The H.R. Doctor Is In: Fun With HIPAA
The same federal government that brought us the Fair Labor Standards Act (FLSA), the Family and Medical Leave Act (FMLA), and so much more, has done it again. This time it's another giant set of regulations called the Health Insurance Portability and Accountability Act (HIPAA). The first phase, the privacy regulations, took effect in April. If you liked the Fair Labor Standards Act, you are going to love these HIPAA rules!
HIPAA, like its other federal predecessors, is very well meaning. The law actually took effect in 1997 with regard to health insurance "portability." The privacy compliance regulations are only now taking over our bodies. The regulators who spend much of their lives in cubicles in federal offices in Washington, D.C. had a noble purpose in mind when they met at several hundred staff meetings to create rules which would respect and protect privacy. Who would be against that? Who could be against prevention of my personal medical information being disseminated to individuals and organizations without my permission?
Unfortunately, between the moment of conception of a law to secure "Protected Health Information" (PHI), and the birth of the thousands and thousands of pages of regulations, which we will all come to know and love as HIPAA, strange things seem to have happened. The result of the law's vagueness will be that interpretations will come less from the Department of Health and Human Services and more from hundreds of court decisions.
The expenditure of millions of dollars in legal fees will follow, not to mention literally lifetimes' worth of staff time spent in trying to figure out what the law really means and how we can live with it. At least we can take some solace in the fact that the cumulative stress disorder, the eye strain, and the clinical depression which will afflict practitioners as a result of HIPAA will involve information that may not be released without the patient's approval!
In this article, the HR Doctor offers colleagues in public administration some practical advice about implementing the spirit of HIPAA, while keeping off the radar screens of regulators and plaintiffs' attorneys. Of course, in offering these views, there are never any guarantees. As proof of this, the HR Doctor recalls the complaint filed by wage and hour regulators at the Department of Labor alleging that DOL itself had failed to properly implement the Fair Labor Standards Act when it came to the regulators' own overtime.
This advice comes only after giving considerable thought to HIPAA, reading as much of the regulations as could be tolerated without taking pain relievers, and consulting with good friends, especially the very knowledgeable Montana fly fisherman Terry Humo, Esq., who is the author of the Thompson Publishing Group's HIPAA Guide and reviewing editor of the Thompson Privacy Guides.
The treatment for acute exposure to HIPAA regulations includes the following:
1. Designate one management employee as the organization's "privacy official." Of course, do this in writing, since the HIPAA monster will require reams of paperwork in order to be properly fed. Most organizations can easily manage with one person designated to be responsible for these duties as an adjunct to other work assignments.

Some cities and counties, such as those that operate county hospitals or public or mental health clinics, may be better served by having an overall privacy official and another person with delegated privacy responsibilities in specific clinical areas.
2. Create an organizational privacy statement not unlike the agency's policy statement on non-discrimination or opposition to workplace violence or sexual harassment. The policy should reference the organization's commitment to safeguard protected health information in accordance with HIPAA regulations. There are other required elements and formats to be followed.
3. The statement should be provided to every employee of the organization, and to new employees during their orientation. Records should be kept so that the organization can demonstrate that employees were provided with the privacy policy and had the chance to ask questions about it.
4. If your agency buys insurance coverage from health insurance providers, as most do, ensure that the contract, as well as the plan documents and other educational materials, includes a provision in which the insurance company or managed-care provider acknowledges its responsibilities under HIPAA and commits to manage its business in accordance with the regulations.

For organizations that have self-insurance programs, the subcontractors, such as third-party administrators, physician-network providers and information-systems organizations, including those that handle open enrollment for the agency, also should have provisions in their contracts committing to honor their responsibilities under HIPAA. These business associates are also covered by HIPAA privacy rules and must comply; however, it won't hurt the county or city to seek the comfort of calling for compliance again in agency contracts.
5. In addition to providing a policy statement to employees, a special dose of additional training is required for employees involved in providing health care or in handling health information. These include all employees who work in hospitals and clinics run by the agency, paramedics who provide health care as first responders, firefighters who may perform similar roles, and the HR staff who might be involved in the administration of health insurance, workers' compensation, employee assistance, or similar programs.

These employees will have access to protected health information and should receive documented training which makes them aware of their basic responsibilities for non-disclosure of information. The training should be repeated periodically so that, once again, "life with HIPAA" can be thoroughly documented as one of the many exhibits in any subsequent litigation.
6. A key focus for HIPAA will involve safeguards in the electronic storage and transmission of protected health information. No director of information technology should be allowed to park his or her SUV in the parking lot without proving that they know an awful lot about HIPAA electronic-information protection and are capable of guiding the agency.

Reviewing and amending automated information systems to limit access to protected health information, and to document each instance of its use, is needed. It is more than simply arguing that "our system already has firewalls," since the issue goes well beyond protecting information from outside hackers.

The protected health information must be safeguarded within the system against unnecessary and unwarranted disclosure, including by insiders who have a login but no business need to see a particular record. The information system must also create a record of each access and transmission for future review and corrective action.
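The two controls point 6 calls for, limiting what each role may read and keeping a reviewable record of every use or disclosure, as an added example in Python. This is illustrative code written for this page, not code from the article or from the HR Doctor; the roles, the per-role field sets, the patient records and the hash-chained log format are all constructed assumptions and are not taken from any HIPAA text.

```python
"""Access gate and audit trail for protected health information (PHI).

Added example. Demonstrates: (1) a minimum-necessary view per role, so a
login alone does not grant access to a whole record, (2) denied attempts
recorded as well as granted ones, and (3) a hash-chained audit log that
makes later edits or deletions detectable at review time.
All roles, field sets and records below are constructed for illustration.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
import hashlib
import json

# Constructed assumption: which fields each role needs for its job.
# A role with an empty set has no business need to read PHI at all.
ROLE_FIELDS = {
    "clinician": {"patient_id", "name", "diagnosis", "medications"},
    "benefits_admin": {"patient_id", "name", "plan_id"},
    "payroll": set(),
}

# Constructed sample records (not real people).
SAMPLE_RECORDS = [
    {"patient_id": "P-1001", "name": "A. Example", "plan_id": "PLAN-7",
     "diagnosis": "cholecystitis", "medications": ["cefazolin"]},
    {"patient_id": "P-1002", "name": "B. Example", "plan_id": "PLAN-7",
     "diagnosis": "hypertension", "medications": ["lisinopril"]},
]


@dataclass
class AuditEntry:
    ts: str                 # UTC timestamp of the attempt
    actor: str              # who asked
    role: str               # in what capacity
    patient_id: str         # whose PHI
    purpose: str            # stated reason for the access
    fields_released: list   # exactly what left the store ([] if denied)
    allowed: bool
    prev_hash: str          # entry_hash of the previous entry (chain link)
    entry_hash: str = ""    # sha256 over prev_hash + this entry's payload


class PHIStore:
    GENESIS = "0" * 64

    def __init__(self, records):
        self._records = {r["patient_id"]: r for r in records}
        self._audit = []

    def access(self, actor, role, patient_id, purpose):
        """Return the minimum-necessary view of one record for `role`.

        The attempt is logged before the decision is enforced, so a denied
        request is on the record too; then PermissionError is raised."""
        allowed_fields = ROLE_FIELDS.get(role, set())
        record = self._records.get(patient_id)
        allowed = record is not None and bool(allowed_fields)
        released = sorted(allowed_fields & set(record)) if allowed else []
        self._log(actor, role, patient_id, purpose, released, allowed)
        if not allowed:
            raise PermissionError(f"{actor} ({role}) may not read PHI for {patient_id}")
        return {k: record[k] for k in released}

    def _log(self, actor, role, patient_id, purpose, released, allowed):
        prev = self._audit[-1].entry_hash if self._audit else self.GENESIS
        entry = AuditEntry(ts=datetime.now(timezone.utc).isoformat(), actor=actor,
                           role=role, patient_id=patient_id, purpose=purpose,
                           fields_released=list(released), allowed=allowed,
                           prev_hash=prev)
        entry.entry_hash = self._hash(entry)
        self._audit.append(entry)

    @staticmethod
    def _hash(entry):
        body = asdict(entry)
        body.pop("entry_hash")          # hash covers everything except itself
        payload = json.dumps(body, sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()

    def audit_trail(self):
        return list(self._audit)

    def verify_audit(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = self.GENESIS
        for e in self._audit:
            if e.prev_hash != prev or self._hash(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True


if __name__ == "__main__":
    store = PHIStore(SAMPLE_RECORDS)
    print(store.access("dr.lee", "clinician", "P-1001", "treatment"))
    print(store.access("j.doe", "benefits_admin", "P-1001", "enrollment"))
    try:
        store.access("p.smith", "payroll", "P-1001", "curiosity")
    except PermissionError as err:
        print("denied:", err)
    for e in store.audit_trail():
        print(e.allowed, e.actor, e.fields_released)
    print("audit chain intact:", store.verify_audit())
```

The chain only proves that the log has not been edited since it was written; a reviewer still needs the head hash held somewhere the log's administrator cannot rewrite (a separate write-once store or a periodically exported copy) for the check to mean anything against an insider. Note too that the denied payroll request shows up in the trail with an empty `fields_released` list, which is exactly the kind of entry a privacy official wants to see when someone asks who has been looking at a colleague's record.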
7. In the training that employees should receive, include a reminder to be extremely sensitive to even unintended disclosures of health information. The idea of protected health information is sufficiently vague that over-zealous plaintiffs' attorneys could argue that the get-well cards we circulate when a colleague is seriously ill may violate that person's privacy!

Collecting money or sending a card or flowers around to a person in the hope that their gall bladder surgery went well and that they will be back at work soon could, arguably, be interpreted as a violation of HIPAA and lead to multiple Crown Victoria 4-door sedans with blackwall tires pulling up in front of your office and unloading enforcement agents!

Hopefully this scenario is a great exaggeration; however, stranger things have happened in our history of sumo wrestling with the Fair Labor Standards Act. Remember the cases of canine officers and horse-mounted officers claiming that counties and cities owed them time-and-one-half payments retroactively for the time they spent playing fetch with "Officer Fido"? As amazing as that notion seemed just a few years ago, it resulted in literally hundreds of claims, lawsuits, grievances and expensive settlements.
8. HIPAA privacy regulations took effect in April for "large" plans. Organizations which administer smaller plans, involving premiums or claims valued at $5 million or less, generally have another year before HIPAA will seep into their lives.

If your plan is self-funded, the measure is the value of claims. If the plan involves purchased insurance, the measure is the value of premiums. However, don't be complacent. Take proactive steps that are documented and that can be pulled out in a shiny notebook marked "Fun with HIPAA."
Taking a proactive posture now, rather than later when the complaint, grievance, or lawsuit papers are signed, is the best way to implement the very important spirit behind the HIPAA regulations, and it will position public agencies well in the years of skirmishing ahead.
Unfortunately, at the worst time of budget reductions, unfunded mandated caseloads, and cost increases in areas such as indigent health care and jail medicine, HIPAA will cause a lot of additional expenditures for already over-burdened systems. Don't even ask! Of course, HIPAA does not come with any federal financial assistance to ease the pain of its implementation!
The HR Doctor wishes you success in managing HIPAA and reminds you not to misspell the acronym! It's not HIPPO, HIPPY or HIPPA. Despite the good intentions here, you may come upon other ways to spell it later!
The HR Doctor hopes that all your vital signs remain private!
Phil Rosenberg, The HR Doctor, http://www.hrdr.net/