Thank you for sharing!

Your article was successfully shared with the contacts you provided.
Editor’s note: On May 20,Texas Lawyer gathered a group of health industry counsel to discuss the ins and outs of the Health Insurance Portability and Accountability Act, otherwise known as HIPAA. The act is causing consternation among many in the health industry. Counsel at the roundtable discussed privacy regulations, security issues and the difficulties of complying with the law and preparing to comply for it. Part of the discussion appears below, edited for length and style. Brenda Sapino Jeffreys, senior reporter, Texas Lawyer: I’d like to start out by asking all the panelists to give us all a little bit about their backgrounds, how they got to the positions they have right now, the size of the legal departments and your responsibilities. Tom Cox, director of legal affairs, Dallas County Hospital District: I’ve been with Parkland about 20 years. And I got into it because, back about 1980, the hospitals and facilities decided they all needed lawyers, and I was looking for a job. … [O]ur legal department is one other attorney, three paralegals, contract administrators and a couple of secretaries. We make extensive use of outside firms to provide areas of specialty where we need them [in] med mal, labor and collections. Neill Fleishman, assistant general counsel, Blue Cross Blue Shield of Texas: I’ve been with Blue Cross for about 22 years, and I got into it very similar to the way Tom did. My wife didn’t like the small town in North Carolina we were living in and said, [can we] … move to a city? Blue Cross offered me a job; I said it sounds good to me, and here I am. Currently, we have seven attorneys. Like Parkland, we use a lot of outside attorneys, especially in litigation. We have a couple of paralegals, a couple of staffers, not a very large department for a multibillion-dollar company. My personal responsibilities are basically legislative compliance and, if we do something wrong, it wasn’t my fault. The Health Insurance Portability and Accountability Act fell into my lap because of the portability piece back in ’96, when they first enacted. The first thing we had to put in place was how to do credible coverage for pre-existing conditions. That fell in my lap, and, unfortunately, I got stuck with the rest of it as well. I also do other legislative compliance. I’ve got some state work, and … [there is a] a regulator who I have to deal with on a regular basis. … So legislative compliance, both on the state and federal level, are part of my responsibilities on a day-to-day basis. HIPAA is just one of those duties. Barbara Holthaus, director of project development, Life Health & Licensing Program, Texas Department of Insurance: I started out at TDI in the legal division. We have about … 60 or 70 lawyers. They do all kind of things. But I actually began as a criminal defense attorney. For about nine years, I did felony capital appeals in Kentucky … . Then I came to Texas, and I was general counsel for the state psychology board. And from there, I came to TDI. So I’ve always been interested in … the essential relationship between mental health providers and patients [which is based on] confidentiality and privacy. I came into HIPAA [through my work with] the Gramm-Leach-Bliley Act [of 1999] and the privacy provisions in that statute — having had that dumped on my lap, when HIPAA came along, they said, “Well, here, you can have that too.” And for about the last year, I’ve been … developing the implementation plan for the Texas Department of Insurance for compliance with Gramm-Bliley and HIPAA and, now, S.B. 712, which deals with state financial privacy and S.B. 11, which … deals with state health privacy reform. Margaret O’Donnell, senior attorney, Christus Health: I have a nursing background. Actually, I grew up in Dallas, but I moved to Houston to go to nursing school, and I worked as a nurse for about seven years. And after a couple of years, I went back and got my law degree and worked in risk management at the hospital. I worked at St. Joseph’s in Houston, did some administrative work, medical records, quality assurance — all those great departments reported to me for a while. And I started working in the general counsel’s office for Christus Health about four years ago. My responsibilities there are primarily hospital operations, regulatory licensing and … [other] fun things that deal with physician credentialing issues. … I’m on the HIPAA task force for Christus Health. Michael L. Silhol, assistant secretary and vice president of legal operations, Triad Hospitals Inc.: Like Christus, Triad is only 3 years old. We’re a spin-off from HCA. We moved our headquarters to Dallas in May of ’99 primarily because of the airport. We have 50 hospitals in 16 states, and we’re continuing to grow and continuing to add to our legal department, to all of you who wish to give me your business cards at the end of today. We currently have six lawyers in our department, and we’re growing. We handle pretty much everything that comes in the door. Because of our size and our fast growth, however, we