counties.
“I hooked into a private sector listserv on HIPAA, and I was getting 20 to 30 e-mails a day,” he says. “A lot of them were dealing with things that just didn’t apply to counties. I thought, ‘Wouldn’t it be good for counties nationwide — especially because resources are so tight — to be able to ask questions of our peers and get one answer instead of eight? Why don’t we all try to figure this out together instead of doing it separately?’”
The listservs and workgroups allow participants to reach consensus, Hanson says. “There’s some comfort in having many people interpret [HIPAA] in the same way,” she notes. “But, then again, we could all be wrong.”
Surveying the landscape
Despite the lack of guidance from HHS, counties have begun implementing HIPAA. They have formed committees and assessed county operations to determine which policies and procedures they need to change.
To examine its HIPAA exposure, Fairfax County, Va., formed a committee consisting of the county attorney, security officer, IT manager, and representatives from the Health Department and Community Services Board. Besides identifying which operations provided and/or billed for health care services, and, therefore, were “covered entities,” the county had to identify “business associates” — those businesses or county departments that processed bills or had access to personal health information as a result of working with a covered entity.
“There really are very few agencies or groups that are not impacted in some way,” says Michael Huddleston, IT manager for the county’s Human Services Branch. “There are cases within the county where an agency may not be a covered entity but would be a business associate to another agency in the county.”
In Hennepin County, the most obvious covered agency — the Medical Center — started the HIPAA ball rolling. Last year, Medical Center staff members suspected several county departments would need to comply with HIPAA, so they prepared a survey and asked all departments to identify whether they handled any of the electronic transactions covered by the law.
The survey alerted the county to the complexities of its organization and to the difficulties that would be involved in HIPAA implementation. For example, county corrections departments typically are affected by HIPAA because they bill electronically for inmate health care. However, the Hennepin County Corrections Department does not bill electronically but requires inmates to pay for care out of pocket.
The county thought the Corrections Department was exempt from HIPAA but later determined otherwise; the department’s health care services are provided by the Medical Center, and the Medical Center bills the Corrections Department for its services. “The sheriff pays [the Medical Center for health care], but it’s not in a normal fashion,” Hanson says. “It’s more like one county department to another, so we’re trying to figure out what that will fall under.”
Like Hennepin County, many counties have several departments that work together to provide health care services for residents. “Government has some serious challenges in terms of figuring out how HIPAA impacts the county as a whole,” says Cheri Huber, privacy officer for Napa County, Calif. “There is a lot of sharing of information between programs. Drawing a line around the covered component is extremely difficult.”
Mapping out a plan
Once counties identify covered entities, they must evaluate all of their health information privacy and security policies for compliance. They also must review their electronic data formats and codes.
Currently, the Napa County Health and Human Services agency is conducting a data-mapping project to identify its policies and procedures for securing individual health information. “We’re following every piece of data that goes in and out of the agency through every step, every process, every activity that touches that piece of data,” Huber says. “We fully expect that it will point out where we don’t have procedures in place or we need to modify procedures.”
Following a similar exercise, Thurston County, Wash., found that it needed to develop a disclosure statement that explained to patients how their health information would be shared with other organizations. It also needed to create policies for communicating that information with patients.
Some counties have found that they need to make relatively few changes to health information security because their state laws are already as strict as, or stricter than, the HIPAA rules. (HIPAA preempts state laws only when state statutes are more lenient or are absent.) Fairfax County, for example, will have only a few privacy policies to change for HIPAA compliance. “The Commonwealth already had a privacy regulation established that covered 90 to 95 percent of the HIPAA requirements,” Huddleston says. “With the exception of the [transaction and code set standards], and some of the potential cryptography in the security ruling, we’re in good shape.”
While counties still are trying to assess their operations and policies, they are educating staff members and county officials about the new law. As the deadlines for compliance approach, counties are training staff members on how HIPAA will affect daily tasks.
In May, the Hennepin County Medical Center held a “Safety Fair” to raise awareness about HIPAA and a variety of other health care regulations. Staff set up informational booths and enticed other staff members to visit the fair by providing doughnuts as prizes during a question-and-answer session.
To comply with HIPAA, counties have to prove that they have trained all staff members regarding the law. During the first quarter of next year, Hennepin County’s Medical Center will begin training its 4,000 employees to ensure that they are knowledgeable about patient health information privacy and that they will respect the safeguards that are being adopted to protect that privacy.
“Training this many people is a huge effort,” Hanson says. “We’re going to try to do it as many ways as we can to reach everyone. We have to train everybody, and we have to prove that we trained everybody. We’ve never been able to pull off 100 percent yet, but we’re going to give it a shot.”
In preparation for training all of its employees, Napa County is working with five other California counties and Warwickshire, England-based Easy i to create an online HIPAA training program. The online program will incorporate training for HIPAA and information security issues, and it will include information specific to California counties.
Any county will be able to purchase the program once it is completed in November. Napa County plans to purchase it for all county employees because of its information security training, which covers best practices for e-mail, laptop computer and Internet use.
The online training tool will automatically track participants, which will help counties prove that they comply with HIPAA. Counties that do not use that or a similar tool must develop a way to track participants.
“This law calls for us to write down our policies and procedures and actually train our staff and document that,” says Sherri MacDonald, interim director for the Thurston County Public Health and Social Services Department. “At some point, somebody’s going to come in and audit us and see if we’re actually doing those things. We will need to produce documentation that tells them, ‘Yes, indeed, we are.’”
Despite uncertainties about how to apply HIPAA to local government organizations, counties are reviewing their policies and procedures regarding personal health information and making good-faith efforts to comply with regulations. “You’re going to be judged on whether or not you attacked this thing with due diligence,” Simpson says. “The more effort you put into it, the better off you’re going to be.”