HIPAA Regulations Make Extra Steps
A husband and wife aren’t allowed to look at each other’s medical and insurance records unless they sign a consent form. That’s just one of the regulations put into place by the Health Insurance Portability and Accountability Act of 1996.
Designed to make health insurance more affordable and accessible, the U.S. Department of Health and Human Services estimated in 2000 that HIPAA would save the health care industry $29.9 billion over 10 years.
The regulations have already cost Collier Drug Stores’ main pharmacy in Fayetteville an additional $10,000 to print informational pamphlets to distribute to customers, said Mel Collier, operations manager.
Pharmacists at the Collier’s at 100 W. Dickson St. fill an average of 350 prescriptions per day, Collier said. Each customer has had to sign a privacy agreement since the regulations went into effect for Collier Drug Stores in April 2003.
HIPAA privacy regulations for most health insurers — such as pharmacies, doctor and other health care providers — went into effect on April 14, 2003. For small group health providers with less than $5 million in annual receipts, the regulations went into effect April 14, 2004.
Collier said the company’s pamphlets might go into more detail than others, but Collier’s wants customers to understand why they are having them sign a form.
The regulations require a new set of standards for health plans, health care clearinghouses, and health care providers that conduct certain financial and administrative transactions electronically.
“Primarily, it means if you are a large employer that has a self-funded insurance plan, meaning they are paying the claims themselves, that means the employer has to take additional steps to ensure the privacy of employees,” said Leah Dalton, vice president of The Hatcher Agency in Little Rock.
Hatcher has about 450 group clients that are affected by the 2004 compliance deadline, Dalton said.
“It has created an extra step for us,” Dalton said. “When an employer or employee calls and asks us to check on a claim for customer service, any time they do, then we have to get authorization from them.”
That’s why a husband has to have consent to find out about his wife’s health plan.
Small group health providers have to assign a privacy officer within the company who will handle the private employee information. In addition, they are required to send out privacy notices, to any business associates they work with on the business plan, Dalton said. A drug card vendor, for instance, might be contacted because the employer has to work directly to contract with them, she said.
“You have to have an agreement called a ‘business associate agreement,’ that you as the employer sign and the business associate signs, as to who handles the protected health information,” Dalton said.
The protected health information includes any medical conditions an employee might have, Dalton said. Under the provisions, a provider cannot release the employee’s personal health information without written consent.
Greg Murry, assistant superintendent for business affairs for the Springdale School District, said just one person handles the medical benefits information for the 1,000-plus employees of the district.
“We had to determine who in our office could and could not speak,” Murry said.
Although they had to send out notices to each employee about the new privacy requirements, the regulations did not create a tangible additional expense, Murry said.
For the larger corporations, Dalton said, the regulations probably do create an expense, because human resources employees have to be trained and the information has to be sent.
Federal Criminal HIPAA Penalties
• Knowingly and improperly disclosing information — up to $50,000 fine and one year in prison.
• Obtaining information under false pretenses — up to $100,000 fine and five years in prison.
• Obtaining information with intent to sell, transfer or use for commercial advantage — up to $250,000 fine and 10 years in prison.
Source: U.S. Department of Health and Human Services