do send a lot of work to outside counsel. And because we’re in so many different states, state pre-emption issues and dealing with various state laws are a huge issue for us as we implement HIPAA. Jeffreys: As lawyers, what are you doing to start preparing for this law when the rules are changing and are subject to interpretation? Fleishman: The privacy regulations have been and probably will continue to be a moving target. That creates challenges. But our company is a third-party payor, wears a couple of hats and everybody thinks of us as we pay providers, pay[ing with] other people money. That is, of course, our biggest function. We are a service entity. However, we’re also an employer — a fairly large one, as you might guess. Here in Texas, we have more than 5,000 employees. Our combined company has more than 11,000 employees nationwide. So we are a big employer. So what we did, early on, is we created an office to coordinate … HIPAA. So [we've all] been meeting for more than two years on about an every-other-week basis. And it also includes what we call “transaction sets”… . Transaction sets are the technique people. Those are computer issues. So we have been working on this … for better than two years, and we’re just trying to try to keep it in a big circle so we can get the circle smaller and smaller and, hopefully, one day contain it. That day hasn’t quite gotten here yet, but we’re working on it. … [W]e’ve always been interested in privacy, but now what we’re trying to show is documentation to a government investigator, who will probably come in a year or three or six from now and say, “OK, Blue Cross, show us, in writing, what you’ve done.” And folks, that’s why most of you need to be concerned. It’s not a question of whether you’ve printed or sold or given away privacy. The question is, can you show what you did to prevent it from happening? Holthaus: The best piece of advice I can give you, from learning about HIPAA, is to read it. It’s amazing how many people I deal with every day who call me up and ask me a million questions, and I say, “Well, have you read it?” “Well, no.” And there are no HIPAA experts. They’ll tell you: There are a lot of people happy to take your money and say, “I’m a HIPAA expert, come learn from me.” But the point is, it’s not been interpreted by the courts. It’s not even really fully functioning. And so the idea of how to learn from it is to read it and think through it. In terms of what I tell the people who call me up scared every day and say, “I don’t know what I’m supposed to do,” two things … the first thing is: You can’t even begin to understand what you need to know until you understand what your own company or entity or partnerships’ privacy policies are. Get a handle on that. Understand what they are, because, for the most part, in terms of the people we regulate, what we’re going to be looking at is not so much what are you doing, but what is your policy? And then, are your internal policies and all the things that you’re doing congruent with what your policy is? … [A]gain, in terms of educating yourself, I also think it’s important to look at it holistically, to look at the big picture, and to realize that it’s here and to look at how it fits into this scheme that doctors and providers and third-party payors are dealing with. The other piece of advice I would give you is, when someone calls you and says, “People are saying I can’t do this because of HIPAA,” or “I can’t do that because of HIPAA,” the first thing I’d ask myself is, “Does that make sense?” because HIPAA and privacy rules, all those things, are set up to enable providers to continue to provide health care. They’re set up to [allow] payors to continue to pay the claims. So when people come in and say, “HIPAA will stop us from doing something we’ve always done, and we need to do to help the consumer,” I would ask yourself, “Does that even make sense?” Ask them why they think that, and tell them to show you in the rules [where that issue exists]. … Consumers keep calling me up saying, “We can’t get information about our claim because they say that it hurts privacy — they can’t tell me information about myself.” Well, that just simply doesn’t make sense. In other words, I think a lot of people are paralyzed; I call it “HIPAA hysteria.” They’re afraid to give out any information because they’re afraid they’re going to do something that’s wrong and they’re going to get sued. So I think common sense and an understanding of what you’re dealing with will take you a long way. Cox: It’s not that HIPAA restricts us from giving it out. What that really means is, “We lost your file, and we can’t find it.” O’Donnell: We obviously have a HIPAA action committee. … It’s primarily driven by IT; it started out being information technology. Clearly, it’s a bigger issue. It has to be multidisciplinary. Two things that have helped me the most, and then I want to identify one that’s a huge gap. Number one, through the county health association, we started an in-house counsel consortium, and we talk once a month, on a telephone conference, about what they’re doing for implementation