HIPAA: Impacts and Actions by States
Medical record privacy, security and electronic transactions.
Updated: April 16, 2009; Reposted August 19, 2009
The Health Insurance Portability and Accountability Act of 1996, known as HIPAA, continues to have a broad impact on state health policy, as well as on virtually all health providers, insurers and health consumers. Listed below are brief updates and resources of potential interest to state legislatures.
Electronic Transactions Requirements:
Federal regulations required compliance with new HIPAA national standards for electronic health care transactions, code sets and national identifiers for providers, health plans, and employers, as of an October 2003 deadline. The federal Administrative Simplification Compliance Act (ASCA) required all claims sent to the Medicare Program be submitted electronically starting October 2003. (This is separate from medical privacy requirements, below.)
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
HIPAA-covered entities such as providers completing electronic transactions, healthcare clearinghouses and large health plans must use only the National Provider Identifier (NPI) to identify covered healthcare providers in standard transactions by May 23, 2007. All such organizations need to ensure they are prepared for the May 2007 NPI deadline. Details and strategies: NPI: Strategies for an Implementation Process To Meet the May 2007 Deadline (12/06).
NOTE: NCSL provides links to other Web sites from time to time for information purposes only. Providing these links does not necessarily indicate NCSL's support or endorsement of the site.
Health Information Technology
NCSL’s Project HITCh—for Health Information Technology Champions—supports state legislative decision-making about HIT. For details about what states are doing, go to www.ncsl.org/programs/health/forum/hitch/.
A 2008 NCSL report describes and provides links to specific state legislation on HIT and public reporting: www.ncsl.org/programs/health/Transparency.htm.
- "50 Little Labs: States are functioning as proving grounds for healthcare information technology initiatives" - Healthcare Informatics, 10/08.
- FTC Sets Rule Requiring Public Notification of PHR Breaches. In mid-August 2009, the Federal Trade Commission issued a final rule requiring personal health record providers to alert consumers about data security breaches. The rule also requires organizations to notify the media if the security breach involves more than 500 people. FTC's regulations will apply to Google Health, Microsoft HealthVault and others. Government Health IT, Health Data Management. 8/20/09.
- "Accelerating Progress -- Using Health Information Technology and Electronic Health Information Exchange To Improve Care", a report by State Alliance for e-Health, is available online, 9/23/08 [PDF]
- "Profiles in Progress: State Health IT Initiatives," by the National Association of State CIOs, a compendium highlighting health IT initiatives in all 50 states and D.C. Released 11/15/06 [PDF, 54 pages]
- HEALTH INFORMATION TECHNOLOGY: Efforts Continue but Comprehensive Privacy Approach Needed for National Strategy - Report by the Government Accountability Office identifies challenges that the Department of Health and Human Services faces in trying to protect electronic patient data. However, HHS says that it already has adopted a privacy approach. 6/19/07. [PDF, 23 pages]
- CMS Gears Up for South Carolina Test of Personal Health Records - The Centers for Medicare and Medicaid Services project will offer personal health records to 100,000 participants in South Carolina's Medicare fee-for-service program and will include a campaign to encourage use of the PHRs. The results of the South Carolina project will be compared with the results of earlier PHR initiatives. Government Health IT, 1/21/08.
- E-Scripts (June 12, 2006)
- Incorporating Technology report, 2/20/06.
- 2006 Minnesota e-Health Initiative Progress Report to the Minnesota Legislature [PDF, 23 pages]
- Minnesota e-Health Reports and Recommendations
- HIPAA Focus Changes from Compliance to Improving Efficiency, Reducing Costs - Phoenix Health Systems and HIMSS, 2/17/06.
- Steps Toward HIPAA Compliance - HHS summary re: electronic transactions, 10/16/03
- View the Electronic Transactions HIPAA rule online.
- eHealth Initiative - an association with information on commercial and governmental projects. Updated regularly, 2007.
- Report: Three-quarters of states are developing HIEs - Published on April 22, 2008 (c) Govt. Health IT
Three-quarters of states have begun developing some kind of health information exchange, according to a report released today by the State-Level HIE Consensus Project. The project’s director, Lynn Dierker of the American Health Information Management Association, told a Health and Human Services Department advisory panel that the need for health care reform generally falls behind the creation of state-level HIE organizations, along with the need to keep patients' data private and secure. Some HIEs have advanced to the point where they are nearly ready to begin exchanging data, Dierker told the American Health Information Community. "We feel like we are labs" for the exchange of patients' health data, she said.
The HIEs are public/private partnerships and seldom part of state governments, she said. They usually include stakeholders from many interest groups, and they serve the public interest, operate cost-effectively and protect the privacy of patients whose records move through the network. Although governance responsibilities are the most common role of state-level HIEs, Dierker said, the organizations are often responsible for the technical operations, too. A new national organization called the State-Level HIE Leadership Forum is emerging to share insights and lessons learned, she said. It will hold its first meeting in May in Dallas.
