HIPAA hopefuls get religion from privacy guru

SAN FRANCISCO - The roomful of healthcare lawyers seemed hesitant at first. They hadn't come to be converted, but to learn about Health Insurance Portability and Accountability Act (HIPAA) privacy rules that could be finalized any day now.

Yet HIPAA guru Alan Goldberg seemed to have something bigger in mind -- something more like religion. He smiled proudly as his new flock recited the "HIPAA Pledge" in unison, their voices growing stronger with every breath.

"I pledge to preserve, protect, and defend the security, privacy, and confidentiality of protected, individually identifiable health information to the best of my ability -- and in furtherance of the best interests of 280 million patients!" the lawyers shouted.

"Praise HIPAA!" Goldberg exclaimed. "You are now officially designated HIPAA heroes. You're members of the ministry of the spirit of HIPAA. In times of rapid change, learners inherit the earth."

Goldberg, an attorney with the Boston law firm of Goulston and Storrs, spoke Thursday about the requirements for corporate HIPAA compliance plans at a San Francisco conference entitled E-Health and the Information Age, sponsored by the American Health Lawyers Association.

Experts like Goldberg are in high demand these days. The Health Insurance Portability and Accountability Act of 1996 will require plenty of learning -- and tongue-in-cheek enthusiasm like Goldberg's, for that matter. The sweeping U.S. law applies to health plans, clearinghouses, and providers who submit healthcare transactions electronically using industry-standard protocols.

Eight standard transaction formats for administrative and financial healthcare exchanges make up the administrative simplification portion of the act, finalized on August 17, 2000. Other provisions cover identifier codes (proposed), security and electronic signature standards (proposed), and standards for the privacy of individually identifiable health information (proposed).

The last bit, also known as the final security rules, has stirred the passions and fears of the medical community because of the heavy security burdens it will impose for safeguarding "protected health information," or PHI, beginning in 2003. The U.S. government's wide-ranging estimate pegs compliance costs for the privacy rules alone at between $3.8 billion and $38.3 billion for the first 10 years (mostly up-front), potentially more than enough to wipe out projected savings of $29.9 billion over the same period.

The security rules were supposed to be finalized by now, and while it's rumored that the U.S. presidential battle has delayed their release, it's a minor point to legal experts, who say they'll be very similar to the proposed rules already in hand.

Healthcare providers have good reason to be enthusiastic about compliance -- first and foremost to avoid civil and criminal penalties. Investigations and prosecutions for reimbursement fraud are widespread, and the pressure to maximize reimbursements demands that providers take great pains to stay on the right side of the law.

The HIPAA penalty for each wrongful PHI disclosure is $100, for example, with fines topping out at $25,000 for each type of wrongful disclosure. Penalties can add up pretty fast for providers who disclose information wrongfully, then repeat the mistake for multiple patients, Goldberg said. Another presenter called the proposed fines "death by a thousand cuts."

But HIPAA has its good side. In general, penalties won't be assessed on those who wrongly but innocently supply information in the course of medical treatment, billing, or operations.

"That's good HIPAA," Goldberg said. And then there's bad HIPAA. "Really bad HIPAA is $50,000 [in penalties] and prison for a year if you disclose information under false pretenses. And the worst possible HIPAA you can have is the sale, transfer, or use of individually identifiable health information for commercial advantage, personal gain, or malicious intent," he said.

Under certain circumstances, HIPAA requires the disclosure of PHI to law enforcement agencies and to the U.S. Department of Health and Human Services (DHHS) for monitoring purposes. Under other circumstances involving treatment, payment and healthcare operations, and other government purposes, disclosure is allowed but not required. The rules are complex, and they don't stop there, Goldberg said.

"Even if you can use and disclose, you still have to make a reasonable effort to use only that part of the information that's necessary for your purpose.... Any time the regulations don't require the use or disclosure of information, you need individual [patient] authorization," he said, adding that he hopes that provision will be relaxed a bit in the final rules.

At the same time, it's illegal to obtain patient authorization for a use or disclosure that would otherwise be permitted under HIPAA, which renders most blanket authorizations illegal.

Patients can inspect and copy their medical records under HIPAA, and they have the right to obtain an accounting of disclosures outside the normal range of treatment, payment, and internal operations uses, Goldberg said. They can also restrict the use or disclosure of information, and they have the right to correct incorrect information in their patient records.

"It's very important to get the risk-management team, including legal counsel, involved in all requests to change information," he said. For example, a patient might want to amend his medical record to note that he's had headaches for 10 years. The "correction" could be a headache for the provider when the patient files a malpractice suit alleging that his complaint was ignored, Goldberg said.

"We're also dealing with state and federal confidentiality, privacy, and security laws that are different from HIPAA," he said, citing the False Claims Act, anti-kickback laws, wire and mail fraud, healthcare fraud and consumer protection laws that can wield far greater penalties than HIPAA.

"There's lots of law in the jurisprudence...and it's developing every day. So we have to develop our corporate compliance programs, not necessarily only to deal with HIPAA, but to deal with other areas as well, [such as] patients and their families who are the prospective plaintiffs, as well as class-action folks."