because this is not [set] in stone. When you read these regs, I know what they say, but I don’t know what they mean, … so that’s been the hardest thing for me. How do you translate this into what does it mean to be a nurse or provider? And that has helped enormously because, with 18 lawyers on this call, there are 25 different variations of opinions. But we’re kind of congealing that, and it’s getting down to what makes sense for us. The second thing is [that] we have an Internet Web site for Christus where we started giving, kind of, questions and answers. … [T]he phone calls started coming in to me, you know, like the questions that she said: “Does this mean we can’t release information?” So we have started to try to educate our employees on some of these basic things, and this Web site has helped enormously to cut down on phone calls. The biggest gap we have is in education of our physicians. We don’t primarily employ physicians — we do have some in Louisiana where you can employ [them]. But our own independent physicians are coming to us looking for information, and we’re reluctant to take on the role of [the one to implement it]. I mean, we can educate, but we don’t want to be the one to implement it. Somebody can make a bunch of money if [they] go and develop education models for physicians because I know there are people out there [who educate], but we have not been able to find them. [Doctors] … are looking to us [for] … a company name. So if there are some entrepreneurs in the audience, this is really an area that has been sorely needed. And it’s of concern to me because there are health care providers — obviously, there’s a primary health care provider — but they are really behind the gap on this. And most of them are independent and don’t have the resources to get up to speed on this. Silhol: We employ about 400 physicians in about 10 states, and when we talk to those physicians and tell them what HIPAA’s going to require, their eyes get real big and their jaws hit the ground. They are incredulous. They think that because I’m an in-house lawyer, I must not be telling the truth, so they want to hire an outside lawyer. And I agree with Margaret. There’s a huge market out there to get education and training for physicians. But getting back to the question, … there was a [notice of] proposed rulemaking … which came out from Health & Human Services in March that did stop us a little bit in developing our privacy policies. We had already set up some policies, and again, like Christus, we have an intranet site that our hospitals can click on to. We have a little HIPAA logo if you get to our intranet, which lists our policies that are in development, lists frequently asked questions, that type thing. We had to pull back on those privacy policies that were in the developmental stage and still are holding off on some of them until we find out what HSS does with their notice of proposed rule-making, although the comment period, I guess, ended last month. But there’s still an awful lot that we can do. We continue to report. The biggest thing that we find we’re having to do is somewhat similar to what we did with Y2K, and that is do a gap analysis — going out [and] having each hospital identify [their] … business associates. We don’t necessarily need to enter into a business-associate agreement, but we at least want to know who they are. Identifying all the software that we need to get into compliance with the transaction codes, that’s what Neill talked about and Tom talked about a little bit earlier. [We are] [l]ooking at our privacy policies so at least we know what they are now, so when the regs finally do become final — if they ever become final — we’ll be able to make that change. One thing we’ve also had to hold off on is our state pre-emption analysis. Because we’re in so many different states, we can’t have one policy for our entire system. It’s going to have to be a state-by-state approach. … So for the outside lawyers, that means there is this logjam of work that is awaiting you. We’re not sending any of it out now, but the minute those regs come, clear your desks off because we’re just going to be sending an avalanche of work to all of you. MEETING DEADLINES Jeffreys: Privacy regulations are in flux. Do you believe the deadline for putting them into effect should be extended? Will you be ready? Do you think they’re too aggressive? Cox: Our departments will be ready. I just want to flip a couple other things out. The trade associations of American newspapers have run out the proposition that, in their view, that it’s Communist — that HIPAA is unconstitutional, interferes with their ability to gather and disseminate news. For those of you who remember a few years back, a starting tackle for the Dallas Cowboys [who] put his car into a pillar on the North Dallas Tollway was taken to Parkland. And you would be surprised at the number of reporters that were in the emergency [room] trying to determine what exactly his blood alcohol content was. So there are some fine points. The other thing — I see several of you in the room that are defense lawyers in medical negligence cases