Also, state-level HIEs want to participate in AHIC’s successor organization, which is being created as a public/private partnership outside HHS, Dierker said. Synergy is needed between national and state-level health information technology programs and other health reform initiatives such as quality-of-care measurement and pay-for-performance incentives. Among other activities in the coming year, the project will decide whether it is desirable to accredit HIEs that meet certain criteria and how to sustain organizations after a start-up period. In addition, the relationship of state-level HIEs to the planned Nationwide Health Information Network remains undefined, the report states. Those who pay for health care should be more involved in HIE development, the report states. “At a national level, the roles for Medicaid and Medicare in helping to build and sustain HIE capacity must be clarified and strengthened,” it states. “The active engagement of health plans in strategies to support state-level HIE remains an important priority.” The Office of the National Coordinator for Health IT supports the State-Level HIE Consensus Project.
- Serious patient errors at California hospitals disclosed in state filings. About 100 Californians a month are being harmed in adverse events considered preventable. A lawmaker proposes banning reimbursements to hospitals for some types of injuries. Maine, Massachusetts, Pennsylvania and New York have restricted payments for avoidable medical errors. Hospital associations in Minnesota, Washington and Vermont have pledged never to bill patients for the costs of botched care, according to the National Conference of State Legislatures. (LA Times, 6/30/08)
- Physician Use of Electronic Prescribing and Barriers to Adoption
- Despite the benefits of electronic prescribing, adoption is still modest. Current surveys estimate that between 5% and 18% of physicians and other clinicians are using electronic prescribing.
- Key barriers to clinician adoption include startup cost, lack of specific reimbursement, and fear of reduced efficiency in the practice.
- The implementation of the prescribing system must fit into the business flow and enhance knowledge, rather than be viewed as “extra work.” Electronic prescriptions need to be seen, in many ways, as an extension of a written prescription, for adoption to occur. The benefits to all parties – pharmacist, clinician and patient – should be the ultimate goal in the adoption of electronic prescribing.
Source: Electronic Prescribing: Toward Maximum Value and Rapid Adoption Recommendations for Optimal Design and Implementation to Improve Care, Increase Efficiency and Reduce Costs in Ambulatory Care, a Report of the Electronic Prescribing Initiative eHealth Initiative.
Medical Record Privacy:
As of April 14, 2003, "health plans, hospitals, doctors and other health care providers around the country must comply with new federal privacy regulations," according to Secretary Tommy Thompson of the Department of Health and Human Services (HHS). Billions of dollars are being spent to bring public and private sector records into compliance. The following is the department's description, stated in April 2003:
"These new federal health privacy regulations set a national floor of privacy protections that will reassure patients that their medical records are kept confidential. The rules will help to ensure appropriate privacy safeguards are in place as we harness information technologies to improve the quality of care provided to patients. Consumers will benefit from these new limits on the way their personal medical records may be used or disclosed by those entrusted with this sensitive information.
The new protections give patients greater access to their own medical records and more control over how their personal information is used by their health plans and health care providers. Consumers will get a notice explaining how their health plans, doctors, pharmacies and other health care providers use, disclose and protect their personal information. In addition, consumers will have the ability to see and copy their health records and to request corrections of any errors included in their records. Consumers may file complaints about privacy issues with their health plans or providers or with our Office for Civil Rights."
PRIVACY ON-LINE RESOURCES:
- Federal Trade Commission Issues Proposed PHR Breach Rule - In compliance with the American Recovery and Reinvestment Act, the Federal Trade Commission has issued a proposed rule that would require personal health record vendors and related groups to notify customers if their identifiable health information is breached, Health Data Management reports. FTC is seeking public comment on the proposed rule through June 1. ARRA requires HHS and FTC to publish a study on potential privacy, security and breach notification requirements for PHR vendors and related entities by February 2010. In the meantime, the law requires FTC to issue an interim final rule by August. - Health Data Management, Modern Healthcare. 4/17/09.
- "Privacy Issue Complicates Push to Link Medical Data" - article by New York Times, 1/17/09.
- "New health-care privacy laws heighten need for HIPAA compliance in California." Gov. Schwarzenegger signs two data privacy bills that use the federal HIPAA law as a baseline. ComputerWorld, 10/7/08.
- "PERSONAL HEALTH DATA ON THE NET: STATES ADDRESS PRIVACY CONCERNS" - NCSL's State Health Notes, June 9, 2008.
- "Surveys show public distrusts HIPAA; researchers detest it" - Nearly three of five Americans agree that the privacy of their health information is not well protected by federal and state laws and organizational practices. Report in GovHealthIT.com 10/2/07.
- Warnings Over Privacy of U.S. Health Network - New York Times, 2/18/2007.
- "Personal Health Records: The People's Choice?" National Health Policy Forum, 11/30/06.
