HIPAA Regulations
by Andrew Wachler, JD
Wachler & Associates, P.C.
On April 14, 2001, the Department of Health and Human Services' final
privacy regulations became effective, and they will impact the way health care
information is handled. The privacy regulations are part of the
administrative simplification mandate included in the Health Insurance
Portability and Accountability Act of 1996 ("HIPAA"). All health care
plans, health care providers who transmit health care information in
electronic form, and healthcare clearinghouses (including billing companies)
must comply with the highly complex final privacy regulations. These groups
are referred to in the regulations as "covered entities." The privacy rules
are effective as of April 14, 2001. With the exception of small health care
plans (which will have until April 14, 2004 to comply with the
requirements), all other covered entities must be in compliance with the
final rule by April 14, 2003. While two years may seem like sufficient
time, many have already said that it will be difficult, if not impossible,
to come into compliance by the deadline.
We were asked to analyze the final privacy regulations for "The Health
Lawyer", a publication of the American Bar Association which is distributed
to over 9,000 health care and business attorneys around the country.
Because of the importance of this topic, we believe that you will find this
article of interest. A copy of this article can be immediately accessed at
our website (click on publications section) at www.wachler.com. If you
would like a hard copy version of the article, please call us or e-mail us at
wapc@wachler.com. In addition to the privacy article, the web site also
contains the article we published in "The Health Lawyer" analyzing the final
electronic transactions standards, as well as other compliance related
articles and a special analysis of Stark II that you may be interested in
reviewing. We will be keeping abreast of further regulatory changes and
intend to prepare an analysis of the final security regulations once they
are published.
The focal point of the privacy rule is the general restriction on the
dissemination of health care information pertaining to individuals. Unless
a conveyance of health care information is permitted under the privacy rule,
it is prohibited. Health information protected by the rule encompasses all
information that includes identifiers from which an individual could be
identified. It includes health information that is transmitted or maintained
in any form, including oral statements and paper records. As a result, the
privacy rule is far reaching.
The privacy rule gives individuals access to and control over their private
health information. Examples of the rights created by the privacy
regulations and measures that must be implemented by covered entities are
described briefly below:
* Health plans, providers, and clearinghouses must provide a written notice
to all individuals describing how health information about the individual
may be used and how the individual can gain access to the information.
* In general, prior to treating an individual, health care providers will
have to obtain a written consent from the individual agreeing to use of
health information for treatment, payment or health care operations.
* In order to use or disclose protected health information for any other
purpose, health plans, providers and clearinghouses will have to obtain an
authorization from the individual allowing the use or disclosure.
* Covered entities must undertake reasonable efforts to limit the amount of
health information disseminated to that minimally necessary to accomplish
the purpose of the dissemination.
* Disclosure of protected health information to business associates may be
made only once the covered entity has received satisfactory assurance
through a written contract that the information will be protected.
* Covered entities must appoint a privacy official who will be responsible
for the development and implementation of privacy policies and procedures.
* A contact person must also be appointed who will be responsible for
receiving complaints and responding to inquiries.
* The final privacy rule mandates privacy training of all members of a
covered entity's workforce.
* Covered entities must have in place appropriate administrative, technical
and physical safeguards to protect health information.
In addition to the privacy standards, covered entities must be in compliance
with the HIPAA final transaction and code sets standards regulations for
electronic transactions. This regulation mandates the use of a single
national standard, the ANSI X12 standard, which governs both the format and
the content of information sent electronically between two organizations.
In today's environment, the most common transaction that falls under this
regulation is the claim. However, the regulation also standardizes the
following transactions:
* Encounter information
* Health care payment or remittance advice
* Coordination of Benefits
* Health claim status
* Enrollment and disenrollment in a health plan
* Eligibility for a health plan
* Health plan premium payment
* Referral certification and authorization
In addition to the standardization of these transaction sets, HIPAA also
standardizes the code sets used within these transactions. The following
code set standards are mandated:
* ICD-9-CM (vol. 1 & 2): Diseases, injuries, impairments, other health
related problems, their manifestations, and causes of injury, disease,
impairment, or other health-related problems
* CPT, CDT, or ICD-9-CM (vol. 3): Procedures or other actions taken to
prevent, diagnose, treat, or manage diseases, injuries and impairments
* NDC: drugs
* HCPCS: Other health related services, other substances, equipment,
supplies, or other items used in health care services
All local codes and any other non-standard codes will not be allowed after
the compliance date of October, 2003.
Additional HIPAA final regulations will also be published in the future.
These regulations will address detailed security standards for the
electronic transmission of health care information and enforcement of the
mandate, as well as unique identifiers, electronic signatures, and
coordination of benefits. All covered entities will be required to comply
with the requirements set forth in the final privacy rule and the other
rules resulting from the HIPAA administrative simplification mandate.
Violations of these regulations may result in the assessment of civil
monetary penalties and in some cases criminal penalties.
We have prepared and are preparing compliance programs for a variety of
health care clients. We are currently working with numerous clients in
preparation for the varying HIPAA compliance deadlines. We would be happy
to advise you regarding HIPAA compliance and implementation. Should you or
your clients have questions regarding the administrative simplification
requirements, the privacy rules, the electronic transaction standards, the
proposed security regulations or any other compliance issues, please contact
us.
WACHLER & ASSOCIATES, P.C.
Andrew B. Wachler