December 2001

HIPAA: The Healthcare Industry’s Latest Challenge

By Judith A. Eisen and Morris Shoretz

The United States Department of Health and Human Services recently enacted regulations pursuant to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) relating to protecting the security and privacy of individually identifiable health information (referred to as Protected Health Information or PHI) and standardizing electronic transactions. These regulations, which apply to virtually all healthcare providers, health plans and healthcare clearinghouses (referred to as covered entities), will severely impact the way that the healthcare industry, and those who advise healthcare entities, operate.

HIPAA and Its Regulations

HIPAA, a federal law enacted in 1996, was originally intended to ensure that individuals would maintain access to health insurance when changing jobs. The law also included administrative simplification provisions, under which regulations were to be established to increase the efficiency of electronic healthcare transactions while at the same time protecting the privacy and security of patient information. The HIPAA regulations can be broken into three distinct parts: transactions and code sets, security, and privacy.

The first part of the HIPAA regulations, the transactions and code sets regulations, relates to electronic billing. HIPAA specifies standard formats for certain electronic transactions, including claim submissions and eligibility inquiries. These standards are significantly different from the HCFA 1500 or UB 92 forms healthcare clients may currently be using. Compliance with the new electronic standards will require healthcare providers to do one of the following: contract with a healthcare clearinghouse or billing company to perform the provider’s billing and collection, upgrade their current billing software, or purchase new software that is compliant with the HIPAA electronic standards. Compliance is required by Oct. 16, 2002. This portion of HIPAA is intended to improve efficiency and, in the long run, save healthcare entities money.

The second part of the HIPAA regulations relates to the security of PHI. These regulations essentially require healthcare entities to follow good business practices in safeguarding health information, both in terms of technical and physical security. These regulations require, among other things, access controls, audit trails, encryption if transmitting over an open network such as the Internet, and various other safeguards to prevent unauthorized and improper access to PHI. These regulations are currently in the drafting stage but are expected to be finalized shortly. Compliance will be required two years from finalization. It is important to note, however, that aspects of the privacy regulations (discussed below) impact security; therefore, covered entities may need to make security-related changes to their operations sooner to comply with the privacy regulations.

The third part of the HIPAA regulations, which could have the greatest impact on the relationship between accountants and their healthcare clients, is the privacy regulations. These regulations, which are extremely detailed, are designed to ensure that a patient’s PHI is only accessed by appropriate individuals and only for purposes of “billing, treatment or healthcare operations.” The regulations require providers to obtain a patient’s consent prior to the use or disclosure of any PHI, even for the provider’s own purposes. Compliance with the privacy regulations is required by April 14, 2003.

Business Associates

A significant aspect of the privacy regulations relates to business associates. Essentially, the privacy regulations recognize that covered entities will need to disclose PHI to outside entities that assist the covered entity in performing its duties. These outside entities include accountants, attorneys and other consultants hired by the covered entity. The privacy regulations require that the covered entity execute a business associate agreement with each of these outside entities prior to disclosing PHI to the entity. It should be noted, however, that while the business associate provisions of the privacy regulations are most likely to affect accountants, there are similar corresponding provisions under the transactions and code sets and security regulations.

The business associate agreement must be in writing and contain certain provisions. Among these provisions is an undertaking by the business associate to fully comply with all of the requirements of HIPAA and to appropriately safeguard PHI. The only uses or disclosures of PHI permitted by the business associate are those specified in the agreement or those required by law. The agreement can, however, permit uses and disclosures by the business associate for the business associate’s proper management and administration. The business associate agreement also must require the business associate to report known breaches to the covered entity and authorize the covered entity to terminate the agreement if the covered entity determines that the business associate has violated a material term of the agreement. In order to satisfy the business associate requirements, accountants will need to be familiar with the requirements of HIPAA.

Minimum Necessary Rule

Another significant aspect of the privacy regulations that may impact the way that accountants interface with their clients is the Minimum Necessary Rule. Essentially, this rule states that disclosures of PHI should be limited to the information necessary for the individual or entity to be able to perform the duties required of them. This means, for example, that employees within a hospital should access only the amount of information necessary for them to perform their specific duties. As for the hospital’s interactions with business associates, such as accountants, the hospital will need to remove all PHI from information disclosed to the accountants unless the accountants need such information to perform their duties. For example, if an accountant is auditing a sampling of records, a determination should be made on a case-by-case basis as to whether the accountant needs to access all of a record or only a portion of it.

As a consequence of the HIPAA regulations, if accountants do receive patient information, they will need to keep the information private and secure and implement appropriate procedures that comply with the HIPAA requirements. This could cause some accounting firms to reevaluate how projects are staffed and how client work records are maintained in order to limit the individuals who receive access to patient information. In addition, as some accountants who service healthcare providers may be aware, a large number of healthcare providers have begun the process of complying with HIPAA and may soon be sending business associate agreements to their accountants for execution. Accountants should be familiar with the requirements of such agreements and should attempt to negotiate terms that are beneficial to them, yet compliant with HIPAA. As all of these requirements are new, complying with HIPAA will be a challenge for both the healthcare industry and those who advise healthcare clients. An evening technical session on HIPAA will be held on Jan. 22 at Society headquarters. For information, call (800) 697-7272.


Judith A. Eisen, Esq. is a partner at Garfunkel, Wild & Travis, P.C., in Great Neck, N.Y., a general practice law firm that specializes in representing healthcare providers. She specializes in healthcare law, including HIPAA and fraud and abuse compliance. Morris Shoretz is a partner with Shoretz & Company CPAs, P.C., in New York City. He is the incoming chair of the NYSSCPA’s Healthcare Committee and an active member of the Not-for-Profit Organizations Committee. Shoretz is also co-chair of FAE’s 2000 and 2001 Healthcare Conferences.



©1997 - 2009 New York State Society of Certified Public Accountants.