HIPAA Regulatory Alert: HIPAA Q & A

Question: What are the deadlines for compliance with the HIPAA rules?

Answer: There are three sections of HIPAA, each with its own deadline, says Michael R. Callahan, partner and head of the HIPAA section for Katten Muchin, a Chicago-based law firm. "April 14, 2003, is the deadline for complying with the privacy rule, and Oct. 15, 2003, is the date to be in full compliance with the transaction code sets," he says. The security rules still are up in the air; and at press time, they had not received final approval. Once approved, providers have two years to comply with the security rules, he adds.

"The difficulty with the unapproved security rules is that many of the security requirements overlap with privacy requirements, such as development of passwords to protect electronic patient information," Callahan points out. This overlap means that an organization must implement some security measures along with privacy measures, he explains. Many organizations are basing their policies and implementing new activities based upon the proposed security rules and hoping they don’t change significantly, he adds.

Question: Who must comply with HIPAA?

Answer: "Any health care provider, billing clearinghouse, or other vendor that submits claims electronically must comply with HIPAA," Callahan says. Even if you don’t handle everything electronically, if any part of your process is electronic, such as verifying coverage, you must implement measures to meet HIPAA requirements, he adds. For example, if your program submits claims information on paper to a billing company that subsequently files claims electronically, your program must comply with the standards.

Question: How do I assess my readiness for the privacy requirements?

Answer: Start by looking at all of your policies and procedures to see which already comply with HIPAA, says Callahan. Depending on your organization’s resources, this step can be accomplished externally with a consultant or internally, he says.

"Many state associations and trade associations have posted information on the Internet to help hospitals and other providers review their HIPAA readiness," he says.

Compare your state regulations to the HIPAA requirements, he suggests. Many state trade associations have undertaken this task to help their members, he says. "In Illinois, we had to go line by line through 324 state statutes and regulations and compare them to HIPAA," he points out.

The good news is that most state regulations are more stringent than HIPAA requirements. "If the state requires more than HIPAA, you follow the state requirements," says Callahan.

As you go through your assessment, be sure to look not only at your policies, but at your actual practice as well, suggests Callahan. "We’re finding that most problems are related to sloppiness," he says. The most typical problems in hospitals are:

Medical records sitting on a desk or countertop in an area that is open to public traffic. Records can be left in a designated place for physicians to sign or to enable easy access for nurses, but they must not be left in an area in which nonhealth care providers travel.

Computer monitors that display patient information are positioned so that people in the reception area can see them. Turn your monitors or rearrange desk areas so that only the employee can see the information.

A scheduling whiteboard that includes patient names, procedures, or surgeons, on which nonhealth care providers can see names. Make sure this information is placed in a location that is seen only by appropriate health care personnel.

A sign-in sheet contains not only the patient’s name but also some other identifier such as procedure or reason for coming into the facility. Sign-in sheets are fine, as long as they don’t contain other information that is related to the patient’s medical history, Callahan points out.

As you review your HIPAA readiness, remember that patients may come to you and ask for an accounting of how their protected health care information was used and to whom it was given, says Callahan.

"Be sure your records are linked in such a way that you can find any and all information related to billing, medical treatment, and claims filings," he says. "You must be able to pull together all of the information, along with the log sheet showing how the information was shared, within 30 days."

This requirement means that you may have to find parts of records in radiology, laboratory, pharmacy, quality assurance, accounting, and any number of other areas, he says. You also want to work with your information technology department or consultant to make sure additions can be made easily to the record, because Callahan points out, "In addition to giving the patient the right to inspect records, the patient also may amend the record, so make sure you have that capability in place."

Question: Does the signed acknowledgement of notification of privacy rights have to be a separate form?

Answer: "Home health agencies are extremely concerned about the amount of paperwork that patients must review, and in some cases, sign, especially during the initial or admission visit. Agency staff members are acutely aware that patients and/or their family members often are ill, tired, in pain, afraid, and worried during the initial visit," says Elizabeth E. Hogue, Esq., a home health attorney in Burtonsville, MD. This means that reviewing and signing multiple forms is quite burdensome to many patients, she adds.

