There was a time, not so many years ago, when the Compliance department of a hospital was an adjunct of the Office of the Medical Director, or, perhaps, the General Counsel.
Perhaps the Risk Manager had a Compliance hat she wore when the occasion demanded. While there were compliance responsibilities with regard to medical records, they were mostly to do with ensuring that all the forms were completed (such as Operative Reports or Discharge Summaries).
In the late 1990s, the trend toward digitization of health records raised new health care compliance concerns: privacy and security. HIPAA, an act instituted in '96, was not originally meant to deal with healthcare compliance directly. The focus was portability. The intent was to enable employees to move between jobs without losing their health insurance due to denials of enrollment by the new employer's insurer due to preexisting conditions (in fact, the legislation in essence forbade denial of enrollment on the ground of a preexisting condition when an employee was hired by a subscribing company within a certain period of time). Yet HIPAA lawyers (yes, the term was coined during this time) realized that health insurance companies had to perform certain actuarial calculations in order to assess risk and set premiums, and, to that end, they had to review the claims experience. The only practical way to do that was to review the codes used for those claims.
The problem is that these codes are not standardized. Every state has its own set of codes. This incited aides to the Congress and Dept. of social services to create a single, unified set of claims codes. Yet, as with most things legislative, this begat another concern: with all this very sensitive information being transmitted on a regular basis, there was the potential for abuse if the patient data were to end up in the hands of those unauthorized to view it, who would perhaps use it for non-benign purposes. As a result, DHHS allowed for comments about medical privacy issues. They received nearly 40,000 comments about health information that had been mishandled with regard to its privacy.
As a result of this massive inquiry, HIPAA privacy rules were established dealing with criteria and disclosure of medical information. Soon after, there were a number of rules instituted that dealt with the manufacturing of, the storage of, and the ultimate disclosure of protected health information. These six hundred pages were the beginning of what has come to be known as HIPAA law.
Since then, knowing HIPAA law has become almost a cottage industry within the area of healthcare law. As healthcare law has become more robust, and areas like healthcare compliance have been added, lawyers have had to learn more and more about the industry, especially with regard to how changes affect security and privacy. Yet, as more and more health information was created, stored and transferred electronically, the hospitals and medical practices established many offices, such as the office of Chief Information Security.
This trend was given a significant boost in 2004, when President George W. Bush issued an Executive Order setting in motion a national transition to an interoperable electronic health record system by 2004. After Bush's executive order was issued, Congress established funding to help with the transition. Hillary Clinton sponsored one of the first bills allotting funding. As a result of thin margins and slow reimbursement, a number of regional hospitals were slow to adopt the new measures. This hurt national coordination efforts. Medicare stopped taking paper claims submissions, but there was still significant resistance among caregivers to giving up the pen and paper.
In February 2009, legislation was passed that would almost require every Risk Manager and Compliance Officer to have at least a rudimentary knowledge of HIPAA law as it pertained to electronic health records. As part of the "Stimulus Package," Congress passed another law known by its acronym, HITECH.
In a reprise of the concerns which led to the implementation of the HIPAA Privacy and Security standards, HITECH did three things that will change the daily activities of Risk Managers, hospital counsel, Privacy Officers, and IT and Security Officers. It provided for thirty billion dollars in incentive payments to be used to accelerate the transition to an interoperable health record system. The law, enacted on Jan. 13, 2010, establishes criteria for access to those funds, allowing only those who can exchange data in an accurate and secure manner. In addition to all that, the third way in which it affects the healthcare industry is that it requires that all information be accessible in a way that is consistent with, and buttresses, the old HIPAA privacy and security standards. Such a mandate is made even harder, however, by the fact that HIPAA rules were expanded and strengthened as a result of the act.
As hospital staff are made aware of these new regulations, despite being in the middle of a recession, there is no doubt that lawyers will be called upon by hospitals. Healthcare compliance will truly become HIPAA compliance.