


The Hipaa Revolution

Hipaa will be the federal law that will have the single biggest impact on Puerto Rico’s businesses in 2003


March 6, 2003
Copyright © 2003 CARIBBEAN BUSINESS. All Rights Reserved.

The clock’s ticking: Hipaa’s privacy rules apply to most businesses, with employers sharing liability with insurers for health information protection. The deadlines are just weeks away. Are Puerto Rico’s hospitals, insurance companies, doctors, labs, and other businesses ready?

If you thought getting ready for Y2K was a nightmare, wait till you find out what every business in Puerto Rico will have to do to comply with Hipaa.

The federal Health Insurance Portability & Accountability Act (Hipaa) of 1996 is complex legislation that applies to every single entity in the health industry that transmits patients’ health information. It also applies to every employer that has a health plan, and although the deadline for compliance with Hipaa’s privacy provision is only about a month away, most local entities still have a lot to do to comply.

The Y2K problem was a big deal for local businesses, but Hipaa will certainly make it look like child’s play. While the Y2K issue ended Jan. 1, 2000, the Hipaa regime, so to speak, is only beginning and it will become more complex as time goes by. There’s no escape from Hipaa and every kind of business transmitting individuals’ health information--even companies with no relation to the health industry--must comply.

It seems that while the larger hospitals, laboratories, pharmacies, and health insurers in Puerto Rico are fairly up-to-date in understanding and complying with Hipaa’s patient privacy provision, thousands of other entities--many of which aren’t even directly involved with the health industry--are uninformed and way behind schedule, according to health industry insiders.

If they don’t become compliant as soon as possible, they face stiff federal penalties that range from fines to time in jail.

What is Hipaa all about?

Hipaa covers every single entity that transmits individuals’ health information. This goes way beyond companies in the health industry to include institutions such as universities or private companies that have medical clinics on site, and even every kind of business that offers a health insurance plan to employees.

Employees at every level in health and medical organizations and small medical offices around Puerto Rico and the Virgin Islands will have to be trained to become familiar with Hipaa compliance requirements. This means tens of thousands of workers must undergo training starting immediately. The employer will be held responsible for all employees being fully aware of the laws. Companies’ records will have to show every single employee was trained and made aware of the law.

Hipaa was designed by the federal government to achieve administrative simplification while enhancing the privacy and security of individually identifiable health information. Individually identifiable health information is also known as protected health information.

It also calls for more effective portability of health insurance. According to the federal Centers for Medicare & Medicaid Services (CMS), the portability provisions in Hipaa are meant to protect workers’ health insurance coverage when they change or lose jobs.

Protected health information, or individually identifiable health information, refers to health information that can be linked to a specific person. A patient’s medical record, for example, falls into this category.

According to McConnell-Valdes attorney Mario Paniagua, an expert in legal issues pertaining to Hipaa, this law has three main purposes: controlling the use and disclosure of protected health information by covered entities; establishing rights individuals may exercise with respect to protected health information held by covered entities; and preventing employers from using such information to make employment-related decisions.

Responsible entities will be health insurance companies, healthcare clearinghouses, or healthcare providers, such as doctors, hospitals, or laboratories, where people’s health information is processed or transmitted. This also includes other businesses where protected health information, such as an employee’s health insurance plan, is handled.

In the first set of regulations, covered entities must comply with aspects that pertain to privacy, with the deadline for compliance set for April 14, 2003, about a month from today. Small health plans with premiums under $5 million have an extra year to comply.

The privacy regulations set standards for how protected health information should be controlled by setting out what uses and disclosures are authorized or required and what rights patients have with respect to their health information.

There is a second set of regulations that deals with codes and transactions. This part, due Oct. 16, 2003, represents an effort to reduce paperwork and increase efficiency and accuracy through the use of standardized administrative and financial transactions.

