Health Information Compliance Alert

HIPAA Budget:

CREATING A COMPLIANCE BUDGET IS A MILLION-DOLLAR QUESTION

The great disparity among many providers' proposals to generate a budget compliant with the Health Insurance Portability and Accountability Act yields at least one definitive truth: Size does matter.

Coming up with a HIPAA budget plan has left many providers, health plans, and other covered entities bereft of hope. Many CEs are frustrated over the lack of a governmental framework for producing a HIPAA budget, but there's a good and sensible reason for the lack of a mould: No two covered entities are alike.

While that answer may seem simplistic, it is undeniably valid. Physicians' practices, for example, can range in size from one doctor to 100. And gauging the progress of physicians' practices in generating a budget for compliance is further complicated by the only recently modified revisions to the privacy rule.

One attorney tells Eli he's heard vastly different budget proposals from different covered entities. Bill Sarraille with Arent Fox Kintner Plotkin & Kahn in Washington says consultants charge different rates for specific circumstances. Sarraille notes that a fairly large ophthalmology practice of about 20 to 30 full-time employees was quoted an "extreme end" of about $100,000, but that figure only related to the privacy rule and did not include technical components to ensure that their data systems ran standard transactions and code sets.

On the flip side of the coin, Sarraille explains, are even larger practices who may choose to create a budget without external counsel. Some practices, he notes, create budgets based on "their own internal time and energy plus their own 500-dollar compliance program." On technical issues, Sarraille explains many practices choose billing companies to enter all of their standard electronic transactions for them.

One of the most crucial aspects of any budget, and an element that the Department of Health and Human Services did provide at least some guidance on, concerns the physical restructuring of one's workplace. Brian Gradle of the DC office of Epstein Becker & Green explains that HHS' July 2001 guidance on the issue of physical modifications was "relatively reassuring." And even more importantly, some modifications might not cost a dime.

"If you're a doctor's office, hospital, or other provider, you're not going to have to create separate rooms for patient counseling," Gradle tells Eli. Physical restructuring is not required, he says, as long as "reasonable steps are taken to prevent inadvertent disclosures" of protected health information.

Gradle cites pharmacy areas as an example. He says facilities containing areas where drugs are dispensed also counsel patients at their counter. A simple remedy that may be applied to prevent the inadvertent disclosure of PHI may involve simply moving the cash register away from the area in which patients are counseled. "And taking [the register] away from where there's going to be patient counseling or where people might come up to look at over-the-counter medications" means a CE is taking "reasonable precautions" to obviate potential eavesdropping.

Privacy Officers Need Help

But no matter what the extent of one's practice, privacy officers represent the essential players in creating and implementing the specific requirements of a budget proposal. Many CEs are putting together teams in order to come up with a plan that ties together all the multi-faceted aspects of compliance with HIPAA.

Gradle says the privacy officer, as well as another member from the Human Resources department and yet another representative from the Internet Technology group, commonly spearhead a compliance team's budgetary proposals. That group must "come together and take a look at how protected health information comes into the organization, who looks at it, for what reason, how it flows" and where it ends up.

Ultimately, though, privacy officers must start with a gap analysis and proceed from there. Determining a budget depends on a CE's specific size and circumstances. And as Sarraille notes, "any [dollar figure] would be useless" without first assessing the gap analysis of one's organization.