Perspectives on Managing Regulations: HIPAA

Nancy Davis, MS, RHIA and Chrisann Lemery, MS, RHIA

Introduction

On April 14, 2003, health care providers and health plans, as covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), were required to be in compliance with the Privacy Rule. Effective April 14, 2005, these same covered entities will need to ensure compliance with the Security Rule. Managing HIPAA has created opportunities and challenges for both providers and plans. As privacy/security officers for both a health care provider network and a health care plan, we will present our experiences with HIPAA implementation and ongoing management. While representing two different types of covered entities, we will share the many similarities in the implementation processes. As we work to leverage the Privacy Rule experience, we will discuss our upcoming plans for Security Rule compliance.

Background of Covered Entities

WEA Trust (the Trust) was created by the Wisconsin Education Association Council in 1970 as a not for profit corporation responsible for providing insurance and benefit plans for public school employees and their families. The Trust offers group health, dental, life, long-term disability, short-term disability, and long-term care insurance plans. These group plans are available to members through bargaining between their local union and their employer. We also offer insurance products that individuals can purchase directly. These include auto, homeowners, renters, personal property, personal liability, and individual long-term care insurance policies. The Trust is Wisconsin's second largest health insurer with 500 employees and serves over 200,000 Wisconsin public school employees and their families.¹

The Trust began discussions regarding HIPAA in 2000. The Assistant to Office of General Counsel was assigned to lead the project. Initially, the transactions and code sets regulation was the driving force for the organization's HIPAA compliance efforts. A HIPAA Steering Committee was formed with the Assistant to Office of General Counsel as chairperson. Representatives from human resources, information systems, provider relations, eligibility, claims administration, and senior management comprise the committee. By 2001, it was obvious to the Office of General Counsel that more resources were needed to devote to HIPAA implementation. A half-time position was hired as HIPAA project leader reporting to the Assistant to Office of General Counsel. In 2002, a new HIPAA Compliance Specialist position was assign HIPAA privacy duties in the newly created Compliance and Regulatory Department directed by the Assistant to Office of General Counsel. The required HIPAA Privacy Officer is the Director of Compliance and Regulatory Department. The HIPAA Compliance Specialist co-chairs the HIPAA Steering Committee. Two years into Privacy Rule implementation, this committee has completed over 40 company-wide policies and procedures, numerous forms, and numerous other privacy deliverables. In addition, the Steering Committee implemented numerous information system software changes.

The HIPAA Security Rule implementation has presented new challenges. In 2004, a building services representative became a member of the HIPAA Steering Committee since this area is responsible for the organization's business continuity plan and physical security.   The absence of documented policies and procedures addressing our electronic health information security is noted. The Trust hopes to develop from the success of the Privacy Rule implementation the necessary Security Rule documentation.

Ministry Health Care (Ministry) is a Catholic health care system sponsored by the Sisters of the Sorrowful Mother. Ministry is a network of hospitals, clinics and other health related organizations operating across the central, northern and northeastern regions of Wisconsin and eastern Minnesota.  To meet the needs of the communities served, Ministry offers a complete continuum of care through acute and tertiary care hospitals, physician clinics, long-term care and assisted living facilities, home health agencies, hospices and numerous other programs and services.

In the summer of 2001, Ministry leaders brought together representatives from affiliate organizations to discuss an approach to HIPAA Privacy Rule compliance. Representatives attending the meeting had concerns regarding the complexity of the Rule and the subsequent implementation challenges for small healthcare organizations. At that meeting it was determined that corporate level resources were desired, and it was felt that the resources could best be provided through the already established corporate integrity program. In January of 2002, Ministry established the "Director of Privacy" position at the corporate level to direct Privacy Rule compliance. A corporate Privacy/HIPAA Oversight Team was also established with representation from each organization by a local privacy officer. Two years into Privacy Rule implementation, this team has completed over 25 policies and procedures, 21 position statements, numerous support forms and documentation, several educational presentations, and numerous other privacy deliverables. The team continues to work on privacy issues as well as related health information issues. Many of these team members will transition to work on HIPAA Security Rule implementation.