According to experts, Hipaa will bring a series of benefits to the healthcare industry. "Hipaa’s administrative simplification provisions will bring more efficiency in the billing process and this will make the cash-flow more efficient. Implementing Hipaa is very costly, but in the end it will improve our billing processes," explained Milton Cruz, CEO of San Pablo Health System.

Although Hipaa’s implementation will be costly--certainly much more costly than getting ready for Y2K--CMS estimates that nationwide, it could eventually produce savings of up to $16.7 billion in the codes and transactions areas, and up to $22 billion in privacy matters.

How prepared are we?

According to health industry insiders interviewed by CARIBBEAN BUSINESS, complying with the privacy provisions of Hipaa entails training all staff who come into contact with protected health information, and amending the contracts of business associates to ensure compliance with privacy provisions. Complying with privacy also includes documenting policies and procedures and enhancing information systems so protected health information is only available to those who need access to it.

Apparently most large companies affected in Puerto Rico--ranging from pharmacy chains such as Walgreens and hospital systems such as Pavia Health, to clinical laboratories such as Clendo, health insurers such as Triple-S Inc., and even the government--are well on their way to becoming compliant with Hipaa’s privacy provision by the April 14 deadline. Not only are they getting ready for the privacy provisions, many are also getting ready to comply with the codes and transactions provisions, which relate more to the enhancement of information systems.

In the process of ensuring compliance with Hipaa, local businesses are advised to conduct a pre-emption analysis. "In a pre-emption analysis, the entity verifies which law--state or federal--applies," said Dalila Allende, compliance chief and attorney at Triple-S Inc. "In some cases the local laws are more stringent than the rules established by Hipaa. When this happens, the local law supersedes Hipaa’s rules," she added.

"At Clendo all of our staff and clients are aware of Hipaa’s privacy and confidentiality provisions. Now we are preparing the amendments for our business associates’ contracts. Regarding electronic transactions, we are meeting with our technology provider and studying the regulations that affect electronic transactions," said Ivelisse Melendez, chief compliance officer at Clendo Reference Lab.

Melendez added that the management of many smaller laboratories is worried because they don’t know Hipaa thoroughly and also because a lot of myths and false information are circulating. "Generally speaking, the smaller labs have a lot of questions. Some have trained their staff, but others haven’t. However, the labs we do business with are up-to-date with Hipaa compliance, including the development of policies and procedures."

Ivette Delgado, district supervisor at Walgreens, said the pharmacy chain has always made sure privacy provisions were in place to protect patients’ information. She added that the company’s employees are being trained regarding Hipaa rules and compliance. "We are also going to distribute a CD-ROM that explains Hipaa rules and are taking measures so pharmacists counseling patients do so in a private manner."

Hospitals have an advantage over other branches of the health industry. Those that are accredited by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) have always been required to ensure the privacy of individually identifiable health information, according to Cruz, but Hipaa raises the bar on this issue and is more rigorous.

"We began working towards Hipaa compliance years ago. Before Hipaa was enacted in 1996, Puerto Rico’s laws already had privacy provisions. We formed a Hipaa compliance committee to revise our privacy policy and then sent it to our parent company on the U.S. mainland so they could check it also and make sure we at San Pablo comply with Hipaa’s privacy rules. I am sure we will be fully compliant by the deadline," said Cruz, adding that the three hospitals that comprise San Pablo Health System are in the process of preparing the amendments to the business associates’ contracts so they know their responsibilities regarding Hipaa.

Cruz said San Pablo has already upgraded its information systems with the codes and transactions required to be Hipaa compliant.

The Inter American Hospital of Advanced Medicine’s (HIMA) two hospitals in Humacao and Caguas began working to ensure privacy back in October 2000, according to Special Project Vice President Giovanni Piereschi. "We have always made sure we keep patients’ information private. We formed a compliance department a year ago and have also begun training our staff. Right now we are in the process of writing down policies and procedures," said Piereschi.

