Originally Published MX January/February 2003

Business Planning & Technology Development

A Risk Management Approach to HIPAA Remediation

With a series of orderly steps, medical technology organizations can accomplish the tasks needed to bring them into HIPAA compliance on time.

by Patrick Quirk

Like other components of the healthcare sector, many medical technology companies recognize that their operations are being affected by implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). However, acknowledgement of the importance of HIPAA has emerged among companies only gradually, and few medtech executives are comfortable that they fully understand what changes will be required for their organizations to comply with this regulation.1 

If they have not already done so, now is the time for medtech executives to get a handle on the ways that HIPAA and its regulations affect their organizations, and on what measures they must undertake to bring their organizations into compliance. 

This article focuses on how the privacy components of HIPAA affect medical technology manufacturers, with special attention to the ways that noncompliance can be avoided in certain key company operations. It proposes an orderly method for identifying the risks of noncompliance associated with the HIPAA privacy regulations, and a structured risk management approach for prioritizing the actions that companies should take to manage those risks. 

A HIPAA Primer

HIPAA must be counted among the more Byzantine pieces of legislation ever drafted. Together with its preambles, comments, and responses, the act as a whole occupies more than a thousand pages. And although the initial legislation was enacted in 1996, many of the act’s implementing regulations are either not yet in effect or are still in preparation. 

The HIPAA legislation incorporates a variety of components, each affecting healthcare entities differently. Because medical technology organizations may be affected both directly and indirectly by this legislation, it is important for the leaders of such companies to understand the different provisions of the law and the deadlines associated with each provision. There are four main provisions to HIPAA, as follows.

• Insurance Reform. Title I of HIPAA was written to protect health insurance coverage for workers and their families when they change or lose their jobs. Implemented in July 1997, this is the only provision of HIPAA that is fully in force.2
• Administrative Simplification. This provision calls for the U.S. Department of Health and Human Services (DHHS) to establish national standards for electronic healthcare transactions and to create a system of identifiers for providers, health plans, and employers.3 The provision is intended to improve the efficiency and effectiveness of the nation’s healthcare system by encouraging electronic data interchange in the healthcare sector.
• Privacy Standards. Together with the increased use of computerized medical administration comes the potential for patients’ protected health information (PHI) to be widely distributed—whether accidentally or maliciously—with a simple click of the mouse. The HIPAA privacy regulations are designed to ensure that such PHI is accessible only to those who need to see it and have the patient’s permission to do so.4
• Security Standards. The HIPAA security standards are intended to ensure that computer systems and related procedures are in place to minimize the risk that a patient’s PHI might be accessed via dubious means (e.g., by hackers) or lost as a result of inadequate data-protection methodologies.5

Figure 1. Summary of upcoming deadlines for the HIPAA transaction and code set, privacy, and security standards.

Implementation of these key provisions is being carried out according to a schedule established in the legislation. As a result, the deadlines for compliance vary according to the provision in question, and sometimes also according to the entity in question (see Figure 1). 

With regard to the privacy provision, for instance, most covered entities must be in compliance with the HIPAA privacy regulations by April 14, 2003. However, entities that qualify under the act’s definition of a small health plan have until April 14, 2004, to come into compliance. The latter date also applies to contracts between covered entities and their business partners that fall within HIPAA’s definition of a business associate. By April 14, 2004, covered entities are required to have HIPAA-compliant agreements with all business associates that have access to patient PHI. In many instances, medical technology companies will be considered business associates. 

With regard to the administrative simplification provision, all covered entities must be compliant with the transaction and code set standards no later than October 2003. As this is an extended deadline, however, entities should have already submitted a form indicating their desire for such an extension. 

At the time of this writing, publication of the final HIPAA security regulations is well overdue. After the regulations are released—the planned publication at the end of December 2002 did not take place—there will be a scheduled period of 26 months for comment and implementation.

Table I. The small- and microcap device companies studied for this article, selected from the cardiovascular sector list in the database of publicly traded medical technology companies maintained by SG Cowen Securities Corp. (New York City).

The Status of HIPAA Entities 

Depending on the status of the organization pursuing compliance, the requirements outlined in the HIPAA privacy regulations may be applied very differently. The reality is that a single organization can have multiple statuses, as determined by the functions it performs. 

Unfortunately for the medical technology industry, companies that perform clinical research and sell medical products to healthcare organizations tend to have the most complicated combination of statuses. Table I summarizes HIPAA’s definition of each entity status and maps the typical functions of a medical technology company to each such status. 

Insofar as HIPAA compliance is concerned, covered entities are directly regulated by DHHS. Such entities are responsible for securing agreements with their business associates if such associates have access to PHI in the course of supporting the operations of the covered entity.

Hybrid entities are those in which a portion of the organization operates as a covered entity, while certain other departments or divisions perform business-associate activities for the same organization. In such cases, the portion of the business that is acting as a covered entity is directly regulated by DHHS and is subject to the same HIPAA requirements as a covered entity. However, the departments or divisions that are acting as business associates are not regulated as though they were separate businesses. When a company’s information technology or finance departments support the operations of its employee health service, for instance, the covered entity component of the operation is not required to enter into business associate agreements with the supporting departments. However, hybrid entities are required to enter into business associate agreements with external organizations supporting their operation if those organizations have access to PHI.

Business associates are not directly regulated by DHHS. However, the agreements that covered entities are expected to use with their business associates include terms that are essentially the same as if the business associate were a covered entity. This makes sense, since a covered entity that contracts with a business associate is liable for the actions of that associate relative to the use and disclosure of PHI. 

Researchers are also not directly regulated by DHHS. The relationship between researchers and covered entities is similar to that between business associates and covered entities. It is the responsibility of the covered entity to secure appropriate authorizations so that it can release patients’ PHI to researchers. Each such authorization constitutes a direct agreement between the individual patient and the research organization, and each agreement specifically limits what the research organization is permitted to do—or restricted from doing—with its data.

Patient authorizations may stipulate limitations on the use of the data to specific research studies or types of research. Unless the researcher and covered entity are careful about the form of their authorizations, the resulting agreements could in theory vary widely from patient to patient. The easiest way to ensure that this does not occur is to mandate the use of a standardized authorization form that calls for all information to be available for all research conducted by the entity. The potential downside to this approach is that some research subjects who are uncomfortable with such a blanket authorization might decline to participate. 

Even if a research organization were able to enforce such uniformity in its authorizations—often across many research subjects and studies—research subjects always have the right to revoke their authorizations. In such cases, the research organization is obligated to prevent the PHI collected up to that point from being used for any purposes beyond those needed to maintain the integrity of the original research study.


HIPAA’s Impact on Medical Technology Companies

The activities associated with bringing a medical technology entity into compliance with the requirements of the HIPAA privacy regulations can be divided into four operational functions and two information technology functions. Although these functions overlap with one another and are to some extent interdependent, each requires different skills and can be managed as a discrete initiative. One requirement is constant across all of the functions: the need to educate employees about the HIPAA privacy regulation so that they can make appropriate judgments about how it will affect their ongoing decisions (see Figure 2). The specific actions that should be addressed for each of the four operational functions are discussed in more detail below. 

Employee Retirement Income Security Act (ERISA) Health Plan Operations. The first priority for a company’s health plan administrators is to map the current flow of PHI across all parties that have access to such information. This critical step should enable plan administrators to understand the relationships between the plan and its vendors, the flow of data among plan-related organizations, and the needs of the people who currently access the data. 

Once the map of current PHI flow is complete, administrators of the plan should consider whether it is necessary or desirable to change the flow of data. When a final data flow model has been agreed upon, plan administrators will be in a position to define the appropriate access rights of individuals, based on their roles. The flow map will also help administrators to determine which vendors the plan will need to negotiate business associate agreements with.

Additionally, health plans often maintain documents that allow the administrator to release data to the sponsor. Such documents may need to be updated in order to ensure HIPAA compliance.

Employer Health Services. Medtech manufacturers sometimes offer an on-site health service to their employees. Under the terms of HIPAA, that function is considered a covered entity. As such, the health service operation may need to enter into business associate agreements with any external organizations supporting that component of its operation. 

A greater challenge is the need to determine what information maintained by the health service is subject to HIPAA privacy requirements and what can be excluded. Once such information has been classified, the health service operation will need to have policies and procedures in place to ensure that employees’ PHI remains separate from employment-related health information.

Business Associate Agreements. There are basically two approaches that medtech manufacturers can adopt in order to develop business associate contracts with healthcare providers. One approach is for medtech executives to wait until their customers approach them with a contract, and then simply respond to their proposals. A second is for the leaders of the medical technology firm to identify those customers for which business associate agreements are likely to be required, and then to approach them with a standard contract.

Although the first approach may require less management, it also limits the degree of control over the process that the medical technology organization can exercise. Both approaches will require a full understanding of the typical terms of business associate agreements, some level of negotiation, and a process for the ongoing management of the agreements. 

Medtech executives should be aware that the compliance deadline for new business associate relationships is April 2003. However, covered entities have until April 2004 to renegotiate contracts with their existing vendors to ensure that they are in compliance with the HIPAA privacy standards.

Patient Authorizations. Patients who enroll in clinical trials are typically required to sign a variety of informed-consent and other release forms. To meet the new requirements of the HIPAA privacy regulations, sponsors of clinical trials will need to update all such forms in order to ensure that they are in compliance. Patients and other study subjects who signed their releases prior to implementation of the HIPAA privacy regulations will need to sign specific authorizations to permit the release of their PHI. 

Before finalizing its new forms or sending them to patients, the medical technology firm should decide whether it is willing to negotiate the terms of an authorization in order to enroll patients in its trial. As noted above, this is an important issue for sponsors of clinical studies, since blanket authorizations may discourage enrollment, while individually negotiated authorizations can create an unmanageable patchwork of restrictions on the use of study data. To resolve this dilemma, medtech manufacturers should closely coordinate their efforts with those of their contract research organizations (CROs) and principal investigators. 

Bringing each of these four operational functions into compliance with the HIPAA privacy regulations will most likely require changes in the policies and practices related to a company’s information technology functions. Depending on the needs of the organization, information technology changes may be required for one, two, or even all of the operational functions. Generally speaking, changes in information technology will fall into one of the following two functions. 

Limiting Data Use. Medical technology companies will need to understand in detail which of their computer systems contain any form of PHI, and exactly what PHI is contained in each. Once identified, such systems should be assessed to determine whether they truly require PHI in order to perform the operations allowed under HIPAA. If not, the system should not be permitted to collect PHI.

Often, it is not the manufacturer’s principal system that is at issue, but secondary systems such as data warehouses that receive data from the principal system. If such secondary systems should not have access to PHI, the manufacturer should eliminate data feeds from the principal system. If the secondary system requires access to PHI, it will likely need to be enabled for tiered levels of security access. 

Limiting Data Access. In addition to limiting which systems store or access PHI, the manufacturer’s information technology infrastructure must be able to ensure that only certain specified individuals within the organization can access the system. For most organizations, compliance with this aspect of the HIPAA privacy regulations will require a combination of firewalls, security upgrades, user definitions, and audit trail capabilities. 

Before this activity can be finalized, the organization will likely need to define which individuals should be assigned the different levels of security access. Accomplishing this part of the process may require the manufacturer to undertake a certain degree of process redefinition.

A Risk Management Approach to Privacy Compliance

Most medical technology companies will have a lot to do if they are to comply with the HIPAA privacy regulations within the required timeframe. Ignoring the HIPAA requirements is not an option—but tackling all of the gaps at once may be overwhelming. 

For medical technology executives, the most important question that needs to be answered is “What needs to be done first?” The interplay of the following three factors will drive the prioritization of a HIPAA compliance initiative.

• The likelihood of a problem occurring if action is not taken.
• The degree of impact on the medtech organization if it fails to act and a problem arises.
• The cost of closing the gaps.


Applying this model, each medical technology organization will have a different profile based on its organizational complexity, its involvement in the six functions described above, and the extent of the gaps associated with each of those functions. 

For example, a medtech company that needs to address compliance requirements for all four operational functions would almost certainly need to consider the compliance requirements for both information technology functions across multiple computer systems. To prioritize this company’s activities, its leaders would need to supply values for all three of the factors noted above, and do so for each of the six functions (see Figure 3).

Another medical technology company that only needed to address patient authorizations would probably still need to restrict the use of certain data and update access rights to such data. Compared with the likely costs for the first company, however, the costs for this company’s changes in information technology functions would be much lower, since the number of affected systems would be more limited.
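The three-factor prioritization described above, worked through as an added example that is not part of the original article. The article names the factors but gives no formula, so the scoring here (exposure = likelihood × impact, ranked by exposure per unit of remediation cost) and the 1–5 scale, the six gap values and the budget are all assumptions constructed for illustration.

```python
"""Added example (not from the article): a risk-ranking helper for the
article's three prioritization factors across its six compliance functions.

Assumed scoring: exposure = likelihood * impact; gaps are ordered by
exposure per unit cost, with raw exposure as the tie-break.
All values below are on a constructed 1-5 scale.
"""
from dataclasses import dataclass

# The six functions the article walks through.
FUNCTIONS = (
    "Business associate agreements", "ERISA health plan operations",
    "Patient authorizations", "Corporate health services",
    "Data use restrictions", "Role-based data access",
)

@dataclass(frozen=True)
class Gap:
    function: str
    likelihood: int   # 1-5: chance a problem occurs if nothing is done
    impact: int       # 1-5: consequence to the company if it does occur
    cost: int         # 1-5: relative cost of closing the gap

    def __post_init__(self):
        for name in ("likelihood", "impact", "cost"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be 1-5, got {value}")
        if self.function not in FUNCTIONS:
            raise ValueError(f"unknown function {self.function!r}")

    @property
    def exposure(self):
        return self.likelihood * self.impact

    @property
    def priority(self):
        # Assumed scoring: exposure reduced per unit of remediation spend.
        return self.exposure / self.cost

def prioritize(gaps):
    """Return the gaps ordered from 'do first' to 'do last'."""
    return sorted(gaps, key=lambda g: (g.priority, g.exposure), reverse=True)

def first_wave(gaps, budget):
    """Greedy selection of gaps to close within a cost budget, in priority order."""
    chosen, spent = [], 0
    for gap in prioritize(gaps):
        if spent + gap.cost <= budget:
            chosen.append(gap)
            spent += gap.cost
    return chosen

# Constructed profile: a trial sponsor that also sells to healthcare providers.
# These values are illustrative, not the article's.
PROFILE_A = [
    Gap("Business associate agreements", 5, 5, 2),
    Gap("ERISA health plan operations", 3, 2, 1),
    Gap("Patient authorizations", 4, 5, 2),
    Gap("Corporate health services", 2, 2, 1),
    Gap("Data use restrictions", 3, 4, 5),
    Gap("Role-based data access", 3, 4, 4),
]

if __name__ == "__main__":
    for gap in prioritize(PROFILE_A):
        print(f"{gap.priority:5.2f}  exposure={gap.exposure:2d}  {gap.function}")
    print("first wave within budget 5:",
          [g.function for g in first_wave(PROFILE_A, 5)])
```

With the constructed values, the two contract-driven gaps (business associate agreements and patient authorizations) rank first and the two information technology gaps last, because their exposure is similar but their remediation cost is much higher.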

The factors that drive the risk profile for each of the six functions in a medical technology organization are summarized below.

Business Associate Contracts. Covered entities in the health services sector have been acutely aware of HIPAA for several years. Most large organizations have initiated projects that include identifying and negotiating contracts with their business associates. 

If a medical technology organization is unable to reach an agreement with its business partners, there is a significant chance that it will lose revenue for its service contracts, or become a least-favored vendor for that healthcare provider. The good news is that DHHS has published a model business associate agreement that should make most agreements essentially the same across institutions, thereby streamlining the work involved in addressing this gap. 

ERISA Health Plan Operations. ERISA health plans are directly regulated by DHHS, placing them at high risk of being found noncompliant if no remediation activities have been undertaken. However, the vast majority of self-funded health plans outsource most of their operations to external third-party administrators or other vendors, making it likely that most of the operation is managed by organizations familiar with the HIPAA regulations. 

Given these realities, the cost of inaction for most health plans is limited to the cost of gathering all information associated with the company’s medical expenditures, plus the cost of fines by DHHS. The more active the medical technology organization is in the management of its health plan, the more work it can anticipate in order to become HIPAA compliant.

Patient Authorizations. Without patients, clinical trials will come to a halt. In most cases, the risk is not that patients will refuse to participate in a trial, but that the investigator will not allow the data to be transferred to the medical technology organization sponsoring the trial. The investigator is accountable for securing appropriate releases, but the medical technology organization needs the data. 

The key challenges for medtech companies are to ensure that there is as much consistency as possible across authorizations, and that there is a procedure for tracking patients who have revoked their authorizations. These are manageable tasks, but their complexity increases significantly if they are not managed consistently.

Corporate Health Services. The majority of employee health services support employment-based healthcare activities such as employee physicals and care for workplace injuries. Such services are not subject to the HIPAA privacy requirements.

Unfortunately, many corporate health services do not exclusively manage employment-related issues. Even if it is the primary objective of the service to handle only employment-related issues, these often intermingle with other medical conditions. The challenge for medtech companies is to discern which information is covered under HIPAA and which is excluded from the privacy regulations. 

Relatively speaking, the potential cost of inaction in this area is modest. Companies certainly run the risk of fines from DHHS, but these are small costs when compared with the potential costs of lost revenue or delayed clinical trials. 

Data Use Restrictions. Ultimately, the HIPAA privacy regulations are focused on information technology. It is one thing to sign business associate agreements, but another to comply with the terms of such agreements. Researchers may agree to limit the disclosure of clinical data after a patient revokes authorization, but actually accomplishing such a task requires properly designed information systems.

To be fully compliant with HIPAA privacy rules, manufacturers will require system upgrades to ensure that data only go to the systems that require the data, and only when they are supposed to be using the data. Changing software and databases can be a fairly expensive proposition, particularly if multiple areas of the organization need changes to multiple computer systems.

Role-Based Data Access. Having the appropriate data in the appropriate systems is only part of the information technology challenge. The other component is ensuring that only the people who need to have access to the data do have access. Accomplishing this task will probably require a combination of software upgrades and process redesign. 
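The two information technology functions the article describes (limiting which systems receive PHI, and limiting which roles may read it, with an audit trail), together with the revocation handling it says properly designed systems must support, as an added example that is not part of the original article. The field classification, role tiers, system names, retention policy after revocation and sample records are all constructed assumptions for illustration.

```python
"""Added example (not from the article): a minimal PHI data-flow guard.

(1) Strips PHI fields from feeds to secondary systems (e.g. a data
    warehouse) whose tier does not include PHI.
(2) Enforces tiered, role-based field access and logs every decision.
(3) Blocks further use of a subject's data after the subject revokes
    authorization, keeping only what the (assumed) study-integrity policy
    requires. All names and records below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed classification: which fields in a study record are PHI.
PHI_FIELDS = {"patient_name", "dob", "mrn", "address"}

# Constructed tiers: which field classes each role (or feeding system) may see.
ROLE_TIERS = {
    "trial_monitor": {"phi", "clinical"},   # needs identified data
    "biostatistician": {"clinical"},        # de-identified data only
    "warehouse_etl": {"clinical"},          # secondary system: no PHI feed
}

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, actor, action, fields, allowed):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "fields": sorted(fields), "allowed": allowed,
        })

def field_class(name):
    return "phi" if name in PHI_FIELDS else "clinical"

def filter_record(record, role, audit, action="read"):
    """Return only the fields the role's tier permits; log what was withheld."""
    tiers = ROLE_TIERS.get(role, set())          # unknown role: sees nothing
    released = {k: v for k, v in record.items() if field_class(k) in tiers}
    withheld = set(record) - set(released)
    audit.record(role, action, released, allowed=True)
    if withheld:
        audit.record(role, f"{action}:withheld", withheld, allowed=False)
    return released

def feed_to_secondary(records, system, audit):
    """Feed from the principal system to a secondary system, filtered by tier."""
    return [filter_record(r, system, audit, action="feed") for r in records]

def revoke_authorization(records, mrn):
    """After revocation, retain only study-integrity fields for that subject.
    The retained set is an assumed policy, not the article's."""
    keep = {"subject_id", "outcome"}
    return [
        {k: v for k, v in r.items() if k in keep} if r.get("mrn") == mrn else r
        for r in records
    ]

# Constructed sample records from a principal clinical-trial system.
SAMPLE_RECORDS = [
    {"subject_id": "S-001", "patient_name": "Test Patient A", "dob": "1950-01-01",
     "mrn": "MRN-0001", "address": "1 Example St", "outcome": "improved"},
    {"subject_id": "S-002", "patient_name": "Test Patient B", "dob": "1961-05-05",
     "mrn": "MRN-0002", "address": "2 Example St", "outcome": "unchanged"},
]

if __name__ == "__main__":
    log = AuditLog()
    for row in feed_to_secondary(SAMPLE_RECORDS, "warehouse_etl", log):
        print(row)                       # warehouse rows carry no PHI fields
    for entry in log.entries:
        print(entry["actor"], entry["action"], entry["fields"], entry["allowed"])
```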

Conclusion

The HIPAA privacy rules are here to stay, and medical technology organizations need to take steps to move toward compliance. Prior to investing in remediation efforts, however, organizations would be well advised to take the following steps. 

• Map out how the HIPAA privacy regulations affect the company’s operations.
• Perform a gap analysis to determine the anticipated costs of addressing the areas affected by the regulation.
• Conduct a risk analysis to help prioritize remediation activities.

Although each organization will have a different profile, it is common for medical technology companies to find that research authorizations and business associate agreements are the first priorities. Most organizations will also find that they cannot be truly compliant without upgrading their information technology environment.

References

1. “U.S. Healthcare Industry Quarterly HIPAA Survey Results: Fall 2002,” in HIPAAdvisory Home Page [on-line] (Montgomery Village, MD: Phoenix Health Systems, 2002 [cited 18 December 2002]); available from Internet: http://www.hipaadvisory.com/action/surveynew/fall2002.htm. 
2. Health Insurance Portability and Accountability Act of 1996, P. L. 104–191. 
3. “45 CFR Parts 160 and 162: Health Insurance Reform: Standards for Electronic Transactions, Final Rule,” Federal Register 65 FR 50311–50372 (August 17, 2000).
4. “45 CFR Parts 160 and 162: Standards for Privacy of Individually Identifiable Health Information, Final Rule,” Federal Register 65 FR 53181–53273 (August 14, 2002).
5. “45 CFR Part 142: Security and Electronic Signature Standards, Proposed Rule,” Federal Register 63 FR 43241–43280 (August 12, 1998).

Patrick Quirk is a strategic consultant in the life sciences practice of Court Square Data Group (Springfield, MA), an information technology consulting firm. 

Copyright ©2003 MX