Manasquan, N.J. -- Changing corporate culture so protected health information (PHI) stays private is one of the biggest challenges of complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), according to experts who took part in the Managed Care Information Center's HIPAA audio conference.
Under HIPAA, PHI includes "oral information or information recorded, maintained, or transmitted in any form ... that's created, or received by a covered entity" and relates to an identifiable patient's past, present and future medical care or payment, said Richard Marks, an attorney with the Washington, D.C., firm of Davis Wright Tremaine.
The definition means that common practices such as keeping PHI in easily accessible charts that can be moved from one place to another risk breaking HIPAA rules, according to Sybil Ingram-Muhammad, HIPAA engagement manager with Beacon Partners, Boston.
In addition, organizations or sole-practitioners that use off-site transcription services also should be concerned that PHI could be faxed or e-mailed to the wrong office, or kept on an unsecured home computer, she said.
At stake: a penalty of one year in jail and a $50,000 fine.
"It's a penalty which, in the wrong circumstances, could result in somebody's being on the wrong end of a criminal indictment when they didn't think they did anything that they believe was wrong," said Marks.
He suggested that small, all-paper practices shouldn't think HIPAA doesn't apply to them because they don't process data electronically.
"By the time we get to 2003, 2004, it will be so difficult as a practical matter of economics to be submitting claims other than in electronic form that there really is not going to be any opportunity for people in the healthcare business to avoid being part of HIPAA. So, the notion it can be avoided is a pipe dream," Marks said.
Ingram-Muhammad said her assessment of healthcare sites revealed security breaches in which PHI was found in trash bins, in physicians' lounges and on computer monitors, among other places.
Foresight and Flexibility
Preparing for HIPAA requires foresight as well as a sense of business and an awareness of what can go wrong, according to the experts who took part in the MCIC conference.
For example, Marks said the audit trail the law requires will make it easier for plaintiffs to win lawsuits against negligent providers.
"You have to ask yourself, 'What sort of operating policies must we prepare,' and realize that those policies are not just going to guide you in business, but they're also going to be among the early exhibits in any litigation, so they've got to be prepared with that in mind," he said.
On the technical side, "One of the things you'll want to do is identify where you're weak [and] where you're strong. Shore up those areas where you're weakest and move forward from there," said Ingram-Muhammad.
HIPAA compliance also requires flexibility, according to Mike Safran of Milliman USA.
Strategically, Safran said, you should be able to step back and ask, "O.K., if we were going to start our business today, looking at the environment we're in, the industry we're in [and] the competitive forces that are around us, how would we build this business?"
Also, don't rely on software vendors to make you HIPAA compliant, the experts warned.
"There is no such thing as a HIPAA-compliant product. The entity is what makes itself compliant," Ingram-Muhammad said.
Vendors who tell you they're HIPAA-compliant don't know what they're talking about, said Marks.
Address: The Managed Care Information Center, 1913 Atlantic Ave., Suite F4, Manasquan, NJ 08736; (732) 292-1100, www.themcic.com.
For more information contact The Managed Care Information Center, 1913 Atlantic Avenue, Suite F4, Manasquan, NJ, 08736, toll-free telephone 1-888-THE-MCIC (1-888-843-6242), fax 1-888-FAX-MCIC (1-888-329-6242), e-mail firstname.lastname@example.org or online at http://www.themcic.com.