Carmen Gonzalez, reimbursement and compliance director for Pavia Health, said the company began by establishing a compliance department and by performing a gap analysis of the operations to see how compliant each department was before beginning to implement Hipaa provisions. "Afterwards, we hired staff to develop our policies and procedures for Hipaa compliance and to integrate them with the policies and procedures we had already established. We are also seeing what local laws will supersede Hipaa’s rules. The next step is to train all our staff."

But not every hospital on the island is getting ready in a timely fashion. "I doubt very much that every entity covered by the law will be fully compliant with Hipaa’s privacy provisions by April 14," said Piereschi. Other industry insiders say it is very possible small hospitals won’t be ready.

The government will also be affected by Hipaa, especially the Health Department and all its branches, most notably the Health Insurance Administration (ASES by its Spanish acronym), which runs the island’s Health Reform. ASES recently began implementing a pilot program with what it calls a Smart Card, which has a device that saves patients’ information, and thus is covered by Hipaa’s rules.

"The Smart Card already complies with Hipaa’s privacy provisions. It has a biometric code that only allows those with a need to know to access the patient’s information," said Orlando Gonzalez, executive director of ASES. He said ASES, which only has 80 employees, is getting ready to train its staff. It has also met with business associates--health insurers--to discuss the amendments Hipaa requires in order to ensure compliance.

"This week we are closing a deal with a firm that will put together an electronic eligibility system to comply with the codes and transaction provision. The firm will establish a central database, an intranet, to connect the 90 eligibility offices we have all over the island," said Gonzalez. "We didn’t begin preparing as soon as we would have liked to, but we will be compliant by the deadline," he added.

How much is Hipaa costing locally?

Ever since President Bill Clinton signed the Hipaa Act in 1996, the cost forecasts have mostly agreed on one fact: Because it is an ongoing process instead of a one-shot deal, implementing Hipaa will cost much more than getting ready for Y2K. While Y2K was a one-shot process, Hipaa will be never-ending as technology continues evolving, new privacy issues keep arising, and new employees are hired.

According to Gonzalez, the entire Health Department, including ASES, will end up spending about $20 million to comply with Hipaa. This money, he said, will come from a loan from the local Office of Management & Budget. "We have already spent about $1 million," he added.

Pavia’s Gonzalez said the company has already spent about $2.8 million to upgrade its information systems, which now offer more privacy controls and simplify the billing procedure. She added another $500,000 has been spent to train staff and perform a gap analysis in order to comply with privacy regulations.

Cruz said San Pablo has invested more than $2 million, while Piereschi said HIMA has invested about $500,000.

Clendo has only spent about $50,000 because the company developed its information systems in-house, which allowed the company to save a lot of money, said Melendez.

As for health insurers, Triple-S has invested about $3 million, according to Allende, and Cooperativa de Seguros de Vida (Cosvi) about the same amount, said Rene de Leon, compliance officer.

Who will check for compliance?

"The federal agency in charge of the implementation and enforcement of the privacy rule is the Office for Civil Rights (OCR) of the Department of Health & Human Services," explained Paniagua.

In Puerto Rico, he added, there are several agencies authorized to hear and adjudicate complaints. They are the Health Reform Patient Solicitor (Procurador del Paciente), the Secretary of Health, the Insurance Commissioner, the Mental Health & Drug Addiction Services Administration, the Board of Medical Examiners, and the Puerto Rico Pharmacy Board.

Paniagua also explained the civil and criminal penalties noncompliant entities may incur. "There is a $100 fine per violation against any person who violates the privacy rule. The total number of penalties that can be imposed by the OCR for all violations of the same requirement or prohibition is $25,000 during a calendar year."

"For criminal penalties there is a fine of up to $50,000 and one year in prison when the violation is committed knowingly and up to $250,000 and 10 years in prison when protected health information is disclosed for commercial gain or to cause harm to the person whose protected information was disclosed," said Paniagua.

