Having HIPAA Headaches? Let Software Provide Relief

William Lesiecki, MA
January 5, 2004
This article is sponsored by Signia.

Hearing Care Professionals and hearing instrument manufacturers survived April 14, 2003, the date that the HIPAA Privacy regulations went into effect. They did so despite dire warnings from some prognosticators who viewed the date as some sort of "doomsday" when American healthcare providers and their suppliers would sink into a quagmire of bureaucracy.

Whatever your views on the HIPAA privacy regulations, the hearing industry, along with every other area of healthcare, has entered a new era of healthcare information management.

Over the last year, much information about HIPAA has been provided through articles in industry trade publications and in seminars offered by professional associations. These organizations have also posted useful material on their web sites, including information on how the new regulations will affect the way hearing professionals interact with their patients, discussions of how HIPAA will influence the way businesses are run, and advice for professionals on how to comply.

Now that you have spent a year working in a HIPAA world, one question everyone should be asking is, "Am I doing the things I really need to do in order to fully comply with the HIPAA regulations?" If the answer is "no," or "not sure," then there may be a problem, because the regulations require hearing professionals to do a number of things differently when it comes to handling their patients' protected health information (PHI). When it comes to HIPAA, what hearing professionals need to be concerned about, above all, is that they are handling PHI in full compliance with the new privacy rules.

HIPAA experts advise that, when it comes to compliance with the law, the most important thing that hearing professionals must do is to be organized and diligent in how they handle patient data. They also recognize that it is more important than ever before to track and document those activities that are governed or dictated by HIPAA regulations.

PROTECTING PATIENTS

Protecting Patient Privacy

HIPAA safeguards the privacy of health information created or maintained by any healthcare practitioner engaged in providing medically related services to end users (i.e., patients). Hearing Care Professionals need to carefully comply with office-based practices required under HIPAA, and be diligent to handle PHI in a way that protects patients' integrity.

Some of the key administrative practices that Hearing Care Professionals should have in place to comply with HIPAA are:

  • Practices must now limit access to PHI to the "minimum necessary" to accomplish a given task.

  • Practices must provide patients with the right to request access to their protected health information.

  • Practices must track disclosures of PHI, and provide patients, upon request, with a list of such disclosures.

  • Practices must provide patients with the right to request an amendment to their PHI.

  • Practices must provide patients with the right to request restricted disclosures of their PHI.

  • Practices must provide patients with a Notice of Privacy Practices, and track acknowledgement that it has been received.

  • Practices must get their "Business Associates" to sign business associate agreements.

  • Practices must provide patients with the right to request confidential communications regarding their health information.

  • Practices must provide patients with the right to designate a "personal representative" who may represent them in healthcare matters.

  • Practices must provide patients with a mechanism to submit complaints when they feel their privacy rights have been compromised. Hearing care professionals are now required to log and track complaints, and the actions taken to resolve them.

  • Practices are required to document that their employees have received HIPAA training.

HIPAA is do-able

Does all of this mean that HIPAA creates an enormous burden for a hearing care practice? Is HIPAA just a "paperwork nightmare"?

The answer is "no." In fact, many of the things that HIPAA encompasses and requires are simply good business management practices, things that most hearing professionals were already doing in some form.

Complying with HIPAA is like most of the tasks that are part of running a hearing care practice. In most cases, it is easier to perform these tasks with the right tools, especially tools that allow automation of repetitive processes.

One tool that can make it easier to comply with HIPAA is practice-management software. Currently, a number of such software products are available to hearing professionals. Some of these systems can even integrate with NOAH, providing closer integration with diagnostic and fitting information and thereby bringing together all the information used to order hearing instruments and related products for a particular patient.

Commercially available software products, such as Siemens Practice Navigator™, help professionals comply with HIPAA regulations more efficiently. Researching the available products is the best way for professionals to determine which can provide the greatest benefits to their practices, especially in connection with handling PHI.

A lot of data to handle

The HIPAA privacy regulations guarantee patients complete access to their PHI records and the right to amend them. The PHI that hearing professionals keep for each patient is contained in a designated record set (DRS). A DRS consists of all the information used by a practice to make decisions regarding an individual patient's treatment and care. Therefore, the DRS can contain a large amount of information.

To comply with the regulations, hearing professionals must have a means to keep track of all the PHI that makes up the DRS. In hearing care, elements of the DRS can include, but are not limited to:

  • Chart notes

  • Diagnostic exam results (e.g., audiogram, speech tests, real-ear data)

  • Diagnostic results or information of any kind received from any facility other than one's own

  • Hearing instrument programming information

  • Clinical reports to or from another professional or facility (e.g., communications with a physician)

  • Case history

  • Demographic information and identifiers

  • Ear impressions or other data sets representing ear anatomy

  • Hearing instrument parameter descriptions

  • Authorizations of any type that are required from or signed by your patient

  • Medical reimbursement forms, authorizations, billing slips, etc.

  • Financial transaction data that relate directly to PHI (e.g., record of billing or payment for services)

Accounting for PHI; handling your staff

For hearing professionals, an essential part of properly handling protected health information is establishing documented policies and procedures, and clearly spelling out those policies to their employees.

This effort has several components. One is determining who in a facility should be permitted access to what data. The basic principle to follow is that access should be available only on a "need to know" basis. Not every employee of a practice requires access to everything in a patient's DRS; all that should be accessible to any staff member is the information the person needs to perform his or her job. For example, an office administrator whose job does not require knowing a patient's clinical hearing loss data should not have access to that information. But how can you limit access? It is impractical to have a separate locked file cabinet for each item of PHI in a patient's DRS. This is where practice-management software becomes an important tool with regard to HIPAA regulations.


Figure 1.
Each staff member can be assigned individual security level and access rights.

