82.1 F
San Fernando
Thursday, Mar 28, 2024

New Medical Information Rules Cause Confusion

New Medical Information Rules Cause Confusion By SHELLY GARCIA Senior Reporter Companies are snapping up new security software. Human resources workers are rushing to seminars. Consultants are fanning out in all directions. What’s causing all the stir is a new law that went into effect April 14 that seeks to ensure the privacy of health and medical information. The Health Insurance Portability and Accountability Act (HIPAA) is primarily intended for health care providers and insurers. But because the legislation affects the way all medical information is handled, it also has far-reaching implications for just about any company with an employee benefits plan. The trouble is that for many companies, just what those implications are is unclear. “I get calls once a week from my clients saying, ‘what do I do now?'” said Cynthia Elkins Hogan, an attorney in Warner Center. “It’s causing every single one of my clients tremendous anxiety and concern. They don’t know where to turn and how to do the right thing.” HIPAA provides a number of patient rights they can receive copies of their medical records, request that health care providers disclose who has seen their records and, if they wish, opt out of hospital directories that list their name and room number. It also limits who can have access to medical records, which means that companies have to assign specific workers who are trained to handle an employee’s medical information, keep those records separate from other personnel records and lock it all up tight. That last provision has been a boon to Symark Software, a Westlake Village based maker of internal security programs that saw its earnings rise by 15 percent last year thanks to HIPAA and other privacy-related legislation that has come down the pike in recent years. Symark makes security products for Unix systems, which have traditionally been secured with jerry-built programs created in house. Those systems are no longer acceptable. “In terms of the audit it will come up that it just isn’t going to hold against the strict requirements,” said Suzanne M. Dickson, Symark’s vice president of product marketing of users’ traditional security techniques. “That’s where it’s given us an advantage. For us, the regulations have put the stuff front and center at a different level in the organization.” The legislation, first passed by Congress in 1996 and adopted in 2001 with a two-year grace period for compliance, was designed to make sure that confidential medical information did not fall into the hands of those who might use it for their own gain (drug marketers who might want to buy patient lists from health care providers) or for employment discrimination (bosses who might be inclined to withhold promotions if they knew about an employee’s illness). It calls for companies to appoint privacy officers who can oversee these procedures and written policy and procedures for handling confidential medical information. It all sounds simple enough, until it comes time to implement the policies and procedures. What kinds of employee authorization do companies now need? What information can a company require if an employee is requesting a medical leave of absence? How much information can be given to the employee’s supervisor? What assistance can a company provide to an employee having trouble getting reimbursement for a medical claim? “There’s a lot of confusion,” said Wendy Platt, helpline consultant for the Employers Group, a non-profit human resource management association based in Los Angeles, who has been fielding many of the calls about HIPAA. “There’s not been a lot of information, and the information that exists is very convoluted.” 21st Century Insurance Group has been working on programs to comply with the new regulations for the past 18 months. The Woodland Hills-based company has sought outside advice along with its in-house staff, and it has made significant progress. Systems in place There are now new fire walls in place in the computer system; employees designated to handle medical information have been assigned and trained; and other systems to notify employees of the new privacy regulations and ensure confidentiality of information are up and running. “Now when employees come in and hand off any information, you can’t just leave it on a desk,” said Carol Brennan, corporate counsel for 21st Century. “You have to put it in a sealed envelope and only certain people can open it.” But even for 21st Century, many questions remain unanswered. “There’s still questions about how HIPAA meshes with labor laws,” said Brennan. “If an employee has an extended absence, in the past they’ve been required to get a doctor’s note. They can still get a doctor’s note, but we have to get an authorization to see the doctor’s note.” Other companies have completed the task of notifying employees of the changes and their rights but they are still hammering out other questions, like how to handle confidential information at locations remote from designated headquarters personnel. “Normally, what happens is the employees call me because I handle benefits, and I help them,” said Kathy Heath, senior benefits specialist at Rocketdyne Propulsion & Power’s Canoga Park facility, who, just days earlier, had received an e-mail about the issue from headquarters offices of its parent Boeing Co. “What this is saying is I can’t do that unless I’m a designated person.” Smaller companies with fewer resources are struggling with even basic questions like which companies must comply and which are exempt. Murky definition The regulations, for instance, apply to companies that are self-insured or those who handle $5 million in healthcare payments. “Is it $5 million a year in premiums or $5 million a year in claims?” said Anita Gorino, SPHR, who is president of Creative Resources, a human resources consultancy in Thousand Oaks. “None of us have been able to figure it out.” Many companies believe they are exempt because they are “fully insured,” meaning they contract out health care benefits services, but that is not always the case. “An employer might think it’s a fully insured employer, but if you have a flexible spending account for your employees, that type of health plan is considered self-insured because the monies are coming out of the employee’s paycheck,” said Adrian Guidotti, an attorney with Ballard Rosenberg Golper & Savitt, specialists in labor and employment issues. Questions of how to comply with the new act are fueling a kind of cottage industry of IT companies and management and benefits consultants. Guidotti and others said they have been getting e-mails daily with offers from consultants who claim expertise in HIPAA. Gorino said that attendance at a seminar she organized for the Valley chapter of Professionals in Human Resources Association in April surpassed the group’s typical meeting turnout by about 20 percent. “It is a hot ticket now,” said Gorino. “Everybody thinks HR people plan picnics, but our job is far from that.”

Featured Articles

Related Articles