Introduction to HIPAA
In 1996, the federal Health Insurance Portability and Accountability Act (HIPAA) was adopted as a step toward reshaping government health care. Referred to as the HIPAA, it enables portability of health care insurance coverage for workers and their families when they change or lose their jobs (Title I), sets a standard or benchmark for safeguarding electronic and paper exchange of health information, and requires national identifiers for providers, health plans, and employers (Title II). The final policy implementation rule outlines the entities affected by the legislation as health care providers, health plans, health care clearinghouses, and vendors offering computer software applications to providers and those billing for health services (Health Privacy Project, 2002; Public Law 104-191 1996; Rules and Regulations, 2003; U.S. Department of Labor, 2005). Aside from the federal law, some entities and even states have set standards more stringent than those promulgated by the federal mandate (U.S. Department of Health and Human Services 2004; 2005a).
The federal mandate affects nurses because they are considered health care providers and provide health care services across the numerous facilities covered by the law—inpatient and outpatient hospitals, community facilities such as home health agencies, rehabilitation facilities, nursing homes, and hospice care facilities, among the others (U.S. Department of Labor, 2005). Across the spectrum of health facilities, nurses interface with the Inter and Intranet maintaining patient records with electronic transfer of information. This form of telehealth promotes ease and rapid access to pertinent information stored in large computer databases. The trade off, however, is difficulty safeguarding the privacy and security of personal health information and correspondence as it is transferred electronically from one person to another. HIPAA is the benchmark to safeguarding this information (Muldoon & Sardinas, 1996; Poe, 2001; Singh, O’Donoghue, & Soon, 2002) for nurses.
A Conceptual Framework for HIPAA
HIPAA conceptualized in a broader framework, can help nurses anticipate what path future health care legislation may take. Looking beyond the micro reasons for HIPAA-- a law to protect and secure personal health information--HIPAA can be conceptually defined as legislation in pursuit of reshaping the U.S. government, public, and private health care. It is important to reshape government, public health care agencies in particular. Bureaucracy has become inefficient, too often ineffective, paternalistic in decisions of health care, rowing instead of steering, and slow responding to the growing demands of the external environment, such as health care costs (Gore 1995b; Mitchell & Simmons, 1994; Osbourne & Gaebler, 1992). Consumers of public and private health care are becoming more sophisticated searching to become more involved as a decision maker in their personal care (Gore, 1994). Change is needed.
One medium to reshape government is that of advanced communication technology for better administration of government services, known as electronic government. E-government means the delivery of information and public services online via the Internet or through other digital means (West, 2001), such as the Intranet. The goals include reducing government cost, increasing efficiency, and facilitating communication between government and citizens (West, 2000). While HIPAA is not necessarily aimed at improving communication with government, it does empower consumers as decision-makers regarding their personal information, both electronic and paper. HIPAA is aligned with Osbourne and Gaebler’s (1992) ideas for reshaping government into a leaner and meaner institution; and Al Gore’s (1994, 1995a, 1995b) ideas on improving customer service by bringing health care online, and making government work better and cost less. HIPAA borrows from private-sector business ideas, perceiving citizens as customers, and placing them first before government and industry. It promotes quality health care by perceiving patients as autonomous consumers making informed choices about the release of personal health information. The citizen customer is seen as foremost in importance across the public, private, and non-profit health industry, enhancing customer control over personal information. It is a big Congressional step to transform government into a leaner and meaner institution that responds to citizen demand(s) through the medium of advanced information technology.
A goal for electronic government is efficiency. It is proposed that use of electronic medical records can help streamline government health programs and public health departments. As a branch of e-government, telehealth can streamline the Medicaid and Medicare entitlement programs by bringing efficiency, improving responsiveness to consumer demands, and strengthening the quality of transactions. This argument of increased health care delivery efficiency is based on information technology increasing the speed of information tasks and reducing the associated costs (Heeks, 1999). Congressional testimony claims telehealth can also give beneficiaries better access to program information and service providers (Senate Hearing 103-515, 1993). Studies show improved administrative efficiency and cost savings with electronic health record use, yielding an estimated annual savings between 7.5% and 30% of annual health care spending. "By eliminating unnecessary and duplicative procedures, improving quality by eliminating errors, and bringing less efficient hospitals and physicians up to the performance of the most efficient ones, some researchers have suggested that up to 30% of annual Medicare health care spending could be saved" (Lewin Group, 2005). With HIPAA, health programs can improve while consumer information is protected.
