HIPAA deadline looms: Is your facility ready?

If you’re not moving, start

On April 14, covered entities under the Health Insurance Portability and Accountability Act (HIPAA) are expected to be in compliance with the new Standards for Privacy of Individually Identifiable Health Information.

"This implies that you have to have trained people in what the policies are," explains Larri Short, Esq., of Washington, DC-based Arent Fox, which serves as counsel to the Atlanta-based American Association of Occupational Health Nurses (AAOHN) on HIPAA matters. "Also you have to begin giving all defined [privacy] rights by April. As an example, AHA’s [American Hospital Association’s] model notice is 12 pages long — and you have to actually say what you as an organization intend to do."

That being the case, by this time, it would have been prudent to have thought through the regulations, taken a good first stab at appropriate new policies and procedures and thought of framing what you need to do to make all of this really happen. "If not, you need to move forward as fast as you can to assess the situation and develop policies," Short advises.

Not all-encompassing

The new requirements are not entirely as broad as some might fear. "You only have to apply these requirements to data that can reasonably be linked back to a person," Short explains. "If the information is aggregated, you don’t have to worry about it."

In the occ-health context there will be some providers — be they nurses or physicians — who will not be subject to the new regulations, depending on where they work. The three categories of covered entities are health care clearinghouses, health plans, and health care providers. Commercial health insurers, HMOs, and government-funded health care programs such as Medicare, Medicaid, and Tricare are health plans under HIPAA, says Short.

"More occupational health physicians are likely to work in an environment where the rule will apply to them than nurses, but the construct is the same for both," says Short. "Plus, if you don’t engage in standard transactions, i.e., filing health claims, coordinating benefits, checking claim status, electronically, the rule doesn’t apply to you."

In essence, Short explains, the new regs break down into three major pieces:

  1. How providers handle information. Covered entities are required to have permission to use or disclose individual patient information. It can come in the form of written permission from the patient or, in some cases, it can come in the form of regulatory provisions that allow you to use and disclose information for a designated list of public policy purposes. Examples would be a response to judicial demands, or to law enforcement.
  2. Patient privacy rights. The use of information will be restricted to the "minimum necessary" to accomplish the purpose at hand, which maximizes patient privacy. "For the first time at the federal level, we have a set of privacy rights for the patient," says Short. "Every patient has the right to access his or her own medical information. You have the right to have your health care provider give you a notice to explain how they are going to use your information." Some of the rights outlined in the new standards are only a right to ask; for example, if an employee is not happy with what the employer says it will do with the information, the provider can say they can’t accommodate the request. If the employer agrees, however, it is then bound to do so.
  3. Privacy compliance program. Covered organizations must appoint an individual who will be responsible for making sure it deals with the first two pieces of the new standards. There are to be written policies and procedures that can be surveyed and, where feasible, technical safeguards and access controls are to be put in place. (The Centers for Medicare & Medicaid Services sends surveyors for institutional Medicare providers.)

Outside help available

If you do not have the in-house expertise necessary to bring your facility into compliance, there are a wide variety of resources available, says Short. "You can look to the office of civil rights web site, retain attorneys or consultants, or attend workshops," she suggests. For example, AAOHN’s web site (www.aaohn.org) offers a series of workshops on the topic. There are a number of sources on the Internet as well. "The HHS [Department of Health and Human Services] site [www.hhs.gov/ocr] provides lots of links," Short adds.

The good news is that enforcement will be "kinder and gentler" than it is for some other government regulations, she adds. "The government will seek to achieve voluntary compliance, with punishment as a last resort," Short explains. In other words, if all of your preparation is not completed by April 14, you should simply attempt to get it done as soon as possible. "As long as you are cooperative and have made a sincere effort, I don’t expect you to get really slammed unless you work in an organization that was certified to participate in Medicare," she adds.

Such organizations are subject to some risk outside of HIPAA through CMS; if they do not meet certain quality standards, reimbursements could be threatened.

[For more information, contact:

Larri Short, Esq., Arent, Fox, Kitner, Plotkin & Kahn, PLLC, 1050 Connecticut Ave. N.W., Washington, DC 20036. Telephone: (202) 775-5786. E-mail: short.larri@arentfox.com. Web: www.arentfox.com.]