Hearing Care Professionals and hearing instrument manufacturers survived April 14, 2003, the date that the HIPAA Privacy regulations went into effect. They did so despite dire warnings from some prognosticators who viewed the date as some sort of "doomsday" when American healthcare providers and their suppliers would sink into a quagmire of bureaucracy.
Whatever your views on the HIPAA privacy regulations, the hearing industry, along with every other area of healthcare, has entered a new era of healthcare information management.
Over the last year, much information about HIPAA has been provided through articles in industry trade publications and in seminars offered by professional associations. These organizations have also posted useful material on their web sites, including information on how the new regulations will affect the way hearing professionals interact with their patients, discussions of how HIPAA will influence the way businesses are run, and advice for professionals on how to comply.
Now that you have spent a year working in a HIPAA world, one question everyone should be asking is, "Am I doing the things I really need to do in order to fully comply with the HIPAA regulations?" If the answer is "no" or "not sure," then there may be a problem, because the regulations require hearing professionals to do a number of things differently when it comes to handling their patients' protected health information (PHI). When it comes to HIPAA, what hearing professionals need to be concerned about, above all, is that they are handling PHI in full compliance with the new privacy rules.
HIPAA experts advise that, when it comes to compliance with the law, the most important thing that hearing professionals must do is to be organized and diligent in how they handle patient data. In addition, they recognize that it is more important than ever before to track and document those activities that are governed or dictated by HIPAA regulations.
PROTECTING PATIENTS
Protecting Patient Privacy
HIPAA safeguards the privacy of health information created or maintained by any healthcare practitioner engaged in providing medically related services to end users (i.e., patients). Hearing Care Professionals need to carefully comply with office-based practices required under HIPAA, and be diligent to handle PHI in a way that protects patients' integrity.
Some of the key administrative practices that Hearing Care Professionals should have in place to comply with HIPAA are:
- Practices must now limit access to PHI to the "minimum necessary" to accomplish a given task.
- Practices must provide patients with the right to request access to their protected health information.
- Practices must track disclosures of PHI, and provide patients, upon request, with a list of such disclosures.
- Practices must provide patients with the right to request an amendment to their PHI.
- Practices must provide patients with the right to request restricted disclosures of their PHI.
- Practices must provide patients with a Notice of Privacy Practices, and track acknowledgement that it has been received.
- Practices must get their "Business Associates" to sign business associate agreements.
- Practices must provide patients with the right to request confidential communications regarding their health information.
- Practices must provide patients with the right to designate a "personal representative" who may represent them in healthcare matters.
- Practices must provide patients with a mechanism to submit complaints when they feel their privacy rights have been compromised. Hearing care professionals are now required to log and track complaints, and the actions taken to resolve them.
- Practices are required to document that their employees have received HIPAA training.
Does all of this mean that HIPAA creates an enormous burden for a hearing care practice? Is HIPAA just a "paperwork nightmare"?
The answer is "no." In fact, many of the things that HIPAA encompasses and requires are simply good business management practices, things that most hearing professionals were already doing in some form.
Complying with HIPAA is like most of the tasks that are part of running a hearing care practice. In most cases, it is easier to perform these tasks with the right tools, especially tools that allow automation of repetitive processes.
One tool that can make it easier to comply with HIPAA is practice-management software. Currently, a number of such software products are available to hearing professionals. Some of these systems can even integrate with NOAH, providing closer integration with diagnostic and fitting information and thereby bringing together all the information used to order hearing instruments and related products for a particular patient.
Commercially available software products, such as Siemens Practice Navigator™, help professionals comply with HIPAA regulations more efficiently. Researching the available products is the best way for professionals to determine which can provide the greatest benefits to their practices, especially in connection with handling PHI.
A lot of data to handle
The HIPAA privacy regulations guarantee patients complete access to their PHI records and the right to amend them. The PHI that hearing professionals keep for each patient is contained in a designated record set (DRS). A DRS consists of all the information used by a practice to make decisions regarding an individual patient's treatment and care. Therefore, the DRS can contain a large amount of information.
To comply with the regulations, hearing professionals must have a means to keep track of all the PHI that makes up the DRS. In hearing care, elements of the DRS can include, but are not limited to:
- Chart notes
- Diagnostic exam results (e.g., audiogram, speech tests, real-ear data)
- Diagnostic results or information of any kind received from any facility other than one's own
- Hearing instrument programming information
- Clinical reports to or from another professional or facility (e.g., communications with a physician)
- Case history
- Demographic information and identifiers
- Ear impressions or other data sets representing ear anatomy
- Hearing instrument parameter descriptions
- Authorizations of any type that are required from or signed by your patient
- Medical reimbursement forms, authorizations, billing slips, etc.
- Financial transaction data that relate directly to PHI (e.g., record of billing or payment for services)
For hearing professionals, an essential part of properly handling protected health information is establishing documented policies and procedures, and clearly spelling out those policies to their employees.
This effort has several components. One is determining who in a facility should be permitted access to what data. The basic principle to follow is that access should be available only on a "need-to-know" basis. Not every employee of a practice requires access to everything in a patient's DRS; all that should be accessible to any staff member is the information the person needs to perform his or her job. For example, an office administrator whose job does not require knowing a patient's clinical hearing loss data should not have access to that information. But how can you limit access? It is impractical to have a separate locked file cabinet for each item of PHI in a patient's DRS. This is where practice-management software becomes an important tool with regard to HIPAA regulations.
