Apocalypse Not:
Prepared by: Ron Collins and Edward Fensholt
Palmer & Cay Consulting Group
Atlanta, GA
The battle for HIPAA privacy compliance is in full swing on two principal fronts: health care providers (hospitals, physician groups, etc.) on one, health care plans on the other. And while HIPAA is posing its unique kind of hell on providers, savvy health plan sponsors are finding that HIPAA compliance is not the apocalypse that doomsayers projected.
HIPAA privacy compliance for most plans is not complicated, nor need it be expensive. In fact, while installing a HIPAA compliance scheme might seem tedious, the routine administration of the policy should be relatively pain-free. Here are some of the key lessons learned to date:
Keep it Simple.
Military planners live by the mantra “KISS,” an acronym for “keep it simple, stupid.” The acronym reflects a fundamental principle: the more complicated the plan, the more likely it is to unravel. “KISS” is the order of the day. Not only are there very practical, cost-efficient approaches to HIPAA compliance; the federal regulators have expressly endorsed these practical approaches. Here are several situations in which simplicity rules:
The “Gap Analysis.” All employers with whom we’ve worked share common traits: they all receive substantial private health information about employees and they all attempt, with varying degrees of diligence, to keep the information confidential. As such they’re already nine-tenths of the way to HIPAA privacy compliance. Further, there’s rarely a need to spend $10,000 or more (we’ve seen some proposals for $25,000 and up) on an extensive “gap analysis,” the consulting industry’s term for the comparison - the “gap” - between a plan sponsor’s existing procedures, and what HIPAA requires. Most plan sponsors, with modest guidance, can readily perform this “gap analysis” themselves, at their own pace, and for a fraction of the cost they would otherwise pay a consultant.
Practical, Reasonable Firewalls. The thrust of the HIPAA scheme is a concept of “firewalls,” that is, separating protected health information from individuals who have no need to see it. Federal guidance regarding these “firewalls” has one fundamental theme: reasonableness. The government expects plan sponsors to make reasonable efforts to install these barriers. The guidance further suggests that reasonableness is a sliding scale. In other words, a plan sponsor - when considering how to install a particular firewall - is permitted to balance the risks and dangers of inappropriate disclosure of private information against the burden of installing the firewall, including the cost.
Consequently, the doomsayers’ admonitions that health plan personnel must be moved to a separate floor, or to their own building, or into a bunker somewhere, are malarkey. Similarly, the admonition that it’s illegal per se to hold a conversation about private health information in a cubicle is bogus. The key is reasonableness.
Practical Training Scenarios. Early HIPAA seminars often left their audiences more confused than when they arrived, because the seminars simply reiterated what the regulations say, and did not attempt to explain what the regulations really mean to the day-to-day duties of health plan personnel. HIPAA requires training of plan personnel regarding their HIPAA obligations. But if the employees leave the training session more confused than when they arrived, you’ve failed the “KISS” test.
There are probably fewer than a dozen routine situations in which benefits personnel are asked to deal with or disclose health information protected by HIPAA. Consequently, when a plan sponsor conducts its mandatory HIPAA training of these employees, it should focus not on a description of the regulatory scheme, but rather on these routine situations. Tell the employees: “Here’s a common situation you may encounter. And here’s what you do…”
A Detailed, Yet Simple Privacy Policy and Procedure. Health plans subject to HIPAA are required to have a HIPAA privacy policy. What does that policy look like? What does it do?
A plan’s privacy policy should accomplish two objectives. It should be very detailed regarding what the privacy rules require. But it should be vague regarding how to do what the rules require.
The policy should be detailed enough to tell the benefits personnel - in plain English - what the rules require of them in given situations. Accordingly, a four-page, or ten-page, or even forty-page policy is likely inadequate. When the plan receives a subpoena for release of private health information, or a request from an employee for private health information about his daughter’s medical care, the policy should be sufficiently detailed to describe what the rules require of plan personnel. Anything less is not meaningful.
But the policy should be vague in describing how to do what the rules require. For example, the policy might require the plan to contact an individual about a privacy matter. If the regulations don’t specify how that contact must occur, it’s often best if the policy is similarly vague. Give the plan personnel some discretion. The moment a policy becomes specific regarding how something is to be done you’ve established a standard, and begun to build a needlessly cumbersome and complicated scheme. And that’s the “KISS” of death.
“Kill them all; let God sort it out.”
This line from a Hollywood war movie, while outrageous, illustrates an important and very pragmatic aspect of the HIPAA privacy scheme.
The federal regulators attached HIPAA’s protections to health information only as it moved in and out of various entities, such as providers and health plans. That’s a rather straightforward concept for providers because they have locations, they have buildings. But health plans are amorphous. They exist on some level at the employer (where employees conduct enrollments, provide information, lend assistance with claim problems, pay premiums, etc.). They also exist at the TPA or insurance company. The regulators at the Department of Health and Human Services (HHS) simply didn’t make clear where (particularly at the employer’s end) “the plan” starts and stops.
Our clients considered these vagaries and reached a very practical conclusion: “Protect it all; let HHS sort it out.” In other words, they will not attempt to train their employees to make educated guesses about whether HIPAA applies to particular health information in the employer’s possession. Rather, they’ll treat it all as protected. They find this approach more practical and prudent than giving employees a cumbersome analytical scheme for determining whether HIPAA applies in a given situation. So while the employers provide some information with more protection than is required, they avoid confusing their plan personnel. This is classic adherence to the “KISS” concept.
Attack on a Broad Front
The HIPAA privacy rules allow a plan sponsor to designate all its plans subject to HIPAA as a single plan, for HIPAA privacy compliance purposes. In almost all cases this makes great sense. Aggregate all the sponsor’s plans for compliance purposes, even if some plans have a later compliance date. The plans will then have a single, comprehensive privacy policy and procedure, a single privacy official designation, and often even a comprehensive privacy notice.
Don’t Sweat the A-Bomb From the Government or Employees
Most early HIPAA seminars opened with an explanation of HIPAA’s penalty scheme (the scheme authorizes sizeable monetary penalties, and even jail time for deliberate, egregious violations). The tactic likely was designed to grab the attention of those in attendance, but in most cases served merely to frighten.
The reality is that employees cannot sue a plan or plan sponsor under HIPAA. HIPAA confers no individual “cause of action” under the law. Enforcement of the HIPAA privacy scheme is vested solely in HHS’s Office of Civil Rights. While some lawyers have argued that state courts might begin to borrow the HIPAA scheme as the state law “standard of care” in lawsuits that employees might bring, we think this scenario - if it occurs at all - will evolve only over many years.
HHS, for its part, has said publicly that at least early on its focus on audit will be to identify compliance problems and to help covered entities (providers and plans) come into compliance.
And for several reasons we think HHS’s audit initiatives are more likely to focus on providers than employer-sponsored plans, particularly self-insured plans.
Don’t Worry. Be Happy.
Perhaps we should not be quite so glib. But we think most health plan sponsors, if they do just a little homework, and assess their true needs, will find that HIPAA privacy compliance for their plans can be had practically, efficiently, and cost-effectively, and without the bloodshed they may have been led to believe is inevitable.