By Cindy Atoji

August 19, 2008 | In the wake of one of the largest fines levied by HHS for a HIPAA (Health Insurance Portability and Accountability Act) violation, HIPAA official Karen Trudel says to expect further audits and enforcement proceedings as federal officials begin to extend compliance reviews. “Where appropriate, we will not hesitate to use all of the tools that we have at our disposal,” says Trudel, deputy director of the CMS (Centers for Medicare and Medicaid) Office of HIPAA Standards.

The security breach at Providence Health and Services resulted in a $100,000 HHS (Health and Human Services) fine and a corrective plan to protect patient information, after the Seattle-based firm allegedly failed to properly secure electronic backup media and laptops containing patient health data. “From our perspective, enforcement, especially for security, is something that is multi-faceted,” says Trudel. “So we have the compliance review, our enforcement process and the penalties we can bring to bear if necessary—and all of these are important.”

On the NPI front, despite industry rumblings of a large increase in rejected claims after this spring’s NPI (National Provider Identifier) deadline, Trudel says, “we are rejecting almost no claims because of a lack of NPI. I’d say things are going well.” Trudel spoke with Digital HealthCare & Productivity about HIPAA developments at CMS, which include ePrescribing and personal health records, as well as her thoughts on how well NPI is working.

DHP: What is your role at CMS? 

Trudel: I’m the executive director of the office of e-health standards and services. We have responsibility for HIPAA standards development, with the exception of privacy, which is the Office for Civil Rights, and the HIPAA enforcement process. I also oversee e-prescribing and a number of HIT initiatives, including personal health records.

DHP: CMS hired PricewaterhouseCoopers (PWC) to determine whether health care organizations are complying with HIPAA security standards. How have those reviews been going?

Trudel: At this point they’re looking at covered entities where there has already been a compliant filed. So PWC is looking at the complaint itself and how the covered entity has addressed or fixed the issues involved. In particular, they’re looking at remote access policies and procedures, because remote access, whether it’s laptops, PDAs, or other portable devices, account for a considerable number of the security breaches in the news. It’s an ever increasing problem as these devices proliferate.

We’re about half way through the number of audits we propose to do, and we’ll be turning each of these reviews into a de-identified use case that we’ll be posting on our web site, which will discuss the problem was, the findings, and what they used to solve problem. We hope that this will be instructive to other covered entities that are looking to improve their security compliance. We all know that security is not something that happens—it’s a program that is put into effect. And you have to keep looking at it make sure additional problems aren’t occurring or that people are not following procedures.

DHP: When you say you’re halfway through—are you looking at 10-20 different organizations?

Trudel: We had initially thought 10-14, depending on the size and complexity; I think we are going to look at 10.

DHP: So you’re not going to be looking at entities where there is no filed complaint?

Trudel: Not with this particular contract. In future years, we will begin to expand into compliance reviews of other entities.

DHP: So the May 23 NPI deadline has come and gone. How is it going?

Trudel: We’re not hearing very much—it seems to be going pretty well. Our own Medicare processes are running well. We had started using NPIs in advance of the May 23 date, so we had some expectation of what we were going to see. I know there was a lot of concern but we haven’t seen that concern translate into significant problems where providers are not being reimbursed. There are always pockets of concern when you do something this big but I’m seeing nothing systemic.

DHP: Part of your task is to educate and inform institutions on HIPAA. What are the most common questions or difficulties you encounter?

Trudel: Sometimes just knowing when a person is a covered entity or not and that would seem to be very simplistic. But with respect to the NPI, there was a number of people who didn’t get NPIs because they thought they weren’t covered entities because they didn’t do any billing, such as a physician working in clinic. But they needed an NPI anyway, because that NPI had to go on the clinic bill.

I think with respect to security, one of the most difficult messages has been that we did not provide specific technology requirements. People want a checklist: “tell me what I need to do to become compliant.” We deliberately didn’t do that, because it’s not a one-size-fits-all approach, and what is good for making a small physician’s office HIPAA compliant is not the same as what makes a large hospital system HIPAA compliant, with respect to security. They have figure out, in their own security risk analysis, what their risks are, and what’s best for them to address those risks.

DHP: Can you discuss what CMS is doing to bring the benefits of health information technology to Medicare beneficiaries?

Trudel: One of the main things we’re working on is ePrescribing initiatives. We have developed a number of standards for use under Medicare part D that basically allow for the interoperability of prescription transactions, including medication history transaction, formulary, and benefit information. All of that information can flow between prescribers, pharmacies, and health plans in a structured manner.

We’re also doing some pilot testing to look at potential new standards that will allow us to structure prescription dosing instructions that a physician now writes out in free text. We’re trying to develop standards that will allow that to be structured and codified so that a computer can read it more easily. And we’re pilot testing a drug terminology called RXnorm that would make it easier for physicians to identify a clinical drug.

DHP: What about personal health records (PHRs)? Are you working on anything in that field?

Trudel: We’re really excited about personal health records because we think this is something extremely useful to Medicare beneficiaries, especially those with chronic conditions. As personal health records become more widespread, as people come into Medicare in the next five to ten years, they will have already have experience with PHRs, and they’ll be interested in using them as they come into Medicare. One of the projects that we’re doing right now is a pilot taking place in South Carolina, called MyPHRSC. It provides free access for any Medicare beneficiary who wants to sign up for the PHR tool, called HealthTrio. We’re working with HealthTrio to automatically populate the PHR with Medicare claims data. If you’re familiar with PHRs, this is something of a departure, because many of the PHR tools require a lot of manual entry of information. We’ll go back and do an evaluation to see how beneficial this tool is for Medicare beneficiaries to give us a better idea of how we can better serve this population.