and at least one who does some commercial collection work for us. You guys are all going to be asked to sign business-associate agreements, and all the expert witnesses are going to be asked to sign business-associate agreements. And I’m trying to figure out how I can make the plaintiffs’ lawyers do that, too. I’m working on that part. But we do expect to come into compliance. The comments I’ve seen in response to these changes were from the Association of American Medical Colleges, which Parkland is a part of, and Texas Hospital Association, which is basically the same. And they have some problems with, in particular, the medical centers with research and fund-raising areas. So there’s still some room to massage these regulations. Fleishman: The regulations can still be improved upon, but I expect that the effective date is unlikely to be changed. And we will be prepared and ready. We’ve been gearing up all along. Our fear is not of change; we don’t need a change or postponement of the effective date. Our fear is they will come down with new rules at the last minute, and that will throw a monkey wrench into our preparation and compliance. But assuming the rules stay similar to what has either been approved, adopted, or those that have been recommended and don’t change too much, we’ll be ready. Holthaus: I think a lot of companies have already spent a lot of time and resources in getting their systems ready to come into compliance, and I think they’d be outraged if all that time and trouble went to waste. I also think that, at this point in time, the [public] ha[s] become sensitive to the issue of privacy, [so] that I think if we keep putting off HIPAA, they will begin to see that as us being not protective of the people’s individual privacy. So those are two reasons I don’t think they’ll be postponed. As far as Texas is concerned, privacy rules are already up and running. S.B. 712, concerning financial privacy, … went into effect Sept. 15, 2001. And the S.B. 11, as far as it relates to people that seek out regulation for health privacy, went into effect Jan. 1 of this year. And anyone who’s not yet complying with HIPAA … [is] already required to be compliant with the privacy regulation that TDI has in place. And that means, you guys, if you’re not doing it, you’re behind the curve. I just have one more comment concerning the issue of constitutionality. I will note that there have been several attacks against the Gramm-Leach-Bliley Act about the privacy provisions in that act based on a variety of constitutional issues. And the ones that have made it into court, the statute’s been consistently upheld. I see the same thing happening, probably, with any litigation concerning the constitutionality of the act. O’Donnell: I guess my concern about the deadlines is there’s a different deadline for every regulation right now, and I don’t want to push us back anymore. I want to get on to another requirement. I’ve about had it. And I fully support privacy confidentiality, especially with my clinical background, but we’re moving ahead like April is the date. You need to because, at one point, you’ve got … so many employees, huge hospitals. We’ve got to just pick a course. I was thrilled to see the modifications, though, because, as you understand this law, the modifications, to this extent, are huge. I mean, essentially, you continue to follow what your current state law is on consent and authorization. And hopefully, we’re already doing a pretty good job of that, and so we can do that. So I’m hopeful that that will be a success. Obviously, there are a few issues out there about research and marketing and coordinating it with the Senate bill. The Texas bill is hard. And I don’t know if that’s going to change in January at all, but we have to assume that what we’ve got right now is where we’re going. And so I’m hopeful that the federal privacy law is finalized as soon as possible, whatever format it’s in, because we really need to kind of move forward with what we’ve got. Silhol: And while it’s difficult to predict, I wouldn’t be surprised to see a delay in the effective date of privacy regs. They’re effective April 14, 2003, if I remember correctly, and still we don’t have final regs yet because the notice of proposed rule-making is coming on. The comment period has expired, but we don’t know yet what’s going to happen, so we have less than a year to get going on this. The other thing, too, is we still don’t have any security regs, and a lot of people are saying you can’t have privacy without security, and our IT people are telling us this. And while you can have policies and you have to follow state law, you saw a year delay in the effective date of the [standardized electronic transaction code requirements]. I wouldn’t be surprised if we see a delay in the effective date of the privacy regs. Jeffreys: Does anyone else have any thoughts on the security issues, on how you implement privacy if you don’t know for sure what to do about security? Holthaus: One of the requirements that goes along with securing somebody’s privacy is going to be hav[ing] systems in place not only that allow