HIPAA - EFFECTS OF HEALTH INSURANCE

Effects of the Health Insurance 
Portability & Accountability Act (HIPAA) 
Introduction
Just when Americans thought it was safe to turn on their computers after this year's
anticipated Y2K catastrophe, now comes the federal government's new Health Insurance
Portability & Accountability Act (HIPAA) -- privacy regulations that will create new,
insurmountable challenges for today's healthcare industry. The Y2K bug is estimated to
have cost the health care industry upwards of $10 billion. By comparison, implementing
the HIPAA privacy and security regulations is estimated to cost the health care industry
$40 billion over the next two years. Beginning January 2001, US health care operations
will never be the same again. 
This paper will address the origins of these new federal privacy regulations with a
specific focus on the privacy standards and the Health and Human Services (HHS) proposed
rules on confidentiality of personal health information. In a Wall Street Journal/ABC
poll conducted on September 16, 1999, Americans were asked to identify those issues that
concerned them most for the coming century. Loss of personal privacy ranked as the first
or second concern of 29 percent of all respondents. Other issues, such as terrorism,
world war, and global warming, scored 23 percent or less.
Background
Historically, an individual's access to his or her own medical records - and the ability
to limit that access to third-parties - was safeguarded by the patient, physicians, and
healthcare organizations (i.e., hospitals, clinics, etc.). However, with advances in
information technology, the issues of security and breaches of patient confidentiality
have become major priorities. 
When Congress passed the Health Insurance Portability & Accountability Act of 1996, it
contained hundreds of pages of proposed legislation intended to set privacy and security
standards for the creation and maintenance of patient health care databases. Congress set
a deadline for itself of fall 1999, to pass comprehensive legislation regulating the
privacy and security of information traditionally held sacred between patient and doctor.
If Congress did not meet its deadline, HIPAA authorized the Secretary of the Department
of Health & Human Services (HHS) to take on the program. In November 1999, after Congress
failed to meet its deadline, HHS issued proposed privacy regulations regarding the secure
treatment of electronic information and requiring a standardization of data used in
transmitting health care information electronically. After the uneventful passing of the
Y2K crisis, healthcare providers reevaluated the proposed regulations and began to
realize the impact of such privacy and security regulations.
Purpose
HIPAA addresses the protection of health information from its creation and establishes
uniform requirements for those handling such information. The new privacy regulations
affect all health care providers, health plan administrators, and health care
clearinghouses (hereinafter collectively referred to as health care operators) that
electronically transmit individual, identifiable health information in one of several
types of transactions. The regulations apply not only when a health care operator engages
in one of the listed transactions, but any time they use or disclose protected
information. In fact, the regulation covers such a broad variety of healthcare-related
transactions -- such as verification and coordination of benefits -- that only on rare
occasion will a health care operator not be affected by this mandate.
The regulation governs the use and disclosure of individual, identifiable health
information that has been electronically transmitted or maintained by a health care
operator. However, not all health care information is protected under these regulations.
The new privacy regulation only applies when a health care operator places information
that potentially identifies an individual into an electronic format, and a reasonable
basis exists to believe that the information can or will be used to identify the
individual. This category of information is known under the new regulation as protected
health information. 
It is important to remember that individual, identifiable health care information can
easily become subject to these regulations whenever existing information is entered into
a computer or any type of electronic data system. This includes the scanning of older,
paper records into an optical storage device. As a general rule, protected health care
information may not be used or disclosed -- even within an organization -- unless the
health care operator receives specific authorization from the individual patient. 
The Privacy Act of 1974
Before considering the HIPAA Act, there is value in first reviewing the Privacy Act of
1974, as both generally promote respect for the public's privacy. Under the Privacy Act
of 1974, federal agencies were to adopt minimum standards for the collection and processing
of personal information, and to publish detailed descriptions of these procedures. This
Act also limits the making of such records available to other private agencies or parties
and requires agencies to make records on individuals available to them upon request,
subject to certain conditions and exclusions. This is not unlike the HIPAA Act, which
governs how health care operators (as opposed to the federal government) handle the
confidential information obtained from patients (as opposed to the public at large).
The Privacy Act of 1974 has four basic policy objectives:
o To restrict disclosures of personally identifiable records. 
o To grant individuals more rights to access records agencies maintain on them. 
o To grant individuals the right to seek amendments to agency records maintained on
themselves. 
o To establish a code of fair information practices which requires agencies to comply
with statutory norms for collection, maintenance, and dissemination of records. 
Security
According to the HIPAA, the security standards that apply to the health care operators
must address reasonable and appropriate administrative, technical, and physical
safeguards to:
o Ensure the integrity and confidentiality of the information. 
o Protect against any reasonably anticipated threats or hazards to the security or
integrity of the information, including unauthorized use or disclosure. 
o Ensure compliance by officers and employees of the health care operators. 
Personnel Security
Organizations that handle individual health care information must establish control
policies that regulate appropriate access to the information in their possession, while
assuring its confidentiality. An effective policy would first determine those staff
members who are granted authorization to the information, and then govern how and when
such authorization is maintained, modified, or terminated. 
Issues to consider are:
o Training: Employees should be trained regarding what information, systems, or
applications they have authority to access, together with their responsibility to limit
such access.
o Identification: Health care operators should supply authorized personnel with Personal
Identification Numbers (PINs) or key cards by which users can be authenticated as part of
the control process.
Information Systems Security Management
Information systems security management requires formal policies and procedures for
granting (or denying) access to various levels of health care information, including user
authentication and accountability practices. In order to meet regulatory compliance,
three key areas must be in place: 
1. security measures for all information systems; 
2. security testing, including intrusion testing, performed regularly on systems and
networks; 
3. virus protection, and a response procedure when a virus is detected. 
o documenting all policies and procedures in the integration and daily work of the
Information Systems Management Department.
o installing software that maintains review schedules for testing security features.
o creating a system for on-going and periodic system checking.
o updating and formatting a frequent virus checking system and procedure.