SOFTWARE CAN HELP

Controlling PHI access


Many hearing professionals find that when it comes to controlling access to PHI and to other aspects of HIPAA compliance, a good software system is invaluable. For example, such a system can allow for different levels of data access and security. Figure 1 illustrates how a system administrator can assign access rights and security levels to staff.

In addition to providing access security, there are many other ways that practice-management software can help meet privacy requirements. For example, HIPAA stipulates that PHI must not be visible in public areas of an office. Therefore, providers need to make a reasonable effort to shield PHI from view. But the realities of a busy office can make it difficult to keep such data out of sight, because of both the physical layout of the office and the inevitable need for staff members to step away from their computers from time to time, thus possibly leaving data files visible on the screen.

Software applications can provide utilities to deal with these and other situations. Figure 2 illustrates that an administrator can set "log off" function flags and also set "password expiration" dates.


Figure 2.
The administrator can set "log off" function flags and "password expiration" dates for each staff member.

Another element of PHI data security is requiring employees to agree to keep PHI confidential. Practice-management software can produce the necessary HIPAA agreements and then allow the database to maintain a record of staff member compliance.

HIPAA also requires hearing professionals to ensure that all employees of a covered entity receive training on all aspects of HIPAA that pertain to their job functions and to the handling of PHI. Therefore, it is necessary to provide this training, and also to document that it has been accomplished. Figure 3 illustrates how training and other activities can be documented and tracked.


Figure 3.
It is necessary to log and track training activities to be in compliance with HIPAA.

Establishing business associates

When a hearing professional works with anyone outside his or her immediate staff to provide services to a patient, HIPAA requires the "covered entity" (i.e., the hearing professional) to execute a Business Associate Agreement (BAA) with that vendor partner.

The BAA is required by HIPAA to ensure that any vendor that a covered entity authorizes to use PHI in providing service to a patient agrees to uphold all the same HIPAA regulations that apply to the covered entity. Hearing professionals must have a BAA in place with each and every hearing instrument manufacturer or other vendor they deal with in providing services to their patients.


Figure 4. Creating and tracking Business Associate Agreements can be fully automated.

Under the regulations, it is the hearing professional, not the vendor, who is legally responsible for having the BAA in place with the vendor. Note: Under its "modified Privacy Rule," HIPAA has extended the date for covered entities to get BAAs in place until April 14, 2004. Figure 4 illustrates how the BAA can be produced and tracked.

The BAA shown here, which is contained in Practice Navigator, is based on the agreement developed and recommended by the Hearing Industries Association (HIA) for hearing instrument manufacturers. This document is in a format containing language agreed upon by all HIA member companies and endorsed by the American Academy of Audiology and the International Hearing Society.

Compliance with HIPAA also entails documenting that certain "PHI transactions" have taken place. For example, HIPAA mandates that hearing professionals establish a formal procedure for receiving and tracking complaints from patients or their designated representative concerning any violation of their practice's privacy policy. The regulations spell out exactly what information must be maintained if a complaint is lodged.

A formal complaint procedure is just one of many "HIPAA events" that hearing professionals are required to track. Office-management systems contain templates that meet the requirements, making it easier to execute and track such forms as needed.


Figure 5.
Templates for addressing all the various "HIPAA events" are easily created, logged and tracked.

Figure 5 illustrates the access to and tracking of various HIPAA events. Note that all the forms contained in Siemens Practice Navigator are provided by license agreement from Healthcare Analytics, LLC and are based on its "HIPAA Compliance Toolkit."

Electronic data standards

HIPAA encourages the use of electronic data transmission as it improves efficiency throughout the entire healthcare system. In addition, Medicare recently (as of October 16, 2003) made it a requirement that all claims be submitted electronically. Many industry experts predict that this trend will continue into the private sector too, and that eventually standard practice will require electronic submission of all billing claims. However, again, this should not be looked at by the Hearing Care Professional as a compliance "burden." Electronic submissions have many advantages, including:

  • ability to pre-validate the claim

  • lower resubmission rates

  • claim status tracking

  • substantially faster payment on claims


Practice Navigator allows you to process billing claims either on paper or electronically. Utilizing the industry standard HCFA 1500 form, you can fill out the format and then save it in an electronic format. This file can then be uploaded to a web-enabled clearing house that Practice Navigator utilizes, which then passes on the validated file to the appropriate entity (Medicare, Blue Cross, CIGNA, etc.).

Under the Administrative Simplification standards of HIPAA, a covered entity must comply with regulations set in place to streamline as well as protect the security and privacy of data being transferred electronically. Practice management software, such as Practice Navigator, is designed to allow functions like e-billing that comply with the HIPAA standards when submitting an insurance claim or billing a patient, making a once cumbersome and often frustrating process as easy as a few clicks of your mouse.

Compliance is easier than it seems

For hearing professionals making their practices HIPAA-compliant, the regulations may seem a little daunting. Choosing the right tool to expedite and facilitate the compliance process can ease the transformation.

In evaluating software products that may be used to comply with HIPAA, here are some questions that hearing professionals may want to ask. Does the system:

  • Define different access levels for staff and define rights for each access level?

  • Set passwords for each staff member?

  • Allow for tracking of staff training?

  • Provide for a means of tracking PHI disclosures and produce reports for it?

  • Provide templates for various "HIPAA events"?

  • Produce a vendor BAA and track compliance by vendor?

  • Track any and all contacts made with a given patient?

  • Allow for integration for use with NOAH and both testing and programming models?

Once the software for your practice is in place, complying with HIPAA regulations can become a seamless part of daily practice management.

This article is based (in part) on a previous publication. See The Hearing Journal, July 2003, volume 7, pages 42-47


William Lesiecki, MA

Audiologist and Director of Software & E-Business Solutions