you to implement your own internal policies, but also [that restrict] sharing my information [if] somebody else [wants to share it]. I mean, you’re going to have to have an information systems program or a little paper program or something to keep track of all those things. I also believe that most of the companies we deal with are certainly well able to protect the security of information that they want to secure already, [like] proprietary information and things like that. Certainly, when it comes to talking about sharing information and some of the other statutes we’ve had where providers are going to be providing information to other entities, they seem to have no trouble with not sharing anything with them. So I believe, first of all, that most companies are able to maintain the security. And when you look at the security provisions that are in the proposed reg, they go hand-in-hand with what’s required. So I think that it’s a little naive to pretend that we don’t have any idea how to maintain the security of information. I think most companies are doing it already. And doctors have always been required to do it. For the most part, anybody who picks up information from doctors and health care providers is already bound by state law. Fleishman: I think security will be a problem. We will all comply with the rules whenever they’re effective, hopefully in April. We don’t know exactly what detail of security will be required by the regulations. But many of us at the table are in service industries, hospitals [and] insurance companies. And one of the problems with the rules is basic service. And most of you — I’m looking at the age group — look like you could have a spouse or [you could have] a child … between 10 and 25 years old … [o]r you could have a mother or father on Medicare or [who is] a patient in a hospital. And we are all fairly used to calling your insurance company or calling the hospital — “May I speak to Mrs. Fleishman?” “May I get some information on my wife’s claim, on my son’s claim?” And we would like to be able to do that for you and all of our other customers in the foreseeable future. But the rules do create slight problems. Am I really the husband or loved one of this person? And is my daughter having medical treatment that maybe dad shouldn’t know about? My daughter may, in fact, call and say, “Don’t tell my dad, he’ll kill me. Literally.” That creates problems for systems people because we don’t really know who’s calling us or if you are really who you say you are. And in order to be really secure, we’d turn off our customer service phone lines, and we are not going to do that. So we’re going to have to take a little bit of risk in assuming that when Neill calls, he’s Neill. There are ways: There are passwords, et cetera, but it is all very difficult. I personally have children covered under my plan and a spouse. I personally have parents under Medicare, and trying to get information from somebody on my parent’s claim or talk to their physicians or their hospital ain’t easy, guys. It won’t get any easier. So in return for some privacy, we’re not going to get the information we used to get, good, bad, indifferent. That’s just the way it is. But the answer to the bottom-line question is, yeah, it’s kind of hard to know exactly what type of security you’re going to have, but it’s reasonably secure right now, and it will be April of next year. Jeffreys: Is there going to be any grace period or first warning? Holthaus: It’s interesting you bring that up because, first of all, the Texas Department of Insurance has no authority at all to enforce HIPAA because it’s fed[eral]. And so what we’ll be doing when we get complaints about it is, we’ll be looking to see is this only a complaint under the federal requirements, and if so, we’ll ship them off to federal. But we’ll also be looking at them in terms of compliance with our rules and with our statutes, and that’s going to be very difficult because, for one thing, it’s talking about explaining this whole concept. They keep saying but it’s going to be in the next guide, it’s going to be in the next set of rules, and they keep putting it off. I can tell you from the department’s point of view and also from reading the guidelines, now, they’re backing away from this idea that it’s any inadvertent error. I can tell you with the department that what we are looking at in terms of compliance is going to be the overall attempts to comply, whether what we get are isolated incidents, and whether they establish a pattern of carelessness or intentional release of information. And again, I do agree with what you say, there’s going to be a huge backlash of complaints and laws and things coming in, but a lot of it is going to be because of the lack of education of the public about what privacy means because they do not understand that, by availing themselves of a service, they are giving up some of their rights of privacy, like Neill said. One of the biggest complaints we get every day is people [who] call up and complain that we were required to sign this big, huge global consent form for disability insurance because