Already it seems that implementation of the Security Rule will present completely different challenges and opportunities. At this stage, the absence of policies and procedures has been noted. That is not to say that the security processes are not carried out in a manner that safeguards protected patient health information - it's just that there is very little documentation to support the processes. Fortunately, the organization feels it can leverage and build upon the successful HIPAA Privacy Rule implementation.

Issues of Managing HIPAA Privacy

Authorizations

Both payers and providers struggled equally with the developing the consents and/or authorizations for disclosure/release of protected health information. The greatest challenge of all in Wisconsin for both payers and providers was developing a uniform understanding of preemption analysis issues between previously existing state regulations and HIPAA's Privacy Rule.  

The HIPAA Collaborative of Wisconsin (HIPAA COW) provided great assistance in developing a preemption analysis tool for authorization requirements.² HIPAA COW a non-profit organization open to entities considered to be Covered Entities (providers, payers, clearinghouses, etc.), Business Associates, and/or Trading Partners under HIPAA, as well as any other organization impacted by HIPAA regulation. HIPAA COW is also Regional Strategic National Implementation Process Affiliate of the Workgroup for Electronic Data Interchange Strategic National Implementation Process.   HIPAA COW was established in 2001. Board representation from the Wisconsin Health Information Management Association (WHIMA) has been provided by Chrisann Lemery. Nancy Davis has represented the "provider" perspective at the board level. Additionally, representation is provided by several legal firms, which has proven to be tremendously helpful.

The HIPAA COW authorization grid, once completed, provided the most comprehensive and definitive resource for payers and providers. Refer to Exhibit A. Based on the grid information, payers and providers were able to develop HIPAA compliant authorizations, which also ensured compliance to state regulations governing confidentiality of insurance records and healthcare records for general health care, mental health, AODA, and/or HIV services. All in all, a compliant authorization in the State of Wisconsin may contain up to eighteen data elements, depending on what the authorization is used for.   Compliant authorizations forms have greatly improved the flow of information between payers and providers.

As stated above, the Trust offers a variety of benefit plans, which are non-HIPAA lines of business.   Disability, life, and property and casualty are not governed by HIPAA. However, for these plans to be administered access to information from the HIPAA covered health, dental and long-term care lines of business may be necessary. Prior to HIPAA, the lines of business had the capability to share information freely. The HIPAA preamble of the regulations states the sharing of information across lines of business is allowed if it meets the permissive or required disclosures under the rule.³ This posed a major change for the communication of Trust employees and customers since the majority of the information sharing across the lines of business was provided as a service to the Trust participants and did not meet the permissive or required disclosures under the rule. Therefore, authorization forms and procedures to disclose between benefit plans were developed.  

Minimum Necessary

From the provider perspective, addressing the "minimum necessary" requirements was not an entirely new endeavor. The minimum necessary standard⁴ provided much needed clarification as to what information should be used or disclosed when exchanging information between covered entities as well as the need to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.

Addressing the "minimum necessary" standard for access to protected health information (PHI) by workforce members was not necessarily a new concept. Healthcare organizations and providers have always emphasized access by "need-to-know," but the Privacy Rule required that this be addressed more formally. A policy was developed to address uses and disclosures by workforce members and uses and disclosures to other covered entities. The policy defined "role-based" access and provided sample grids as well as a sample "Request For Access to Organizational & Protected Health Information" form.   Of note, prior to the development of this policy, the control of access to PHI by workforce members ranged greatly. Not all organizations had previously addressed access based on position or job responsibilities.

From the health plan perspective, the minimum necessary standard required evaluation. The Trust protected health information is maintained electronically in a claims system and a records management system. The various plans administered by the Trust shared information so employees of non-covered HIPAA plans had access to HIPAA governed information. Information of HIPAA covered plans was accessible to all employees working for all benefit plans. The unwritten rule was an employee would access only information on insured information necessary to perform their job duties. Each department completed an extensive review of the claims system and records management system to determine what information was necessary for each plan and each job position in the organization. A policy was developed to address access based on job position or responsibility.   Since auditing of access did not exist to determine if employees were only accessing their plan information, programming of the records management system addressing segregation of records by plan occurred.   A form for access and a written procedure were developed addressing the completion of the form and departmental responsibilities for access requests.

