HIPAA Is About E-Business
Enhanced Profitability with Electronic Medical Information
by Uday O. Ali Pabrai, CEO of HIPAA Academy

Article Summary

The Health Insurance Portability and Accountability Act (HIPAA) is a watershed for the health care industry. HIPAA provisions will result in substantial investment in e-business initiatives that will remove friction and reduce costs substantially in the processing and handling of medical claims and transactions. HIPAA will also result in the deployment of security technology to protect patient and medical information.

HIPAA compliance must not be viewed as an exercise to meet government regulation compliance; it is rather a unique opportunity that will result in new efficiencies and enhanced profitability for the health-care industry.

Topics Addressed

• HIPAA and E-business: Aligned
• HIPAA Transaction Requirement
• HIPAA Privacy Requirement
• HIPAA Security Requirement

Disclaimer

The author encourages all readers and people interested in the legal aspects of HIPAA to seek competent legal advice regarding HIPAA compliance. This article does not constitute legal or other advice.

HIPAA and E-Business: Aligned

The Health Insurance Portability and Accountability Act (HIPAA) is about health information efficiency, privacy and security. The industries directly impacted by the HIPAA legislation include health-care and insurance organizations and businesses in the United States. The issues that relate to HIPAA deal with the transaction efficiency, as well as the security and privacy of patient and medical records and information. This is very similar to the needs for all businesses to secure information related to employees, customers and suppliers.

HIPAA is the watershed legislation for the health-care industry. HIPAA is enabling the development of national standards to bring about consistency in data formats for health-care transactions. Besides data format consistency, another key benefit from HIPAA compliance is the substantial reduction in paper-handling costs for health-care claims. These costs are likely to be reduced from $6 to $8 per claim to less than $1.

The Wall Street Journal had reported that the health-care industry spent as much as $8 billion to fix the Y2K problem. The estimates for HIPAA compliance are expected to be 2 to 3 times the number spent addressing the Y2K problem. While Y2K was about business continuity, HIPAA opens the door for enhanced profitability and new opportunities as a direct result of electronic medical records.

Healthcare business applications include patient scheduling, registration, clinical reporting, and billing. These business applications have to be secure and will need to integrate with the health organization’s security infrastructure. HIPAA mandates standardization in electronic healthcare administration. Further, healthcare transactions are quite varied and include:

• Insurance eligibility verification
• Insurance claims submissions
• Sharing of patient information between a doctor’s office and a hospital

Specifically, it is the Administrative Simplification portion of HIPAA Title II that is resulting in making the storage and movement of medical records and transactions more efficient as well as secure. It is the Administrative Simplification portion of the HIPAA legislation that is fueling initiatives within organizations to address health-care:

1. Transactions (as defined in the HIPAA Administrative Simplification regulation, “Standards for Electronic Transactions”, also referred to as “Transactions and Code Sets”)
2. Privacy (as defined in the HIPAA Administrative Simplification regulation, “Standards for Privacy of Individually Identifiable Health Information”)
3. Security (as defined in the HIPAA Administrative Simplification regulation, “Security and Electronic Signature Standard”)

The focus of this article is on e-business implications of these Administrative Simplification (AS) portions of HIPAA Title II. The HIPAA AS Title is the launch pad for e-business initiatives for electronic, and secure, medical information.

HIPAA Standard for Electronic Transactions

The HIPAA AS “Standard for Electronic Transactions” also referred to as the “Transaction and Code Sets” facilitates standardized information exchange between providers and payers. This Rule applies to all administrative and financial transactions covered by HIPAA starting as soon as October 16, 2002 for large organizations and October 16, 2003 for small organizations. The Electronic Data Interchange (EDI) standard ANSI ASC X12 was the standard for representation of healthcare claims, eligibility inquiries, enrollments and other transactions.

The fields within these transactions must be completed with entries from specified code sets. In addition to code sets, the transactions also contain identifiers, such as a Provider Identifier.

HIPAA requires EDI standards for:

• Health claims
• Health encounter information
• Health claims attachments
• Health plan enrollments and dis-enrollments
• Health plan eligibility inquiry and response (fast EDI transaction)
• Healthcare payment and remittance advice
• Health plan premium payments
• First report of injury
• Health claim status inquiry and response (fast EDI transaction)
• Referral certification and authorization (fast EDI transaction)

Under HIPAA, covered transactions are those that are created by “covered entities”, namely, healthcare providers (like physicians and hospitals), healthcare insurers, and clearinghouses (organizations that process healthcare transactions on behalf of providers and insurers).

HIPAA Privacy Requirement

Privacy is defined as having policies and procedures in place to control who has access to protected health information.

The privacy requirements of HIPAA outline specific rights for individuals regarding protected health information and obligations of healthcare providers, health plans, and health care clearinghouses. The privacy regulation grants healthcare consumers a greater level of control over the use and disclosure of personally identifiable health information. In general, healthcare providers, health plans, and clearinghouses are prohibited from using or disclosing protected health information except as authorized by the patient or specifically permitted by the regulation. The final rule’s applicability is expanded to include all personally identifiable health information, regardless of media format.

Any patient identifiable information is now Protected Health Information (PHI) regardless of the media form it is or was in. PHI is protected under HIPAA during data at rest or in transit. At rest can mean data that is accessed, stored, processed, or maintained. In transit can mean data that is transmitted in any form.

