Health Information Compliance Alert

Policy:

Prepare Your Policies For a New Generation of Health Info Regulations

Your state's health information policies may have changed already

The last thing you need is to be hit with a slew of new health information regulations that eat into your time and your compliance budget.

Legislators at the state and federal levels are working overtime to pass bills that go above and beyond your current privacy and security rule compliance mandates in an effort to crack down on identity theft and further President Bush's goal of electronic medical records (EMRs) for every U.S. citizen.

Good news: The proposed federal regulations build on what HIPAA laid out for compliance, notes Sue Miller, a HIPAA and health care consultant in Concord, MA. And many pending and approved state statutes will strengthen HIPAA's reporting requirements.

Bad news: If passed, these bills could radically change your entire compliance structure. For example, the 21st Century Health Information Act, introduced May 11 by Reps. Tim Murphy (R-PA) and Patrick Kennedy (D-RI), carves out Stark rule exceptions to help hospitals fund private payers' improved technology efforts. It would also require the compliance of health care providers not currently covered by the HIPAA regulation, asserts Barry Herrin, an attorney with Smith Moore in Atlanta.

And new state statutes such as Arizona's identity theft bill require health care entities to report any breach of patients' personal information to the patient, whether or not the provider's mitigation process eliminated any risk of personal harm.

Interesting: "Each of these efforts defines 'personal information' differently," points out Frank Ruelas, compliance officer for Sacaton, AZ's Gila River Health Care Corporation. Four identifiers appear in each bill: Social Security and driver's license numbers, date of birth and mother's maiden name.

"None of these bills add medical information to the list," Ruelas says. That could lead to major problems down the road when patients are informed that their Social Security numbers were compromised, but are not informed of other inappropriate disclosures that fall outside the statutory definition, such as their names and addresses.

"Compliance officers are going to need a new process to respond to public demands for more information about possible ID theft," Ruelas predicts. And that will include in-depth discussions with patients about the differences between ID theft and medical information theft.

These bills all have the underlying purpose of paving the way to electronic data sharing, experts note. HIPAA mandated that each individual provider or entity comply with the privacy and security rules. Legislation like the Murphy-Kennedy bill expands upon that individual approach to create a collective effort.

Think of it this way: HIPAA was a one-on-one compliance plan that pushed each entity to get its house in order. Now, these bills are coming in to make it possible for each house to work together. Ideally, a house in Small Town USA should be able to communicate and share information securely with another house in Small Town USA or one across the country.

THE BOTTOM LINE

"We're seeing all the different health care regulations come together in these bills" for the purpose of refining our industry's practices and meeting the goal of interoperable health networks, Miller says.

Editor's note: You can find more information about current and pending state statutes on the National Conference of State Legislatures' Web site (www.ncsl.org/programs/lis/CIP/priv/breach.htm). You can access information on the Murphy-Kennedy bill, including a summary of the bill, at www.patrickkennedy.house.gov.

Stay tuned to future issues of Health Information Compliance Alert for further information on these bills, and their potential effect on your organization, as they develop.