they have to release information about bank accounts and education and all kinds of things. And we have to explain to them, “Well, [with] a disability policy, they look at your … present ability to earn money, and so all of those things are relevant.” So I think these things will have to be sorted out over time. I will point out to you, I barely have time to work on the actual regulations that we promulgate in accordance with the government code, and so we don’t have time to have those secret regulations. BENEFITS OF HIPAA Jeffreys: We’ve talked a lot about the difficulties of complying with this law and preparing to comply for it. Are there any institutional benefits? Silhol: There were, but they were delayed. I mean, it is amazing when you go to Washington, D.C., and you talk to the career government officials who say that HIPAA will save the health care industry — I believe the last quote was $11.7 billion. Yet, on the other hand, American Hospital Association is saying HIPAA combined is going to cost us $24 billion. You know, who’s right? These savings — the cost savings — are supposed to be part of the administrative simplification section — and you know why you don’t call that by its acronym — which were a part of HIPAA which, quite frankly, made sense. And that is the simplification of all the claim forms and paperwork that people like Blue Cross would provide us, that if you didn’t put the color of eyes of the patient, Blue Cross would reject that claim. And really, what HIPAA is doing is trying to prevent those types of parochial, if you will, claim forms and getting everybody under a standardization, and that’s the electronic codes, that’s the transaction code sets, which were delayed a year. So any cost savings that we were supposed to start to enjoy have been delayed until … October, I believe, of 2004. Am I correct? But so we’ll have to wait to see. Cox: Hospitals and doctors never code anything. Fleishman: But if they could figure out how to fill out a UB-92, I think we can figure out how to process them. Jeffreys: How is this complicating or simplifying how you deal with your business partners? Fleishman: I’m not finding a great deal of awareness in the provider community as it relates to contracting or even payment of claims. I think the provider community is now learning of HIPAA. But as far as paying a claim, you’re submitting it to a third-party payor and getting it processed, HIPAA really raises no impediment. It’s exempt, for lack of a better word. So I haven’t found it to be a problem. I think the new rules or the new proposed rules are a big help to the provider community. They were very much concerned about signing consents and authorizations and all that good stuff. And so that has actually improved their lot in life. But I have not actually seen any conflict or disagreements, and I think that’s partially because I have not seen yet actual HIPAA language negotiated between business associates. And by the way, providers are not our business associates for all purposes. Broad statement, but basically true. But we do need records from time to time, and, hopefully, they’ll give it to us … and they want us to pay them. That’s generally the incentive to get us some information about the patient. But I haven’t seen a great deal of conflict or even cooperation. We have put on some workshops … for employers. I think the last group of people who know nothing about HIPAA are employers. Large ones, self-funded ones, including firms represented in this room. We all think of ourselves as our business. I mean, we’re a third-party payor, but by God, we’re a big employer. So are some of your firms. You are businesspeople. You are not just lawyers. You have a company with maybe 300, 400, 500 employees or even 30 or 40. Keep that in mind when you go back. You’ve got to figure out what you do with this information. The big hole in HIPAA is health plans. They have all this information about you, as employees, and your families. And when you file your workers’ comp claim, they may be sifting through some of that information and see just when your back first started to hurt. But the question has to do with the conflict or the inner workings, and I haven’t seen a great deal of conflict. Cox: [I]t varies because a lot of states, like the Galveston med school, have their own hospital. It’s pretty much [accepted that] you can share data between your hospital and your medical staff. The problem … [arises in situations like] UT Southwestern … where you have four or five physical hospitals, all of whom you’re now trying to fit yourself into the organized health care arrangement so you can share that information because patients go back and forth between Parkland, Zale Lipshy, to a certain lesser extent, Children’s Medical Center, and St. Paul. There are some MRI facilities that are owned by everybody … . [T]o qualify, you have to hold yourself out to the public as an organized health care arrangement. Well, these entities like Parkland and the University of Texas have limited liability. People like Children’s and Zale Lipshy do not. So when you think about [limited] liability, you