Are hearing care professionals feeling a little bit like they are being deluged with “everything HIPAA” lately? That’s probably because they are, and hopefully, they have been paying attention! When I first heard the name “HIPAA” more than 2 years ago, my reaction was “Oh great, another acronym for a hearing test that I have to remember—as if the hearing care field needs another acronym!”

Of course, hearing care professionals and hearing instrument manufacturers have come to find out that HIPAA certainly isn’t a hearing test. In fact, the Health Insurance Privacy and Accountability Act is arguably the most sweeping set of regulations to impact health care in the last decade. Right now, the hearing care industry is, or at least should be, in the midst of implementing all the necessary steps to comply with HIPAA.

What is HIPAA?
There has been much written lately in the trade press about HIPAA (see sidebar for articles and other resources). Hearing care professionals can also find many HIPAA-related references on the Web sites of the various professional organizations, including the American Academy of Audiology (AAA), American Speech-Language-Hearing Association (ASHA) and Hearing Industries Association (HIA).

HIPAA is a law that sets regulations governing privacy, security, and administrative simplification standards for the movement of health care information. (Author’s note: One should always get nervous when a government regulation uses the term “simplification.”) HIPAA regulates the ways that protected health information (PHI) is handled to ensure the highest degree of patient confidentiality. The law was designed to regulate the way electronic claim submissions, eligibility requests, payment and remittance advice, as well as the coordination of benefits are all handled. HIPAA also mandates safeguards to ensure that information is transmitted and received with the highest degree of security.

It would seem that HIPAA affects everything that has anything to do with a patient’s personal health information. And in a sense, when it comes to the hearing care profession, that means that HIPAA does now affect “everything” we do.

There are three key parts of HIPAA that will directly impact the delivery of hearing care: Privacy, Security, and Standardization of Electronic Transactions. Each of these parts has implications. Each impacts how hearing care professionals run their offices/practices and how hearing instrument manufacturers interact with hearing care professionals.

The HIPAA regulations are broad in scope. All an individual has to do is take a look at the hundreds of pages that make up the published regulations. But like everything in life, individuals most often want to know: “How does it affect me?” Presently, what hearing care professionals and hearing instrument manufacturers need most to be concerned about are the Privacy Rules.

Privacy and the Business Associate Agreement (BAA)
From a business perspective, it is clear that HIPAA will impact both hearing care professionals and hearing instrument manufacturers alike. This is a very important point to bear in mind, considering the unique relationship between dispensing professionals and manufacturers in the delivery of hearing instruments to end-users. Hearing care professionals are considered “Covered Entities” under HIPAA.

By now, everyone involved in health care should be familiar with the basic definitions for each “group” affected by HIPAA:

  • Patients: The recipient and user of health care services.
  • Covered Entities: Health care providers, payers, hospitals, nursing homes, and health plans—this is the group to which hearing care professionals belong.
  • Business Associates of Covered Entities: Anyone who, on behalf of the Covered Entity, has access to protected health information—this is the group to which hearing instrument manufacturers belong.

Covered entities must have a Business Associate Agreement (BAA) with all entities that provide services for or on behalf of the Covered Entity to the patient. Bottom line: The hearing instrument manufacturer is the Business Associate to the hearing care professional for all aspects of the manufacture, delivery, and repair of hearing instruments. Therefore, the dispensing professional is responsible for having a signed BAA in place with each manufacturer he/she works with by April 14, 2003.

Do you have these agreements on file?

A “Common” BAA
In order to assist hearing care professionals to get their BAAs in place, the Hearing Industries Association (HIA) recently convened a task force of representatives from many of the largest hearing instrument manufacturers. This group agreed on a common BAA format that can be used by any dispensing professional with any hearing instrument manufacturer. At the time this article was being completed, the American Academy of Audiology (AAA) and the International Hearing Society (IHS) also endorsed this document.

A copy of this BAA can be obtained from the Internet by visiting HIA’s HIPAA Helpdesk at: www.hearing.org/hipaa (for more information, see page 14 of the March 2003 HR).

Checklist of Action Items for HIPAA Compliance
If a hearing care professional has not started the process of HIPAA compliance in their practice, there is only one piece of advice for such individuals: Get moving! In addition to the BAA, there are other important steps that should be taken. The following 10 steps are a starting point to help hearing care professionals ensure that their practices are in compliance with federal regulations:

  1. Determine whether you need to comply with the Transaction Standards/Code Sets regulations.
  2. Assign privacy and security responsibilities.
  3. Determine how PHI is used in your practice.
  4. Establish rules to protect patient privacy — and follow up to ensure staff compliance.
  5. Allow your patients to access their own PHI.
  6. Publish a “Notice of Privacy Practices,” and make it available and visible in your office waiting area.
  7. Make sure the people with whom you do business also protect PHI. Do not be shy about inquiring thoroughly about your business associates’ handling of PHI. (This is where the BAA comes in!)
  8. Train employees so that they are knowledgeable about HIPAA and how it applies to their responsibilities.
  9. If you market and/or advertise your practice, make sure your ads and promotions do not violate the rules.
  10. Stay informed. Many professional organizations and hearing instrument manufacturers have established HIPAA information lines, Web sites, and help desks to assist professionals with compliance.

The last point is perhaps the most important thing that hearing care professionals can do now and in the future. The various professional organizations that serve the hearing care profession are excellent resources for HIPAA information.

There are also several consulting firms, like Hearing Healthcare Analytics, LLC, a firm specializing in hearing care which has created a HIPAA compliance “Tool-kit.” Another such Tool-kit is available from AAA (www.audiology.org). Check out all of the sites and resources listed in the resource box (see sidebar) for the most recent HIPAA news and information.