HIPAA-Enabled Reform Legislation
HIPAA enables other bills that have the potential to reshape government to become law. In examining succeeding federal legislation, HIPAA is often incorporated into succeeding laws important to government reform. For example, the "Medicare Prescription Drug, Improvement and Modernization Act of 2003" has provisions for an electronic prescription drug program with objectives for efficiencies and cost savings in the delivery of prescription drugs for Medicare beneficiaries (Public Law 108-173, 2003). In setting final uniform standards for this provision, the Centers for Medicare and Medicaid Services used HIPAA standards as a benchmark on the disclosures of protected health information in connection with an e-prescribing transaction. It used the standards for setting minimum necessary privacy requirements on e-prescribing entities specified by HIPAA as covered entities (Centers for Medicare and Medicaid Services, 2005; Office of the National Coordinator for Health Information Technology, 2005; U.S. Department of Health and Human Services, 2005b). Senate Bill S.1262 (2005) "The Health Technology to Enhance Quality Act of 2005" recognizes the regulations promulgated by HIPAA in its advancing health information technology infrastructure development. In H.R. 2762, which was developed for the establishment of a pilot project on Internet-based submission of particular Medicare claims, HIPAA is used as the standard for protecting the confidentiality of identifiable health information for third-party contractors participating in the pilot project (H.R. 2762, 2005). "The Better Healthcare Through Information Technology Act of 2005," introduced to improve health care efficiency, quality, and safety by protecting privacy and security of health information and promoting widespread use of information technology, rests on HIPAA minimum standards (S. 1355, 2005). Recommendations for a National Health Information Network have recently been given to the Bush Administration by 13 health and information technology organizations (Telemedicine Information Exchange, 2005). HIPAA lays the foundation for the privacy and security of health information for other technology laws important to the National Health Information Network, where none had previously existed.
What about the states? Although the federal government is a key actor in advancing information technology legislation in health service delivery (Senate Hearing 103-515 1993), the states have also passed a patchwork of laws. Privacy statutes vary significantly regarding electronic means for disclosing private health information and storing the information. Most states originally had not intended for their statutes to be comprehensive; thus they are not only lagging behind the needs of innovative medicine but delaying reform of government. To date, these telehealth laws are not uniform across the states, resulting in a patchwork of statutes (Health Privacy Project, 2002; Pritts, Goldman, Hudson, Berenson, & Hadley, 1999; U.S. Department of Health and Human Services, 2001). However, some states have assumed a leadership role. For example, under the Nebraska Telehealth Act, Medicaid providers are required to ensure that their patients sign a written document regarding privacy rights prior to their initial tele-consultation experience. Also, Rhode Island prohibits medical information from being disclosed regardless of the institution holding the medical record (National Conference for State Legislatures, 2003). Governors support uniform standards for electronic data interchange and privacy protection; however, there are associated administrative burdens and state implementation costs. No federal monies have been allocated to states for HIPAA implementation, another concern for states experiencing fiscal stress (National Governors’ Association, 2004). Although federal initiatives toward reforming government, such as HIPAA regulations, have their merits, states with no slack resources may be opposed to federal mandates that can have high initial start-up costs.
In summary, as nurses attend HIPAA workshops to learn the micro-details of policy implementation in their workplace, nurses can also conceptualize HIPAA in the macro framework of government reform. That is, HIPAA policy is actually an incremental movement toward reshaping government to be better. It transforms health care business transactions in the handling of health information related to treatment, payment, and operations. As one of many telecommunication laws important to reshaping government, HIPAA provides a standard for the health care industry — public, private, and non-profit sectors. This makes it easier for other technology laws, health and non health care-related, to reach policy decision-making agendas. As the National Information Infrastructure important to reshaping government is built, nurses can expect more federal government initiatives related to telehealth privacy and security to be passed. As these initiatives progress, it is important to remember that because some states have enacted stricter standards than the minimum federal HIPAA policy, nurses are exposed to varying degrees of privacy and security standards across the states.
