San Francisco Medical Society



HIPAA and Physician Accountability

Kathleen Unger, MD

This article begins an occasional series on the impact of the Health Insurance Portability and Accountability Act (HIPAA). Originally conceived as one article, the topic proved to be too big and too important to our members for superficial coverage.

The "Portability" in the title harkens back to one of its origins: addressing the problem of workers who lose their health insurance coverage when they change jobs. The act has now vastly increased in scope. HIPAA is intended to improve the efficiency of our health care system in this electronic age, as well as improve the confidentiality of electronically written individually identifiable health care information (italics mine).

Though far from complete at this writing, some implications are clearly apparent:

  1. The new regulations will almost certainly apply to you, even if your own medical practice is not computerized. Medical information either already is, or will become, "electronic" when it leaves your office. Because sorting out whether hard copy information was ever in electronic form will prove too burdensome, the logical approach is to regard all such information as electronic.
  2. HIPAA is going to change how we render medical care in the U.S. in major, expensive, unfathomable ways (not all the software, let alone the regulations, has been written yet).
  3. It is huge. There are already 1,500 pages of incomplete regulations in the Federal Register. (Your current PDR has 3,506 pages.)
  4. It is unavoidable, a virtual juggernaut.
  5. It does not take effect until the final (not draft) regulations go through the public comment phase. The current target date of October 2002 is almost certainly much too soon an estimate.
  6. Implementing the "rules" is going to cost our health care system, as well as practicing physicians, considerable time and money.
  7. It is going to spawn at least one entire new industry (medical information "clearinghouses" which convert medical information into the HIPAA format).
  8. It is not too soon to begin the task of learning what you need to know.

The Origins

HIPAA is the child of the electronic age. As large mainframe computers gave way to the PC in the early 1980s, computer terminals became common in medical offices. Software developers were quick to write programs customized for medical uses and we became somewhat adept at using them. Hospitals began using terminals to make lab test results instantly available. Then, the writing of inpatient admission and treatment plan orders via computer was something we all had to learn.

Outpatient medical care remained a quagmire: different health insurance forms, different information requirements, endless phone calls to ascertain patient eligibility, co-payment responsibility, etc., etc.

By 1990, health care industry leaders were asking Congress to pass legislation to require the streamlining and standardizing of the healthcare payment process and to make these standards mandatory. Six long years later, the result was the Kennedy-Kassebaum Bill, or HIPAA, which President Clinton signed into law on August 21, 1996.

While Congress retained the right to pass laws regulating how healthcare information is handled, the very slowness of the bicameral process has triggered a shifting of the responsibility. Rather than Congress, the Department of Health and Human Services has taken over the process of writing the regulations that detail how to implement the provisions of the Kennedy-Kassebaum Bill.

Four Sections

The HIPAA of 1996 can be divided into four parts:

I. Electronic Data Interchange (EDI): One uniform system of recording health-related information, used nationwide, with specific rules as to the use, storage and transmission of what is very broadly defined as electronic health care information (and almost all of it originates as or becomes electronic). It will affect physicians, hospitals, insurance companies, health plans, billing services, computer software, pharmacies, etc.

II. A System of Unique Identifiers: In order to facilitate information exchange among various health facilities nationwide, this includes:
A. A unique, ten-unit National Provider Identifier (NPI) alpha-numeric code (something like # SQ37H42DA9) for each and every physician in the country. This will be maintained by a National Provider File containing detailed information on each physician.
B. A similar unique identifier will be given to every local pharmacy, durable medical equipment sales and rental business, hospital, health maintenance plan, preferred provider organization, health insurance company, outpatient physical or occupational therapy program, etc.
C. A Unique Health Care Identifier (UHID) will be assigned to every single person in the nation, either at birth or retroactively. This provision is so controversial that it has been put on indefinite hold and will probably delay yet again the October 2002 implementation date.

All of the abuses and misuses of our nation's other system of unique identifiers for individuals, Social Security Numbers, are of concern. This electronic era has the potential to multiply them exponentially. The concept that works so well for animals (yes, the grain-of-rice-sized unique identifiers that are injected into the dorsal neck fold of newborn kittens, puppies and livestock) takes on 1984-like aspects when applied to you and me. The technology for humans has been around for some time. I note that the Norplant Intradermal Contraceptive System has been in use worldwide for a couple of decades.

III. Electronic Signatures: The far-from-finalized standards must accomplish the following:
A. Identify the signatory individual,
B. Assure the integrity of the transmitted document's content and provide evidence that will make it difficult (but not impossible) for the signer to claim that the electronic document is not valid. This will require a cryptographically based digital signature, as well as authentication/identification procedures. We have obviously come a long, long way from Medicare's soon-to-be-outdated policy statement to the effect that the Internet was not secure enough to be used to transmit sensitive data.

IV. Protection of Individually Identifiable Health Care Information. This provision of HIPAA will forever change the way that sensitive healthcare information is handled. It turns traditional ideas of confidentiality upside down. At present, it contains incompatibilities with state laws and massive loopholes in the arenas of law enforcement, marketing of health care products, nonprofit fundraising, public health concerns and persons who fill out online questionnaires in order to obtain information relevant to themselves on health-promoting websites.

It places massive new duties on physicians for monitoring other business entities. This includes obtaining information from your Internet service provider (AOL, Yahoo, etc.) that is kept secret by them due to security and business concerns. As this last section of the HIPAA legislation is probably the furthest from its final form, it will be dealt with last.

Watch upcoming issues for HIPAA Part II: Electronic Data Interchange.