Applying the minimum necessary standard to disclosures and requests resulted in departments categorizing the entities the Trust requests and discloses information, categorizing the purpose of request and disclosure, and identify the document content to disclose and request in detailed policies and procedures. Policy and procedure were created for department and companywide.

Research and Data Requests

Research proved to be a greater challenge to Ministry than initially thought. In part, this was due to a wide range of research activities across the Ministry organizations. Those organizations that actively pursued research had active Institutional Review Boards (IRB's) that provided great assistance in developing a HIPAA-compliant research policy. Fortunately, the Department of Health & Human Services provided additional guidance⁵, which helped providers understand the impact of this standard. The organizations with the establish IRB's were able to quickly integrate the policy. For those organizations not involved in research, the greatest challenge seems to be related to responding to external research requests.

For a health plan, three methods to respond to data requests are available according to HIPAA: De-identification, Summary, and Limited Data Set. De-identification provides the greatest privacy since eighteen identifiers are removed and the information can be disclosed to anyone for any purpose. The de-identification provision of the covered entity does not have knowledge that the information could be used alone or in combination with other information to identify an individual who is the subject of the information raised challenges since small school districts with 30 employees are insured. The disclosure of de-identified information for these districts could identify individuals in cases such as high dollar claims and disease population requests.

Summary information is limited to disclosures to the employer who sponsors the health plan. Summary information summarizes the claims history, claims expenses, or type of claims experienced by individuals for whom an employer plan sponsor has provided benefits under a group health plan and meets the requirements of de-identified information except the zip code is identified and the covered entity does not have to apply the knowledge provision. Summary information is intended for limited disclosure of information to employer plan sponsors for only two specific purposes:

• When the plan sponsor needs the information to obtain premium bids from health plans for health insurance coverage under group health plan.
• When the plan sponsor needs the information to modify, amend, or terminate the group health plan.

The limited data set is intended for recipients who perform research independently. The data set includes all dates and all geographic subdivisions other than street address. It is challenging to apply the limited data set procedures to non-clinical research since the Privacy rule discussion addresses clinical research. Procedures and a data use agreement were created for data requests.

The Steering Committee with input from the Actuarial and Eligibility Departments concluded that most of the requests from individuals other than employer plan sponsors would be addressed using de-identification. Most data set disclosures are to the Trust business associates at our request for a payment or health care operations activity.

Complaints

From the provider perspective, it was deemed important to build on existing customer satisfaction processes to address privacy complaints. However, with the Privacy Rule's standard that would allow patients an avenue for external investigation by the Office of Civil Rights, it was highly desirable to enhance the existing processes to take privacy concerns into consideration. At Ministry, a policy was developed on "Responding to Privacy Related Complaints." The policy supplements organizational patient satisfaction/complaint policies and processes. The policy addresses those specific Privacy Rule requirements and offers a sample privacy complaint log and an investigation record for organizations to utilize if so desired.

Workforce education and training is provided to ensure that all staff members respond appropriately to patient privacy concerns. Additionally, the training also focuses on resources for assisting with responding complaints. In the first six months of HIPAA implementation, most of the complaints received were in regard to confusion about the "Notice of Privacy Practices." In the last six months, the complaints are more specific in nature and related to events. Of note, one of the more troublesome areas with regard to privacy complaints relates to caring for colleagues. Ministry has noted that employees as patients tend to raise troublesome issues which include: 1) maintaining the separation of employment information for patient protected health information; 2) responding to inquiries when the employee/patient has openly shared their health status; 3) visitors; 4) supervisory need-to-know issues when attempting to determine staffing needs. Ministry has identified this as a key priority for the next year and has included "caring for colleagues" as a component of leadership orientation.

