Compliance may be two years away, but you’re well advised to start now making sure your practice will comply with the new Health Insurance Portability and Accountability Act (HIPAA) privacy regulations.
"The last thing physicians want to do is to wait until the last minute, then make an all-out effort to comply," says Peter Adler, JD, a health care attorney with the Washington, DC, office of Foley & Lardner.
Information on the specific requirements for compliance is sketchy now because the regulations are so new. But within three months, there is likely to be a plethora of information available, including some package plans for compliance, predicts Janice Cunningham, JD, an attorney with The Health Care Group, a Plymouth Meeting, MA, consulting firm.
However, there are some steps that you can take now to make sure you will be in compliance when the Feb. 29, 2003, deadline rolls around. Start by examining your current policies and procedures for protecting patient information and comparing them to the HIPAA regulations, suggests Jon Zimmerman, senior manager for HIPAA and e-business initiatives for Siemens Medical Solutions Health Services Co. (formerly Shared Medical System) in Malvern, PA. "Once physician practices understand their policies, procedures, and practices, they can determine where the gaps are and what they need to do vs. what they are actually doing now," Zimmerman says.
Look at where the gaps in patient privacy occur in your office and take steps to close them up, he adds. In some instances, it may be as simple as moving your files to a locked room. "The rule is that identifiable patient information is supposed to be inaccessible. If that means building a wall or moving the documents to a secure location, that’s what the practice will have to do."
A small practice can probably make a good start toward establishing HIPAA compliance in a short time. It will take a large physician group a lot more time, Zimmerman says. "The requirements of HIPAA are scalable. Other than the privacy rights notices and the consent, small practices don’t have to do the same level of things as large organizations do," Adler says.
Here are some other do’s and don’ts for HIPAA compliance:
• Understand whom you communicate patient information to. Determine which of the entities you do business with qualify as covered entities or business associates under HIPAA regulations. Review all your forms, policies, procedures, and contracts with your business partners to make sure they are HIPAA compliant. Understand what steps your covered-entity partners and your business associates are going to take to become compliant, and coordinate with them. If you do business with a hospital on a regular basis, you should define your policies and make sure they coincide with the policies of the hospital.
• Start developing a HIPAA compliance plan. Your policies and procedures to protect patient privacy should reflect how all communications will be handled, even conversations in the hall. Set up a checklist of issues that have to be resolved for your practice to be in compliance.
• Appoint a designated privacy officer. This staff member will be in charge of formulating and compiling your privacy policies and procedures and keeping up with documentation. The privacy officer will also deal with patient questions or complaints about your privacy policies and procedures.
• Develop a plan for training your staff on privacy regulations and come up with a way to document the training. Training should cover topics such as who has the right to identifiable patient information, what consent form is required for distributing the information, patient rights to access their information, and other privacy and confidentiality issues. If your practice just has a blurb covering privacy and confidentiality in your policies and procedures manual, that won’t be sufficient. You must document that every employee has received the training in your office, even if they previously worked for another medical practice. All employees must be re-certified every three years.
• Determine whether your state’s privacy regulations will pre-empt the federal regulations. If your state already has privacy laws that are more stringent than HIPAA, the state laws will take precedence. If you are practicing across state lines or involved in telemedicine, look at the laws in all the states in which you practice.
• Before buying a packaged compliance plan, make sure it can be tailored to meet the needs of your individual practice. The problem with canned plans is that one plan can’t possibly cover medical practices ranging from solo practitioners to 100 or more physicians, Cunningham says.
• Don’t go it alone. Consult with your health care attorney to make sure you are doing what you need to do within your particular practice. Professional organizations and the large payers in your community may be able to provide sample consent forms or checklists to aid in compliance, Adler suggests.
• Include money in your budget over the next two years to cover the cost of HIPAA compliance.