Editor's Note: To understand how the changes in HIPAA affect Domino and Notes administrators, view Chuck's tip on "Conducting a HIPAA audit".
You may have seen newspaper stories recently about changes to privacy regulations for health care organizations. These new regulations went into effect on April 14 and are causing large amounts of confusion at doctors' offices, insurance companies, HMOs, and even florists who deliver to hospitals. The privacy rules are part of a large, complex federal law called the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
This article summarizes the various aspects of HIPAA and shows how it has affected (and will affect) computer operations at any organization involved with health care, which is a very large segment of the economy.
HIPAA has five general provisions:
Insurance Reform – This portion of HIPAA relates to how health insurance is handled when someone changes jobs or loses their job. It helps you to maintain continuous health coverage during career transitions.
Transactions and Code Sets – This portion of HIPAA standardizes the way that medical information is formatted and transmitted electronically. Today there are a huge number of incompatible formats for storing health information on computers, and this part of HIPAA attempts to solve that problem.
Identifiers – This is a national registry of identification numbers for health care organizations, so the organizations can communicate with each other unambiguously.
Privacy – This part of HIPAA governs how the health care industry should handle your confidential health information. In theory, the rules are quite simple: No one should see your medical information, except for you and people who need to see it to give you good care. In practice, the rules are causing lots of problems. Here are some examples.
- You go to an appointment at your doctor's office. As you check in at the front desk, a nurse asks you how you are feeling. Is this appropriate, since another patient might overhear your answer?
- You are taken into an emergency room unconscious. The doctors get your name from your wallet. Should they put your name on the list of people to be visited by clergy? You might want such a visit, but you also might not want to disclose that you are in the hospital.
- A florist delivers flowers to a local hospital for Mr. Smith. The front desk at the hospital accepts the flowers for Mr. Smith. Does this acceptance of the flowers disclose that Mr. Smith is a patient at the hospital? If Mr. Smith had asked not to be listed in the hospital directory (which is every patient's right) should the hospital refuse the flowers?
Security – This set of HIPAA regulations takes effect in two years. Up until now, health care organizations have been focusing on the privacy rules. But now that the privacy deadline has passed, computer security is the next area that organizations will turn to. The security requirements are quite extensive, with a wide variety of interpretations about what they mean. Some of the implementation specifications are marked as "required", while others are "addressable." Addressable does not mean optional: you must assess whether the specification is reasonable and appropriate for your environment and implement it if so; if you decide not to implement it, you must document why and put an equivalent alternative measure in place where one is reasonable. The regulations are also divided into "administrative", "physical", and "technical" safeguards. Within each area, there are "standards" and "implementation specifications." There is a lot to learn, and the time to begin preparing for this deadline is now. No organization can meet the HIPAA security requirements with a couple of months' effort.
(For more details about the security rules, and how they affect Domino/Notes systems, see my companion article "Conducting a HIPAA Security Audit". The article includes a downloadable Notes tool to help with these audits.)
The first provision of HIPAA (insurance reform) is Title I of the act. The last four provisions are collectively known as Title II, or Administrative Simplification. The term "simplification" is quite humorous, however, since everyone involved in health care has been pulling their hair out trying to figure out how to meet the requirements. They are anything but simple!
All of the provisions -- particularly Transactions and Code Sets, Identifiers, and Security -- will have a large impact on any computer system within the health care world. What many people do not appreciate about HIPAA however, is how far the "health care world" extends. Some examples:
- A billing service has a medical office as a client. The billing service is now a "business associate" of a medical entity that is covered by HIPAA, so the billing service is covered by the rules as well.
- A consultant gets called by an HMO to fix a Domino server. The consultant may see patient information during the project (bumping into the privacy rules) and must make sure the server handles data correctly going forward (security rules).
Spending on health care in the United States is now greater than $1.3 trillion per year, and it accounts for more than 13% of our gross domestic product. This is a very big industry, which uses lots of computers. Most of these computers will be affected by the HIPAA regulations in some way. All data processing professionals should spend some time gaining a general understanding of HIPAA, since we are all likely to run into this law in some way in the near future.
This was first published in May 2003