Since insurance companies in the state of Wisconsin are required to have in place complaint and grievance procedures, the Trust had an existing process for addressing complaints and grievances within the Office of General Counsel.⁶ It was necessary to update the existing written complaint and grievance policy and procedure to include the process of complaints made directly to the Privacy Office and include a process for such complaints to be handled through the Trust's Wisconsin required procedures.

Security Rule Implementation Issues

The HIPAA Security rule requires that all electronic information must be reasonably and appropriately protected to maintain its confidentiality, integrity and availability. The rule has implementation specifications identified as "required" and "addressable" safeguards. All "required" specifications must be implemented. Twenty-two specifications are "addressable" and a covered entity must evaluate the reasonableness and appropriateness of the specification for the environment to implement the safeguard.

As previously noted, Security Rule implementation presents entirely different challenges and opportunities for providers. While every attempt will be made to build on the success of the privacy implementation, clearly providers will need to be open-minded as to different implementation processes.   Of concern, there seems to be less resources, policies, and guidance available for security implementation. Also a challenge is working with information technology professionals who have rarely before been subject to standards or regulations impacting their work. With Privacy, providers had a long legacy of working with the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) standards, state and federal regulations.

Another challenge with security implementation is the wide diversity of different IT teams approaching different security issues. With privacy, one team was responsible for implementation. With security, there are multiple teams assigned to different implementation tasks. Ministry must also consider the balance of dealing with ePHI and general business information. It seems reasonable to develop policies and practices that cover both.   Ministry has developed a HIPAA Security Rule Strategy Document as well as a Security Rule Implementation Work Plan.

The Trust's Security Rule implementation began with a HIPAA Security Rule gap analysis. Ernst and Young performed the gap analysis and identified the standards of the Security Rule which were met by the Trust at that time, as well as those standards still unmet. The Information Systems (IS) Department then outsourced with a Managed Security Service Provider (MSSP) to provide a programmatic approach to security for the Trust. The MSSP employs staff with significant experience in securing regulated environments. The MSSP staff also has documentation available for use in implementing reasonable and appropriate security practices. Prior to IS entering into a contract with a MSSP, the HIPAA Steering Committee appointed the HIPAA Compliance Specialist to the HIPAA Security Officer role.   This occurred in November, 2003. The relationships between the HIPAA Security Officer and the MSSP firm were outlined in the contract with Isthmus Group, Inc., the selected MSSP.

The HIPAA Steering Committee had previously concluded that a risk analysis was required; the HIPAA Security Officer concurred. A contract for the required HIPAA risk analysis was entered into with the MSSP. The MSSP obtained information about the Trust's people, processes, data, technology and facilities through documentation review, exhibits, data flows, interviews and system demonstrations. A risk analysis, or risk assessment, includes a threat assessment, vulnerability pairing, and residual risk determination.⁷ To assist in identifying the Trust's vulnerabilities, numerous interviews with management, business units and information systems staff members occurred during the months of March and April of 2004. The Centers of Medicare and Medicaid Services, the National Institute for Standards and Technology and the National Security Agency's threat identifications were used as a baseline to correlate with the vulnerabilities identified.

In order to determine reasonable and appropriate remediation of security risks identified in the Trust environment, the impact of those risks if a security breach were to occur were categorized as high, medium, or low impact as defined by the Trust executive staff in May 2004.

The HIPAA Steering Committee will apply the impact scale, as defined above, to each risk identified, in order to assign a risk rating. The HIPAA Steering Committee will then prioritize the risks and determine how best to transfer, limit or correct, or accept the risks identified. The MSSP will provide the HIPAA Steering Committee with recommendations for addressing risks that are reasonable and appropriate for an organization of the Trust's size and business.

Recommendations may address: assessment activities; policies and procedures; information system and network architectures; business processes; technology and products solutions; logging, monitoring or auditing; training and awareness; and compliance. When the HIPAA Steering Committee decides on the recommendations to implement, the HIPAA Security Officer will manage the work plan outlining the deadlines and department responsibilities for the implementation of the HIPAA Steering Committee recommendations.

