Why all physicians must comply

There is an enormous amount of confusion surrounding the Health Insurance Porta­bility and Accountability Act (HIPAA). While this government mandate is complex, it really has two primary goals pertaining to patient care. The first is to create standards to which all billing and collection will adhere. These standards ultimately correct an outdated and wasteful system, and will provide substantial cost savings to physicians. HIPAA’s second goal is to create patient privacy and security standards for the electronic transmission of patient data and communication.

Most physicians who currently accept Medicare, or some other third-party reimbursement, realize that they fall under these new guidelines and therefore must comply with HIPAA regulations. However, many physicians who do not accept third-party reimbursement feel that HIPAA does not affect them. This assumption is true with regard to HIPAA’s reimbursement standards, but for its patient privacy and security standards, nothing could be further from the truth.

“Every physician has a duty to protect the privacy and security of their patients,” warns Christopher L. Nuland, Esq, a Jacksonville-based health law attorney. “Moreover, implementing the HIPAA standards need not be overly expensive or burdensome, but does require some documentation and an understanding of the law’s nuances.”

Thus far, HIPAA enforcement has primarily targeted institutional abuses and egregious cases. But the technical language itself allows for a much broader enforcement. Therefore, it is imperative that even the smallest of physician offices use email programs that abide by HIPAA privacy and security requirements. The federal government has indicated that it will be more lenient with those offices that have at least shown a goodfaith attempt at compliance, as opposed to those that ignore the law’s mandates. Furthermore, since physicians are only required to take “reasonable” steps toward compliance, individual physician offices are not expected to expend the same resources toward compliance as a giant hospital chain would. It’s worth it to abide by the regulations.

Case in Point

The first indictment associated with HIPAA was handed down in mid-August, after Seattle phlebotomist Richard W. Gibson admitted to obtaining personal, protected health information about a cancer patient and then made some $9,000 in charges with four different credit cards. Gibson, a former employee at the Seattle Cancer Care Alliance, initiated an identity theft on the unsuspecting patient to buy video games, jewelry, and other items, according to the US Attorney’s Office. If it had been any other case of identity theft, it wouldn’t have made the papers. What made this unusual was not the fact that the offender was indicted, but rather that the government decided to charge him with violating HIPAA regulations! Clearly, the US Attorney’s Office was keen to make a statement to all would-be violators of HIPAA’s patient privacy and security guidelines.

This should put medical providers, hospitals, and third-party payors on notice that the government is serious about the patient privacy and security portion of the HIPAA mandate. It is still unclear the danger posed to hospitals and health care providers if their employees are caught breaking HIPAA-related laws.

“In most cases, the government will allow an offending practice 30 days to come into compliance if the violation is unintentional and minimal,” notes Nuland. “But federal officials have a zero tolerance with intentional violations and reserve the right to levy enormous penalties for conduct that they feel is egregious.” A statement from a government agency following the indictment of Mr. Gibson estimates that between 30–40 cases brought forward by the Office of Civil Rights have been turned over to the Justice Department for prosecution under the HIPAA laws.

The Consequences of Noncompliance

Failure to comply with HIPAA may result in civil and criminal penalties. Violation of the Administration Regulations can result in civil monetary penalties of $100 per violation, up to $25,000 per year. However, any individual who discloses identifiable health information in violation of these regulations can also face criminal penalties of up to $50,000 and possible imprisonment. The penalties for individuals who use identifiable health information for commercial advantage, malicious harm, or personal gain, may result in imprisonment and a fine of up to $250,000. Another danger comes in the form of trial lawyers, who could sue doctors for noncompliance. Doctors may end up being hit with charges ranging from negligence to breach of privacy.

Considering the penalties, abiding by the standards for electronic communication with patients is worth the investment. To ensure compliance for the electronic communication that takes place through your Web site, email, and the Web, follow these important steps:

1. Inform patients of privacy issues by making the Practice Privacy Policy and Patient Privacy Policy clearly visible on your Web site.

2. Inform patients with a written disclaimer when a nonsecure form is being submitted on your Web site.

3. Provide patients with and direct them to a secure form on your Web site.

4. Implement a secure archive and retrieval system for email communication as well as patient data storage and backup.

5. Provide patients with access to a secure communication network.

A growing number of patients are requesting online communication with their physicians. The good news is that the marketplace has made it easy and affordable to outsource the majority of the time and work involved in making this possible. In most cases, implementing the steps outlined above should take only 2 to 3 weeks. With the final regulations going into effect on April l, 2005, now is the time to get started! n

Robert C. Silkey is the founder, president, and CEO of Einstein Medical, which provides Internet development to physicians, dentists, and lawyers. www>.einsteinmedical.com.

Christopher L. Nuland, JD, is a Jacksonville-based health law attorney.