National Hotline Services, Inc.
http://www.hotlines.com
HIPAA AND HOTLINES
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains specific provisions intended to ensure the privacy and security of electronic patient information. As more and more health care information is transferred and stored electronically, these provisions will have a direct impact on existing corporate compliance programs, including hotline operations. This brief overview of HIPAA provisions includes suggestions for meeting the HIPAA challenges associated with hotline operations.
Background on HIPAA
HIPAA requirements apply to health care providers, plans, and clearinghouses that store and/or transmit individually identifiable information on electronic media. These requirements affect virtually all organizations in the health care industry, from physicians and insurance companies to health care support organizations. A crucial section of HIPAA, the Administrative Simplification standards, is intended to reduce costs and administrative burden by standardizing the electronic transmission of many administrative and financial transactions, which are currently carried out on paper. Administrative Simplification includes sub-sections on the privacy and security of patient data. The provisions mandate standards for physical and technical storage & maintenance, transmission, and access to individual health information. Compliance with these provisions will be required within the next three to four years, and those entities not in compliance will face stiff civil and criminal penalties.
When regulations implementing HIPAA are finalized, health care providers will be able to submit to any health plan a standard transaction for eligibility, authorization, referral, and claims. The receiving health plan must accept and process the standardized transaction. This will "simplify" many clinical, billing, and other financial and administrative applications. Health plans will be able to send standardized transactions to a health care provider for benefit coverage, authorization/certification, and remittance advice.
The basic intent of the privacy and security standards is to protect the confidentiality of individually identifiable health information. Security measures are to be maintained at a minimal and acceptable level when exchanging individual health information. The proposed rule addresses the specific operational and administrative policies and procedures that must be implemented. For example, organizations must employ a process (e.g. a hotline) by which both employees and patients may file complaints regarding potential violations of privacy and security, similar to the expectations of a compliance program.
HIPAA Complaint Reporting and Resolution Processes
The proposed HIPAA regulations address security violations and improper disclosures of individual health information by employees, patients, or others in whistleblower cases as a matter of public policy. To ensure that information regarding noncompliance comes to light for investigation and remedy, HIPAA contains reporting provisions that allow individuals to file complaints directly with the federal government. HIPAA violations are to be enforced administratively. Private lawsuits may be employed, and noncompliance with the HIPAA requirements may be deemed to be evidence of negligence. Under HIPAA, individuals are afforded a number of basic rights with respect to their protected information, including the right to make complaints.
Organizations will be required to provide an internal process whereby individuals may make complaints concerning noncompliance. Since patients are among those with a right to file complaints directly with the federal government, it is highly advisable for an organization to develop an internal reporting process to provide the opportunity to first address the issues in-house. Organizations are also encouraged under HIPAA to use internal means, such as a compliance hotline, to head off outside reporting by employees and others of security or privacy violations. The hotline-related activities called for by HIPAA include:
1. Developing a mechanism for reporting and responding to system emergencies.
2. Developing processes/mechanisms for investigation of privacy and security violations.
3. Integrating employee reporting of HIPAA violations through existing compliance channels.
4. Developing a reporting mechanism to channel patient complaints internally.
It would make sense to expand current hotline functions, policies, and procedures to incorporate these new HIPAA requirements, rather than creating a new and separate method for receiving complaints and allegations of HIPAA violations. However, it is one thing to have employees who desire to report a HIPAA violation use the existing compliance hotline, but quite another to give patients access to the existing employee compliance hotline. It is unusual for a health care entity to have both employees and patients using the same hotline. For those who entertain patient calls, it is usually on a separate hotline. Additionally, it is not feasible to limit patients to calling only about HIPAA violations once they know of a hotline they can use for reporting potential compliance violations. It should be expected that they would use the same hotline for any complaint they may have. For most organizations that invite patient feedback through a hotline, it would be preferable to have a separate line for patient use and not use the employee compliance hotline.
Both employees and patients should be notified that the hotline, or other designated channel, is available in the event that a request is made to file a complaint about possible violations of privacy and security. Just as employees are trained regarding the proper use of the hotline as part of the corporate compliance program, they should also be trained concerning the use of the hotline for reporting violations of the organization’s policies or procedures on privacy and security.