CYBERCARE
EMRs and HIPAA
There's more to HIPAA than just privacy; consider cost too.
Richard Hom, O.D., F.A.A.O.
HIPAA. It sounds innocent, yet beneath this acronym lie regulations that may dramatically change the way you run your office or the complexion of your practice management software (PMS). No one can predict the results of this far-reaching piece of legislation.
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 grew out of earlier concerns of the President George H. Bush administration to protect the confidentiality of healthcare information and to reduce the administrative costs of healthcare.
Protecting confidentiality
Numerous federal, state and local statutes and regulations currently bind providers to a high level of confidentiality regarding patient paper records. Now HIPAA showcases these regulations by requiring a minimum level of "privacy" for manual records and computer systems. Where states have more restrictive regulations, HIPAA will not supersede those regulations.
Doctors must secure electronic medical records (EMRs) from unauthorized access. Provider computer systems will require enhanced security and authentication for both physical and logical access.
- Physical access means that users are able to physically touch a keyboard or the actual computer.
- Logical access is the security scheme for logging onto the computer itself (usually controlled by the operating system) and onto the PMS package.
EMRs must be associated with their true author. EMRs must also track edits to ensure that the true author can't repudiate a version at a later date. The privacy portion of HIPAA requires compliance by all parties by April 2003.
Reducing costs
HIPAA's other focus (administrative cost reduction) concerns transactions between providers and payers. Achieving this might be difficult for vision EMR packages and vision care payers because of the requirements for standardized transactions and code sets. The penalty for non-compliance may include monetary fines or even punitive incarceration.
Most EMR packages and manual record keeping are excellent at recording transactions, but they're challenged when they must seamlessly exchange information with another business or EMR package (such as a vision care plan).
To facilitate interoperability, the early planners of HIPAA adopted Electronic Data Interchange (EDI), a technology that dates from the 1960s. EDI became the savior of large corporations that processed purchase orders, invoices and shipping documents by hand from thousands of suppliers.
EDI is a framework whereby companies can agree on a standard categorization and description of a product or service.
In eye care, Medicare has established service descriptions and nomenclature. But no standard exists for products. Product standards must be detailed enough to describe a product as if you ordered it from the manufacturer yourself. For frames, it would be the manufacturer, style, color, temple size, etc.
An issue that needs attention
EMR vendors will need to agree on transaction rules and code sets. They'll need to evaluate their current software versions to determine the financial feasibility for compliance. Will EMR vendors unite and agree on standards? Will doctors who rely on manual records be forced to purchase EMR packages? Will payers force standards on EMR vendors and providers? I hope the profession and the EMR vendors take note.
DR. HOM IS A PRODUCT MANAGER FOR NETWORK APPLIANCE, INC., AN ENTERPRISE DATA AND STORAGE MANAGEMENT COMPANY BASED IN SUNNYVALE, CALIF. REACH HIM AT RICHARD.HOM@NETAPP.COM.