HIPAA: If you haven’t started, move fast to develop privacy policies
Focus on access to and use of patient information
On April 14, covered entities under the Health Insurance Portability and Accountability Act (HIPAA) are expected to be in compliance with the new Standards for Privacy of Individually Identifiable Health Information.
"This implies that you have to have trained people in what the policies are," explains Larri Short, Esq., of Washington, DC-based Arent Fox, which serves as counsel to the Atlanta-based American Association of Occupational Health Nurses on HIPAA matters. "Also you have to begin giving all defined [privacy] rights by April. As an example, AHA’s [American Hospital Association’s] model notice is 12 pages long — and you have to actually say what you as an organization intend to do."
That being the case, it would have been prudent by now to have thought through the regulations, taken a good first stab at appropriate new policies and procedures, and framed what you need to do to make all of this really happen. "If not, you need to move forward as fast as you can to assess the situation and develop policies," Short advises.
Not all-encompassing
The new requirements are not as broad as some might fear. "You only have to apply these requirements to data that can reasonably be linked back to a person," Short explains. "If the information is aggregated, you don’t have to worry about it."
In essence, Short explains, the new regs break down into three major pieces:
• How providers handle information. Covered entities are required to have permission to use or disclose individual patient information. This can be written permission from the patient or, in some cases, it can come in the form of regulatory provisions that allow you to use and disclose information for a designated list of public policy issues. Examples would be a response to judicial demands or law enforcement.
• Patient privacy rights. The use of information will be restricted to the "minimum necessary" to accomplish the purpose at hand, which maximizes patient privacy. "For the first time, we have a set of privacy rights for the patient at the federal level," says Short. "Every patient has the right to access his or her own medical information. You have the right to have your health care provider give you a notice to explain how they are going to use your information." Some of the rights outlined in the new standards are only a right to ask; for example, if an employee is not happy with what the employer says it will do with the information, the provider can say they can’t accommodate the request. If the employer agrees, however, it is then bound to do so.
• Privacy compliance program. Covered organizations must appoint an individual who will be responsible for making sure the organization addresses the first two parts of the new standards. There are to be written policies and procedures that can be surveyed and, where feasible, technical safeguards and access controls are to be put in place. The Centers for Medicare & Medicaid Services (CMS) sends surveyors for institutional Medicare providers.
Outside help available
If you do not have the in-house expertise necessary to bring your facility into compliance, there are a wide variety of resources available, says Short. "You can look to the Office of Civil Rights web site, retain attorneys or consultants, or attend workshops. The HHS [Department of Health and Human Services] site [www.hhs.gov/ocr] provides lots of links," Short adds.
A "Frequently Asked Questions" document about the HIPAA privacy rule is posted on HHS’ web site. The document answers questions ranging from privacy rights to compliance dates. "Does the rule create a government database with all individuals’ personal health information?" and "If patients request copies of their medical records, are they required to pay for them?" are examples of the subjects covered. To see the questions, go to www.hhs.gov/ocr/faqs1001.doc.
The good news is that enforcement will be "kinder and gentler" than it is for some other government regulations, she adds. "The government will seek to achieve voluntary compliance, with punishment as a last resort," Short explains. In other words, if all of your preparation is not completed by April 14, you should simply attempt to get it done as soon as possible. "As long as you are cooperative and have made a sincere effort, I don’t expect you to get really slammed unless you work in an organization that was certified to participate in Medicare," she adds. Such organizations are subject to some risk outside of HIPAA through CMS; if they do not meet certain quality standards, reimbursements could be threatened.