CorrectCare

Meeting the Challenges of HIPAA: Are You Ready?
by Nancy J. Heywood, JD, CCHP

Despite the new federal regulations that enact the Health Insurance Portability and Accountability Act of 1996, the state of this law is anything but settled. HIPAA has a long and tortured history, and the secretary of Health and Human Services promises to amend the regulations before they are even enforceable. Still, HIPAA will affect the way corrections does business, and you need to be prepared to meet the challenge.

Congress enacted HIPAA to simplify and streamline the administration of federal and private health systems, thus improving efficiency and saving the industry, the government and health care consumers money. Simply stated, the act requires health care plans, clearinghouses and certain providers to use standard transactions and code sets when transferring health information electronically.

However, many observers raised concerns about privacy and security of personal health information, so the regulations come in three parts: data transfer, privacy and security. As of this writing, the data transfer and privacy regulations have been promulgated. The security regulations are still being drafted.

How do you know if you’re covered by HIPAA? First, you must determine whether your department or facility is a health plan, a health care clearinghouse or a health care provider. Jails and prisons with primary care doctors and nurses on staff are providers. Most jails and prisons pay for the cost of medical care for inmates, so they are health plans under this law.

Second, if your facility is a health care provider or health plan, you must determine whether you conduct certain transactions electronically (see “Are You Covered?” below). If you do, you are covered, not only by the data transfer regulations but also the privacy regulations and the yet-to-be-developed security regulations.

DATA TRANSFER
The regulations setting forth the standards for electronic transactions (45 CFR Parts 160 and 162) are relatively simple. Health plans, clearinghouses and certain providers are required to accept electronic transfer of data in a standard format for the transactions listed in “Are You Covered?” below.

Do you conduct (or store) any of those transactions electronically? If so, you are considered a “covered entity” and must comply with the regulations. If you conduct one or more of the transactions electronically, you are required to have the capacity to accept and/or send standard transactions.

For example, your jail has primary care physicians and nurses on staff. Thus, it is a health care provider. The jail uses a vendor for specialty care. The referral process and authorizations are processed electronically. Claims and payments are processed manually. Not only must you use the standard transaction codes for the referral certification and authorization, but you must also have the capacity to send and/or accept claims and payments as standard transactions (either the jail does it by itself, or by using a health care clearinghouse to accept and/or send the claims on its behalf).

PRIVACY
The privacy regulations are much more complex. They provide a federal minimum standard of confidentiality and accountability for medical information. If state law is more stringent, the state law applies. While electronic transmission of medical data brings an entity under the regulations of HIPAA, the privacy standards apply to all personally identifiable medical information—written, oral or electronic.

The privacy regulations require covered entities to obtain patient consents and authorizations prior to using and disclosing personal health information. Most of the rules apply to correctional facilities and their health care providers, but there are some exceptions. For example, most covered entities must obtain written consent in order to carry out treatment, payment or health care operations. Fortunately, the regulations make an exception for correctional facilities treating inmates, so a facility will not be held hostage to a manipulative inmate seeking to obstruct payment or other health care operations. Also, all covered entities may treat a patient in an emergency even without the patient’s consent.

Restrictions on the disclosure of medical information without inmate authorization also come with numerous exceptions. Health care providers may disclose information to correctional facilities and other law enforcement officials having lawful custody of the inmate if the information is necessary for the provision of health care to the individual; for the health and safety of the inmate or other inmates, officers or employees at the facility or those transporting the inmate; or for law enforcement or the administration and maintenance of safety, security and good order.

Medical information also can be disclosed to public health authorities and employers as required by state or federal law for reporting disease, injury or disability. It may also be disclosed to health oversight agencies, for legal proceedings and for certain law enforcement purposes, such as identifying or locating a suspect, fugitive, material witness or missing person, and it may be disclosed from one government program providing public benefits to another.

