[Editor’s note: This column addresses specific questions related to Health Insurance Portability and Accountability Act (HIPAA) implementation. If you have questions, please send them to Sheryl Jackson, Same-Day Surgery, American Health Consultants, P.O. Box 740056, Atlanta, GA 30374. Fax: (404) 262-5447. E-mail: sherylsmjackson@cs.com.]

Question: What is an organized health care arrangement [OHCA], and why should I join one?

Answer: With some limited exceptions, the privacy standards require every provider to present their patients with their own notice of privacy practices (NPP), says Joshua M. Kaye, Esq., an attorney with McDermott, Will & Emery in Miami.

"This could result in an administrative and logistical nightmare as the ASC [ambulatory surgery center] staff overwhelms the patients with the NPPs of the ASC as well as of the patients’ treating providers," he explains.

To ease such burdens and help avoid patient confusion, the privacy standards allow for same-day surgery programs and other similar entities to be treated as an organized health care arrangement, says Kaye.

"As an OHCA, the same-day surgery program and medical staff may utilize a single joint NPP and more freely share protected health information among each other," he explains.

"Assuming your center is deemed an OHCA under the privacy standards, it is advisable to formalize this arrangement by amending your center’s medical staff bylaws to incorporate necessary provisions regarding the use and sharing of patients’ protected health information."

Question: Have the final security standards been announced?

Answer: On Feb. 13, 2003, the Department of Health and Human Services adopted final security standards that protect patient information that is maintained or transmitted electronically.

The rule requires covered entities to implement administrative, physical, and technical safeguards to protect electronic protected health information in their care. The security standards were published as a final rule in the Feb. 20 Federal Register with an effective date of April 21, 2003.

The rules require organizations to provide security awareness training to all employees, to conduct risk analyses to identify security vulnerabilities, to establish policies that allow access to protected health information on a need-to-know basis, to limit physical access to information, to establish audit controls, and to enforce sanctions. The regulations will become enforceable for most covered entities April 21, 2005.