HIPAA compliance: the clock is ticking

With the first deadline to implement new medical record regulations less than a year away, bioscience companies should be taking a hard look at whether these complicated US federal mandates will affect them.

It's not obvious how, or even if, biotechnology companies will be impacted by HIPAA, the Health Insurance Portability and Accountability Act of 1996, since these regulations focus largely on the healthcare industry. But experts say there are many areas where biotechnology organisations could potentially fall under the regulations' guidelines. To play it safe, all bioscience companies should look into the details behind the regulations; those that find themselves affected need to start taking steps toward compliance.

HIPAA regulations are designed to improve efficiencies in the healthcare market by standardising on electronic data exchange specifications among the many types of organisations that handle patient information, such as insurance companies, hospitals, and physician practices. They also aim to ensure the security and privacy of this data through technology standards.

Yet for biotechnology companies, HIPAA "has not been a top priority," said Stephen Bernstein, a partner with law firm McDermott, Will & Emery in Boston. While companies in this industry have not exactly had their heads stuck in the sand over the issue, it's been difficult for most organisations to figure out the regulations and determine their status. Still, they should, Bernstein said.

"For the most part, (biotechnology companies) are not covered entities, but there are a number of hidden traps and pitfalls, where some companies may be covered entities or hybrids. Pharmas and biotechs need to wake up to this issue," he said.

The most obvious place to start is at the Federal Register's web site where federal agencies post rules, notices, and executive orders. Mere mortals will likely find it difficult to decode the legislative language sufficiently, so contacting experts - lawyers or consultants well-versed in the regulations - might be the best way to start, especially since HIPAA's first compliance deadline falls on April 14, 2003.

If you dare to tackle the regulations alone, double-check with a specialist to confirm that your interpretation is correct, said Suzy Buckovich, an attorney with IBM's HIPAA National Practice in Maryland. "Figure out where you are in the (HIPAA) definition, then get consensus from legal counsel," Buckovich advised.

In general, there are three ways in which HIPAA can affect bioscience companies. A company is considered a "covered entity" by the regulations if it has direct access to patients' medical records. Some biotechnology firms will find themselves in this category, and should be actively evaluating where the gaps are between their current practice and HIPAA's specifications.

A company is also touched by HIPAA if it is a business associate of a covered entity. Since the covered entity will need to conform to regulations regarding how it provides associates with medical information, those partners need to be prepared to accept the data in ways that are consistent with the new specifications, Bernstein said.

Biotechnology firms "desperately need data, and it often comes from a covered entity, so they need to understand that process by which the covered entity is willing to give the data," he explained.

And at large bioscience companies that provide employees with group health plans, human resources and benefits departments need to understand how HIPAA will affect their handling of medical data.

The regulations state that by mid-April 2003, covered entities must comply with HIPAA's privacy standards that dictate who can and cannot access a patient's health information, electronic or otherwise. By October 16, 2003, affected companies must comply with the regulation's transaction rule, which specifies technical standards for electronic sending and receiving of health-related documents. That date was originally set for October 16, 2002, but the law has changed so that covered entities can file for a one-year extension to compliance.

There is another aspect of HIPAA that deals with the security of electronic information, but standards are still being hammered out so a deadline has not yet been set.

It's not too late to start addressing HIPAA compliance in order to meet the deadline, but time is of the essence. Information regarding HIPAA is available through Web sites and regional conferences; for example the Health Care Conference Administrators are holding a series of HIPAA Summit events in different cities this year. For those who need customised attention, an industry has sprung up of consultants and lawyers prepared to answer questions for a fee.

Whether companies decide to tackle these new regulations alone or outsource the headache to specialists, the key is to start the process now.