by John Otrompke

The years of wrangling are not quite over. On March 21, 2002, the Bush administration proposed repeal of the consent requirement portion of the HIPAA rules scheduled for compliance by April 14, 2003. That part of the rules, requiring a doctor or hospital to get consent from a patient before using or disclosing medical information for treatment or reimbursement, is now the topic of political debate. It is not, however, the aspect of HIPAA that will have the greatest impact on the clinical laboratory.

Nor should standardization of electronic data transmissions be especially onerous to the clinical lab. Although labs are responsible for over two-thirds of billable information in a patient’s medical file, most use an outside source to process financial transactions such as insurance reimbursement.

Over the coming year, however, labs do have their work cut out for them to assure compliance with the privacy and security standards for individually identifiable health information.

Brenda Carvon, Product Manager at Siemens Medical Solutions Health Services

According to Brenda Carvon, Product Manager at Siemens Medical Solutions Health Services in Malvern, Pa., “Recommended preparation for the laboratory includes a HIPAA readiness assessment so appropriate policies and procedures can be put in place. Look at all points where patient identifiable data is available – from courier services, to specimen labels, testing and results reporting. IT support services are another important consideration. With the amount of information to be audited, customers are faced with the dilemma of meeting HIPAA requirements while maintaining cost-effective information technology solutions.”

The basics of HIPAA
The HIPAA law was enacted with the understanding that more uniform and comprehensive data should mean more efficient reimbursement and better patient management. The increased ease of data sharing, and the necessity to monitor access to private patient information, bring increased security concerns with them as well. If it is possible to link healthcare information to an identifiable individual, she or he has the right to consent to (or know the policies regarding) the release of information, and also the right to know who has had access to that information.

Backing up these mandates is the threat of economic sanctions for noncompliance. Civil penalties may amount to $100 per violation, not to exceed $25,000 per calendar year. For knowing or willful violations, however, the law brings criminal penalties into play: these range from $50,000 and/or one year in prison all the way up to $250,000 and/or 10 years in prison.

Nonetheless, onlookers are not concerned that the penalties themselves will be harshly applied. “The Department of Health and Human Services (DHHS) is going to work with providers, and we’re not going to see big penalties right off the bat,” said Peter Kazon, a partner in the biotechnology law practice of Mintz Levin Cohn Ferris Glovsky and Popeo.

Meeting standards is easier for labs
Clinical labs in some ways will have an easier time than most providers adjusting to new standards of the law, whether the final rules include the original consent provision, or a more lenient “notification” of patient rights now proposed. The “indirect treatment provider” provision of the HIPAA law eases the burden of compliance for the lab. According to Kazon, an indirect treatment provider is usually “carrying out the orders of another health care provider, like a physician.” The physician who orders the test, rather than the lab that performs it, would be responsible for the consent or notice for the exchange of data resulting from the lab’s analysis.

HIPAA also assures patients the right to inspect and copy their medical records, and to request modifications. That requirement is superseded in most states, however, by an existing Clinical Laboratory Improvement Act (CLIA) provision which permits labs to provide results only to an authorized person, as determined by state law.

The roadmap to compliance
Some labs have a head start on compliance with the more challenging aspects of HIPAA because their information technology systems include internal standards set to meet the new requirements. Those that do not will need to upgrade, particularly in the area of audit capability. Siemens, for example, has a standard logging mechanism that has been incorporated not only into its lab systems, but throughout the provider’s network (e.g., pharmacy, radiology, etc.). In the spring of 2000, Siemens donated this system to enable an industry-wide solution for standards development. The goal was to give the industry a starting point for a standardized audit record that any system could emit, so there could be a common storage and archive record, allowing the kind of accounting of access to data that parallels the security regulations involved in credit reporting.

Siemens has also been active in the Workgroup on Electronic Data Interchange (WEDI) that has sponsored a cross-industry effort to develop a national HIPAA rollout roadmap. This initiative, with a cross-section of participants, provides ongoing updates as organizations move through implementation and into compliance. Updates are available on the Web at www.wedi.org.

Siemens’ Carvon equates the process to the Y2K initiative. “We recommend that you evaluate your lab information system for its ability to support your HIPAA readiness plan. Unlike the single event of Y2K, however, HIPAA is an ongoing process, involving a continuous evaluation and re-tooling to enable oversight and monitoring of changes, even changes as simple as doing business with a new courier. Efforts may revolve around limiting the number of people who can look at patient data, and maintaining agreements with business associates that build in similar safeguards.” Model provisions for contracts with business associates have just been issued in the proposed rules modification.

Once again, labs are well positioned to comply. Notes Carvon, “As a laboratorian myself, I can tell you that the technologists in the lab are very professional, and even without HIPAA, they really understand the confidentiality of the information they are dealing with, so they already follow procedures that are very privacy sensitive.” Of greater concern is how to protect information once it leaves the lab, particularly if it’s sent to a fax machine, a pager, a wireless device, or an internet website. The same modern data sharing tools that can contribute so much to improving patient care also present the most important frontier for privacy protection.

The wireless connection
Health data security is a growing concern for clinical labs, with analysts predicting that the use of wireless devices by physicians to order and download lab tests will increase dramatically.

“In the second generation of wireless devices, we’re expecting applications to be more complex, and less dependent on servers. They’ll be more capable of storing data on the device itself,” said Brad Holmes, a senior analyst at Forrester, a business technology consulting firm. This trend will affect labs to a significant extent. For example, Siemens manufactures a system called Siemens Health Enterprise Dashboard, which gives doctors access to health information over the internet. Siemens also produces a handheld device called Clinical Summary, which can access lab results. The nagging problem with all of this, at least as far as patient privacy is concerned, is device loss. According to Brad Holmes, 30% of people lose their handheld devices each year. Nonetheless, the trend continues. “The big lab companies are giving doctors the ability to access the system for test ordering and retrieval,” Holmes said.

Many of these handhelds have built-in compliance features, such as use of password logons and data encryption to protect information in the case of device loss. “We recommend automatic purging of health data after a certain amount of time; for example, the user can set it up to purge after 8 hours,” said Kevin O’Rourke of Siemens.

The protections built into a device or wireless system do not change a basic fact – it is the user who is responsible for ensuring compliance with HIPAA. “We speak of devices which are HIPAA-ready, not HIPAA-compliant,” said Forrester’s Brad Holmes. “Organizations and people bear that burden.”

John Otrompke is a recent law graduate in Chicago, and is currently awaiting admission to the bar.