Introduction:
Even though we would like to think it is not the case, there may still be some hearing healthcare practitioners who are unfamiliar with, or unaware of, Public Law 104-191 - the Health Insurance Portability and Accountability Act of 1996, or HIPAA. This law is an expansion of the original Kennedy-Kassebaum legislation that was enacted to improve the portability and continuity of health insurance coverage for working Americans.
In its current form, HIPAA has two main provisions: (1) that individuals are able to have continuing access to health insurance (portability) and (2) that standardized methods and procedures must be implemented by all health care providers and entities to ensure the privacy and security of a patient's personal health information (accountability). It is this latter portion of the law that can have a significant impact on the business practices of all health care providers (e.g., hearing healthcare practitioners, physicians, dentists, druggists, etc.) and health care entities (e.g., health plans, hospitals, billing services, insurance companies, etc.).
Do hearing healthcare practitioners need to be compliant?
The unequivocal answer to this question is YES! Although there may be some hearing healthcare practitioners who are under the impression that they are exempt from HIPAA because they do not conduct certain electronic health information transactions, the fact is -- they must still be compliant with HIPAA's privacy and security regulations (Title II of the Act). HIPAA's privacy rules provide individuals receiving treatment for hearing loss (and/or other disorders that fall within the practitioner's scope of practice) with safeguards to ensure their personal health information is adequately protected, and appropriately used to provide quality patient care. HIPAA's security regulations address the practitioner's specific efforts to protect the integrity of the personal health information acquired, and provide methods and procedures to prevent unauthorized breaches of privacy.
The need to comply with HIPAA comes at a time when personal identity theft ranks as the most common form of consumer fraud. Hearing healthcare practitioners must be particularly sensitive to protecting the confidentiality of patient information, as each practitioner collects a significant amount of individually identifiable health information on each of their patients. Prior to the passage of HIPAA, there were no federal standards to ensure the confidentiality of patient health information. And, although each state may have some regulations concerning the privacy of personal records, few are comprehensive in scope and many provide little or no legal protection for the unauthorized use of health information. In some states, the laws protecting video rental lists are far more rigorous than those dealing with patient information. Compounding this situation is the fact that many state privacy laws were written years, if not decades ago, and have fallen "behind the times," making it unclear as to who in the contemporary health care system has the responsibility for maintaining the confidentiality of health information.
Are you prepared for HIPAA compliance?
Since its passage by Congress, literally thousands of questions have surfaced regarding what is necessary to comply with HIPAA's numerous provisions. Since we couldn't possibly list all of the questions and responses, your answers to the following ten questions can help determine whether or not you are prepared to meet HIPAA's privacy and security requirements.
If you answer Yes to all ten questions, you are in an excellent position to be HIPAA compliant. However, if you answer No to any of the questions you are probably not in a position to achieve compliance. And, the more often you answer No, the more likely it is that you will have to allocate considerable time and other resources to meet HIPAA requirements.
Question #1: Do you have a thorough understanding of your responsibilities for compliance with HIPAA privacy and security regulations?
Yes___ No___
Question #2: Have you made a comparative analysis of HIPAA's privacy, consent and authorization regulations versus those contained in your state laws?
Yes___ No___
Question #3: Have you made a commitment to take the measures necessary to protect the confidentiality, integrity and security of your patients' personal health information?
Yes___ No___
Question #4: Have you prepared written policy detailing the standard practices and procedures that are necessary to conform to HIPAA requirements in your practice or organization?
Yes___ No___
Question #5: Have you trained your workforce as to the policies and procedures necessary to meet HIPAA privacy and security regulations?
Yes___ No___
Question #6: Are you fully aware of your obligations to the patient if he/she asks how their personal health information has been used or disclosed?
Yes___ No___
Question #7: Do you have a continuity plan for resuming normal operations in the event of an occurrence (fire, flood, etc.) that results in the loss of patient health information?
Yes___ No___
Question #8: Have you obtained business associate contracts from all entities that may have access to some or all of your patients' personal health information?
