MEDICARE
Six Ways to Prepare for the HIPAA Privacy Standard
Carol Poindexter
Kansas City, Mo.
If you start now, you just might be ready in time.
In about 18 months, nearly every medical practice and health-care facility will be required to comply with the Health Insurance Portability and Accountability Act Standards for Privacy of Individually Identifiable Health Information, the "Privacy Rule." While it's just one component of the broader, four-part 1996 HIPAA law, the Privacy Rule is more than a discrete change in practice policies. It is revolutionary in scope and will likely require significant changes in the way most practices operate.
The catalyst for ratifying HIPAA's privacy standard is a growing concern about identity theft, as well as insurance, lending and employment refusals that can occur when confidential health information is disclosed. The Privacy Rule establishes national standards that govern the use and disclosure of individually identifiable health information.
At first glance, the compliance date of April 14, 2003 seems doable. But it seems less generous when you consider how much time will be consumed as you and your staff work to develop and implement policies and procedures to comply with the Privacy Rule's requirements. Few medical offices have an extra full-time person to devote to the task, so I'm advising my clients to start this process right away.
Here are some important steps that will help you begin the journey toward HIPAA compliance.
1. Become familiar with the rule. Many trade organizations, like the American Academy of Ophthalmology, offer help, as does the government's official HIPAA website (www.hhs.gov/ocr/hipaa). When you visit this website, from the Office of Civil Rights, click on "Guidance," and you will find answers to basic HIPAA privacy questions as well as explanations about key requirements.
Sidebar: HIPAA Has Teeth

One compelling reason to comply with HIPAA's privacy standard is that the rule has real teeth. There are civil and criminal penalties, depending on the level of error: The lowest penalty is a $100 fine. This can increase to $25,000 per year for each patient and standard violated. If the patient information is obtained with the purpose of selling it or harming the individuals, the penalty can be as high as $250,000 plus a 10-year jail sentence. These penalties can be levied against individuals (i.e., you or a staff member) and the organization (i.e., your practice). In some circumstances, you can even be sanctioned for violations by one of your business associates. These civil and criminal penalties illustrate the importance of thoroughly preparing your practice to comply with the HIPAA privacy rules by the April 2003 compliance date. C.P.
The HIPAA privacy rule requires health-care providers who transmit any health information in electronic form in connection with a standard transaction covered by HIPAA to protect the confidentiality of all individually identifiable health information. These restrictions apply to electronic data transfers, such as e-mails or faxes, as well as written and verbal communication. Medical information is "identifiable" when it contains the patient's name, address, birth date, or anything that can be used to identify him or her (without these identifiers, the record loses its HIPAA protection and you can disclose the data). Failure to comply can result in civil and/or criminal sanctions.
The privacy rule contains detailed and specific requirements, including, but not limited to:
Provide patients with a "privacy notice." You must give patients a clear, written privacy notice that explains how you typically use or disclose their medical information. The final regulations have specific requirements for the content and format of this privacy notice, so review these requirements carefully. Notably, the privacy notice cannot be combined into one document with the patient consent form.
Only disclose the minimum information necessary. The regulations require that the practice take reasonable steps to limit the use and disclosure of protected health information. There are exceptions, including an exception for disclosures to or requests by a health-care provider for treatment purposes.
Give patients easy access to their medical records (with some exceptions). In general, patients must be able to get copies of and request amendments to their medical records. They can ask physicians to keep some communications confidential, and they may ask you to account for disclosures from your practice.
Get patients' consent to use and/or disclose protected health information. Certain uses and disclosures require an additional authorization.
Have contracts with business associates (e.g., any person or entity that works on your behalf, such as claims processors or data analysts) that govern the use and disclosure of protected health information the practice provides to the business associate. While you're not expected to actively monitor your business associate's compliance, the rule does require you to take certain actions if the business associate breaches the terms of the contract by improperly using or disclosing the protected health information.
2. Gain top physician and administration support. You will need top-down approval to complete the HIPAA privacy process. Everyone, especially the decision-makers in the practice, must understand this is not a one-time event, such as Y2K, where the focus was on information technology. It's a comprehensive effort that focuses on virtually all of your operations and procedures and may involve extensive restructuring of those procedures.
Don't forget to consider which resources will be necessary to achieve compliance. Management may want to evaluate the benefit of engaging an outside HIPAA expert to help the practice conduct its risk assessment, prepare privacy notices, review contract issues and review and/or develop policies and procedures. An experienced consultant can help you to avoid reinventing the wheel. The cost, however, may be prohibitive. If the practice elects to conduct its HIPAA compliance efforts on its own, it's advisable to have your health-care attorney review, at a minimum, the privacy notice you prepare and the contracts with business associates.
3. Designate a privacy officer. Every practice, large and small, must designate a privacy officer who will lead the practice through the process, and then supervise ongoing compliance with HIPAA. Larger group practices might also want to appoint a privacy committee to work directly with and support the privacy officer.
The privacy officer typically is the person in charge of office administration. He or she will develop and implement the privacy compliance plan, train staff to comply with the new policies, and monitor and audit the practice to assure the practice stays in compliance.
4. Look at how you use and disclose information now. This means evaluating all of the ways the practice uses and discloses protected health information (e.g., patient reminders, recalls, patient telephone calls, prescription information, current medical record release policies, and information from clinical studies). A thorough look at these will indicate the changes you need to make to comply with the HIPAA privacy rule. This operational review should include an assessment of security practices (e.g., locks, passwords, computer systems) and technical safeguards (e.g., encryption, message authentication), as well as a privacy review that focuses on the practice's current policies and procedures relating to confidentiality.
For instance, consider the amount of confidential information currently available to your billing staff. It may not be necessary for these folks to have complete access to patient charts.
5. Develop a plan for change. Carefully assess your areas of highest risk for disclosing confidential information. What physical safeguards should you take? This could include restricting access to charts and soundproofing walls. What technical safeguards should you take? This could include restricting computer access with passwords, instituting automatic computer log-off, and sending warning screens before transmitting e-mail with patient information.
You should also consider developing a confidentiality agreement with your staff. You'll also need to review business contracts, and develop policies on document retention (What will you keep, and for how long? How will you dispose of documents?).
6. Develop new policies and procedures and revise forms. This is the most demanding part of the process. The practice has to look at every form, every policy, every way it uses and discloses protected health information. New forms and/or procedures may need to be developed, including: a patient privacy notice; patient consent and authorization; a reporting process for patients who feel their privacy has been violated; and an employee reporting system, such as a "whistle blower" process for reporting violations of confidentiality.
Even if you have consent forms now, they may not contain sufficient information to comply with HIPAA. You'll also need to create a separate authorization form for certain uses and disclosures (such as for research or disclosure to a non-business associate). Don't forget to look at your patient encounter forms either. You may want to limit the amount of protected health information on the encounter form, such as patient history information. You may also need to have tighter controls on patient encounter forms, assuring that each one is accounted for at the end of the day.
This may all sound overwhelming, but if you start now, you can complete the task by the compliance deadline. Look at this as an opportunity to improve your practice while protecting the confidences your patients entrust to you.
Ms. Poindexter is a health-care attorney with Shook, Hardy, Bacon, LLC, and an editor of our regular column, Medicare Q&A.