Quest Diagnostics 2003 Annual Report Download - page 31


varies from state to state. In certain states these restrictions affect our ability to directly provide anatomic
pathology services and/or to provide clinical laboratory services directly to consumers.
Privacy and Security of Health Information; Standard Transactions
Pursuant to the Health Insurance Portability and Accountability Act of 1996, or HIPAA, the Secretary of
HHS has issued final regulations designed to improve the efficiency and effectiveness of the health care system
by facilitating the electronic exchange of information in certain financial and administrative transactions while
protecting the privacy and security of the information exchanged. Three principal regulations have been issued
in final form: privacy regulations, security regulations, and standards for electronic transactions.
The HIPAA privacy regulations, which fully came into effect in April 2003, establish comprehensive federal
standards with respect to the uses and disclosures of protected health information by health plans, healthcare
providers and healthcare clearinghouses. The regulations establish a complex regulatory framework on a variety
of subjects, including:
  • the circumstances under which uses and disclosures of protected health information are permitted or
    required without a specific authorization by the patient, including but not limited to treatment purposes,
    activities to obtain payment for our services, and our health care operations activities;
  • a patient’s rights to access, amend and receive an accounting of certain disclosures of protected health
    information;
  • the content of notices of privacy practices for protected health information; and
  • administrative, technical and physical safeguards required of entities that use or receive protected health
    information.
We have implemented the HIPAA privacy regulations, as required by law. The HIPAA privacy regulations
establish a “floor” and do not supersede state laws that are more stringent. Therefore, we are required to
comply with both federal privacy standards and varying state privacy laws. In addition, for healthcare data
transfers relating to citizens of other countries, we need to comply with the laws of other countries. The federal
privacy regulations restrict our ability to use or disclose patient-identifiable laboratory data, without patient
authorization, for purposes other than payment, treatment or healthcare operations (as defined by HIPAA) except
for disclosures for various public policy purposes and other permitted purposes outlined in the final privacy
regulations. The privacy regulations provide for significant fines and other penalties for wrongful use or
disclosure of protected health information, including potential loss of licensure and civil and criminal fines and
penalties. Although the HIPAA statute and regulations do not expressly provide for a private right of damages,
we also could incur damages under state laws to private parties for the wrongful use or disclosure of
confidential health information or other private personal information.
The final HIPAA security regulations, which establish requirements for safeguarding electronic patient
information, were published on February 20, 2003 and became effective on April 21, 2003, although healthcare
providers have until April 20, 2005 to comply. We are conducting an analysis to determine the proper security
measures to reasonably and appropriately comply with the standards and implementation specifications by the
compliance deadline of April 20, 2005.
The final HIPAA regulations for electronic transactions, which we refer to as the transaction standards,
establish uniform standards for electronic transactions and code sets, including the electronic transactions and
code sets used for claims, remittance advices, enrollment and eligibility. The transaction standards became
effective in October 2002, although covered entities were eligible to obtain a one-year extension if approved
through an application to the Secretary of HHS. We received this one-year extension through October 16, 2003
from HHS.
HHS issued guidance on July 24, 2003 stating that it would not penalize a covered entity for post-
implementation date transactions that are not fully compliant with the transactions standards, if the covered
entity could demonstrate its good faith efforts to comply with the standards. HHS’ stated purpose for this
flexible enforcement position was to “permit health plans to mitigate unintended adverse effects on covered
entities’ cash flow and business operations during the transition to the standards, as well as on the availability
and quality of patient care.” We continue to work in good faith to complete the implementation of these
standards with those payers who either were not ready to exchange files in the standard formats as of the
compliance date, or who have varying interpretations of the requirements. Working with these payers requires
that we continue to trade electronic claims files and payments in legacy formats, even after the compliance
deadline of October 16, 2003.