The final privacy ruling mandates the following requirements:

• Health plans and healthcare providers must inform their patients/beneficiaries of their business practices concerning the use and disclosure of health information.
• Direct healthcare providers must obtain written consent from a patient for use and disclosure of health information, even if the use or disclosure is related to such routine purposes as treatment or payment. A separate, specific authorization is required for non-routine disclosures. (Requirements for consent and authorization are forthcoming.)
• Finally, as a component of the consent process, patients are granted the opportunity to request restrictions on the use and disclosure of their health information.
• Within 60 days of a request, patients are entitled to a disclosure history identifying all entities that received health information unrelated to treatment or payment.
• Patients also have a right to review and copy their own medical records and have the corresponding right to request amendments or corrections to potentially harmful errors within the record.
• Healthcare providers and health plans are required to create privacy-conscious business practices, which include the requirement that only the minimum amount of health information necessary is disclosed.
• Business practices should ensure the internal protection of medical records, employee privacy training and education, creation of mechanism for addressing patient privacy complaints,
• The designation of an enterprise privacy officer or HIPAA compliance officer.
• Overall, covered entities are encouraged to use de-identifiable information whenever possible. Once information is in a de-identifiable form, it is no longer subject to the privacy regulation restrictions.

HIPAA Privacy Compliance Deadline

Although the HIPAA privacy regulations went into effect on April 14, 2001, no entity is required to comply with any standard or implementation regulation in the regulations until 24 months (or 36 months for small health plans) after that date which makes the compliance date at April 14, 2003.
As a practical matter, providers and other covered entities will need to use the remaining time to take those actions necessary to bring their policies, procedures and processes as well as contracts into compliance and to obtain the patient consents required under the regulations.

The regulations protect from the use or disclosure by a covered entity health information held electronically, on paper, or in any other form by a covered entity. Any use or disclosure of protected health information by the covered entity, including use for treatment of patients, marketing, medical research, and most other activities, are prohibited unless the use or disclosure complies with the HIPAA regulation.

HIPAA Security Requirements

Security is defined as having security controls and procedures in place to ensure the protection of information assets and control access to secured resources.

At a minimum, all health plans, clearinghouses, and healthcare providers that transmit or maintain electronic health information must conduct a risk assessment and develop a security plan to protect this information. They must also document these measures, keep them current, and train their employees on appropriate security procedures.

Under HIPAA, standards for security are covered by the rule, Security and Electronic Signature Standards. The rule for Security and Electronic Signature Standards outlines the requirements in five major categories:

1. Administrative Procedures to Guard Data Integrity, Confidentiality and Availability
2. Physical Safeguards to Guard Data Integrity, Confidentiality and Availability
3. Technical Security Services to Guard Data Integrity, Confidentiality and Availability
4. Technical Security Mechanisms to Guard Against Unauthorized Access to Data that
   is Transmitted over a Communications Network
5. Electronic Signatures

As organizations assess their infrastructure and applications there will be a need to develop and maintain security policies and procedures. The security policy along with HIPAA security compliance requirements will provide guidelines for end-to-end secure enterprise architecture.

HIPAA: Getting Started with E-Business Initiatives

HIPAA is about e-business initiatives inside organizations. This will not only provide more timely availability of information, enabling faster decision-making, but it will also enable substantial cost savings and increased opportunities for revenue. HIPAA initiatives will result in the development of applications as well as the deployment of technology. It is important to note that HIPAA is both a challenge from a technology perspective as much as it is a business process challenge. Careful attention needs to be paid to the business processes that would guide the application of the appropriate technology for HIPAA compliance.

Our advice is to take advantage of the HIPAA roadmap, and use it to accelerate the pace for the development of e-business applications and a secure, trusted infrastructure. Use it to build a resilient enterprise that is agile and increasingly virtual. This represents an enormous, unprecedented opportunity for the health care industry, and most important, your business.

Summary

HIPAA represents good business for the health-care industry. Forester Research estimates that business-to-business health care will boom from a $6 billion market in 1999 to about $348 billion in 2004. Forward thinking organizations need to examine how best to transform their business, remove the friction and increase the security of all electronic medical records.

It is the Administrative Simplification portion of the HIPAA legislation that is fueling initiatives within organizations to address health-care priorities. These priorities are primarily focused in the areas of:

1. Transactions
2. Privacy
3. Security

The scope of the Transactions Rule is to apply EDI to reduce cost and increase efficiency and response. The HIPAA Privacy Rule:

• Brings the patient closer to the process
• Requires the health-care organization to clearly specify what roles are authorized to manipulate what patient information.

The HIPAA Privacy Rule provides patients with the following basic rights:

• The right to access their record
• The right to amend their record
• The right to see an accounting of what disclosures have been made

The HIPAA Security Rule enables organizations to safeguard all medical information and transactions.

Organizations need to develop processes and applications that enable patients and providers to have access to the medical information and participate in transactions on-line.

About the Author
Uday O. Ali Pabrai, CEO of HIPAA Academy, is an accomplished expert in the areas of HIPAA, PKI, biometrics and enterprise security. A highly sought after speaker, Ali has delivered keynote and other sessions at numerous conferences worldwide including COMDEX, COMNET, Internet World and DCI’s Internet Expo. Ali created the industry leading CIW program and is the co-creator of the highly successful Security Certified Program (SecurityCertified.Net). At the HIPAA Academy, Ali developed E-Accelerator—a HIPAA security-related implementation methodology. Ali may be reached at pabrai@HIPAAacademy.Net.