Figure 1. Each staff member can be assigned an individual security level and access rights.
SOFTWARE CAN HELP
Controlling PHI access
Many hearing professionals find that when it comes to controlling access to PHI and to other aspects of HIPAA compliance, a good software system is invaluable. For example, such a system can allow for different levels of data access and security. Figure 1 illustrates how a system administrator can assign access rights and security levels to staff.
In addition to providing access security, there are many other ways that practice-management software can help meet privacy requirements. For example, HIPAA stipulates that PHI must not be visible in public areas of an office. Therefore, providers need to make a reasonable effort to shield PHI from view. But the realities of a busy office can make it difficult to keep such data out of sight, because of both the physical layout of the office and the inevitable need for staff members to step away from their computers from time to time, thus possibly leaving data files visible on the screen.
Software applications can provide utilities to deal with these and other situations. Figure 2 illustrates that an administrator can set "log off" function flags and also set "password expiration" dates.
Figure 2. The administrator can set "log off" function flags and "password expiration" dates for each staff member.
Another element of PHI data security is requiring employees to agree to keep PHI confidential. Practice-management software can produce the necessary HIPAA agreements and then maintain a record of each staff member's compliance in its database.
HIPAA also requires hearing professionals to ensure that all employees of a covered entity receive training on all aspects of HIPAA that pertain to their job functions and to the handling of PHI. Therefore, it is necessary to provide this training, and also to document that it has been accomplished. Figure 3 illustrates how training and other activities can be documented and tracked.
Figure 3. It is necessary to log and track training activities to be in compliance with HIPAA.
Establishing business associates
When a hearing professional works with anyone outside his or her immediate staff to provide services to a patient, HIPAA requires the "covered entity" (i.e., the hearing professional) to execute a Business Associate Agreement (BAA) with that vendor partner.
The BAA is required by HIPAA to ensure that any vendor a covered entity authorizes to use PHI in providing service to a patient agrees to uphold all the same HIPAA regulations that apply to the covered entity. Hearing professionals must have a BAA in place with each and every hearing instrument manufacturer or other vendor they deal with in providing services to their patients.
Figure 4. Creating and tracking Business Associate Agreements can be fully automated.
Under the regulations, it is the hearing professional--not the vendor--who is legally responsible for having the BAA in place with the vendor. Note: Under its "modified Privacy Rule," HIPAA has extended the date for covered entities to get BAAs in place until April 14, 2004. Figure 4 illustrates how the BAA can be produced and tracked.
The BAA shown here, which is contained in Practice Navigator, is based on the agreement developed and recommended by the Hearing Industries Association (HIA) for hearing instrument manufacturers. This document is in a format containing language agreed upon by all HIA member companies and endorsed by the American Academy of Audiology and the International Hearing Society.
Compliance with HIPAA also entails documenting that certain "PHI transactions" have taken place. For example, HIPAA mandates that hearing professionals establish a formal procedure for receiving and tracking complaints from patients or their designated representative concerning any violation of their practice's privacy policy. The regulations spell out exactly what information must be maintained if a complaint is lodged.
A formal complaint procedure is just one of many "HIPAA events" that hearing professionals are required to track. Office-management systems contain templates that meet the requirements, making it easier to execute and track such forms as needed.
Figure 5. Templates for addressing all the various "HIPAA events" are easily created, logged and tracked.
Figure 5 illustrates the access to and tracking of various HIPAA events. Note that all the forms contained in Siemens Practice Navigator are provided by license agreement from Healthcare Analytics, LLC and based on its "HIPAA Compliance Toolkit."
Electronic data standards
HIPAA encourages the use of electronic data transmission, as it improves efficiency throughout the entire healthcare system. In addition, Medicare recently (as of October 16, 2003) made it a requirement that all claims be submitted electronically. Many industry experts predict that this trend will continue into the private sector too, and that eventually standard practice will require electronic submission of all billing claims. However, again, this should not be looked at by the Hearing Care Professional as a compliance "burden." Electronic submissions have many advantages including:
Practice Navigator allows you to process billing claims either on paper or electronically. Utilizing the industry standard HCFA 1500 form, you can fill out the format and then save it in an electronic format. This file can then be uploaded to a web-enabled clearing house that Practice Navigator utilizes, which then passes on the validated file to the appropriate entity (Medicare, Blue Cross, CIGNA, etc.).
Under the Administrative Simplification standards of HIPAA, a covered entity must comply with regulations set in place to streamline as well as protect the security and privacy of data being transferred electronically. Practice management software, such as Practice Navigator, is designed to allow functions like e-billing that comply with the HIPAA standards when submitting an insurance claim or billing a patient, making a once cumbersome and often frustrating process as easy as a few clicks of your mouse.
Compliance is easier than it seems
For hearing professionals making their practices HIPAA-compliant, the regulations may seem a little daunting. Choosing the right tool to expedite and facilitate the compliance process can ease the transformation.
In evaluating software products that may be used to comply with HIPAA, here are some questions that hearing professionals may want to ask. Does the system:
- Define different access levels for staff and define rights for each access level?
- Set passwords for each staff member?
- Allow for tracking of staff training?
- Provide for a means of tracking PHI disclosures and produce reports for it?
- Provide templates for various "HIPAA events"?
- Produce a vendor BAA and track compliance by vendor?
- Track any and all contacts made with a given patient?
- Allow for integration for use with NOAH and both testing and programming models?
This article is based (in part) on a previous publication. See The Hearing Journal, July 2003, volume 7, pages 42-47