There was a time, not so many years ago, when the Compliance department of a hospital was an adjunct of the Office of the Medical Director, or, perhaps, the General Counsel. Perhaps the Risk Manager had a Compliance hat she wore when the occasion demanded. Sure, Medical Records had compliance responsibilities, but they mostly comprised making sure the appropriate forms were completed (such as Operative Reports, or Discharge Summaries).
In the late 1990s, the trend toward digitization of health records raised new health care compliance concerns: privacy and security. HIPAA, which is an acronym for the Health Insurance Portability and Accountability Act of 1996, did not originate in health care compliance, at least not directly. The focus was portability. The goal of HIPAA was to allow a company’s employees to move from job to job without their health insurance being affected as a result of denials of enrollment because of preexisting conditions. Yet, HIPAA lawyers (yes, the term was coined during this time) realized that health insurance companies had to perform certain actuarial calculations in order to assess risk and set premiums, and, to that end, they had to review the claims experience. The only practical way to do that was to review the codes used for those claims.
The problem is that these codes are not standardized. Every state has its own set of codes. This prompted aides to Congress and the Dept. of social services to create a single, unified set of claims codes. Yet, as with most things legislative, this begat another concern: the constant transfer of data opened the possibility of huge security holes through which unscrupulous individuals or businesses could grab data and use it for nefarious purposes. As a result, DHHS allowed for comments about medical privacy issues. They received nearly 40,000 comments about health information that had been mishandled with regard to its privacy. These stories led to the HIPAA Privacy Rule, in which criteria for use and disclosures of medical information were established. Soon after, there were a number of rules instituted that dealt with the manufacturing of, the storage of, and the ultimate disclosure of protected health information. The combined Rules exceeded 600 pages, and thus a category of healthcare counsel known as “HIPAA Law” was born.
Since then, knowing HIPAA law has become almost a cottage industry within the area of healthcare law. As healthcare law has become more robust, and areas like healthcare compliance have been added, lawyers have had to learn more and more about the industry, especially with regard to how changes affect security and privacy. Yet, as more and more health information was created, stored and transferred electronically, hospitals and medical practices established many offices, such as an office for the position of Chief Information Security.
This trend was given a significant boost in 2004, when President George W. Bush issued an Executive Order setting in motion a national transition to an interoperable electronic health record system by 2004. Funding for this initiative was established on a regional basis with grants in legislation established by Congress (Hillary Rodham Clinton was a sponsor of one of the first bills). The Office of National Coordinator of Health Information Technology was established in 2004, but there was little coordination because regions of the country were slow to adopt the new technology, in light of the challenges of hospital economics (thin margins, slow reimbursements, etc.). Medicare stopped taking paper claims submissions, but there was still significant resistance among caregivers to give up the pen and paper.
In February 2009, legislation was passed which would almost require every Risk Manager and Compliance Officer to have at least a rudimentary knowledge of HIPAA law, as it pertained to electronic health records. As part of the American Recovery and Reinvestment Act, Congress passed the Health Information Technology for Economic and Clinical Health (HITECH) Act. In a reprise of the concerns which led to the implementation of the HIPAA Privacy and Security standards, HITECH did three things that will change the daily activities of Risk Managers, hospital counsel, Privacy Officers and IT and Security Officers. The first thing it does is provide $30 billion to incentivize the transition to health record systems that are interoperative. The law, enacted on Jan. 13, 2010, establishes criteria for access to those funds, allowing only those who can exchange data in an accurate and secure manner. In addition to all that, the third way in which it affects the healthcare industry is that it requires that all information be accessible in a way that is consistent with, and buttresses, the old HIPAA privacy and security standards. Such a mandate is made even harder, however, by the fact that HIPAA rules were expanded and strengthened as a result of the act.
As hospital staff are made aware of these new regulations, despite being in the middle of a recession, there is no doubt that lawyers will be called upon by hospitals. Healthcare compliance will truly become HIPAA compliance.