October 27, 2003
County News

The H.R. Doctor Is In
Fun With HIPAA

The same federal government that brought us the Fair Labor Standards Act (FLSA), the Family Medical Leave Act (FMLA), and so much more, has done it again.

This time it’s another giant set of regulations called the Health Insurance Portability and Accountability Act (HIPAA). The first phase, privacy regulations, took effect in April. If you liked the Fair Labor Standards Act, you are going to love these HIPAA rules!

HIPAA, like its other federal predecessors, is very well meaning. The law actually took effect in 1997 with regard to health insurance "portability." The privacy compliance regulations are only now taking over our bodies. The regulators who spend much of their lives in cubicles in federal offices in Washington, D.C. had a noble purpose in mind when they met at several hundred staff meetings to create rules which would respect and protect privacy. Who would be against that? Who could be against prevention of my personal medical information being disseminated to individuals and organizations without my permission?

Unfortunately, between the moment of conception of a law to secure "Protected Health Information" (PHI), and the birth of the thousands and thousands of pages of regulations, which we will all come to know and love as HIPAA, strange things seem to have happened. The result of the law’s vagueness will be that interpretations will come less from the Department of Health and Human Services and more from hundreds of court decisions.

The expenditure of millions of dollars in legal fees will follow, not to mention literally lifetimes’ worth of staff time spent trying to figure out what the law really means and how we can live with it. At least we can take some solace in the fact that the cumulative stress disorder, the eye strain, and the clinical depression, which will afflict practitioners as a result of HIPAA, will involve information that may not be released without the patient’s approval!

In this article, the HR Doctor offers colleagues in public administration some practical advice about implementing the spirit of HIPAA, while keeping off the radar screens of regulators and plaintiffs’ attorneys. Of course, in offering these views, there are never any guarantees. As proof of this, the HR Doctor recalls the complaint filed by wage and hour regulators at the Department of Labor alleging that DOL itself has failed to properly implement the Fair Labor Standards Act when it came to the regulators’ overtime.

This advice comes only after giving considerable thought to HIPAA, reading as much of the regulations as could be tolerated without taking pain relievers, and consulting with good friends, especially the very knowledgeable Montana Fly Fisherman Terry Humo, Esq., who is the author of the Thompson Publishing Group’s HIPAA Guide and reviewing editor of the Thompson Privacy Guides.

The treatment for acute exposure to HIPAA regulations includes the following:

1. Designate one management employee as the organization’s "privacy official." Of course, do this in writing since the HIPAA monster will require reams of paperwork in order to be properly fed. Most organizations can easily manage with one person designated to be responsible for these duties as an adjunct to other work assignments.

Some cities and counties, such as those that operate county hospitals, or public or mental health clinics, may be better served by having an overall privacy official and another person with delegated privacy responsibilities in specific clinical areas.

2. Create an organizational privacy statement not unlike the agency’s policy statement on non-discrimination or opposition to workplace violence or sexual harassment. The policy should reference the organization’s commitment to safeguard protected health information in accordance with HIPAA regulations. There are other required elements and formats to be followed.

3. The statement should be provided to every employee of the organization and to new employees during their orientation. There should be records kept to ensure that the organization can demonstrate that employees were provided with the privacy policy and had the chance to ask questions about it.

4. If your agency buys insurance coverage from health insurance providers, as most do, ensure that the contract, as well as the plan documents and other educational materials, includes a provision in which the insurance company or managed-care provider acknowledges its responsibilities under HIPAA and commits to manage its business in accordance with the regulations.

For organizations that have self-insurance programs, the subcontractors, such as third-party administrators, physician-network providers and information-systems organizations, including those that handle open enrollment for the agency, also should have provisions in their contracts committing to honor their responsibilities under HIPAA. These business associates are also covered by HIPAA privacy rules and must comply; however, it won’t hurt the county or city to seek the comfort of calling for compliance again in agency contracts.

5. In addition to providing a policy statement to employees, a special dose of additional training is required for employees involved in providing health care or in handling health information. These include all employees who work in hospitals and clinics run by the agency, paramedics who provide health care as first responders, firefighters who may perform similar roles, and HR staff who might be involved in the administration of health insurance, workers’ compensation, employee assistance, or similar programs.

These employees will have access to protected health information and should receive documented training, which makes them aware of their basic responsibilities for non-disclosure of information. The training should be repeated periodically so that, once again, "life with HIPAA" can be thoroughly documented as one of the many exhibits in any subsequent litigation.

6. A key focus for HIPAA will involve safeguards in the electronic transmission of protected health information. No director of information technology should be allowed to park his or her SUV in the parking lot without proving that they know an awful lot about HIPAA electronic-information protection and are capable of guiding the agency.

Automated information systems need to be reviewed and amended to limit access and to document each instance of use of protected health information. It is more than simply arguing that "our system already has firewalls," since the issue goes well beyond protecting information from outside hackers.

The protected health information must be safeguarded within the system against unnecessary and unwarranted disclosure. The information system must also create a record of transmission for future review and corrective action.

7. In the training that employees should receive, include a reminder to be extremely sensitive to even unintended disclosures of health information. The idea of protected health information is so vague that over-zealous plaintiffs’ attorneys could argue that the get-well cards we circulate when a colleague is seriously ill may violate that person’s privacy!

Collecting money or sending a card or flowers around to a person in the hope that their gall bladder surgery went well and that they will be back at work soon could, arguably, be interpreted as a violation of HIPAA and lead to multiple Crown Victoria 4-door sedans with blackwall tires pulling up in front of your office and unloading enforcement agents!

Hopefully this scenario is a great exaggeration; however, stranger things have happened in our history of sumo wrestling with the Fair Labor Standards Act. Remember the cases of canine officers and horse-mounted officers claiming that counties and cities owed them time and one-half payments retroactively for the time they spent playing fetch with "Officer Fido"? As amazing as that notion seemed, just a few years ago, it resulted in literally hundreds of claims, lawsuits, grievances and expensive settlements.

8. HIPAA privacy regulations took effect in April for "large" plans. Organizations which administer smaller plans, involving premiums or claims valued at $5 million or less, generally have another year before HIPAA will seep into their lives.

If your plan is self-funded, the measure is the value of claims. If the plan involves purchased insurance, the measure is the value of premiums. However, don’t be complacent. Take proactive steps that are documented and that can be pulled out in a shiny notebook marked "Fun with HIPAA."

By taking a proactive posture now to implement the very important spirit behind the HIPAA regulations, rather than later when the complaint, grievance, or lawsuit papers are signed, we will position public agencies well for the years of skirmishing ahead.

Unfortunately, at the worst time of budget reductions, unfunded mandated caseloads, and cost increases in areas such as indigent health care and jail medicine, HIPAA will cause a lot of additional expenditures for already over-burdened systems. Don’t even ask! Of course, HIPAA does not come with any federal financial assistance to ease the pain of its implementation!

The HR Doctor wishes you success in managing HIPAA and reminds you not to misspell the acronym! It’s not HIPPO, HIPPY or HIPPA. Despite the good intentions here, you may come upon other ways to spell it later!

The HR Doctor hopes that all your vital signs remain private!

Phil Rosenberg
The HR Doctor


© Copyright 1996-2002 County News