The revisions to the final privacy regulations of HIPAA generally require patients to sign an acknowledgement that they have received an agency’s notice of privacy rights at the first service delivery, Hogue points out. Because this is yet another form that patients must sign upon admission, many agency managers would like to include the acknowledgement along with other consent forms so that patients only have to sign once, she says. As long as your process is consistent with the final privacy regulations, you may include the acknowledgement required by HIPAA in a form along with other items, she says.

Here is what the revisions to final regulations published in the Aug. 14, 2002, Federal Register say on this subject:

"The department also agreed with commenters that the notice acknowledgement process must be flexible and provide covered entities with discretion in order to be workable. . . . The rule requires only that the acknowledgement be in writing and does not prescribe other details such as the form that the acknowledgment must take or the process for obtaining the acknowledgment.

"For example, the final rule does not require an individual’s signature to be on the notice. Instead, a covered health provider is permitted, for example, to have the individual sign a separate sheet or list, or to simply initial a cover sheet of the notice to be retained by the provider. . . . In addition, those covered health care providers that choose to obtain consent from an individual may design one form that includes both a consent and the acknowledgement of receipt of the notice.

"Covered health care providers are provided discretion to design the acknowledgement process best suited to their practices."

Question: What information can discharge planners give home health agencies without a patient’s permission?

Answer: Because gathering complete and accurate information upon home health admission is important, many home health managers are concerned that HIPAA regulations will restrict the type and amount of information that can be given upon patient referral.

Not so, according to Hogue.

"Home care providers should not expect any change in the ability of discharge planners, social workers, or case managers at referral sources to share information with agencies about patients they want to refer once the HIPAA privacy regulations in effect on April 14, 2003," she says.

"First, this is because revisions to the final regulations allow providers to share information for treatment, payment, and health care operations without patients’ consent or authorization," she says.

Since hospitals and long-term care facilities, for example, are required by Medicare conditions of participation to provide discharge planning services, sharing information to comply with this requirement may fall within this exception to the need for consent or authorization, she adds.

This same exception allows providers to share information with other providers for treatment and payment purposes, points out Hogue. This portion of the exception also may serve as the basis for sharing such information since the information is necessary for other providers to render services to patients, she adds.

Staff responsible for discharge planning may be concerned, however, about referrals to entities that their employers own or in which they have a financial interest, Hogue says.

Concerns may be based on the section of the revised final HIPAA privacy regulations that state that patients’ authorization is needed for marketing purposes, she says.

"Because discharge planners are making referrals to other entities owned by their hospitals, they may be concerned that such referrals constitute marketing services that require authorization from patients," she explains. On the contrary, the revised final HIPAA privacy regulations make it clear that such activities constitute case coordination, not marketing, for which patients’ authorizations are not needed, she adds.

"Anecdotally, we are already hearing reports of discharge planners who misunderstand the HIPAA privacy requirements," Hogue says. What should agencies do when the discharge planners in their hospitals misunderstand the above requirements?

"The best course of action may be to go to the designated privacy official within the organization to ask for clarification and communication with discharge planners," she suggests.

[For more information about compliance, contact:

  • Michael R. Callahan, Partner, Head of HIPAA Section, Katten, Muchin, Zavis, Rosenman, 525 W. Monroe St., Suite 1600, Chicago, IL 60661-3693. Telephone: (312) 902-5634. Fax: (312) 902-1061. E-mail: Michael.Callahan@kmzr.com.

For resources on compliance, contact:

  • The Department of Health and Human Services’ Office of Civil Rights has released a new guidance document to address frequently asked questions about the medical privacy rule. Web: www.hhs.gov/ocr/hipaa/privacy.html.
  • Workgroup for Electronic Data Interchange, 12020 Sunrise Valley Drive, Suite 100, Reston, VA 20191. Telephone: (703) 391-2716. Fax: (703) 391-2759. Web: www.wedi.org.]