Mary Schmeida, PhD, RN
Email Address: email@example.com
Dr. Schmeida is a Senior Nurse Researcher in the Department of Nursing Research & Innovation at the Cleveland Clinic Foundation, Cleveland, Ohio. As a psychiatric clinical nurse specialist, she is researching the many mental-health issues occurring across different medical areas, and the factors influencing the adoption of substance abuse/addiction parity legislation across the states. With a doctorate in political science and public policy, her current projects explore health information privacy issues, nurse and physician telehealth licensure laws, telehealth practitioner reimbursement, and Internet pharmacy regulations. In addition to research, Mary is an entrepreneur writing educational courses for registered nurses and allied health care professionals for state licensure renewal. She has served as nursing faculty at the University of Akron, and at Akron City Hospital, and has held memberships in numerous professional nursing and health care policy organizations and societies.
Centers for Medicare and Medicaid Services. (2004). Health Insurance Portability and Accountability Act (HIPAA)---Administrative Simplification. Retrieved September 15, 2005 from www.cms.hhs.gov/hipaa/hipaa2/default.asp
Health Privacy Project. (2002). State health privacy laws. Retrieved 2005, from www.healthprivacy.org/info-url_nocat2304/info-url_nocat.htm
House of Representatives Bill 2762. (2005). To direct the secretary of health and human services to establish a demonstration project for the use of an internet-based form for submission of certain claims under the medicare program. 109th Congress. 1st Session.
Lewin Group, Inc. (2005). Health information technology leadership panel final report. Prepared for the U.S. Department of Health and Human Services. Retrieved May 2005, from www.lewin.com/Spotlights/Features/SpotlightFeatureHITLeadershipPanel.htm
National Conference of State Legislatures. (2003). Summary and analysis of state initiatives to promote telemedicine volume 1 and II. Retrieved 2004, from www.ncsl.org. No longer available online.
National Governors’ Association. (2004). Policy position. HHS-26. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Policy. Retrieved July 2005, from www.nga.org/portal/site/nga/menuitem
Office of the National Coordinator for Health Information Technology. (2005). HHS proposes new medicare E-prescribing rules process will improve quality, accuracy. Retrieved July 2005, from www.hhs.gov/news/press/2005pres/20050127.html
Poe, K. (2001). Telemedicine liability: Texas and other states delve into the uncertainties of health care delivery via advanced communications technology. Office for the Advancement of Telehealth. Washington, DC: Department of Health and Human Services, Health Resources and Services Administration.
Public Law 104-191 (1996). Health Insurance Portability and Accountability Act of 1996. 104th Congress. 1st Session. Available: www.lexis-nexis.com
Public Law 108-173. (2003) Medicare Prescription Drug, Improvement, and Modernization Act of 2003. 108th Congress. 1st Session. Available: www.lexis-nexis.com
Telemedicine Information Exchange. (2005). What’s new in telemedicine and telehealth. Retrieved 2005, from http://tie.telemed.org/news/
U.S. Department of Health and Human Services. (2001). Protecting the privacy of patients’ health information. U.S. Department of Health and Human Services Fact Sheet. Retrieved September 30, 2005, from www.hhs.gov/news/facts/privacy.html
U.S. Department of Health and Human Services. Office of the Secretary. (2004). Health insurance reform: security standards. Retrieved July 2005, from www.hhs.gov
U.S. Department of Health and Human Services. Office for Civil Rights. (2005a). How to file a health information privacy complaint with the office for civil rights. Retrieved June 2005, from www.hhs.gov
U.S. Department of Health and Human Services. Centers for Medicare & Medicaid Services. (2005b). Federal register. Medicare program; e-prescribing and the prescription drug program. Retrieved July 2005, from www.cms.hhs.gov/providerupdate/regs/cms0011p.pdf
U.S. Department of Labor. (2005). Portability of health coverage (HIPAA). Retrieved July 2005, from www.dol.gov
West, D.M. (2000). Assessing e-government: The internet, democracy, and service delivery by state and federal governments. World Bank. Retrieved 2003, from www1.worldbank.org
West, D. M. (2001). E-government and the transformation of public sector service delivery, Paper presented at the 2001 Annual American Political Science Association Conference. San Francisco, California.