Alliance for Children and Families, December 15, 2004
HIPAA Compliance is Attainable Goal
If you are like most agency executives, you have been hit for the past couple of years with hundreds of questions about HIPAA. This piece of federal legislation, like many of its ilk, expresses a noble interest, is much more complex than we want it to be, and affects many more areas than its original sponsors ever intended. This article will pare it down to size and show you that HIPAA compliance is not nearly as difficult as we once suspected it would be.
First, let’s agree on what HIPAA is. HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996.1 It was drafted with the goal of protecting the flow of health information generated by health benefit plans, particularly electronically exchanged information. Second, let’s agree on what it is intended to do. HIPAA is intended to prevent protected health information (PHI) from being accessed by non-authorized persons. It is essentially a statement of the interest in protecting an individual’s right of privacy. Third, let’s agree on what your responsibility is as the administrator of a child welfare agency (assuming that you have more than 50 employees).2 There are two main areas of concern. First, as an employer you are required to appropriately manage the PHI of those employees who have a health benefit plan with your organization. Second, as the provider of care to juveniles and their families, you are required to appropriately manage their PHI as they move through your agency and the child welfare system as a whole.
HIPAA and Health Benefit Plans
If you are a health plan sponsor, there is a wealth of PHI that is involved in analyzing benefit packages, confirming or authorizing an employee’s health care, or assessing an employee’s appeal of a coverage denial. Anytime your personnel management office rubs shoulders with PHI, it must jump through the hoops established by HIPAA to keep it private.
Most benefit plans and TPAs now have HIPAA compliance mechanisms in place, and as part of their service to you they will direct your HR staff about how to set them up and make them work. The confusion that reigned just after HIPAA’s enactment has now settled down as the health benefits industry tackled HIPAA’s regulations3 and created industry-accepted policies, procedures, and forms. Your major responsibility is to ensure that your HR department is obtaining board approval of HIPAA-required changes to health benefit plans; obtaining employee authorizations for managing their PHI; and training all employees who have access to PHI.
If you are self-funded and self-administered, then the entire HIPAA compliance burden falls on your shoulders. I will not attempt to describe your task to obtain compliance in your plan, as it is too complicated to describe in the context of this article.
HIPAA and Client Case Management
The impact of HIPAA on your day-to-day case management of young people and their families is one of those great unintended consequences of the legislation. Because just about everything that is included in a client’s case history is tied to a clinical diagnosis, your case management system automatically becomes a vast repository of PHI. For this reason, you must establish a HIPAA-compliant structure and attend to it accordingly.
You should start by identifying someone in your agency to be a privacy officer—a person who is responsible for developing and implementing HIPAA policies and procedures. Your privacy officer defines agency-wide privacy goals, drafts policies and procedures to implement them, and sets a timetable for achieving full HIPAA compliance. This person must not only understand your agency’s duties under the Act, but he/she must be aware of the interplay of related federal and state rules that affect HIPAA’s implementation at your agency.4
Anyone sharing agency information that is HIPAA protected is a business associate under HIPAA. Business associates must understand the general privacy concepts involved, comprehend the importance of HIPAA compliance, and be trained to correctly work with your HIPAA policies and procedures.
Permitted Uses and Disclosures
One of the ways that HIPAA rules have eased compliance is by delineating six specifically permitted disclosures that do not require patient authorization.5 The most significant of these for child welfare agencies are contained in the second specific use—for Treatment, Payment and Health Care Operations (see sidebar). Under this provision, you may continue your operations with minimal HIPAA impact, so long as you abide by HIPAA in all other respects.
Similarly, under the rules you may use your own agency-generated psychotherapy notes for treatment without getting client authorization (see sidebar). Psychotherapy notes under the Act are notes documenting a private counseling session, or a group, joint, or family counseling session, and that are separated from the rest of the individual’s medical record.6
Turn the Tables to Appreciate HIPAA
I asked the designated privacy officer of a Chicago-based child welfare agency about how HIPAA implementation has gone at his organization. He said, “In child welfare, confidentiality is not a new concept. We’ve done it all before. What HIPAA does is force us to think about how we use our paper and electronic files.” His organization is updating the platform underlying its case management system so that it is HIPAA compliant.
His best training technique is to turn the tables on his trainees. Recognizing that eyes glaze over when they hear the word HIPAA, he tells them, “Look, we’re not just providers here. We’re also consumers of privacy rules. You should be happy that someone else is looking after your personal health information just like you’re doing here. The intent is good. The rule is good.”