Many physicians have fears regarding implementation of HIPAA's Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule). The Privacy Rule is intended to protect a patient's Protected Health Information (PHI) without interfering with the access to or quality of care. The following is a brief overview of the impact of the Privacy Rule on the physician's practice.
WHAT IS HIPAA?

The Health Insurance Portability and Accountability Act of 1996 has several components, including insurance portability, fraud and abuse, health revenue issues, tax issues related to health, group health plans, and administrative simplification. Under the Administrative Simplification component of HIPAA there are three subparts: electronic data interchange, the Privacy Rule, and security. In 2000, the Department of Health and Human Services (HHS) issued final regulations concerning the Privacy Rule, which were later amended in August of 2002. The deadline for compliance with the Privacy Rule is April 14, 2003.
PRIVACY RULE

The Privacy Rule controls the use and disclosure of PHI and applies to healthcare providers, health plans, and healthcare clearinghouses, referred to as covered entities. Protected health information includes any information, whether oral, recorded, written, or electronic, that relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or billing and payments made for the provision of healthcare to an individual. It includes any personal information that may connect the patient to the health information, such as the patient's name, address, or social security number.

The Privacy Rule allows covered entities, such as physicians' practices, to use and disclose protected health information for three general purposes without first obtaining the patient's authorization: treatment, payment, and healthcare operations. There are a few other permitted uses of PHI that do not require the patient's authorization, including reporting for public health purposes, disclosures to law enforcement, tissue and organ procurement, disclosures to medical examiners and coroners, and oversight activities such as audits.
PRIVACY NOTICE

The Privacy Rule requires practices to provide patients with a Privacy Notice detailing the rights and responsibilities of the patient and the practice in protecting the privacy and confidentiality of PHI.

The Privacy Notice should be shared with patients upon delivery of service, or as soon as feasible in an emergency. It must be available to patients in print, written in clear, understandable language, and posted at each service site. The notice should contain the patient's rights, the practice's duties, and a description of the types of uses and disclosures of PHI. The practice must attempt to obtain the patient's written acknowledgement that the privacy notice was provided. Each time the practice's privacy policies change, the privacy notice should be revised, and written acknowledgement must be obtained with each revision. The patient acknowledgement(s), a copy of the privacy notice, and each revision must be maintained for at least six years. A written acknowledgement may serve for the entire length of treatment unless the privacy notice is revised.
MINIMUM NECESSARY

Each practice must make reasonable effort to limit use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This means that disclosures of PHI by staff should be limited to the minimum necessary to accomplish their specific job function. Job descriptions for staff members should identify the types of information an employee may access and disclose.
AUTHORIZATION

In most situations, the patient's authorization must be obtained when PHI is used or disclosed to any third party for purposes other than treatment, payment, and operations. For instance, if a product representative requests the names of patients for marketing, the patient's authorization must be obtained and must be specific to that use or disclosure. The authorization covers only that purpose and is time limited.

The Privacy Rule distinguishes between uses and disclosures for payment, treatment, and healthcare operations, for which no consent or authorization is required, and uses for which an authorization is needed, such as marketing, fundraising, and employment determinations. Unless disclosure is for payment, treatment, or healthcare operations, or unless an exception applies, PHI cannot be disclosed absent an authorization. Where an authorization is needed, several defined provisions must be included in the form and particular procedures must be followed in accordance with the Privacy Rule for the authorization to be valid.
MINORS

In general, the scope of a personal representative's authority to act for a minor patient under the Privacy Rule derives from his or her authority under applicable law to make healthcare decisions for that patient. Therefore, the Privacy Rule allows parents, as personal representatives, to access patient information for their minor children. However, there are a few exceptions in which parents are not permitted access to a minor's health information, such as healthcare treatment that a minor may consent to without parental consent, cases of abuse or neglect, or when a court authorizes someone other than the parent to make treatment decisions.
BUSINESS ASSOCIATES

The HIPAA Privacy Rule applies only to covered entities: health plans, healthcare clearinghouses, and certain healthcare providers. Most physicians do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows physicians to disclose PHI to these business associates if the providers obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity's duties under the Privacy Rule. Typical business associate functions include answering services, independent contractors for transcription, billing and collections, claims processing, and accounting.
INTERACTION OF PRIVACY RULE WITH FLORIDA LAW

The Privacy Rule establishes, for the first time, a foundation of Federal protections for the privacy of protected health information. The Privacy Rule does not replace Federal, State, or other law that grants individuals even greater privacy protections, and physician practices are free to maintain or adopt more protective policies or practices.
COMPLIANCE EFFORTS

The Privacy Rule generally requires physician compliance as follows:

- Notify patients about their privacy rights and how their information can be used.
- Adopt and implement privacy procedures for the practice.
- Train employees so that they understand the privacy procedures.
- Designate an individual to be responsible for seeing that privacy procedures are adopted and followed.
- Secure patient records containing PHI so that they are not readily available to those who do not need them.

Failure to comply with the provisions of the Privacy Rule may result in civil penalties of $100 per violation up to a maximum of $25,000 per year for the same violation, and criminal penalties of up to $250,000, imprisonment, or both for intentional violations.
The HIPAA Privacy Rules are the first federal guidelines aimed at regulating the privacy of health information. Most practices are sensitive to their patients' right to privacy and already take effective measures to protect it. However, in light of the requirements set forth by the Privacy Rule, the policies and procedures of your practice should be reviewed to ensure proper compliance.

FPIC offers a one-hour training program on Privacy Rule Compliance. If you are interested in scheduling this in-service or need further assistance, please e-mail rm@fpic.com or call FPIC's Risk Management Department at 800-741-3742, extension 3100.

Sample compliance tools, such as Privacy Notices and additional reference material, may be obtained by visiting the FPIC risk management website at www.medmal.com.
Other helpful websites include:
www.ahima.org
www.ama-assn.org
www.hhs.gov/ocr/hipaa
www.hipaadvisory.com
www.himss.org
www.mgma.com
Disclaimer

NOTE: FPIC provides HIPAA guidance as a benefit to its policyholders for educational and informational purposes only. Any representations or written reports rendered in conjunction with this benefit should not be considered a certification of HIPAA compliance, nor should they be interpreted as offering legal, financial, or other professional services. Policyholders that are developing policies and procedures to comply with HIPAA's Privacy Rule should seek legal and/or professional assistance to be sure that an appropriate compliance plan is implemented for their particular practice.