HIPAA is the Health Insurance Portability and Accountability Act, and it was passed with broad bipartisan congressional support in 1996. At the time the legislation was enacted, most behavioral health and human service providers were focused on three important provisions of HIPAA:
The legislation set into law the "portability" of pre-existing condition exemptions between employer group health plans. This feature was designed to broaden the parity of insurance coverage for Americans by preventing the common practice of denying coverage because of "pre-existing conditions." This feature of HIPAA received the most press coverage at the time of passage because of broad public sentiment against the "preexisting" excuse.
The second major feature of HIPAA was a set of measures to implement stronger fraud and abuse protections in healthcare.
The third major feature of HIPAA was summarized in the innocuous-sounding phrase of "administrative simplification." Because many in the field were focused, in large part by press coverage, on the other two provisions of the legislation, we didn't fully appreciate the significance of that little phrase. Besides, "administrative simplification" would be good for healthcare, right? How difficult could it be?
Today, that little phrase makes the other two provisions of the act pale in significance when it comes to impact on the healthcare system over the next two to four years. Because of this, many experts have characterized HIPAA as one of the most far-reaching pieces of healthcare legislation ever enacted.
The "administrative simplification" features of HIPAA are really composed of two major parts:
The first is truly aimed toward simplification and outlines broad measures for the standardization of a variety of healthcare transactions. It addresses standardized health information transactions; standardized code sets (e.g., CPT, ICD-9, etc.); and single national identifiers (numbers) for providers, health plans/payers and employers. The legislation also included provisions for a single national patient identifier, but Congress delayed the implementation of this controversial feature.
The second part of "administrative simplification" addresses security and privacy issues--and this is the focus of much concern in the field.
Why all the concern? I believe that behavioral health and human service organizations will face the most scrutiny from consumers because:
Compliance with the privacy requirements implies a technological capability that many organizations in the field do not have.
This industry deals with some of the most sensitive client information in the healthcare field. Our consumer population is highly sensitive about the release of information, and this legislation gives consumers a powerful mechanism to demand an accounting of who has seen what information, when and for what purpose.
The nature of some of our consumers' problems lends itself to suspicion and a need for verification. The remedies for consumers who can demonstrate an organization's noncompliance include both civil fines and criminal penalties.
There are requirements limiting the disclosure of psychotherapy notes that we believe will cause serious concern once the privacy and security regulations are finalized. We will have more to say on this in future issues.
Let's make one thing clear: If you are reading this article, you are probably covered by HIPAA. Overall, the legislation covers health plans, healthcare clearinghouses, healthcare providers and employers. The specific definitions of these entities are:
Healthcare provider includes those defined in relevant Medicare provisions, as well as any other person or organization that furnishes, bills or is paid for healthcare services or supplies in the normal course of business.
Health plan includes any individual or group plan that provides or pays the cost of medical care. I believe this includes behavioral health organizations acting as managed care organizations, and it might cover employee assistance programs.
Clearinghouse includes a public or private entity that processes or facilitates the processing of nonstandard data elements of health information into standard data elements.
For those still doubtful about their HIPAA "exposure," let's look at the specific definitions of the act. It specifically states that the definition of a healthcare provider is:
A provider of services as defined in section 1861(u) of the (Social Security) Act, 42 U.S.C. 1395x(u);
A provider of medical or other health services as defined in section 1861 (s) of the Act, 42 U.S.C. 1395x(s); and
Any other person or organization that furnishes, bills or is paid for healthcare in the normal course of business.
Among other things, "healthcare" is defined as follows: Services or supplies furnished to an individual and related to the health of the individual. Healthcare includes the following: preventive, diagnostic, therapeutic, rehabilitative, maintenance or palliative care; counseling; service; or procedure with respect to the physical or mental condition, or functional status, of an individual or affecting the structure or function of the body.
If, after reading this and other material pertaining to HIPAA (see "Additional Resources," page 41), you believe that you are not covered by this legislation, I strongly suggest you obtain a competent legal opinion from an attorney with experience in healthcare, including interpretation of Medicare regulations and HIPAA itself.
In addition, HIPAA covers any "business partner" of a covered entity. A business partner includes a person to whom the covered entity discloses protected health information so that the person can carry out, assist with the performance of or perform on behalf of a function or activity for the covered entity. Examples include contractors or other persons who receive information for purposes noted above, including lawyers, accountants, auditors, consultants and billing firms.
Covered entities cannot disclose protected health information to business partners without satisfactory assurances that the partner complies with relevant HIPAA standards.
