QUESTION: What do the following events all have in common?
- Your personnel bookkeeper posts medical records in an e-mail to your health plan and accidentally sends it to a residential cottage where the house parents read all about an employee’s alcohol and drug problem.
- Last year’s health insurance claims forms blow out of a truck as they are being sent to your records storage facility.
- The person unpacking a used computer that was sent to a sister facility discovers that the hard drive still contains records of prescription drug payments you made on behalf of state wards for the past five years.
ANSWER: These incidents all involve private information concerning a person’s health. They are all regulated by the U.S. Department of Health and Human Services’ Office of Civil Rights, and each incident exposes your agency to a $100 civil money penalty under the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
If you are like most agency executives, you have been hit for the past couple of years with hundreds of questions about HIPAA.
This piece of federal legislation, like many of its ilk, expresses a noble interest, is much more complex than we want it to be, and affects many more areas than its original sponsors ever intended. This article will pare it down to size and show you that HIPAA compliance is not nearly as difficult as we once suspected it would be.
First, let’s agree on what HIPAA is. HIPAA is an acronym for the Health Insurance Portability and Accountability Act of 1996.[1] It was drafted with the goal of protecting the flow of health information generated by health benefit plans, particularly electronically exchanged information. Second, let’s agree on what it is intended to do. HIPAA is intended to prevent protected health information (PHI) from being accessed by non-authorized persons. It is essentially a statement of the interest in protecting an individual’s right of privacy. Third, let’s agree on what your responsibility is as the administrator of a child welfare agency (assuming that you have more than 50 employees).[2]
There are two main areas of concern. First, as an employer you are required to appropriately manage the PHI of those employees who have a health benefit plan with your organization. Second, as the provider of care to juveniles and their families, you are required to appropriately manage their PHI as they move through your agency and the child welfare system as a whole.
HIPAA and Health Benefit Plans
If you are a health plan sponsor, there is a wealth of PHI that is involved in analyzing benefit packages, confirming or authorizing an employee’s health care, or assessing an employee’s appeal of a coverage denial. Anytime your personnel management office rubs shoulders with PHI, it must jump through the hoops established by HIPAA to keep it private.
Get Educated about HIPAA
The Alliance's Severson Center has compiled a detailed fact sheet about HIPAA, which includes articles about the legislation and a list of online links to various sources of information, including:
In addition, the Severson Center has sample HIPAA-compliant policies from Alliance members and other sources for review. Contact the Severson Center at 414-359-1040, ext. 3615.
Most benefit plans and TPAs now have HIPAA compliance mechanisms in place, and as part of their service to you they will direct your HR staff about how to set them up and make them work. The confusion that reigned just after HIPAA’s enactment has now settled down as the health benefits industry tackled HIPAA’s regulations[3] and created industry-accepted policies, procedures, and forms. Your major responsibility is to ensure that your HR department is obtaining board approval of HIPAA-required changes to health benefit plans; obtaining employee authorizations for managing their PHI; and training all employees who have access to PHI.
If you are self-funded and self-administered, then the entire HIPAA compliance burden falls on your shoulders. I will not attempt to describe your task to obtain compliance in your plan, as it is too complicated to describe in the context of this article.
HIPAA and Client Case Management
The impact of HIPAA on your day-to-day case management of young people and their families is one of those great unintended consequences of the legislation. Because just about everything that is included in a client’s case history is tied to a clinical diagnosis, your case management system automatically becomes a vast repository of PHI. For this reason, you must establish a HIPAA-compliant structure and attend to it accordingly.
You should start by identifying someone in your agency to be a privacy officer—a person who is responsible for developing and implementing HIPAA policies and procedures. Your privacy officer defines agency-wide privacy goals, drafts policies and procedures to implement them, and sets a timetable for achieving full HIPAA compliance. This person must not only understand your agency’s duties under the Act, but he/she must be aware of the interplay of related federal and state rules that affect HIPAA’s implementation at your agency.[4]
Anyone sharing agency information that is HIPAA protected is a business associate under HIPAA. Business associates must understand the general privacy concepts involved, comprehend the importance of HIPAA compliance, and be trained to correctly work with your HIPAA policies and procedures.
Permitted Uses and Disclosures
One of the ways that HIPAA rules have eased compliance is by delineating six specifically permitted disclosures that do not require patient authorization.[5]
The most significant of these for child welfare agencies are contained in the second specific use—for Treatment, Payment and Health Care Operations (see subarticle about these activities, which don't require client authorization). Under this provision, you may continue your operations with minimal HIPAA impact, so long as you abide by HIPAA in all other respects.
Similarly, under the rules you may use your own agency-generated psychotherapy notes for treatment without getting client authorization (see sidebar). Psychotherapy notes under the Act are notes documenting a private counseling session, or a group, joint, or family counseling session, and that are separated from the rest of the individual’s medical record.[6]
Turn the Tables to Appreciate HIPAA
I asked the designated privacy officer of a Chicago-based child welfare agency about how HIPAA implementation has gone at his organization. He said, “In child welfare, confidentiality is not a new concept. We’ve done it all before. What HIPAA does is force us to think about how we use our paper and electronic files.” His organization is updating the platform underlying its case management system so that it is HIPAA compliant.
You should be happy that someone else is looking after your personal health information just like you’re doing here. The intent is good. The rule is good.”
ENDNOTES
1. Public Law 104-191.
2. HIPAA applies only to “covered employers,” that is, employers that have more than 50 participants in ERISA health benefit plans. However, employers with self-funded plans are equally liable for compliance.
3. HIPAA is implemented by the U.S. Department of Health and Human Services’ Office of Civil Rights Privacy Rule. A summary of the HIPAA Privacy Rule can be found on the OCR Web site at www.hhs.gov/ocr/hipaa.
4. There are numerous federal and state laws that also deal with privacy. At the federal level are the following: Privacy of Substance Abuse Records (42 CFR Part 2), Confidentiality of Records (42 U.S.C. 290dd-2), Medicare, Medicaid, and CLIA (Clinical Laboratory Improvements Amendments of 1988). At the state level are state laws governing public health data, vital statistics, health plans, criminal investigations, and health care for minors. When analyzing state privacy laws, you should choose the law that offers the greatest protection. Usually, if your state grants more protection for PHI or gives an individual greater access, HIPAA will not pre-empt the state provision. Always obtain legal review before relying on your own analysis.
5. A covered entity is permitted to use and disclose PHI without an individual’s authorization for the following purposes or situations: (1) to the individual; (2) for treatment, payment or operations; (3) with the person’s informal consent or failure to object; (4) for incidental use and disclosure; (5) for the public interest and benefit; (6) for data gathering purposes where identifiers have been removed.
6. Specifically “psychotherapy notes” means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session, or a group, joint, or family counseling session, and that are separated from the rest of the individual’s medical record. Psychotherapy notes exclude medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.
Kathryn Vanden Berk practiced law for nine years before serving as the president of two residential treatment centers for children. Now practicing in Chicago, she focuses on nonprofit start-ups, corporate and tax law, and employment issues. She serves as adjunct faculty at several Chicago universities, and is a member of the Advisory Board of the Axelson Center for Nonprofit Management at North Park University. She authored a handbook on starting nonprofits that is available from the Nonprofit Financial Center, Chicago, and a chapter in the Illinois attorney’s handbook Not-for-Profit Corporations, 2004 Ed., Illinois Institute of Continuing Legal Education. In 2004 she authored Retooling Employment Standards for the Future, a publication of the First Nonprofit Educational Foundation, Chicago. She can be reached by e-mail or at 312-558-1690.
