 Cheryn Netz Baker, Wise Carter Child & Caraway
Rural hospitals and clinics paid little notice to the April 21 deadline for the latest security compliance part of the Health Insurance Portability and Accountability Act (HIPAA).
HIPAA, the sweeping healthcare administrative reform bill passed in 1996, mandated that by the spring deadline, small health plans with $5 million or less in annual revenue must meet the United States Department of Health & Human Services standard for the administrative, physical and technical safeguarding of electronic protected health information (ePHI), which includes electronic health records (EHRs).
Hindered by a lack of manpower and funds, a growing number of small healthcare-related companies nationwide are taking a reactive rather than a proactive approach to this particular compliance issue. The trend is prominent in Mississippi, a largely rural state.
"Our firm has not been involved lately in assisting hospitals to become HIPAA-compliant on the front end," said Cheryn Netz Baker, an attorney specializing in HIPAA compliance issues with the Jackson-based Wise Carter Child & Caraway law firm. "The shift has been towards them calling us to assist them when there has been a complaint filed by a patient either with the hospital or with CMS (Centers for Medicaid and Medicare Services, the reporting agency). We help them respond to the complaint and advise them of what corrective actions should be taken. Or there has been a violation and they want us to let them know what to do in anticipation of a possible complaint. We also review contracts with third parties to determine if there are any HIPAA issues that need to be addressed in the contracts."
As many as one in five healthcare-related companies nationwide do not have the technology and processes in place to provide the level of patient-privacy protection required by HIPAA. That percentage hasn't changed since last summer, leaving one-fifth of America's healthcare providers "unable or unwilling to implement federal privacy requirements," according to the Healthcare Information and Management Systems Society (HIMSS). The society's summer 2005 study reported: "HIPAA implementation can often resemble a moving target." The two most frequently voiced roadblocks to HIPAA compliance were "no public relations or brand problems associated with non-compliance" and "no anticipated legal consequences for non-compliance."
"Generally, when there's a complaint, it's a gray area where it wasn't clear whether the rule was complied with or not," said Baker. "Usually the providers aren't purposefully knowingly violating the rule. Instead, they are just unaware or uninformed of the specific requirements of the rule, such as possibly information was disclosed to a third party on the belief that it was permitted by the Privacy Rule, but in the particular circumstance at hand, the disclosure didn't comply with specifics of the rule."
HIMSS also pointed out that only 55 percent of large healthcare providers and 72 percent of insurers and other payers have met the requirement for the security part of the law, whose compliance deadline fell last April for all other covered entities, including companies with annual revenues of $5 million or more.
"The many small hospitals and clinics still not in compliance don't have the time or money to do it," said Gerry Printz of Amsador, Ltd., a knowledge management consulting firm based in Brandon. "Some are doing their best with limited resources, chipping away at it a little at a time. They show concern by putting policy into place, trying to get systems to conform where they don't, and are documenting that action. They're trying to get vendors to conform. The big problem with rural healthcare is that you can't throw out systems you've had for a long time and put patient health at risk."
Because technology is developing so quickly, it is often difficult for healthcare providers to determine whether flash drives, hot-site disaster recovery and other specific file management and storage technologies are covered by the rule, or whether they meet its requirements.
"When HIPAA says electronic information, what about an X-ray machine? When that shot comes out of a machine, is it electronic? When you're not securing X-rays, what does that mean? Does electronic security mean something coming off a fax machine?" noted Printz.
In small town Mississippi, neighbors are privy to a patient's condition through the active local grapevine. "It's going to be hard to prove that a leak came from the hospital and not gossip on the street," Printz pointed out.
If a patient files a complaint about a security compliance issue with CMS, the healthcare company is open to investigation. But CMS has already made known that "enforcement will be complaint-driven."
"In my experience, our clients take CMS complaints very seriously," said Baker. "They're very concerned when they get a complaint, especially from CMS, and they don't take it lightly. But it would make sense that providers who are not concerned about complaints wouldn't contact their attorneys for assistance in responding to them. If a company takes appropriate action when apprised of a violation by CMS, then usually nothing will happen."