HIPAA and the US Healthcare System - The Ponderous Process of Securing Patient Information
Author: Valerie Kellogg – Managing Director USA
The US Health Insurance Portability and Accountability Act (HIPAA) of 1996 has a double focus:
· Insurance reform
· Administrative simplification
The insurance reform is designed to protect the health insurance coverage of employees and their families when employees either change or lose their jobs. While this is an important aspect of HIPAA, what most concerns us in this article is the impact of the second part of the act, the administrative simplification.
These provisions set forth requirements for the Department of Health and Human Services (DHHS) to establish national standards for the security and privacy of health data, as well as for electronic healthcare-related transactions. The requirements affect providers, health plans and employers, and are intended to improve the efficiency of the healthcare system by promoting the use of electronic healthcare transactions. However, in order for patients and providers to embrace electronic transmission of data, they must be assured that the data is secure and that the patient’s privacy has been protected.
Effect upon Healthcare Providers’ Offices
A key part of HIPAA is the use of electronic transactions and the protection of patient data. Improving the efficiency of the insurance claims system, and hence of the healthcare system as a whole, is a Herculean task that is long overdue in the US. Once the HIPAA requirements have been satisfied, the office will have only one way to submit a claim, a vast improvement over today’s 400 different ways to submit a claim for reimbursement.
In order to encourage the use of electronic transactions, HIPAA requires that every provider who performs business electronically (i.e. virtually every doctor’s office that has a computer) use the same healthcare transactions, code sets and identifiers. Books have been produced that advise the physician how to go about getting the business into compliance. Generally the idea is to start with the office manager, then to have this manager train the other employees. Nevertheless, even in a small practice, coming into compliance may take six months or more. While the efficiency is expected, in the long run, to cut down on costs, critics say that performing all of the checks and training required by HIPAA will cost many millions of dollars.
Effect upon Hospital Radiology Administrators
Administrators must use “business associate agreements” for any entity that may handle secure healthcare information received from a healthcare provider. “Entity” could therefore include any on- or off-site facility that stores information related to patient data. The entity must ensure that such protected health information (PHI) is kept in a secure area, following the requirements developed by the DHHS. In addition, such contracts should be drawn up separately from other contracts between the healthcare provider and the entity, so that any updates to HIPAA may be easily reflected in the contract.
Process redefinition often required
Developing the HIPAA requirements has taken some years, but conforming to these strictures is no easy task either. In many cases a healthcare provider, or a medical device company that handles PHI in some way, must first look at the processes carried out, determine who exactly has access to PHI, then re-examine whether those persons really need such access, and to what extent.
For example, if a secondary system such as a data warehouse is involved, or a medical device company is testing a device with a group of patients, then the entity may have to trace the entire process of receiving, processing and handling PHI. Job descriptions may have to be rewritten if it is determined that some people do not need access to PHI in order to perform their job functions.
IT systems are likewise significantly affected by HIPAA. For any entity that handles or receives PHI in its IT system, there must be a very high level of security. This will consist of a combination of firewalls, security checks, system upgrades, and even additional security doors in hallways leading to the IT systems. Again, the entity must define who can use the system and to what level, and must be able to produce an audit trail showing who did what and when with the PHI.
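The two controls named above, an access level defined per user and an audit trail showing who did what with PHI and when, can be modelled in a few dozen lines. The following is an added illustration, not code from the article or from HBS Consulting: the job roles, access levels, record identifiers and timestamps are all constructed for the example, and the policy that an action is permitted only when the role's granted level is at least the level the action requires is an assumption made here. The audit trail is hash-chained so that a removed or altered entry is detectable during review, and the access-review helper performs the "who exactly has access to PHI" step from the preceding section.

```python
"""Added example: per-role access levels for PHI plus a tamper-evident audit trail.
All roles, levels, records and timestamps below are constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Access levels, lowest to highest. Assumed policy: an action is allowed only if the
# level granted to the user's job role is at least the level the action requires.
LEVELS = {"none": 0, "view": 1, "edit": 2, "admin": 3}
ACTION_REQUIRES = {"read": "view", "update": "edit", "export": "admin"}

# Constructed sample data: job roles and the PHI access level each is granted.
ROLE_LEVEL = {"billing_clerk": "view", "nurse": "edit", "it_admin": "admin", "receptionist": "none"}


@dataclass(frozen=True)
class AuditEntry:
    """One audit-trail line: who, in what role, did what, to which record, when, and the outcome."""
    ts: str
    user: str
    role: str
    action: str
    record_id: str
    allowed: bool
    prev_hash: str   # hash of the previous entry, so a deleted entry breaks the chain
    entry_hash: str  # sha256(prev_hash + this entry's own fields)


def _chain_hash(prev_hash: str, fields: dict) -> str:
    return hashlib.sha256((prev_hash + json.dumps(fields, sort_keys=True)).encode()).hexdigest()


class PhiStore:
    """Holds PHI records and logs every access attempt, whether allowed or denied."""

    def __init__(self, records: dict, clock=None):
        self._records = dict(records)
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())
        self.audit: list[AuditEntry] = []

    def _log(self, user, role, action, record_id, allowed):
        prev = self.audit[-1].entry_hash if self.audit else "0" * 64
        fields = {"ts": self._clock(), "user": user, "role": role,
                  "action": action, "record_id": record_id, "allowed": allowed}
        self.audit.append(AuditEntry(**fields, prev_hash=prev, entry_hash=_chain_hash(prev, fields)))

    def access(self, user: str, role: str, action: str, record_id: str):
        """Return the record if the role's level suffices; denied attempts are logged too."""
        granted = LEVELS[ROLE_LEVEL.get(role, "none")]
        needed = LEVELS[ACTION_REQUIRES[action]]
        allowed = granted >= needed and record_id in self._records
        self._log(user, role, action, record_id, allowed)
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {record_id}")
        return self._records[record_id]


def verify_audit(entries: list[AuditEntry]) -> bool:
    """Recompute the hash chain; False if any entry was altered or removed."""
    prev = "0" * 64
    for e in entries:
        fields = {k: v for k, v in asdict(e).items() if k not in ("prev_hash", "entry_hash")}
        if e.prev_hash != prev or e.entry_hash != _chain_hash(prev, fields):
            return False
        prev = e.entry_hash
    return True


def who_touched(entries: list[AuditEntry], record_id: str) -> list[tuple[str, str, str]]:
    """(timestamp, user, action) for every successful access to one record."""
    return [(e.ts, e.user, e.action) for e in entries if e.record_id == record_id and e.allowed]


def roles_with_phi_access() -> list[str]:
    """Access-review step: which job roles are granted at least 'view' on PHI."""
    return sorted(r for r, lvl in ROLE_LEVEL.items() if LEVELS[lvl] >= LEVELS["view"])


def demo() -> dict:
    """Exercise the controls on constructed data; returns the results for inspection."""
    ticks = iter(range(1, 100))
    store = PhiStore({"pt-001": {"name": "J. Doe", "dx": "example"}},
                     clock=lambda: f"2003-04-16T00:00:{next(ticks):02d}Z")  # constructed clock
    store.access("alice", "nurse", "read", "pt-001")
    store.access("alice", "nurse", "update", "pt-001")
    denied = 0
    for user, role, action in [("bob", "receptionist", "read"), ("carol", "billing_clerk", "export")]:
        try:
            store.access(user, role, action, "pt-001")
        except PermissionError:
            denied += 1
    intact = verify_audit(store.audit)
    # Alter one entry after the fact: the chain must no longer verify.
    tampered = list(store.audit)
    tampered[0] = AuditEntry(**{**asdict(tampered[0]), "user": "mallory"})
    return {"entries": len(store.audit), "denied": denied, "intact": intact,
            "tampered_detected": not verify_audit(tampered),
            "touched": who_touched(store.audit, "pt-001"), "roles": roles_with_phi_access()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Denied attempts are logged as well as successful ones, because an access review that sees only successes cannot show who tried to reach PHI outside their role. In a production system the chain hash would be anchored somewhere the system's own administrators cannot rewrite; here the chain simply shows how an altered or removed line becomes visible to the reviewer.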
Each company impacted by HIPAA will have a different list of priority tasks, based on its organization’s complexity and whether or not it is involved in the following functions:
· The Employee Retirement Income Security Act (ERISA) Health Plan operations
· Employer on-site health services, if any
· Business associate agreements, discussed above
· Patient authorizations
· Limiting of the use of data
· Limiting of access to data
Each company will also need to look at how far from meeting the HIPAA requirements it is, and will then want to assign highest priority to those items in which it is furthest from compliance.
Deadlines
Given the enormity of the task facing the healthcare provider, the associated entity and any company handling or receiving PHI, it should come as no surprise that initial deadlines have come and gone and been extended. At the time of printing, April 16, 2003 was the testing deadline for electronic transactions and code sets, with October 16, 2003 as the date set for compliance for those who requested extensions. The HIPAA Security Standards were only just recently completed; the final Rule was published in the Federal Register on February 20, 2003.
WEDI, EDI and SNIP
There is plenty of assistance at hand for those entities which determine that HIPAA applies to them. For example, the Workgroup for Electronic Data Interchange (WEDI) Foundation, formed for charitable, scientific and educational purposes, has as its mission to implement electronic commerce and EDI in the delivery of healthcare services and information. Its goal is to improve the efficiency of the healthcare system, and hence WEDI is heavily involved in assisting providers and entities with HIPAA compliance.
One way that WEDI carries out its mission is through the regional Strategic National Implementation Process (SNIP). SNIP not only works to implement the new standards, but also significantly helps the healthcare industry to meet these standards. It acts as both a regional sounding board and a resource when implementation problems arise.
Major step towards healthcare reform?
Even though the next presidential election is still many months in the future, talk is already heard on Capitol Hill about another attempt to reform the US healthcare system. Senator Trisk, who is a practicing surgeon as well as a senator, is one of the leading voices calling for another stab at desperately-needed change. The nationwide implementation of HIPAA, especially with its standard transaction codes and higher security for PHI, should serve as a firm step towards the renovation of the healthcare system in the US.
Bottom line for medical device companies
HIPAA clearly has a significant impact upon all patient care centres where PHI is stored, created or transmitted. But what might be the strategic significance of this legislation for medical device companies?
First, companies should review their products to see if the devices connect in some way to the patient care IT systems. If so, then is data transmitted or received in a secure manner that meets HIPAA regulations? Or does the device itself collect information that is downloaded or directly transmitted to an IT system, whether large (hospital-wide) or small (physician's wireless device)? Does the device provide restricted access to data, open only to those healthcare workers who need access? Is a healthcare facility able to program or otherwise adapt access to the device's data, to the degree that they have decided is appropriate at their facility?
Secondly, look again at the devices produced. If the device does not interact in some way with the healthcare IT system, then should it? Would this be a feature that could be attractive to the user? Or could the device be upgraded to include product features that could make life easier for the healthcare facility?
HBS Consulting feels that HIPAA presents other opportunities for the alert marketing manager, as well. Alliances with companies offering complementary products, and with, for example, a healthcare IT or software company, could result in a suite of products that are not only HIPAA compliant, but in addition push forward the boundaries of wireless e-health in the healthcare system. Such a suite of products, offered together with consulting aid as needed, training and product upgrades (for both HIPAA addenda and new product developments), can be presented in such a way that the company (or companies) involved builds a partnership with its customers.
HIPAA must not be ignored by medical device companies as 'not our concern.' The astute marketing manager or strategy development vice president will view the legislation as a generator of business opportunities.