What is the main purpose of the Health Insurance Portability and Accountability Act (HIPAA)?

From the Office of HIPAA Compliance, Baylor University Medical Center, Dallas, Texas.

Donna Bowers

The Health Insurance Portability and Accountability Act (HIPAA) was developed in 1996 and became part of the Social Security Act. The primary purpose of the HIPAA rules is to protect health care coverage for individuals who lose or change their jobs. However, HIPAA also includes Title II, better known as the Administrative Simplification Act. Title II requires the health care industry to become more efficient by encouraging the use of electronic media for transmission of certain patient administrative data. To make the public feel more secure with electronic transmission of data, the government developed privacy and security rules to complement the transaction rules.

HIPAA rules on electronic transactions, code sets, and privacy have been finalized; dates of finalization vary depending on the individual rules. While details of the rules may be modified, their essence and breadth will live indefinitely. It took Congress numerous attempts over a decade to get these regulations in place. Congress is not going to back down now. The country is still waiting on the final HIPAA rules related to national identifiers and security.

To respond to HIPAA, physicians and hospitals need to review operational processes related to location of medical records, access to medical records, access to databases that house protected health information, and disclosures. They need to revise authorizations for release of information and create new documents, such as a notice to the patients regarding the use of their protected health information.

In addition, the more automated the hospital or practice is, the greater its need to evaluate the security of the network infrastructure. Code sets and electronic transfer of data for transactions also need to be evaluated. Billing applications will be affected the most. If physicians or hospitals outsource billing, they must ensure that the billing company is compliant. Legal obligations cannot be outsourced under the HIPAA rules.

When all the commotion and fear related to HIPAA begin to subside, patients, health plans, health care providers, and health care organizations will recognize that HIPAA regulations benefit them. Who can argue against the benefits of reducing paper in health care? Who can argue against the benefits of standardizing data, especially for the coordination of insurance benefits and payments? Who can argue against doing away with health plan–specific reporting and filing requirements for hospitals and health care providers? Who can argue against the need to maintain patients' personal health information in a secure and confidential manner? No one! These are all positive developments for the health care industry.

Had the parties involved in the health care industry collaborated years ago to standardize data, HIPAA as we know it would not exist. There would have been no need for it. The federal government came to the rescue only because the health care industry failed to work toward this goal. The government believes that by encouraging electronic transactions as the primary means to conduct business, the cost of health care will decrease significantly and efficiencies will be gained.

The health care industry initially rebelled against the HIPAA rules. Health care providers, health care organizations, and, to some extent, health plans thought of the proposed HIPAA rules as just another federal mandate that would cost the industry billions of dollars to implement and monitor. Major funding went into lobbying efforts to kill such legislation. The attempts failed. Just think, where did all the lobbying money come from? Could that money have been used in a better way? Could the money have been used for compliance with the HIPAA rules?

The real thorn in the side of the health care industry is not the regulations themselves but the timing of the regulations. They are coming at a time when health care providers and organizations are experiencing deep reductions in reimbursement due to the Balanced Budget Act. To add insult to injury, the health care industry was hit with yet another federal mandate—the Outpatient Payment System—causing even more reductions in revenue and reimbursement. Survival was top priority.

Just as health care providers and organizations began to breathe easier and realize that they would be able to survive financially if they looked for ways to reduce expenses, the HIPAA rules were introduced. All anyone could see were the costs associated with developing, implementing, and monitoring compliance associated with these new rules. More money would be needed, and it wouldn't be going to direct patient care. The health care industry has started wondering when patient care can become the primary focus rather than all the bureaucracy that goes with providing health care.

One component of the HIPAA regulations in particular promotes contention in the health care industry: the rule addressing privacy. There aren't too many negative feelings about standardization of data or security. People may feel more comfortable with the latter 2 components because they are related to technology, and the “technical” professionals will handle compliance. In some simple way, this may be correct. However, in the long run, these 2 rules will have an impact on several groups of people and applications within organizations.

The privacy component, on the other hand, impacts everyone in the health care industry at all levels. Health care providers believe that the privacy rules will impede their ability to treat patients. Health care organizations are worried about their ability to comply since the rules are quite complicated.

Most organizations will experience some change in operations when they comply with the HIPAA privacy regulations. However, if protected health information is needed for treatment, a physician's ability to obtain the data shouldn't be hampered too much. What does go away with the HIPAA rules is open access to protected health information. This is a good change. Over the years, the health care industry has become very willing to share protected health information. In addition, state laws were either silent regarding this area or were overly broad and gave too many people the right to access protected health information. HIPAA reins in the boundaries and finally gives our patients assurance that their private health information will be provided only when there is a legitimate clinical or business need to know. Our patients will also have a better understanding of the various uses of their health data.

So, are the worries legitimate? It depends on the organization and its previous stance on patient confidentiality. If an organization allowed open access, it will feel the impact of the rules more.

The Baylor Health Care System is well on its way to complying with the HIPAA rules. The Office of HIPAA Compliance was established in early 2001. A director was hired to direct and coordinate compliance efforts. The administration has been very supportive and has allocated the necessary resources. The compliance program will cover all the entities that make up the Baylor Health Care System, including the HealthTexas Provider Network.

A system-wide HIPAA task force has been formed to work with the Office of HIPAA Compliance. The task force will assess various areas of the system and determine if any gaps exist between current practices and the HIPAA requirements. Action plans will be developed to ensure compliance based on the assessments and gap analyses.

Education is a critical element of compliance. The boards of trustees of all the Baylor entities, as well as most of the executive leadership teams, have been educated regarding HIPAA. Even the medical staffs within several Baylor organizations have been apprised of the HIPAA rules. By the end of 2001, education will begin at the department levels. But this will just be a start. Education will be ongoing. To help physicians comply with HIPAA, the Office of HIPAA Compliance will offer educational programs, as well as resources such as forms and language for contracts. Everyone is in this together. Everyone will work together toward compliance.

There is a great deal of work to be done by February 26, 2003—the date compliance is required. Policies and procedures will be developed and revised; new technology will be implemented and tested. Baylor is probably ahead of most organizations with regard to HIPAA compliance. Many other organizations are still trying to figure out where to start. Because HIPAA affects every person within the health care organization or physician practice, it can be overwhelming. The best way to begin is to read and understand the rules and break them down into smaller projects. That is what Baylor's Office of HIPAA Compliance has done thus far, and it is working well.

The HIPAA rules are here to stay. The health care industry should be working towards compliance. Rather than focusing on the negative issues related to the HIPAA rules, everyone is encouraged to consider the benefits. Furthermore, our patients can receive care and know that their protected health information will be used for the purpose for which it was intended.

The need for compliance is forthcoming. In <16 months, organizations must be compliant. Keep it simple and always remember the patient.