suddenly find that maybe it isn’t such a nice thing to have after all, and maybe we don’t need all that information. That’s the quandary … [of] everybody … [having] access. O’Donnell: For a provider like Christus Health that is a Texas nonprofit corporation but has, probably, about 200 other different various forms of organization, as the issue was brought up, is the sharing of information between [organizations]. I mean, we aggregate our quality information to look at it as a system, and so some of those issues have been challenged. We’re a health care provider, we’re an employer, we’re a health plan, and we’re also a clearinghouse because we’ve got a collection agency … . And so it has really made us examine our relationships: We have to sit and think what hat we are wearing and where this information is going. And although it is tedious, it hasn’t really all been bad. I think we, as a system, have a better understanding of our business and what it takes to really run a system this big. We have always, in Christus Health, had an emphasis that I’m sure Triad has on privacy and confidentiality. So a lot of this is not new; it’s just the devil is in details, as they say. And I mean, to me, the best thing that health care could have would be an electronic medical record that’s seamless, where you could really go from Houston to New York, and if you were admitted to a facility there, people could have access to your information to treat you. That’s what really needs to occur for the best health care to happen. And you know, we haven’t done that yet. Information technology hasn’t gotten that, and if there’s a system out there, it really is not happening yet to the extent that it could. My hope is that HIPAA won’t impede that in some way. I mean, we have to be able to share information amongst the people that need it for treatment purposes, particularly without an overlying regulation that impedes what we’re trying to do for 50 years in health care — to treat people, not because we want to put it on the newspaper. So … it’s really made us examine our relationships because we’re a complex business, and I don’t think it’s necessarily been all bad, but it has been a lot of work. Silhol: I would agree with that and go back to the question as to how this has impacted our relationships with our partners and whatnot. We’ve always been friends with Blue Cross, so I guess that will stay the same. But … we’re expecting the payors to be on board with the electronic transaction code sets. So that, quite frankly, is the least of our worries because we have the trust and the faith that the payors — this is an important thing for payors, and we’re expecting them to do it. … Where it’s impacting our relationships with existing business partners are twofold. One, our software vendors, and although many, quote, HIPAA experts will tell you that HIPAA is not like Y2K because Y2K came and went and HIPAA will be with us forever, there are a lot of similarities. And part of what we’re doing in our gap analysis [of what you would need to do to make your system come into compliance with HIPAA requirements] is going back, looking at our software systems. Because we’ve acquired multi-companies and hospitals, they have a lot of legacy software systems, especially with physician practices. You know, there must be some computer programmer in Moline, Ill., that did a software program for billing that we can’t find. And his software billing is on a couple of physicians that we employ now. So we’re going to have to delete that software and get new software. So it’s impacted our ability to go after software vendors and say, “Hey, is this software HIPAA-compliant?” … [A]mazingly, a lot of these vendors who sent these letters out like we did with Y2K, we haven’t heard back from them. We don’t know if they’re still around. … So it’s really causing us to go — again, like Y2K — back to our software vendors and kick out those people that we don’t hear from, that can’t give us some assurance that, well, the transaction code set will probably be HIPAA-compliant. The second thing — and this has been talked about briefly in passing — are the business-associate agreements. I think, Neill, you mentioned that HHS and their notice of proposed rule-making did set forth some model business-associate agreement language, and, quite frankly, that’s something that I’m interested in learning about. Will the whole health care industry go to a model business-associate agreement mainly that everybody just signs and it’s standardized, or are we going to have to negotiate untold thousands of business-associate agreements on a line-by-line basis in order to get all these agreements in place by either April 2003 or 2004, depending upon situation? And that’s something, quite frankly, that we’ve heard nothing about. I’ve been listening in on these teleconferences that many firms and health care associations have put forth about whether or not we’re going to go toward standard business-associate agreement. And I’ve not heard anything as to where we are, and quite frankly, that concerns me.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.