Learn the components of the HIPAA privacy regs
Here is a synopsis of what the new Health Insurance Portability and Accountability Act (HIPAA) privacy rules mandate:
1. You must maintain physical security of all health care information. This includes limiting access to computer terminals and physical access to paper-based documents. Records should be kept under lock and key with limited access. Nobody should be able to look over your shoulder and see any personally identifiable patient information.
2. Access to individually identifiable health information is restricted to a "need-to-know basis." All health care entities must develop criteria setting out which employees need to see identifiable health information and identifying the people or class of people who will review the requests for disclosure.
3. You can disclose only the "minimum information necessary." For most disclosures, the regulations require you to disclose the minimum information needed for the purpose of the disclosure. If you work for a provider, you should have full access to the patients’ health records, says David Kibbe, MD, MBA, chief executive officer of Canopy Systems in Chapel Hill, NC. However, case managers for insurance companies might have trouble getting the full information in some cases because providers have the obligation to release to the insurance company only the part of the record that is relevant. "There are areas that are somewhat gray," Kibbe says.
4. Patients have significant new rights of control over their health information. Patients must sign a consent form allowing providers to disclose their personal health information in the normal processes of treating, billing, and health care management. The new law gives patients access to their individual health information that is in your organization’s files. This means providers must make the records open to a patient any time he or she wants to see them. The regulations give patients the right to a "disclosure history," which lists entities that receive the information.
5. Patients have to receive a written notification of their rights. Case managers are not likely to have to provide these written explanations, but you should be aware that your organization has to provide them. The general notice, which will be given to every patient and posted throughout the office, includes information on patients’ right to access information, to amend their chart, and what they can do if they feel their privacy has been violated. It should include a notice of your organization’s policies and procedures on use or disclosure of protected health information.
6. All entities covered by the rule must have a privacy officer. This person is in charge of ensuring that records are handled in accordance with the privacy regulations. If a patient has a complaint about how his records are handled, the privacy officer would handle it.
7. Staff must receive training on your privacy policies and procedures every three years. The training should cover all aspects of how and why you are protecting health information and should be in conjunction with security training, which will be mandated in the yet-to-be-released security regulations. The staff must be retrained and re-certified every three years. Your organization will have to provide documentation that training has been given.
8. You must make sure that anyone with whom you share confidential patient information follows the HIPAA privacy regulations. This regulation could affect case managers in private practice who contract with insurers or providers. However, the onus will be on the covered entity to make sure that the "business partners" comply with HIPAA.