Ongoing Compliance Program

Audits & Incident Reporting

As a network of multiple health care providers, Ministry felt very strongly that it was important to develop a comprehensive HIPAA Privacy Rule Compliance Plan. This plan was developed in the 3 rd Quarter of 2003 and approved in the 4 th Quarter. The Office of Inspector General's recommended "elements of a corporate compliance program⁸" provided a framework for the plan. Along with the development of this plan, a "HIPAA Privacy Compliance Audit" tool was developed. In addition to the audit tool, a "Compliance Checklist for HIPAA Privacy-Walk Through" tool was developed for quarterly privacy "rounds." The objectives of the compliance plan are:

• To ensure that all Ministry organizations, workforce members, and business partners understand and fulfill their obligations to comply with regulations governing patient privacy, transaction and code sets, and security.
• To identify and resolve factors within Ministry organizations that may lead to risk of noncompliance with HIPAA regulations.
• To ensure that HIPAA compliance is continuously maintained and monitored throughout Ministry organizations.

The development of the compliance plan took into consideration the limited resources of the privacy officers at the local level and attempted to focus on indicators that were already in place or easy to address. The monitoring indicators included:

• Provision of Notice of Privacy Practices
• Workforce Education and Training
• Walk-Through HIPAA Assessment
• Review of Patient Concerns
• Privacy Breaches
• Corporate Level Privacy Audit

In the last quarter of 2003, approximately twenty Ministry organizations were audited. The audit tool was utilized and results were reported to each local organization as well as the corporate board of directors.

The Trust's HIPAA Compliance Plan is in place to ensure that all employees and business associates understand and fulfill their obligations to comply with the regulations, to identify and resolve aspects that may lead to risk of noncompliance, and to ensure that compliance is continuously maintained and monitored.

No formal risk management process existed, therefore an incident reporting policy and procedure was a new concept for the Trust. In March 2003, an occurrence reporting process was implemented to document any violations of the Privacy rule's policies and procedures. Any time an employee believes that an insured's health information privacy was compromised, an occurrence report is submitted to the HIPAA Compliance Specialist. Since the reporting process was a new concept for the organization, staff were informed that the completion of the report is a means for improving our processes and not intended as a punitive process.

Staff embraced the process and identified situations that were compromising participant's privacy. As an example, a provider may be paid for services rendered to a participant that the provider did not provide services requiring a refund to be received. Initially, each time the refund department identified this situation an occurrence report was completed since a participant's information was disclosed to a provider that had no relationship with the participant. Since these violations were repeatedly occurring and to save staff time in completing the occurrence report, a quarterly report from the Refund Department to the HIPAA Compliance Specialist was implemented. The Claims Administration Department receives the report and communicates to employees the number of occurrences at the department meeting with review of the procedure for choosing the participant when paying a claim. The Trust handles over a half million claims in a quarter and the number of misdirected disclosures is under one hundred. However, the accounting of such disclosure is recorded through the use of this report.

The HIPAA Compliance Specialist investigates the alleged violation and recommends corrective action. If the corrective action is procedural, the involved department's privacy specialist is contacted to assist in the implementation of the recommendation. If employee sanctions are determined necessary, the Privacy Officer contacts the involved employee's manager and human resources to carry out the sanction.   The Steering Committee receives a quarterly report of the occurrences reported. The majority of the 45 occurrences as of April 2004 involved procedural corrective action with communication to employees.

In addition to occurrence reporting to assist in identifying and resolving aspects that may lead to risk of noncompliance, a "HIPAA Privacy Walk-through Checklist" was developed for yearly privacy "rounds" unless findings warrant more frequent completion. In April 2004, all departments were audited using the checklist and the results were communicated to all Privacy Specialists to share with all department employees. The Internal Audit Department in the course of other audits will assist in keeping the Compliance Department informed of any potential privacy issues. Other monitoring indicators include access control of systems, employee education and training, and business associate agreements.

Assistance of Managing HIPAA

State-wide Collaboration

As noted earlier in the paper, the HIPAA Collaborative of Wisconsin was the most valuable example of statewide collaboration. With time, representation on the board of directors grew allowing for a more comprehensive and diverse approach. HIPAA COW has developed several "deliverables" which cover policies, forms, preemption analyses, etc. These "deliverables" have encouraged uniformity of practice among payers, providers and clearinghouses.

