"HIPAA compliance" is a phrase that is just now beginning to become a part of our health-care lexicon. It is likely new enough that some may not have yet heard it, or those who have heard it may not know what it means. Most health-care professionals who have heard a definition are not yet aware of its implications for them. So let's start with the basics.
What HIPAA is
The Health Insurance Portability and Accountability Act of 1996, or HIPAA, was a law sponsored by Sens. Ted Kennedy (DMass.) and Nancy Kassebaum (RKan.) that primarily extended the portability of employer-paid health insurance, restricted the use of pre-existing conditions and created a relatively small demonstration project to test the effectiveness of medical savings accounts. In addition, a lesser-known part of the law--a subtitle of the law termed Administrative Simplification--directed the secretary of Health and Human Services (HHS) to begin the process of adopting standards for electronically transmitting health information, securing that information and protecting the privacy of individuals to whom that information refers. The HIPAA rules are intended, when complete, to create a uniform set of standards for electronic data transmission that enable any entity to electronically communicate with any other entity in the health-care system regarding patient information. More to the point, it is hoped that when, for example, any third-party payer is able to receive and process a single uniform electronic claim submission, increasing administrative efficiency in the health-care system will begin to pay dividends in decreasing health-care costs.
Yet, the rules to implement the Administrative Simplification provisions of HIPAA are anything but simple, and the process of "simplifying" health-care transactions is far from settled. Little has yet been completed by way of rulemaking to accomplish HHS's goals. The only rules completed so far are those establishing the standards for the administrative transactions themselves, such as third-party claims processes. Neither the privacy nor security rules have yet been completed. But the first set of rules that have been promulgated foreshadow the intensive response that will be required by the entire health-care industry to come into compliance when all of the rules are completed, that is, for parties in the health-care system to become HIPAA-compliant.
Health plans, insurance companies and other payers will need to modify their systems in order to receive the standardized electronic transactions. The provider community, including psychologists, will be required to use the standardized transactions only when electronic claims are submitted--right now a voluntary process for the most part. It is anticipated, however, that over time, more and more payers will move to an electronic claims process. Eventually, providers will have little choice but to use electronic claims and the standardized transactions if they wish to participate in the third-party payment process.
The ability to successfully use such electronic data transmission will, of course, depend on the ability to have adequate security and privacy protections. Security rules have not yet been issued, even in proposed form. Privacy rules are much farther along. In December, the Clinton administration published final regulations on medical records privacy as required by HIPAA. The rule effectively distinguishes psychotherapy notes from other types of medical records and requires separate, specific and additional patient authorization for their release to insurers and managed-care companies. Importantly, the privacy rule prohibits an insurer or managed-care company from conditioning its coverage on a patient's authorization for disclosure of the separately protected psychotherapy notes. As a practical matter, then, only basic information, such as diagnosis, prognosis and treatment plan, is likely to be able to be shared with payers.
Although the privacy rule was issued as a final rule by the Clinton administration, current HHS Secretary Tommy Thompson has since re-opened the rule for another round of comments from the health-care community. APA's Practice Directorate is again providing comments to HHS in an effort to see that protections that have been included are retained, and to push for additional protections. One consequence of reopening the rule is that it is presently even more difficult to know just what it will take for the practice community to be HIPAA-compliant when all is said and done. We will continue monitoring the development of these HIPAA rules and as they begin to take shape in the coming months, we will be working to increase awareness and educate the practice community about what HIPAA requires.