Yes___ No___
Question #9: Have you implemented reasonable physical safeguards to limit incidental disclosure of protected health information?
Yes___ No___
Question #10: If your own personal health information were being protected in the same manner as you are currently protecting the health information of your patients, would you feel confident that it was completely safe from accidental disclosure or disclosure to unauthorized personnel?
Yes___ No___
What do I do if I am not ready for compliance?
The deadline for HIPAA compliance - April 14, 2003 - is fast approaching. Suffice it to say, there will be a considerable number of health care providers and health care entities that will not be able to meet the deadline. Although there is little likelihood that the Department of Health and Human Services (HHS) will issue an extension for the compliance date, you must nonetheless implement the measures that are necessary for compliance.
This leaves two options available to hearing healthcare practitioners who did not answer yes to all of the above questions. First, thoroughly research HIPAA, develop policy and procedures, train staff, and put into action the steps necessary to become fully compliant. This option, although time consuming, may permit you to minimize your out-of-pocket compliance expenses.
The second option is to retain a HIPAA consultant to guide you to compliance. If this is a viable option for your practice, consider the following:
- Does the consultant understand the practice of hearing health care? It is important that your consultant has an understanding of the professional practice of providing treatment for hearing loss and associated disorders.
- Is the consultant capable of "being on the job?" Who will actually be doing the work? Is there back-up staff available? What are their qualifications? Is the consultant full service or an "area specialist?"
- What is the total cost for the consultant's services? The hearing healthcare practitioner should try to determine what the "average" cost for a HIPAA consultant can be. You do not want to pay more than you have to, but you want to be circumspect when offered a bid that seems "too good to be true."
Conclusion:
There is no doubt that HIPAA will appear to some - especially those who aren't ready for it - to be just another government "make work" project. Nonetheless, many believe that definite benefits will be realized when all health care providers and health care entities are in compliance. Patients will have greater assurance that their personal health information is secure from accidental disclosure and misuse. Providers will benefit from the lowered cost of doing business that results from standardizing the forms and format for the electronic exchange of health-related data. Finally, the public at large will benefit as computerization of personal health information allows de-identified data to be more readily available for use in the development of national health policy.
Readings and references:
The following information will provide a more in-depth understanding of HIPAA's rules and regulations and the potential impact it may have on your practice.
- Department of Health and Human Services HIPAA website: https://www.cms.hhs.gov/hippa/
- "AAA Reimbursement Committee Summarizes the HIPAA and How it Affects Audiologists," AudiologyOnline.com, 7/2002
- HIPAA Legal Issues and Information: www.hipaacomply.com/legal.htm
- HIPAA Comply FAQ's: www.hipaacomply.com/faq.htm
- HIPAA Compliance at Eli Research www.eliresearch.com/hipaa/frame.htm
- The Health Insurance Portability and Accountability Act (HIPAA) https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/Downloads/HIPAALaw.pdf
- Purchase the HIPAA Privacy Manual Through AAA: AudiologyOnline.com - dated - 2/2003
- "Organizational Ethics and HIPAA," E. Bordenave, AudiologyOnline.com: 1/27/2003
- HIPAA Online www.hcfa.gov/medicaid/hipaa/default.asp
- Health Data Management: www.healthdatamanagement.com
- HIPAA "How TO" Approach for Your Audiology Practice: https://www.audiology.org/Pages/default.aspx
About the authors: Paul Popp Ph.D., BC-HIS, MCAP is president of the North American Institute for Auditory Prosthetics (NAIAP) and Sound Advice Management Consultants [NAIAP/SAMC, 7771 O'Bryan Place, Centerville, Ohio 45459 - phone: 937.433.1232 or email: NAIAPEdFound@aol.com]. Beth Lane ACA, CHP is executive director of the Hearing Healthcare Providers/CA and Hearing Healthcare Providers/AZ professional associations. She is also president of Beth Lane & Associates, a health care consulting practice specializing in HIPAA compliance [12722 Charloma Drive, Tustin, California 92780 - phone: 714.357.7500 or email: Bethlaneassoc@hotmail.com].