HIPAA Regulatory Alert: Physician groups scared of HIPAA

Small groups have few resources available

San Francisco-area attorney Steven Fleisher, who is HIPAA consultant to the California Medical Association and provides compliance services to providers and employers, says that health care providers working in solo and small groups have the fewest resources available to deal with HIPAA compliance and are experiencing "fear and loathing on the HIPAA trail."

Speaking at the Sixth National HIPAA Summit in Washington, DC, Fleisher described small physician practices as a "distressed cottage industry," noting that income is flat or even declining, while costs continue to grow. "Doctors are unhappy with their practice realities," he asserted.

Many providers are resisting HIPAA, according to Fleisher, viewing it as yet another unreimbursed government mandate and expressing concern about the changes it will bring about and how much they will cost. Physician fear has been made worse, he said, by "unscrupulous pandering and rumor mongering" by vendors and others, creating fear about penalties and enforcement.

Physicians who use electronic means to engage in covered transactions are considered covered entities under HIPAA, Fleisher said, noting that even use of a swipe card for eligibility determination could lead to being considered a covered entity. Most physicians who bill will be covered by HIPAA in the next several years, he indicated.

Because the Department of Health and Human Services’ Office for Civil Rights has said that its enforcement of HIPAA will be complaint-driven and has very limited resources, Fleisher said that only those who are "really bad" will be going to jail for HIPAA violations. There may be a more significant problem with civil liability since consumer lawyers seem eager to file privacy lawsuits. He predicted that the HIPAA privacy and security regulations are likely to become the national standard of care for health care records over the coming months and years.

Practical help for small practices

"So far," Fleisher declared, "small and solo practitioners feel broke and besieged. They are afraid of HIPAA. Most will be covered despite some opt out of HIPAA’ campaigns, and so the question now is how they can be helped."

Addressing the privacy rule, he said that confidentiality is a concept that providers understand, and what they need to do is enhance existing awareness, afford specific rights to patients, and increase staff training. Fleisher said his firm focuses on simple and practical steps that providers can take, helping them to realize that compliance simply involves work.

While technology, especially expensive or complex technology, can help a small practice, it can’t be at the center of compliance strategies for most practices, he said. His practical privacy tips for providers include:

  • put one person in charge of privacy and give that person training, authority, and time to do the job;
  • inventory types, uses, and disclosures of protected health information;
  • be aware of pitfalls in telephone, hallway, and office conversations;
  • remove protected health information from easy patient access, looking at chart racks, chart holders, reception areas, exam rooms, hallways, and physicians’ desks.

Clearance and training procedures need to be developed for practice staffs, Fleisher said, along with proper uses and disclosures, sanction procedures, and termination procedures. Attention should be paid to incoming materials such as faxes and other protected health information, and outgoing materials such as faxes and those sent with commercial couriers. He recommends that there be a written agreement with patients if e-mails are to be exchanged with the practice.

Document patient communications

All activities should be documented, he said, including any patient request, the practice response, and actions taken. Patient communications should be filed separately, especially complaints, and there should be only one request in place at a time to limit use of protected health information or alternative channels of communication.

A practice’s Notice of Privacy Practices should be done last, he said, to assure consistency and conformity for specific practice issues such as questions of joint custody of children seen by pediatricians and treatment areas or support groups for oncology patients.

Fleisher advises practices to be sure that all their forms, policies, and procedures comply with state law as well as with HIPAA. "Pre-emption analysis and application to procedures and forms is a complex task," he cautioned, urging small medical groups to beg, buy, or borrow an analysis from another group such as a state medical association, bar association, hospital association, state agency, or academic privacy project.

Any materials that are borrowed from other sources still must be evaluated for their applicability to small provider issues, a check made of sources reviewed, and an inventory performed of state laws compared with HIPAA impacts, assumptions, and updates. Key areas to be aware of, according to Fleisher, are highly confidential protected health information, access rights, application to minors, psychotherapy notes, and authorizations.

Several business associate agreements likely

Fleisher also discussed the need for business associate agreements with groups such as billing services, transcription services, collection agencies, software vendors, and outside practice managers. He said that typically practices can amend their existing agreements to include the provisions required under HIPAA. "Respond if you have any reason to believe that a business associate has breached the contract," he said. "And watch for any state law issues."

Turning to the HIPAA security rule, Fleisher said it is important to understand that the Department of Health and Human Services is concentrating on principles rather than details. "Risk assessment is critical and the place where security compliance must start," he declared. "This isn’t rocket science. Use common sense."

He pointed out that industrial security, while commonplace in some other sectors, is a new concept in health care. Access restrictions can include office locks and keys, physical access to computers, chart racks, and supervision of visitors and patients. He recommended shredding paper waste.

Access to computers should be limited to authorized staff, according to Fleisher, and proper security arrangements should be made for storage of backups and removable media, as well as for home use and storage. He cautioned that the theft of personal digital assistants and laptop computers is not uncommon and must be addressed. Also needing to be addressed are lab and treatment devices that store or contain protected health information and chart racks.

Computer security techniques

He gave several suggestions for computer security, including examples of effective passwords that are a combination of letters, numbers, and symbols with no inherent meaning. Passwords should not be shared, he said, and should not be on Post-It notes stuck to a terminal. Passwords should be changed on a regular schedule.

Access rights to information stored on a computer should be assigned according to function, audit, and authorization, Fleisher said. He also recommended that protected health information be encrypted before being sent over the Internet.

Recognizing that it can be very difficult for physicians in smaller practices to organize compliance on their own, Fleisher suggested trying to secure help from local medical societies and private vendors for training and education, implementation planning, and policies, procedures, and forms that integrate state preemption analyses.

He shared examples of materials developed on CD-ROM by the California Medical Association for use by member practices that have policies, procedures, and forms customized for California law by association attorneys. The association also is providing training for physicians and staff, implementation planning, and regular updates.

Fleisher says that while most frontline physicians love high-tech equipment in the hospitals, they don’t want a high-tech office, and thus "HIPAA compliance for most will be a low-tech affair." He urged focusing on the possibility that the rules actually will provide a benefit to small practices by forcing them to move closer to the 21st century.

[Editor’s note: Contact Fleisher at (415) 882-5159 or e-mail fleisherassociates@att.net.]