Hipaa is the most important healthcare legislation since Medicare

On Aug. 21, 1996, President Bill Clinton signed into law the Health Insurance Portability & Accountability Act (Hipaa). Hipaa, also known as the Kennedy-Kassebaum bill--after the bill’s sponsors Ted Kennedy (D.-Mass.) and Nancy Kassebaum (R.-Kan.)--calls for creating uniform standards for electronic transmission of medical information and for enhancing the privacy and security of patients’ medical information.

Industry experts have called Hipaa "the most important and encompassing healthcare legislation since Medicare in 1965."

With the passage of Hipaa, Congress addressed the need for national patient record privacy standards. Under the law, Congress gave itself until Aug. 21, 1999, to pass comprehensive health privacy legislation, but it did not meet its own deadline. That’s when the U.S. Department of Health and Human Services (HHS) stepped in and created protections by regulation.

In November 1999, HHS published its first draft of regulations to give patients new rights and protection against the misuse or disclosure of their health records. The rules attempted to protect patients’ privacy without placing obstacles to access to care or quality of care.

Then on Dec. 20, 2000, HHS released the final regulations setting a privacy provision compliance deadline of Feb. 26, 2003. This deadline was later extended to April 14, 2003. This is the real deadline most entities that have anything to do with patient health information will have to meet. This includes laboratories, pharmacies, doctors’ offices, hospitals, health insurers, even visiting nurses.

Hipaa deadlines

April 14, 2003: Privacy deadline for all covered entities, except small health plans with premiums under $5 million.

Small health plans have another year to comply.

Oct. 16, 2003: Electronic healthcare code sets and transactions deadline.

July 30, 2004: Employer Identification Number (EIN) deadline.

The EIN is the standard unique identifier for employers, providers, plans, and individuals. Small health plans have until Aug. 1, 2005 to comply.

Steps toward compliance must be taken immediately

Health industry isn’t the only one affected by Hipaa

Health Insurance Portability & Accountability Act (Hipaa) experts interviewed by CARIBBEAN BUSINESS said not only have many entities not begun preparations to meet Hipaa’s privacy deadline, but many nonhealth companies haven’t realized they must comply with the federal regulation.

Every business that handles individuals’ health information must comply with Hipaa. This includes schools with a medical clinic, human resources departments within companies that offer health insurance to employees, and others.

"The first thing noncompliant entities should do is to contact a professional association, such as the Puerto Rico Hospital Association, for guidance. Visit the associations and go to their websites. Most associations have been very proactive regarding Hipaa and can help," said Dalila Allende, an attorney and Hipaa expert at Triple-S Inc.

Mario Paniagua, also a Hipaa expert and an attorney with McConnell-Valdes, added that the next steps should be to hire a privacy officer and compose a document in which patients’ privacy rights are explained. "They should also produce another document that explains the policies and procedures to be followed as part of Hipaa compliance," he said.

Then they should begin training all the staff. The experts interviewed stressed this is one of the most important steps. According to them, everyone, from the president to the maintenance team, should be trained regarding Hipaa. One example given at many Hipaa conferences held locally is that even a janitor could violate Hipaa laws by, for example, reading a prescription that includes the name of a patient and passing the information to someone else during a casual conversation.

The following step would be to amend the contracts of business associates so they know what their duties are in order to comply with Hipaa, said Allende. Paniagua added that a business associate under Hipaa is "anyone not a member of the covered entity’s work force that assists the covered entity with a function or activity involving, among others, the use or disclosure of individually identifiable health information, including claims processing or administration, data analysis, utilization review, quality assurance, billing, actuarial, accounting, and legal and financial services."

Paniagua also said there are many entities outside the health industry that must comply with Hipaa. "There are hybrid entities whose business activities include both covered and noncovered functions," he said. He provided examples such as factories with on-site clinics, universities with infirmaries, and companies that sponsor health clinics.

This Caribbean Business article appears courtesy of Casiano Communications.