- HEALTH INFORMATION TECHNOLOGY: Efforts Continue but Comprehensive Privacy Approach Needed for National Strategy - Report by the Government Accountability Office identifies challenges that the Department of Health and Human Services faces in trying to protect electronic patient data. However, HHS says that it already has adopted a privacy approach. 6/19/07. [PDF, 23 pages]
- Balancing Patient Privacy with the Need to Know - Obtaining a patient's health history is vital to ensuring proper treatment, yet disclosing information about mental health or substance abuse can result in social stigma, job loss, or even criminal prosecution. A new issue brief considers how best to balance privacy and disclosure in an age when sharing information has never been easier. CA Healthcare Foundation brief, 3/08/
- "Many U.S. Adults are Satisfied with Use of Their Personal Health Information; Some Withhold Information Due to Medical Data Security Worries" - While many U.S. adults indicate that they are generally satisfied with how their personal health information is used, a substantial number has serious reservations about the confidentiality and security of their health data, with some withholding information due to these concerns, according to a survey conducted by Harris Interactive. 3/26/07.
- Less Than 25% of Medical Privacy Complaints Investigated - Less than a quarter of the total medical privacy complaints lodged with the US Department of Health and Human Services (HHS) were deemed eligible for further investigation, reports Melamedia's 3rd Annual Review of Medical Privacy and Security Enforcement. 12/14/06
- Medical Privacy - National Standards to Protect the Privacy of Personal Health Information - detailed explanations by the HHS Office for Civil Rights, update July 2004.
- Survey Finds HIPAA Compliance Low - AHIMA 4/18/06 - Compliance with federal privacy rules regarding patients' medical records that went into effect three years ago has declined, according to an annual American Health Information Management Association survey, Government Health IT reports. The survey of 1,117 hospitals and health systems found that 85% of respondents said they are mostly compliant with HIPAA privacy rules, compared with 91% in 2005. "A slight drop in the number of facilities reporting themselves to be fully or mostly compliant with HIPAA should serve as a warning to the industry that compliance should not be taken for granted," said AHIMA President Jill Callahan Dennis (Ferris, Government Health IT, 4/19). Fifty-five percent of respondents said lack of resources was the chief barrier to complete compliance, Health Data Management reports. They also cited as barriers a loss of senior management support and less focus on the privacy rule by some staff.
The survey, which was conducted in January 2006, also asked about compliance with HIPAA security rules. It found that one year after the compliance date, 25% of respondents said their organizations are fully compliant, and half of respondents said their organizations are between 85% and 95% compliant, Health Data Management reports. A survey a year earlier found that 17% of organizations believed they were fully compliant and 43% believed they were substantially compliant (Health Data Management, 4/19). The complete report is available online.
- Bill Would Limit Obtaining, Selling Medical Records - The Missouri Senate on April 13, 2006 unanimously passed legislation (SB 1041) that would make it a crime to sell or obtain patients' health records without their consent. The bill now goes to the House. AP/Kansas City Star.
- NASCIO's Federal Privacy Law Compendium Description Page - NASCIO's Federal Privacy Law Compendium summarizes 10 federal privacy laws, including HIPAA, and provides states with a starting point to determine how the summarized laws might apply to them. (2005)
- New Web Tool Helps Emergency Planners Comply with Health Privacy - NGA summary of HHS guidelines, 07/13/06
- DOJ Limits Prosecution of HIPAA Violations - article by iHealthBeat.org describing exemptions from prosecution for most non-health entities and individuals, 6/7/05.
- HIPAA Privacy Rule and Public Health - updated summary from CDC, emphasizing state and local government agency actions, 4/11/03.
- HHS Statement for Implementation, News release, 4/11/03.
- Health Information Privacy (HIPAA) Notices Have Improved Public's Confidence That Their Medical Information Is Being Handled Properly - Yahoo News, 2/24/05.
- HIPAAComply.com - a commercial online resource.
HIPAA State Actions: Overviews and Examples:
HIPAA Wellness and Nondiscrimination
DOL ISSUES CHECKLIST FOR WELLNESS PROGRAMS. Wellness programs must be carefully reviewed to assure that they fit within a variety of legal boundaries. Most important for 2008 and beyond are the nondiscrimination rules under HIPAA. The Department of Labor (DOL) has issued helpful guidance in Field Assistance Bulletin 2008-02 (FAB 2008-02), including a useful checklist. This guidance can be reviewed by any policymaker or plan sponsor implementing a wellness program or considering one. ("CheckUp" by Sibson, 3/10/08)
HIPAA Security Rules for 2005
In a separate process, HHS also has issued a Final Security Rule requiring health plans, certain health care providers and health information clearinghouses to establish "adequate administrative, physical, and technical safeguards to prevent unauthorized access to electronic patient health information." Most covered entities will have until April 21, 2005 to comply with the new security standards.