OTHER REQUIREMENTS

  • Right to Access: The regulations establish a minimum standard of access to records for patients. Patients have the right to inspect and obtain a copy of their medical records, to seek amendments to those records and to have an accounting of disclosures.
  • Business Associates: Covered entities are expected to require their business associates to follow these rules as well. At a minimum, business contracts are expected to include provisions that require the associate to abide by HIPAA rules.
  • Policies and Procedures: HIPAA requires that covered entities develop policies and procedures implementing these regulations. An entity must identify persons or classes of persons in its workforce who need protected health information to carry out their duties. HIPAA does not restrict the scope of information that may be disclosed pursuant to a written authorization or if the disclosure is made to a health care provider for treatment purposes. However, for most other disclosures, the information is to be limited to the amount reasonably necessary to achieve the purpose for which it was disclosed.
  • Privacy Officers: Each entity must designate an official to develop and implement these policies, as well as a contact person or office responsible for receiving complaints. Existing and new employees must be trained on the ramifications of this law. The entity also is required to develop sanctions for employees who do not comply.

WHAT SHOULD YOU DO?
Compliance with HIPAA may not radically affect the way you do business. Much of it depends on the existing state law in your jurisdiction. Because HIPAA states that more stringent state law trumps HIPAA, your department or facility may already have privacy procedures in place. However, you must thoroughly analyze existing state law and how it interplays with the new federal standards. Your agency or department should not be acting alone.

In New York, state agencies affected by these regulations (such as the Departments of Health, Insurance, Correctional Services, the Offices of Mental Health, Children and Family Services, Substance and Alcohol Abuse, etc.) have been meeting and planning a coordinated effort to bring both the technology and privacy issues up to HIPAA standards.

New York has numerous privacy laws, including an HIV confidentiality law that is probably more stringent than HIPAA. However, portions of the access to records law appear to conflict with HIPAA. A subcommittee of agency attorneys is reviewing existing state laws to determine which are more stringent. The committee may also prepare a petition to the Secretary of Health and Human Services to determine whether certain other state laws are preempted by HIPAA.

Led by the Office for Technology, agency subcommittees are also working on electronic data transfer, security, networking, education and awareness, and human resources issues.

Your own agency should review existing policies and procedures to see which may have to be changed. The regulations cross many disciplines, so review should not be limited to health services personnel and policies. Obviously, it’s essential to include information technology staff. In corrections, security must be represented in all undertakings. If your agency offers health services to employees (New York provides TB testing and hepatitis B vaccines to staff), the record keeping and security of those records must be HIPAA compliant.

Representation on your working group should include personnel, labor relations, legal, program and emergency response personnel. HIPAA regulations cover mental health records, so if your agency provides its own mental health services, that division must be included in the work group. If mental health services are provided by another agency, coordination with that agency is essential.

SEMINARS ON HIPAA
A word of caution about the many HIPAA seminars being offered. While useful to get a general overview of the law, they usually are geared to traditional health care providers, hospital administrators and the insurance industry. Their main objective is to sell a service, a gap analysis. Some presenters are not familiar with the various inclusions and exceptions for the field of correctional health care. Because HIPAA defers to more stringent state law, any seminar on a national level is limited to a general discussion. A thorough analysis on a state level is essential for compliance.

DON’T WAIT
The compliance date for the data transfer regulations is Oct. 16, 2002. The compliance date for the privacy regulations is April 14, 2003. It is really not a lot of time. Lawyers in your jurisdiction must analyze existing state law and ask for a determination by the Secretary of HHS as to which law, federal or state, is more stringent. Who knows how long that will take? Lawyers are not known for quick action, government lawyers even less so. Your agency cannot afford to wait for that determination before you begin your review and tentative revision of your policies and procedures.


Are You Covered?
You are a “covered entity”—and must comply with HIPAA regulations—if you conduct electronically any of these transactions:

  • Health care claims or equivalent encounter information
  • Health claims attachments
  • Health plan enrollments and disenrollments
  • Health plan eligibility
  • Health care payment and remittance advice
  • Health plan premium payments
  • First report of injury
  • Health care claim status
  • Referral certification and authorization

About the author: Nancy J. Heywood, JD, CCHP, is associate counsel for New York State Department of Correctional Services. Employed there since 1986, she works primarily on medical/legal issues. E-mail her at docsheywood@aol.com.

[This article first appeared in the Fall 2001 issue of CorrectCare.]
