| There was a time, not so many years ago, when | | | | regard to how changes affect security and |
| the Compliance department of a hospital was an | | | | privacy. Yet, as more and more health |
| adjunct of the Office of the Medical Director, or, | | | | information was created, stored and transferred |
| perhaps, the General Counsel. Perhaps the Risk | | | | electronically, the hospitals and medical practices |
| Manager had a Compliance hat she wore when | | | | established many offices like the office for a |
| the occasion demanded. Sure, Medical Records | | | | position of Chief Information Security. |
| had compliance responsibilities, but they mostly | | | | This trend was given a significant boost in 2004, |
| comprised making sure the appropriate forms | | | | when President George W. Bush issued an |
| were completed (such as Operative Reports, or | | | | Executive Order setting in motion a national |
| Discharge Summaries). | | | | transition to an interoperable electronic health |
| In the late 1990's, the trend toward digitization of | | | | record system by 2004. Funding for this initiative |
| electronic health records raised new health care | | | | was established on a regional basis with grants in |
| compliance concerns: privacy and security. HIPAA, | | | | legislation established by Congress (Hillary Rodham |
| which is an acronym for the Health Insurance | | | | Clinton was a sponsor of one of the first bills). |
| Portability and Accountability Act of 1996, did not | | | | The Office of National Coordinator of Health |
| originate in health care compliance, at least not | | | | Information Technology was established in 2004, |
| directly. The focus was portability. The goal of | | | | but there was little coordination because regions |
| HIPAA was to allow a company's employees to | | | | of the country were slow to adopt the new |
| move from job to job without their health | | | | technology, in light of the challenges of hospital |
| insurance being affected as a result of denials of | | | | economics (thin margins, slow reimbursements, |
| enrollment because of preexisting conditions. Yet, | | | | etc.). Medicare stopped taking paper claims |
| HIPAA lawyers (yes, the term was coined during | | | | submissions, but there was still significant |
| this time) realized that health insurance companies | | | | resistance among care givers to give up the pen |
| had to perform certain actuarial calculations in | | | | and paper. |
| order to assess risk and set premiums, and, to | | | | In February, 2009 legislation was passed which |
| that end, they had to review the claims | | | | would almost require every Risk Manager and |
| experience. The only practical way to do that was | | | | Compliance Officer to have at least a rudimentary |
| to review the codes used for those claims. | | | | knowledge of HIPAA law, as it pertained to |
| The problem is that these codes are not | | | | electronic health records. As part of the American |
| standardized. Every state has their own set of | | | | Recovery and Reinvestment Act Congress |
| codes. This incited aides to the Congress and | | | | passed Health Information Technology for |
| Dept. of social services to create a single, unified | | | | Economic and Clinical Health (HITECH). In a reprise |
| set of claims codes. Yet, as with most things | | | | of the concerns which led to the implementation |
| legislative, this begat another concern: this | | | | of the HIPAA Privacy and Security standards, |
| constant transfer of data meant that there was | | | | HITECH did three things that will change the daily |
| the possibility of huge security holes wherein | | | | activities of Risk Managers, hospital counsel, |
| unscrupulous individuals or businesses could grab | | | | Privacy Officers and IT and Security Officers. The |
| data and use it for nefarious purposes. As a | | | | first thing it does, is provide $30 billion to |
| result, DHHS allowed for comments about medical | | | | incentivize the transition of health record systems |
| privacy issues. They received nearly 40,000 | | | | that are interoperative. The law, enacted on Jan. |
| comments about health information that had been | | | | 13,2010, establishes criteria for access to those |
| mishandled with regard to its privacy. These | | | | funds, allowing only those who can exchange data |
| stories led to the HIPAA Privacy Rule, in which | | | | in an accurate and secure manner. In addition to all |
| criteria for use and disclosures of medical | | | | that, the third way in which it affects the |
| information were established. Soon after, there | | | | healthcare industry is that it requires that all |
| were a number of rules instituted that dealt with | | | | information is accessible in a way that is |
| the manufacturing of, the storage of, and the | | | | consistent and buttressing old HIPAA privacy and |
| ultimate disclosure of protected health information. | | | | security standards. Such a mandate is made even |
| The combined Rules exceeded 600 pages, and | | | | harder, however, by the fact that HIPAA rules |
| thus a category of healthcare counsel known as | | | | were expanded and strengthened as a result of |
| "HIPAA Law" was born. | | | | the act. |
| Since then those who know HIPAA law has | | | | As hospital staff are made aware of these new |
| become almost a cottage industry within the area | | | | regulations, despite being in the middle of a |
| of healthcare law. As Healthcare law has become | | | | recession, there is no doubt that lawyers will we |
| more robust, and areas like healthcare compliance | | | | be called upon by hospitals. Healthcare compliance |
| have been added, lawyers have had to learn | | | | will truly become HIPAA compliance. |
| more and more about the industry especially with | | | | |