HIPAA Resources
Recent articles, Web sites, and other reference sources for HIPAA information:

Articles

Gradle BD. Business Associates: A HIPAA Compliance Challenge. Healthcare Financial Management 2002; February issue.

Lusis I. HIPAA Privacy Requirements for Business Associates. ASHA Leader. 2002; November 19 issue.

Jacob D. How to Comply with HIPAA: A Practical Guide for Hearing Healthcare Providers. Hear Jour. 2002; September issue.

Jacob D. HIPAA Myths and Facts. Audiol Today. 2002; September/October issue.

Jacob D. How Do I Become HIPAA Compliant? Audiol Today. 2002; July/August issue.

Morgan SD. HIPAA Compliance and Enforcement: Is Your Practice Prepared? Hear Prod Report. 2003; Jan/Feb issue.

Popp P, Lane B. HIPAA for Hearing Care Professionals. Hearing Review. 2003; March issue.

Van Houten B. Getting Hip to HIPAA. Hearing Review. 2003; February issue.

Web Sites and Links

US Government, Health and Human Services, Center for Medicare and Medicaid HIPAA Website:
http://www.cms.hhs.gov/hipaa/hipaa1/default.asp

American Academy of Audiology HIPAA website:
http://www.audiology.org/professional/members/hipaa/

ASHA HIPAA Web site:
http://professional.asha.org/resources/legislative/hipaa_info.cfm

HIPAA Audiology Discussion List Server (send a blank e-mail to this address and you will be added as a member):
www.hipaaaudiology-subscribe@yahoogroups.com

Hearing Industries Association HIPAA Helpdesk
(contains BAA form):
www.hearing.org/hipaa

Health Care Compliance Association Web site:
www.hcca-info.org

CMS HIPAA Administration Simplification Web site:
www.aspe.hhs.gov/admnsimp

Healthcare Information and Management Systems Society:
www.himss.org

Healthcare Finance Management Assn. Web site:
www.hfma.org/kn/hipaa.thm

Dept. of Health and Human Services HIPAA rules:
www.hhs.gov/ocr/hipaa

Health Insurance Association of America (HIAA) legal interpretations:
www.hiaa.org

Healthcare Analytics, LLC, consulting:
www.hcAnalytics.com

HIPAA and Manufacturers
Hearing care professionals need to be concerned about the question, “What do I have to do to comply with HIPAA?” There may be an assumption made that, as long as the hearing care professional has a signed BAA with a chosen manufacturer, then the professional is covered—meaning the hearing instrument manufacturer is in compliance… right? But what are the things that a manufacturer as a Business Associate has to do to comply with HIPAA?

It shouldn’t be surprising that the answer is: basically the same things hearing care professionals have to implement in order to maintain HIPAA compliance. For example, Siemens Hearing Instruments has taken action on the very same 10 steps suggested earlier. This included a gap analysis (ie, a review of where the company is versus where the company needs to be) of current procedures relative to the requirements of HIPAA for handling PHI. Other key steps included:

  • Identified the “Corporate Privacy Officer.”
  • Educated senior management on key HIPAA issues.
  • Created a plan to educate all company employees on HIPAA and how it pertains specifically to individual jobs and tasks.
  • Reviewed and signed BAAs.
  • Created a company HIPAA position statement.
  • Reviewed all data security procedures.

So, Will the “HIPAA Police” Come Knocking on My Door?
One question that has come up on several of the HIPAA chat lines is, “If I am out of compliance with something, what will the penalty be?” The answer starts with, don’t worry, the HIPAA police will probably not be kicking in your front door!

The whole idea of enforcement is very interesting when one considers the huge scope of HIPAA, its far-reaching regulations, and its impact on a very large population of covered entities. However, it is wise to note that HIPAA has considerable teeth for enforcement. The Federal Office of Civil Rights has been empowered to enforce HIPAA regulations and they have been granted a $44 million budget to do so!

Perhaps there are two more specific questions to ask:

  • “Will I ever get audited regarding HIPAA compliance?”
  • “Am I exposed to litigation if I am out of compliance?”

The answer is “yes” to both questions. It is very possible to be audited and, wherever there are regulations to meet, there is a chance someone can sue! In terms of an audit, a likely scenario might be that an HMO or other health contractor for whom you are a provider will audit you. What could be at risk is potential loss of that affiliation if your business/practice is out of compliance.

For litigation, there is the possibility that, if a hearing care professional is out of compliance, for example, regarding the proper protection of PHI when used for marketing purposes, an individual patient could file a complaint. Inevitably, once the first lawsuit involving HIPAA is filed, others can be expected to follow. Lastly, there will likely be watchdog groups who will be policing HIPAA in the name of everything from AARP to the Citizens for Better Government.

The bottom line: Put your HIPAA house in order; however, you shouldn’t lose sleep over thoughts of the HIPAA police raiding your office. Generally speaking, common sense and due diligence (ie, an educated and concerted effort to comply with the law) will carry the day.

Summary
The best advice there is regarding HIPAA is to educate yourself, stay informed, and comply with the HIPAA regulations. Take advantage of the many sources of HIPAA information that are now available specific to our profession and industry. And remember: HIPAA is not a hearing test!

William Lesiecki is director of software and e-business solutions at Siemens Hearing Instruments, Prospect Heights, Ill.

Correspondence can be addressed to HR or William Lesiecki, Siemens Hearing Instruments, 16 E Piper Lane, Prospect Heights, IL 60070; email: [email protected].