Security Incident Procedures
To ensure that violations are managed quickly, health care operators are required to have
documented damage control procedures for reporting security breaches. Such procedures
should address data backup, data storage, and proper disposal of data, in addition to
assigning responsibility in the event of a security incident. The damage control
procedures should also include: a disaster recovery plan, emergency mode operations,
equipment control, an organization security plan, procedures for verifying authorization
prior to physical access, maintenance records, need-to-know procedures for personnel
access, and sign-in procedures for outside (contract) vendors.
Security Management Process
Health care operators are required to establish risk reduction security policies to
ensure accountability, prevention, containment, and correction of security breaches,
including risk analysis, risk management, and sanction policies. Additional measures to
protect sensitive data include firewalls, intrusion detection devices, and audit logs.
Training
It is imperative that personnel be properly trained in order for a health care operator
to meet the HIPAA standards. Each organization must develop, implement, and maintain
records of awareness training for all personnel on virus protection, reporting data
discrepancies, and password management to ensure protection of health care information. 
Termination Procedures
In order to meet the HIPAA standards, health care operators must establish termination
procedures for personnel leaving the organization including: changing the locks,
terminating user access to databases, denying access to the physical facilities, and
revoking control mechanisms (i.e., swipe cards and keys).
Market Reform / Impact
Preparing for the Y2K bug was estimated to have cost the health care industry upwards of
$10 billion. Implementing the HIPAA privacy and security regulations is estimated to
cost the health care industry $40 billion over the next two years.
According to a recent survey conducted by the newsletter HIPAA Alert, 80 percent of
health care operators, and 75 percent of insurers, are trying to build overall awareness
in their organizations about the new HIPAA requirements. Additionally, more than half of
healthcare industry professionals are completing their initial assessment process. 
Over half of billing clearinghouses and vendors are well into HIPAA compliance, planning,
and implementation. It is the health care providers and insurers who are behind in their
efforts, with less than a third of respondents saying they have begun planning and
implementation for the HIPAA compliance. One reason given for the slow movement of
providers was that they were waiting for the final rules to be set in place before moving
forward with implementation. 
Three-fourths of information system vendors indicated that they would complete internal
testing of the HIPAA-compliant systems within 12 months, and all billing clearinghouse
respondents reported they will be HIPAA-ready within 18 months. More than half of
insurers indicate that they will not be fully HIPAA-compliant for 24 months or longer,
possibly because of confusion over what is really needed to be compliant. 
Court Decisions
Inasmuch as the HIPAA law has yet to go into effect, there is no case law yet involving
this legislation. It will be interesting, however, to see how this legislation impacts
further interactions between health care operators and the people they serve.
Recommendation
Health care operators who will be affected by the final ruling slated for December 2000,
should assess their current status to ascertain whether they will be in compliance with
HIPAA and, if not, what they need to do about it. Such assessments should include:
Educate organization staff members
What can a health care operator do to prepare for HIPAA? Their first step should be to
educate their senior management and line-staff. The HIPAA is a complicated and extensive
piece of legislation. It requires considerable education and a commitment from senior
management to secure the necessary human resources and financial resources. Especially in
larger health care operations, a chief security officer or similar senior management
officer is recommended to lead the organization's HIPAA efforts.
Coordinate a HIPAA Committee
Individual health care operators should each establish HIPAA committees. These groups
should be responsible for the oversight of HIPAA education, communication, and timelines.
Needless to say, personnel from Human Resources, Information Services, Finance, and the
General Counsel's office should comprise the committee, in addition to personnel from
medical records, medical staff affairs, managed care, and the business office. Each such
committee should meet frequently during the establishment and coordination of the HIPAA
initiatives to make certain that compliance will be met, and then periodically thereafter
to ensure proper maintenance.
Audit Policies, Procedures, and Application Systems
Health care operators should audit their existing information systems to identify areas
that will require improvement in order to comply with the HIPAA rules. One method would
be to conduct a gap analysis. The analysis would serve as the foundation for creating a
timeline for meeting the HIPAA deadlines. The audit should include an extensive review of
all policies and procedures associated with the release of information, network and
application security, and medical record confidentiality. Such audits - both current and
future - should be under the direction of the HIPAA Committee referred to above.
Identify Risk Areas
As a result of the initial audit, each health care operator should be able to recognize
high risk areas and then develop a corrective action plan in response. Such an action plan
will greatly depend on the identified deficiency. As a matter of necessity, those areas
with the highest risk should be addressed first, although these may also require the most
time, money, and manpower to correct. Most importantly, health care operators should
document each of their efforts towards compliance in the event that their labors are ever
questioned. 
Conclusion
Compliance with the upcoming HIPAA mandates will require the coordinated efforts of every
health care operator in the United States. However, despite how long, costly, and tedious
this process may be to these organizations, these initiatives are absolutely necessary to
safeguard the right of each American citizen regarding his or her health care records. 
In the current cyber-society in which we live - one that will only get more sophisticated
with time - such laws are imperative. The average cyber-junkie, familiar with the
information superhighway and all its little side-streets and alleys, can already find out
more information on the average citizen than most of us would want shared: our home
addresses, phone numbers, interests, hobbies, etc. In some ways, it is akin to George
Orwell's 1984. The only exception is, this time it is not Big Brother who is watching -
instead it is your next door neighbor or the kid down the street. Without laws such as
the Health Insurance Portability & Accountability Act, we could one day learn that our
most personal concerns - the health of our minds and bodies - are fodder on the Internet.