The HIPAA COW has also taken a strong role in providing HIPAA training and education in Wisconsin. HIPAA COW sponsors three general sessions each year focusing on key HIPAA implementation issues. In 2004 the sessions are transitioning from privacy and EDI to security. Additionally, HIPAA COW encourages further interactions by sponsoring roundtable sessions to bring stakeholders together. Finally, HIPAA COW is not working closely on a new project - establishing uniform guidelines for disclosures with law enforcement agencies in cooperation with the State Attorney General's Office.

Community of Practice

AHIMA's Communities of Practice (COP) have provided privacy officers with valuable and immediate HIPAA Privacy Rule information. While there are several COP's, the most valuable in assisting with HIPAA implementation efforts are:

• HIPAA
• HIPAA Privacy Officers
• Patient Security
• HIPAA for Community Hospitals
• HIM Professionals in IT Roles
• Compliance

Networking

From the provider and plan perspective, there is a wealth of networking opportunities through national and state resources. Additionally, the American Hospital Association (AHA), Healthcare Information and Management Systems Society (HIMSS), Workgroup for Electronic Data Interchange (WEDI) and others have been valuable resources. Ministry Health as a member of the Catholic Health Association also had the opportunity to share resources and benchmark with other Catholic healthcare providers. WEA Trust through HIPAA COW has the opportunity to share information with other plans in the Wisconsin.  

References:

American Health Information Management Association, Communities of Practice (Multiple). Available at: http://www.ahimanet.org/COP [site no longer available]

"Elements of a Corporate Compliance Program," Office of the Inspector General. Available at: http://www.oig.hhs.gov/fraud/complianceguidance.html

Health Insurance Portability and Accountability Act of 1996, Final Privacy Rule, Published: August, 2002; Effective: April 2003. Available at: http://www.cms.hhs.gov/hipaa/hipaa2/regulations/privacy/default.asp

Health Insurance Portability and Accountability Act of 1996, Final Security Rule, Published: February, 2003; Effective: April, 2005. Available at: http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp

HIPAA Collaborative of Wisconsin (HIPAA COW).   Available at http://www.hipaacow.org

Hughes, Gwen, and Beth Hjort. "Practice Brief: Understanding the Minimum Necessary Standard (Updated)," Journal of the American Health Information Management Association, March, 2003.

United States Department of Health & Human Services, "How can Covered Entities Use and Disclose Protected Health Information for Research and Comply With the Privacy Rule," May, 2003. Available at: http://privacyruleandresearch.nih.gov/pr_08.asp

End Notes:

1. About WEA Trust, "Facts & Figures". Available at www.weatrust.com .
2. "Authorization/Informed Consent for Use and Disclosure of Health Care Information Grid - Wisconsin Statutes and the Federal Privacy Law," HIPAA Collaborative of Wisconsin, January, 2004. Available at http://www.hipaacow.org .
3. "Health Insurance Portability and Accountability Act of 1996." Public Law 104-191. December 28, 2000 Preamble, Page 82639. Available at https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/administrative/privacyrule/prdecember2000all8parts.pdf?language=es.
4. §164.502(b) Uses and Disclosures of Protected Health Information: General Rules - Minimum Necessary. Health Insurance Portability and Accountability Act of 1996. Available at http://www.os.dhhs.gov/ocr/regtext.html.
5. "How can Covered Entities Use and Disclose Protected Health Information for Research and Comply With the Privacy Rule." May, 2003. Available at http://privacyruleandresearch.nih.gov/pr_08.asp .
6. Commissioner of Insurance Administrative Code Chapter Ins 6.   Available at www.legis.state.wi.us/rsb/code/ .
7. "The HIPAA Final Security Rule in Plain English.", Sostrom, Kristin and Collmann, Jeff PhD, p.4. HIMSS CPRI Toolkit.
8. "Elements of a Corporate Compliance Program." Office of the Inspector General. Available at: http://www.oig.hhs.gov/fraud/complianceguidance.html .