New Medical Information Rules Cause Confusion
By SHELLY GARCIA
Senior Reporter
Companies are snapping up new security software.
Human resources workers are rushing to seminars.
Consultants are fanning out in all directions.
What’s causing all the stir is a new law that went into effect April 14 that seeks to ensure the privacy of health and medical information.
The Health Insurance Portability and Accountability Act (HIPAA) is primarily intended for health care providers and insurers. But because the legislation affects the way all medical information is handled, it also has far-reaching implications for just about any company with an employee benefits plan.
The trouble is that for many companies, just what those implications are is unclear.
“I get calls once a week from my clients saying, ‘what do I do now?’” said Cynthia Elkins Hogan, an attorney in Warner Center. “It’s causing every single one of my clients tremendous anxiety and concern. They don’t know where to turn and how to do the right thing.”
HIPAA provides a number of patient rights: they can receive copies of their medical records, request that health care providers disclose who has seen their records and, if they wish, opt out of hospital directories that list their name and room number.
It also limits who can have access to medical records, which means that companies have to assign specific workers who are trained to handle an employee’s medical information, keep those records separate from other personnel records and lock it all up tight.
That last provision has been a boon to Symark Software, a Westlake Village-based maker of internal security programs that saw its earnings rise by 15 percent last year thanks to HIPAA and other privacy-related legislation that has come down the pike in recent years.
Symark makes security products for Unix systems, which have traditionally been secured with jerry-built programs created in-house. Those systems are no longer acceptable.
“In terms of the audit it will come up that it just isn’t going to hold against the strict requirements,” said Suzanne M. Dickson, Symark’s vice president of product marketing, of users’ traditional security techniques. “That’s where it’s given us an advantage. For us, the regulations have put the stuff front and center at a different level in the organization.”
The legislation, first passed by Congress in 1996 and adopted in 2001 with a two-year grace period for compliance, was designed to make sure that confidential medical information did not fall into the hands of those who might use it for their own gain (drug marketers who might want to buy patient lists from health care providers) or for employment discrimination (bosses who might be inclined to withhold promotions if they knew about an employee’s illness). It calls for companies to appoint privacy officers who can oversee these procedures and written policy and procedures for handling confidential medical information.
It all sounds simple enough, until it comes time to implement the policies and procedures.
What kinds of employee authorization do companies now need? What information can a company require if an employee is requesting a medical leave of absence? How much information can be given to the employee’s supervisor? What assistance can a company provide to an employee having trouble getting reimbursement for a medical claim?
“There’s a lot of confusion,” said Wendy Platt, helpline consultant for the Employers Group, a non-profit human resource management association based in Los Angeles, who has been fielding many of the calls about HIPAA. “There’s not been a lot of information, and the information that exists is very convoluted.”
21st Century Insurance Group has been working on programs to comply with the new regulations for the past 18 months. The Woodland Hills-based company has sought outside advice along with its in-house staff, and it has made significant progress.
Systems in place
There are now new firewalls in place in the computer system; employees designated to handle medical information have been assigned and trained; and other systems to notify employees of the new privacy regulations and ensure confidentiality of information are up and running.
“Now when employees come in and hand off any information, you can’t just leave it on a desk,” said Carol Brennan, corporate counsel for 21st Century. “You have to put it in a sealed envelope and only certain people can open it.”
But even for 21st Century, many questions remain unanswered.
“There’s still questions about how HIPAA meshes with labor laws,” said Brennan. “If an employee has an extended absence, in the past they’ve been required to get a doctor’s note. They can still get a doctor’s note, but we have to get an authorization to see the doctor’s note.”
Other companies have completed the task of notifying employees of the changes and their rights but they are still hammering out other questions, like how to handle confidential information at locations remote from designated headquarters personnel.
“Normally, what happens is the employees call me because I handle benefits, and I help them,” said Kathy Heath, senior benefits specialist at Rocketdyne Propulsion