At this juncture, if you are covered or believe you "are in the vicinity," I suggest a prudent approach: Assume you are covered and complete steps one through six of my compliance plan described below.
Step 1: Educate yourself, and promote awareness and education among senior management and the board of directors. HIPAA should be considered a serious compliance initiative, and every effective compliance program begins with a formal commitment from the governing body.
Because this compliance will require resources in the form of funding and staff time, senior management must be forthright in its approach to the compliance effort. (Web sites that offer downloadable presentation materials are listed in "Additional Resources.")
Step 2: Develop an organization project team for managing HIPAA compliance. Most organizations had some sort of compliance committee or team in place for Y2K preparations or have one for JCAHO, CARF or other accreditation and/or regulatory concerns. These teams can serve as a logical point to begin HIPAA compliance assessments and planning.
Step 3: Conduct an organizational risk assessment. This can be a complicated and time-consuming task. I suggest the following approach:
Examine current policies and procedures regarding information security and confidentiality. This should encompass both process issues and technical issues.
Perform a "gap analysis" on this set of policies and procedures to identify where adaptation, modification or additional policies and procedures are needed.
Set realistic, practical goals and objectives for developing and implementing compliance activities. Most organizations will, I believe, have some work to do in this area. A reasonable schedule backed by a detailed project plan will avoid "panic" once staff begins to realize the implications.
The assessment should include a clear understanding of the resources needed to address each identified risk, as well as the potential impact on the organization of adapting and modifying existing procedures and adding new ones. Many of the procedural revisions will involve the acquisition and deployment of resources. The team should be able to clearly quantify and explain the nature and extent of the resources needed.
Step 4: Develop and implement policies and procedures to address identified risks. The most important point of this step is to implement "policies and procedures" revisions and additions. There might be adjustments to the overall project plan in this phase because:
Step 5: Develop and implement staff education and training. This is specifically required by the legislation, and is not a one-time event. Staff will need to be retrained when new technology and operational practices are developed and deployed. Organizations with high staff turnover will face the most cost and management burdens in keeping staff up to speed. Additionally, under the law, staff will have to be recertified in this at least once every three years.
Step 6: Provide continual auditing and monitoring of compliance activities. This goes beyond putting something on paper. In order to be judged compliant, an organization will have to document that it has followed those policies and procedures approved by senior management and the board of directors.
The Clinton administration released the final security and privacy regulations on December 20, 2000. On a somewhat disturbing note, there is not one reference to the DSM-IV code sets. The implications of this oversight are unclear as of press time, and might, at the extreme, mean that behavioral health providers might not be able to use DSM codes as part of a "standard" transaction. In any event, the legislation gives covered entities 24 months from the date of release to come into compliance. That would be December 2002. In short, the clock is ticking.
While there is some speculation about the fate of these regulations given the change in the White House, most industry observers believe that there is no legislative mandate for change in the coming years. Even in the event that the Bush administration rolls back HIPAA, market pressures, consumer concerns about privacy, payer pressures for standardized transaction formats and political pressures might restore the regulations. That is why it is important to:
educate yourself and senior management about HIPAA
perform a risk assessment of your organization based on the current regulations
plan to make those changes that make good business and clinical sense
Based on my understanding of the regulations and their potential cost impact to organizations, I believe that there might be a positive cost/benefit to compliance. I have completed development of some initial cost models based on various organization sizes, and my conclusions are:
There is a potential cost/benefit to compliance that can be interpreted as $3.59 in benefits for every $1 of cost incurred.
The model is based on compliance modeling that involved the costs for a large behavioral health organization (Table).
The benefit items calculated included reduced days in A/R, additional fee collection, reduced claim denials, lowered cost per bill, reduced chart handling/costs, reduced staffing requirements, reduced documentation rework and increased clinical staff productivity. They totaled $5.9 million over a 5-year period.
While there is certainly variation in these estimates, my simulation modeling demonstrated that 90% of organizations should realize cost/ benefit value of at least $1.34. I believe that, overall, an organization can experience a positive long-term benefit in complying with HIPAA.
- Yennie, Henry; HIPAA: what does it mean for behavioral health; Behavioral Health Management; Jan/Feb 2001; Vol. 21; Issue 1.
The article above contains foundational information. Articles below contain optional updates.
Reflection Exercise #3
The preceding section contained information about what HIPAA means for Behavioral Health. Write three case study examples
regarding how you might use the content of this section in your practice.
Ethics CEUs QUESTION 7
What are the six steps to Yennie’s HIPAA compliance plan?
Record the letter of the correct answer the