 

HIPAA Tip of the Week


4/11/03:
HIPAA Privacy Compliance: April 14
All required documents must be ready by Monday, April 14

Model Business Associate language

Sample Authorization Form, Sample Accounting of Disclosures Log, Sample Notice of Privacy Practice

4/4/03:
Is Posting the Notice of Privacy Practice Sufficient?
No, the HIPAA Privacy Regulation requires a covered health care provider with direct treatment relationships with individuals to give the notices to every individual no later than the date of first services delivery to the individual and to make a good faith effort to obtain the individual's written acknowledgment of receipt of the notice. Providers must also post the notice in their facility (office or other physical space) in a clear and prominent location where individuals are likely to see it, as well as make the notice available to those who ask for a copy.

More information on Notice of Privacy Practice and other HIPAA Privacy requirements

3/28/03:
HIPAA Tests with Payers Must Begin April 16
By April 16, covered entities must begin testing HIPAA electronic transactions with their trading partners. This means physician practices or their vendors must test electronic claims submissions with payers to make sure they work using the HIPAA-mandated electronic formats.

Reference “Questions to ask your vendor” in Appendix A & B of the Getting Ready for HIPAA guide

3/7/03:
Final Security Regulation
An analysis of the final security regulations is available on HIPAAdvisory.com. The regulation is effective April 21, 2003. The date for compliance is April 21, 2005.

2/28/03:
Are there Minimum Necessary Requirements for Training Situations?
The guidance issued from the Office for Civil Rights on Dec. 4, 2002, clarifies that medical residents, medical and nursing students, and other medical trainees are not prohibited from accessing patients' medical information in the course of their training. Under the definition of "health care operations," the Privacy rule provides for "conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers." Covered entities can institute policies and procedures regarding minimum necessary uses and disclosures to permit medical trainees access to patients' medical information (including the entire medical record).

2/14/03:
CMS Finalizes HIPAA Security Standards
The Centers for Medicare and Medicaid Services announced that the final rule adopting HIPAA standards for the security of electronic health information will be published in the Federal Register on Feb. 20. This final rule specifies a series of administrative, technical and physical security procedures for covered entities to use to assure the confidentiality of electronic protected health information. The standards are delineated into either required or addressable implementation specifications.

Final Rule (.pdf)

2/7/03:
Online List of HIPAA Resources
The WEDI (Workgroup for Electronic Data Interchange) website contains a directory that includes a listing of resources that are available through regional SNIP affiliate solutions to aid in HIPAA education and implementation. This includes sample tools, forms, agreements and other resources.

HIPAA Tools Resource Directory

1/31/03:
Updates to Your Notice of Privacy Practice
Q. Is your medical practice required to notify patients through the mail of any changes to your notice?

Per the OCR guidance issued in Dec. 2002, a covered health care provider is not required to mail out its revised notice or otherwise notify patients by mail of the changes to the notice. However, when a change is made, physicians with a direct treatment relationship with individuals should make the notice available upon request to patients on or after the effective date of the revision. Additionally, the revised notice should be posted in a clear and prominent location and continue to be provided at the first service delivery.

1/24/03:
Incidental Uses and Disclosures
The following question and answer is excerpted from the OCR guidance issued on Dec. 4, 2002.

Do the HIPAA Privacy Rule's provisions permitting certain incidental uses and disclosures apply only to treatment situations or discussions among health care providers?

No. The provisions apply universally to incidental uses and disclosures that result from any use or disclosure permitted under the Privacy Rule, and not just to incidental uses and disclosures resulting from treatment communications, or only to communications among health care providers or other medical staff. For example:

A provider may instruct an administrative staff member to bill a patient for a particular procedure, and may be overheard by one or more persons in the waiting room.

A health plan employee discussing a patient’s health care claim on the phone may be overheard by another employee who is not authorized to handle patient information.

If the provider and the health plan employee made reasonable efforts to avoid being overheard and reasonably limited the information shared, an incidental use or disclosure resulting from such conversations would be permissible under the Rule.

Guidance on Incidental Uses and Disclosures

1/10/03:
Guidance on the Notice of Privacy Practices
The Office for Civil Rights (OCR) guidance, issued in December, addresses some of the questions posed by Massachusetts physicians regarding how to get acknowledgment of receipt in "non-standard" situations.

For instance, OCR indicates that:

  • If a notice is delivered electronically, the electronic return receipt or other return transmission is considered a valid written acknowledgement of the notice.
  • If the notice is delivered on paper at the first service delivery, a notation in the provider's computer system of the individual's receipt is not considered a valid written acknowledgment.
  • If first treatment encounter is over the phone or in some other manner that is not face-to-face, a provider "satisfies the notice provision requirement of the Privacy Rule by mailing the notice to the individual the same day, if possible. To satisfy the requirement that the provider also make a good faith effort to obtain the individual's acknowledgment of the notice, the provider may include a tear-off sheet that requests the acknowledgment be mailed back to the provider."
  • When first contact is to schedule an appointment or procedure, the notice provision may be satisfied when the individual arrives for his/her appointment.
  • For service provided electronically, the notice must be sent electronically automatically and contemporaneously in response to the individual's first request for service.

12/13/02:
OCR Releases Guidance on Final Modified Privacy Rule
The Office for Civil Rights (OCR) released guidance explaining key elements of the requirements of the HIPAA Standards for Privacy of Individually Identifiable Health Information (Privacy Rule) with the adopted modifications of the Rule on August 14, 2002.  

OCR Guidance

12/6/02:
CMS Provider HIPAA Readiness Checklist
The Centers for Medicare & Medicaid Services (CMS) has posted a "Provider HIPAA Readiness Checklist" on its website, focusing on what steps to take toward compliance with the Electronic Transactions and Code Sets requirements.

Provider HIPAA Readiness Checklist

11/22/02:
Final HIPAA Security Regulations to Be Published Dec. 27
Health and Human Services Secretary Tommy G. Thompson expects to publish final HIPAA Security Regulations on Dec. 27. 

Proposed regulations and FAQs

11/15/02:
Next Steps Toward Compliance After Filing for HIPAA Extension
You've filed for your HIPAA extension; what steps should you take now? The HIPAA Education Coordinating Committee has prepared a high-level checklist for complying with the Electronic Transactions and Code Sets.

MMS HIPAA compliance checklist

11/8/02:
AMA Launches New HIPAA Tool
Responding to physicians' need for HIPAA assistance, the AMA recently launched AMA HIPAALink, an online HIPAA education and compliance tool designed specifically for physician practices. AMA HIPAALink helps physicians identify current shortcomings in their security and privacy policies and generate new HIPAA-compliant policies and procedures. AMA HIPAALink also includes in-depth training for a practice's privacy officer and intermediate training for physicians and staff who deal with protected health care information.  

AMA HIPAALink

11/1/02:
CMS Named Enforcement Agency for HIPAA Electronic Transactions And Code Sets
HHS Secretary Tommy G. Thompson announced last week that the Centers for Medicare and Medicaid Services (CMS) will be responsible for enforcing the transaction and code set standards that are part of the administrative simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

CMS will also continue to enforce the insurance portability requirements of HIPAA. The HHS Office for Civil Rights (OCR) will enforce the HIPAA privacy standards. 

The new CMS office will establish and operate enforcement processes and develop regulations related to the HIPAA standards for which CMS is responsible. The office also will conduct outreach activities to HIPAA covered entities, such as health care providers and insurers, to make sure they are aware of the requirements and to help them comply.

CMS press release

10/18/02:
New Frequently Asked Questions About the HIPAA Privacy Rule

The Office for Civil Rights has updated their site to include Frequently Asked Questions.

10/11/02:
Are You a Covered Entity?
Guidance on how to determine whether an entity is covered under the Administrative Simplification provisions of HIPAA.

Find out if you are a covered entity

10/4/02:
CMS HIPAA Toll Free Numbers

CMS now has a toll free number to call for HIPAA questions relating to electronic transactions and code sets: (866) 282-0659. For questions on HIPAA privacy regulations, contact the Office for Civil Rights at (866) 627-7748.

9/27/02:
HIPAA Compliance Test

The AMA has developed a new HIPAA compliance test that has been posted on the AMA website. It is a simple test -- a series of easy "yes" and "no" questions -- to help physicians determine whether they must comply with the privacy, security, transactions and other related standards of HIPAA. 

HIPAA Compliance Test

9/20/02:
Model Compliance Plan Extension Request - Box 3 Clarification
Clarification was received from CMS regarding Box 3 on the model compliance form asking for the Medicare Identification Number(s). The directions indicate that physicians should use their UPIN number for this field. However, CMS has clarified that Medicare providers can put their Medicare provider number in Box 3. For non-participating providers, the tax identification number can be repeated in Boxes 2 and 3.

Additional questions about completing the form can be directed to CMS at (410) 786-4232 or Dana Holmes, MMS Manager, Health Systems at (781) 434-7218 or dholmes@mms.org.

9/13/02:
What is a Trading Partner Agreement (TPA)?

Physician practices and other organizations that transmit electronic information with health plans may have heard, or will begin to hear, more about completing a Trading Partner Agreement. These agreements, whether distinct or part of a larger agreement between the parties, govern the exchange of information in electronic transactions. The substantive reason for the agreements is to ensure that each party is taking the necessary and reasonable steps to maintain privacy and security when transferring health information between the two parties.

9/6/02:
Privacy Regulations Hotline For Office For Civil Rights
HIPAA privacy regulations are under the jurisdiction of the U.S. Department of Health and Human Services’ Office for Civil Rights. Questions about privacy can be directed to their hotline at (866) 627-7748 or submit questions online.

8/23/02:
Who Is Exempt From HIPAA Standards?
According to the AMA's 'How To “HIPAA” -- Top Ten Tips' booklet, a physician practice is exempt from the HIPAA standards only if:

It does NOT submit electronic transactions (because it takes no forms of insurance or submits only paper or otherwise) AND it does NOT accept Medicare patients.

- OR -

It accepts Medicare but has less than 10 full-time employees AND does not submit electronic transactions (because it takes no forms of insurance or submits only paper or otherwise).

'How To “HIPAA” -- Top Ten Tips' booklet (.pdf)

8/16/02:
Final Privacy Rule Published 
On August 14, 2002, changes to the HIPAA Privacy Rule were finalized and published in the Federal Register. The modifications maintain the privacy compliance date of April 14, 2003. Changes to the following areas have been made:

  • Consent requirements
  • Business associate contracts
  • Authorization forms
  • Minimum necessary standards
  • Incidental uses & disclosures
  • Parents and unemancipated minors

More information and explanation of changes

Health and Human Services fact sheet

Final Rule (.pdf)

8/9/02:
Take the HIPAA Quiz
The Department of Health and Human Services' Office for Civil Rights has created a quiz to address the Top 15 Privacy Concerns.

Find out how well you understand HIPAA as both a patient and a health care provider 

7/26/02:
Electronic Transaction Requirements and Eligibility
Recently, there has been some confusion about HIPAA and Medicare requirements that has led to questions from MMS members. Below is information to help physicians determine if they are covered entities under the HIPAA regulations, and if they meet an exception to the Administrative Simplification Compliance Act (ASCA). 

1) If a healthcare provider does not perform ANY electronic functions in his/her practice (e.g. billing, eligibility checks, referral authorization, financial transactions), he/she is NOT a covered entity under HIPAA regulations and does not need to comply with Electronic Transaction and Code Set standards or the Privacy Standards. Note: If the provider has a billing company or entity that performs these functions on the provider's behalf, the provider is still considered to be performing electronic transactions under HIPAA, because the billing company is an agent of the provider and performing these functions for the provider. 

More information

HOWEVER, 2) Under the Administrative Simplification Compliance Act, healthcare providers are MANDATED to submit claims electronically to Medicare beginning October 16, 2003, if their practice consists of more than ten (10) full-time equivalents (FTEs), including clinical staff.

Review the law and exceptions under Section 3 (PDF)

7/19/02:
HIPAA Hotlines
The Centers for Medicare & Medicaid Services (CMS) have created a hotline and e-mail address for covered entities to ask HIPAA related questions. The CMS Hotline is (410) 796-4232 and e-mail address is askhipaa@cms.hhs.gov.

7/12/02:
MMS HIPAA Resource Kits Available
The MMS Physician Practice Resource Center has compiled information regarding HIPAA into a Resource Guide that is available now by contacting the MMS Department of Health Policy/Health Systems at (781) 434-7222. The Resource Guide includes: the Electronic Compliance Extension form with instructions, a model form under the current Privacy Standards, WEDI/SNIP Small Practice Implementation Guide, Office for Civil Rights Guidance, FAQs, and information on helpful internet links.

6/28/02:
Claim Adjustment and Status Codes
HIPAA Electronic Transaction regulations include standardization of claim adjustment and status codes that healthcare providers will receive after submitting their claims. These include paid/pend/denial/adjustment reasons. All of the health plans will need to move to these standard codes. Physicians can access the list of adjustment reason codes and claims status codes at no charge on the web at www.wpc-edi.com.

6/21/02:
Patient Rights Under HIPAA
It is important to understand the rights afforded to patients under the HIPAA Privacy Rule. Patients have the right:

  • To Inspect and Receive a copy of their medical records
  • To Request Amendments to their records
  • To Receive an Accounting of Disclosures of their Protected Health Information not related to treatment, payment, or healthcare operations
  • To Request Restrictions on the use and disclosure of their information

Physicians have the right to deny inclusion of an amendment into the record and have the ability to notify patients that they cannot comply with the restriction requested.

6/14/02:
Training your Employees or Workforce [164.530(b) and 164.530(e)]
Physician practices must train all members of their workforce in the policies and procedures required by the Privacy Rule. Employees must be trained by the Privacy compliance date, April 14, 2003; thereafter, every new employee, and any employee whose functions change within the organization, must also be trained. Training should be documented and include the sanctions that will be applied if an employee fails to adhere to the office's privacy policies or procedures.

More information on HHS' guidance for training employees

5/31/02:
Mass. Health Data Consortium Sponsors HIPAA Educational Programs
As part of its commitment to coordinate HIPAA education in Massachusetts, the Mass. Health Data Consortium has launched a series of workshops on HIPAA implementation topics.   

Workshop information

5/24/02:
Business Associate Agreements
 
A business associate (BA) is a person or company that performs services on behalf of a covered entity involving the use/disclosure of protected health information (PHI). Business associates include legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services. Covered entities are required to have a contract with business associates. The contract should include the following requirements:

1) Permitted and required uses and disclosure of PHI by BA

2) BA will use appropriate safeguards to prevent use/disclosure of PHI

3) BA will report unauthorized uses of PHI to the covered entity when discovered

4) BA will ensure that any agents, including subcontractors, agree to the same restrictions

5) BA will make policies available to the Secretary of Health and Human Services, if necessary

6) BA will return or destroy PHI at termination of the contract

5/17/02:
Timeline of HIPAA Deadlines
With extensions, proposed modifications, and testing dates floating around, it is important to know which dates are set in stone so your practice can work toward meeting the compliance deadlines. Below is a timeline of important dates to be aware of:

Oct. 15, 2002: 
Date by which a CMS Compliance Extension Request form must be filed in order to qualify for a one year extension for ELECTRONIC TRANSACTIONS AND CODE SET regulations only.  Forms can be completed online at http://www.cms.gov/hipaa/hipaa2/TCSFormInstructions.asp

Oct. 16, 2002:
ELECTRONIC TRANSACTIONS AND CODE SETS compliance date for covered entities (other than small health plans) that did not file for an extension.

Apr. 14, 2003:
PRIVACY regulation compliance date for covered entities (other than small health plans). There are currently proposed modifications to the Privacy rule; however, these modifications will NOT change the effective date.

Apr. 16, 2003:
Covered Entities who submitted an extension form for ELECTRONIC TRANSACTION AND CODE SETS are required to begin their testing phase no later than this date.

Oct. 16, 2003:
ELECTRONIC TRANSACTION AND CODE SET regulation compliance date for covered entities who applied for the extension and small health plans.

Oct. 16, 2003:
Date that Medicare will no longer accept PAPER claims from Medicare providers who do not qualify for one of the following waivers:
a) you are a "small provider of services or supplies"
b) there is no method available for the submission of claims in electronic form
c) you are a beneficiary submitting claims on your own behalf
d) you are a small health plan

5/10/02:
Privacy Pieces of HIPAA You Can Focus on Now
While the future of consents and authorizations in the HIPAA privacy regulation is being determined, here are some areas you can focus on now in preparing your office for HIPAA compliance:

1) Begin developing a Notice of Privacy Practices that outlines for patients their individual rights, a description of permitted uses and disclosures of protected health information (PHI), the practice’s right to revise the notice, a contact person, and the effective date of the notice.  For more information, go to: http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm (page 67 of 89)

2) Create a policy manual for your practice to demonstrate compliance with HIPAA's requirement to implement policies and procedures that comply with HIPAA privacy regulations.  Review the verbal and/or written policies and procedures that currently exist at your office as a starting point. For more information, go to: http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm (page 87 of 89)

3) Educate your employees on existing and new policies that meet HIPAA privacy requirements. Document policies and procedures that govern your employees and employee performance. For more information, go to: http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm (page 83 of 89)

5/3/02:
Decode ANSI Electronic Transmission Standards Codes
Confused about what ANSI Electronic Transmission Standards mean?  Here's a quick reference to decode what's behind the numbers.

270/271: Health Care Eligibility/Benefit Inquiry and Information Response
276/277: Health Care Claim Status Request and Response
278: Health Care Services Review -- Request for Review and Response
834: Benefit Enrollment and Maintenance
835: Health Care Claim Payment/Advice
837: Health Care Claim: Institutional
837: Health Care Claim: Dental
837: Health Care Claim: Professional

More about ANSI standards

4/19/02:
Privacy Audits Can Help Ensure Compliance
A properly managed privacy audit program is one of the best tools for ensuring compliance with appropriate use and disclosure standards throughout your enterprise.

A privacy audit requires much more specific data than a security audit, including the ability to track the viewing and editing of specific patient records.  This level of audit data is not typically available from network operating systems and must come instead from the applications themselves.

Here are a few basic principles to help you get maximum value from your privacy audits:

  • Be proactive. The purpose of a privacy audit program is to prevent breaches and catch violations before they become serious issues. A regular ongoing audit program can help you catch problems early.       
  • Be selective. Any attempt to examine all accesses of all patient records is doomed to failure. Even if you had the resources, the large volume of data would prevent the patterns from being obvious. Some possibilities include auditing these access types:       
    • VIP records
    • Employee records
    • The employee and the patient have the same last name
    • The patient has been discharged for more than X days.
    • The location doesn't match the patient location
  • Be open about your audit program. Instead of conducting these audits from a central office, have unit supervisors audit accesses for patients assigned to their units. They are in the best position to judge appropriate access. And, the more people involved in the program, the more your employees will know about it and understand that you are serious about protecting privacy. Don't be afraid to make known that you have disciplined, or even terminated, employees for these violations of hospital policy. Publicity for the audit program will prevent more violations than almost anything else you do.

More information on HIPAA privacy

This information was excerpted from an article in Phoenix Health Systems’ HIPAAdvisory by Tom Grove, director, Phoenix Health Systems.
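The selective audit criteria listed above lend themselves to automated filtering of an application's access log. The following is an added example, not code from the MMS page or from the HIPAAdvisory article it excerpts: it turns the five "be selective" criteria into rules and runs them over a constructed, in-memory sample of EHR access records, producing the short list a unit supervisor would review. The record fields, unit codes, medical record numbers, the 30-day discharge window and the extra "unknown patient" check are all assumptions made for illustration; a real EHR exports its audit trail in its own schema.

```python
"""Rule-based privacy audit over EHR access-log records.

Added example: not code from the MMS page or from the HIPAAdvisory article it
excerpts. It turns the five "be selective" audit criteria into filters and runs
them over a constructed sample of access records. The field names, unit codes,
medical record numbers (MRNs) and the 30-day discharge window are assumptions
made for illustration; a real EHR exports its audit trail in its own schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Patient:
    mrn: str
    last_name: str
    unit: str                           # unit the patient is assigned to
    vip: bool = False
    is_employee: bool = False           # patient is also a staff member
    discharged_on: Optional[date] = None


@dataclass(frozen=True)
class Access:
    access_id: str
    user_id: str
    user_last_name: str
    user_unit: str                      # unit/terminal the user accessed from
    mrn: str
    accessed_on: date


# A rule is a name plus a predicate over (access, patient); True means "flag".
Rule = Tuple[str, Callable[[Access, Patient], bool]]


def make_rules(discharge_window_days: int = 30) -> List[Rule]:
    """The five selective criteria from the audit guidance, as predicates."""
    return [
        ("vip_record", lambda a, p: p.vip),
        ("employee_record", lambda a, p: p.is_employee),
        ("same_last_name",
         lambda a, p: a.user_last_name.casefold() == p.last_name.casefold()),
        ("post_discharge",
         lambda a, p: p.discharged_on is not None
         and (a.accessed_on - p.discharged_on).days > discharge_window_days),
        ("location_mismatch", lambda a, p: a.user_unit != p.unit),
    ]


def audit(accesses: List[Access], patients: Dict[str, Patient],
          rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each flagged access_id to the names of the rules that flagged it.

    Accesses that trip no rule are omitted; supervisors review the short
    list, not the whole log. An access to an MRN missing from the roster is
    flagged on its own (a check added here beyond the five listed criteria).
    """
    findings: Dict[str, List[str]] = {}
    for a in accesses:
        p = patients.get(a.mrn)
        if p is None:
            findings[a.access_id] = ["unknown_patient"]
            continue
        hits = [name for name, pred in rules if pred(a, p)]
        if hits:
            findings[a.access_id] = hits
    return findings


def summarize_by_user(findings: Dict[str, List[str]],
                      accesses: List[Access]) -> Dict[str, int]:
    """Count flagged accesses per user, the view a unit supervisor reviews."""
    by_id = {a.access_id: a for a in accesses}
    counts: Dict[str, int] = {}
    for access_id in findings:
        user = by_id[access_id].user_id
        counts[user] = counts.get(user, 0) + 1
    return counts


# Constructed sample roster and access log (not real patients or staff).
SAMPLE_PATIENTS: Dict[str, Patient] = {
    "P001": Patient("P001", "Rivera", "3W"),
    "P002": Patient("P002", "Okafor", "ICU", vip=True),
    "P003": Patient("P003", "Nguyen", "2E", is_employee=True),
    "P004": Patient("P004", "Patel", "3W", discharged_on=date(2002, 3, 1)),
}
AUDIT_DAY = date(2002, 4, 15)
SAMPLE_ACCESSES: List[Access] = [
    Access("A1", "u100", "Nguyen", "3W", "P001", AUDIT_DAY),  # routine, own unit
    Access("A2", "u100", "Nguyen", "3W", "P003", AUDIT_DAY),  # staff record, same name, other unit
    Access("A3", "u200", "Smith", "ICU", "P002", AUDIT_DAY),  # VIP on own unit
    Access("A4", "u300", "Lee", "3W", "P004", AUDIT_DAY),     # 45 days after discharge
    Access("A5", "u300", "Lee", "3W", "P999", AUDIT_DAY),     # MRN not on roster
]


def run_sample() -> Dict[str, List[str]]:
    """Run the rules over the constructed sample; A1 trips nothing."""
    return audit(SAMPLE_ACCESSES, SAMPLE_PATIENTS, make_rules())


if __name__ == "__main__":
    result = run_sample()
    for access_id, hits in result.items():
        print(access_id, ", ".join(hits))
    print(summarize_by_user(result, SAMPLE_ACCESSES))
```

Each rule is a small predicate so a practice can add or retire criteria without touching the loop, and the per-user summary is what the "be open" principle calls for: hand the counts to the unit supervisor rather than reviewing them centrally. Tuning the discharge window (for example `make_rules(60)`) is the kind of threshold decision the text leaves as "X days".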

4/12/02:
HIPAA Survival Guide from AMA
There are just six months to go before the first HIPAA deadline. This American Medical Association article highlights what physicians can do to comply with the electronic transaction regulations. The site also offers helpful hints and web links to HIPAA resources.

"HIPAA survival guide: Steps to getting your practice ready"

4/5/02:
Don't Forget State Privacy Laws
While preparing for your HIPAA compliance, consider the nature of your practice and the type of personal health information routinely provided to you by your patients and others. This will help you identify existing state laws protecting individual privacy interests, in order to better ensure that you are compliant with both state and federal laws protecting privacy. Types of information that may warrant heightened protection under state law include HIV status and testing, mental health, and substance abuse. While the HIPAA privacy regulations may carve out some new protections, existing state laws protecting individual privacy interests are still in place and will likely need to be followed alongside HIPAA, after the April 2003 deadline.

3/29/02:
Requesting Compliance Extension
The Centers for Medicare & Medicaid Services has published the HIPAA Model Compliance Extension Form, which can be used by covered entities to request a one-year extension for standard transactions and code sets compliance from Oct. 16, 2002 to Oct. 16, 2003.

Form and instructions available online

3/22/02:
Summary of Privacy Rule Modifications Released
On March 21 the U.S. Department of Health and Human Services (HHS) released a summary of the proposed modifications to the HIPAA Privacy Rule expected to be published in the Federal Register on March 27, 2002.

Following are some of the areas that will be affected by the proposed modifications, per the HHS summary: Consent and Notice, Minimum Necessary and Oral Communications, Business Associates, Marketing, Parents and Minors, Uses and Disclosures for Research Purposes, and Authorizations.

Privacy rules modifications fact sheet from the HHS

Press release from the HHS

MMS comments on the proposed changes

3/15/02:
Technology Assessment Comments [page 50315- Regulation Text]
Based on comments to proposed Electronic Transaction regulations, DHHS recognized that there are certain transmission modes (telephone voice response, “faxback”, and Hyper Text Markup Language (HTML) interactions) in which use of the format portion of the final electronic transaction standard is inappropriate. However, the final regulations do not exempt these transactions from conforming to the data content portion of the standard. 

The “direct data entry” process, using dumb terminals or computer browser screens, where the data is directly keyed by a health care provider into a health plan's computer, will not have to use the format portion of the standard, but the data content must conform. If the data is directly entered into a system that is outside of the health plan's system, to be transmitted later to the health plan, the transaction must be sent using the full standard (format and content). We have included this clarification in Sec. 162.923 (Requirements for Covered Entities).

3/8/02:
Assess Office Reporting Needs for Compliance with HIPAA's Minimum Necessary Requirements
HIPAA requires that you take reasonable efforts to use only the minimum necessary amount of a patient's protected health information for an intended purpose, such as generating a list of all patients who have outstanding balances, or a list of all patients on a certain medication.

HIPAA's minimum necessary requirement can have effects on both your financial and clinical operations. You may want to take the following assessment of information needs in your office: 1) what reports your practice generates; 2) what information is necessary to accomplish an intended purpose; and 3) who needs access to this information.

These early steps can help you reduce the impact of complying with HIPAA's minimum necessary requirement.

3/1/02:
HIPAA Compliance Deadlines Approaching
The HIPAA compliance deadlines are approaching, affecting different areas of your practice's operations.

  • Electronic Transactions: October 16, 2002. October 16, 2003 if an extension is filed. Extension forms will be available from CMS on April 1st. These regulations simplify electronic transactions such as billing, enrollment, and referrals.    
  • Privacy Standards: April 14, 2003.
  • Security Standards: Regulation not finalized. No compliance date set.

Privacy and security regulations complement each other, but differ in the following ways: Privacy standards relate to the policies and procedures protecting patients' protected health information, such as consent and authorization forms, privacy notices, and business associate agreements. Security standards relate to the technical and physical protection of protected health information, which includes computer passwords, network firewalls, locked file cabinets and file rooms that contain patient medical records.

2/22/02:
Clarify HIPAA Myths
The U.S. Office for Civil Rights provides technical assistance and guidance on areas such as oral communications, minimum necessary disclosure of protected health information and consent to assist physicians with implementation of HIPAA regulations. The information helps identify and clarify HIPAA "myths."

National standards to protect the privacy of personal health information

2/15/02:
Do an Office Practice Gap Analysis
Physician practices need to perform a gap analysis to determine where patient information may be inadvertently exposed within the office setting. Persons responsible for conducting a gap analysis can start with areas of patient interaction. When patients arrive, are they required to sign a sign-in sheet? If so, does the sign-in sheet contain limited information only? Are patient medical records stored in clear or easily accessible holders on exam room doors? Does your office post the names of new patients, or post daily patient schedules in common areas?

These are some of the issues that should be identified during a gap analysis. For more information go to http://snip.wedi.org/public/articles/smallpractice.pdf

2/8/02:
Health Care Operations
Under HIPAA, patient consent is required for the release of protected healthcare information relating to treatment, payment, and health care operations. What constitutes health care operations? Health Care Operations include activities such as case management, quality assessment, peer review of practitioners, supervised training, and accreditation or credentialing.  For more information about Health Care Operations see 45 CFR 164.501 at http://aspe.hhs.gov/admnsimp/final/PvcTxt01.htm

2/2/02:
Verification Requirement for Disclosure
The Privacy Standards indicate that an entity making a disclosure of protected health information (PHI) should verify the authenticity and legitimacy of the request for the information as well as the identity of the person to whom the PHI is released. Privacy Standards state that if the covered entity has exercised "professional judgment", or acts on "a good faith belief" in using or disclosing PHI, the verification requirement is satisfied. Covered entities could take reasonable steps to ensure legitimacy of the request by asking that the requestor provide a written request citing its authority to obtain the PHI prior to releasing the information.

1/18/02:
HIPAA Applies to PDAs/ Handhelds
Physicians must be aware that the HIPAA security and privacy regulations apply not only to their practice computers, but also extend to their personal digital assistants (PDAs) or handhelds. Like your computer, patient information on a PDA must be protected during storage, synchronization, and wireless transactions. To ensure patient privacy if the PDA is lost or stolen, verify that your PDA has user ID and Password level security.

1/11/02:
Evaluate Office Policy Regarding Telephone Messages
Privacy Regulations governing Protected Health Information under HIPAA extend to messages left for patients on answering machines. Therefore, your organization should evaluate the office policy regarding telephone messages. It is suggested that messages be sufficiently vague as to not link a patient with his or her medical condition. Whether a visit reminder or information about a test result, messages for patients should be limited to requesting a return phone call only. In addition, do not share Protected Health Information with your patients' family members, unless the patient has given you permission to do so.

1/4/02:
Help Prevent Non-Compliance
Consider creating guidelines for Workstation Use and implementing them now. Document instructions and procedures delineating the proper functions to be performed at a specific computer terminal site or type of site, the manner in which those functions are to be performed, and the physical attributes of the surroundings, dependent upon the sensitivity of the information accessed from that site.
Areas may include:

  • Information protection (Log off)
  • File storage and protection
  • Disposal procedures
  • Computer Monitor position

This information has been reprinted with permission from Healthcare Computing Strategies. Additional information can be found at http://www.hcs-is.com/fr_hipaa.htm

12/21/01:
Can an Individual Ensure Against Unwanted PHI Uses?
By Steve Fox, Esq., and Rachel Wilson, Esq., Pepper Hamilton LLP

Q: Please explain a patient's rights under HIPAA to prohibit covered entities from making unwanted use or disclosure of their protected health information (PHI). If patients have the unilateral right to control the manner and purpose for which their PHI is used or disclosed, what will prevent covered entities from having as many different use and disclosure policies as they have patients?

A: Covered entities are not required to tailor their use or disclosure of PHI according to an individual patient's preference. Although individuals have the right to request restrictions on use and disclosure of their PHI, this right isn't without limitation.

From HIPAAdvisory

Steve Fox, Esq., is a partner at the Washington, D.C. office of Pepper Hamilton LLP. This article was co-authored by Rachel H. Wilson, Esq., of Pepper Hamilton LLP. http://www.pepperlaw.com/

More on PHI from the MMS

12/14/01:
Make Sure That Office Staff is Trained in HIPAA Compliance
Your office personnel can play an important role in implementing the HIPAA privacy regulations. From the receptionist to the office manager, your staff must be able to

  • Respond to patient requests for information
  • Implement and track patient consents and authorizations
  • Audit or track who has accessed protected patient information

and more.

Consider sending a staff member to a HIPAA educational seminar offered by a medical or group practice management association. Several are being held throughout Massachusetts by such organizations as the MMS, the Medical Group Practice Management Association, the Physician Insurance Agency of Massachusetts and various consulting companies. Many of these organizations also offer audio- and internet-based educational tools for HIPAA.

Read more about the MGMA programs

Read more about HIPAA Compliance on the PIAM website

11/30/01:
Privacy Standards in Oral Communications
Q: If health care providers have confidential conversations with other providers or their patients, and the conversations are overheard in the waiting room, has the Privacy Rule been violated?

A: The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers' primary consideration is the appropriate treatment of their patients. We also understand that overheard conversations are unavoidable. We would consider the following practices to be permissible, if reasonable precautions (such as using lowered voices, talking apart) are taken to minimize the chance of inadvertent disclosures to others who may be nearby:

  • Health care staff may orally coordinate services at hospital nursing stations.
  • Nurses or other health care professionals may discuss a patient's condition over the phone with the patient, a provider, or a family member.
  • A health care professional may discuss lab test results with a patient or other provider in a joint treatment area.
  • Health care professionals may discuss a patient's condition during training rounds in an academic or training institution.

From the Office for Civil Rights' Standards for Privacy of Individually Identifiable Health Information regarding Oral Communication [45 CFR §§ 160.103, 164.501]

11/2/01:
HIPAA Transaction Standards and Data Mapping Requirements
The website of the American Health Information Management Association offers information about HIPAA transaction standards and data mapping requirements. Physician practices have several options in order to comply with the regulations:

"They may continue business as usual, relying on a clearinghouse not only to convert claims to standard format, but to derive any of the additional required data content. Providers may also choose to supply standard content in nonstandard format to a clearinghouse, which would reformat it for sending to health plans. Providers may choose to send standard content to health plans through the Internet. This is called direct data entry. Finally, providers may adopt the standard format themselves and submit the standard content in standard format either to a clearinghouse or to health plans directly. 

"Providers may also choose to 'mix and match' -- sending some transactions one way and others another way. For example, some may choose to use direct data entry for eligibility benefit inquiry and send standard content for a claim to a clearinghouse. Some providers may choose to send standard format and content directly to government payers and use a clearinghouse for commercial payers."

Reprinted with permission from the Journal of the American Health Information Management Association, copyright 2001.

For more information on data mapping, physician options and ways to determine vendor and clearinghouse options, go to the AHIMA website. From “HIPAA ON THE JOB: Data Mapping for HIPAA Transactions” by Margret Amatayakul, RHIA, FHIMSS, and Joan Bisterfeldt, RHIA

10/19/01:
Review Current Contracts and Documentation of Policies and Procedures
In preparing for compliance with HIPAA Privacy Regulations, physician offices should review current contracts as well as policies and procedures documentation. The WEDI SNIP* Security and Privacy Workgroup offers some guide questions to help you get started. A "no" answer to any of these questions indicates an area that needs to be addressed:

1. Are current confidentiality statements being reviewed for HIPAA language?

2. Do you have a disaster plan in place that could be reviewed and expanded to include contingency plans in the event of critical systems failure?

3. Do you have an employee handbook or other human resources documentation that can be expanded to cover HIPAA requirements for security training, termination policies and procedures, etc.?

4. Do you have privacy/security policies and procedures as well as training to cover special functions that may be handled off-site, i.e. transcription, medical reviews, and some accounting or claims filing?

5. Do you have a current inventory of all computer systems and software? Does this include (forbid?) use of personal software?

6. Do you have a regular virus check and mitigation process in place?

For low cost privacy and security recommendations, please see "HIPAA Compliance for Small Provider Practices" (pages 66 - 70) in the "WEDI SNIP Security White Paper Version 3.0 DRAFT - July 2001" at http://snip.wedi.org/public/articles/s&p_version3.0.pdf

Excerpted from the WEDI SNIP Security White Paper Version 3.0 DRAFT - July 2001

*Workgroup for Electronic Data Interchange Strategic National Implementation Process 

10/12/01:
A Low Cost Privacy and Security Recommendation*
To help you assess your office's privacy and security, conduct a privacy and security walkthrough. Here are some awareness-raising questions to help you determine if your office complies with HIPAA regulations.

1. Are patients' sign-up sheets with names and other information kept out of plain sight?

2. Are patients' schedules away from plain view?

3. Do confidential conversations take place only in areas where they cannot be overheard?

4. Are computer screens with patients' health information out of plain view?

5. Do office staff members regularly change their passwords and safeguard access to their work areas?

6. Are medical records, lab reports, and faxed information easily accessible only to those who "need-to-know?"

7. Do you have documented safeguards regarding the transfer of patients' protected health information, such as medical records, orders, images, and lab specimens?

The answer to each of these questions should be a resounding "yes." A "no" answer indicates an area that needs improvement in order to comply with HIPAA privacy and security requirements.

For low cost privacy and security recommendations please see HIPAA Compliance for Small Provider Practices (pages 66 - 70) of the "WEDI SNIP Security White Paper Version 3.0 DRAFT - July 2001" at http://snip.wedi.org/public/articles/s&p_version3.0.pdf

*Excerpt from the WEDI SNIP Security White Paper Version 3.0 DRAFT - July 2001

10/5/01:
To Logoff or Not to Logoff 
As health care organizations become increasingly automated, they conduct more and more operations through PCs or terminals that link to networks, databases, data repositories, computerized medical records, the Internet, and other open networks. The proposed HIPAA Security Rule mandates implementing and enforcing procedures that prevent information exposure to unauthorized parties.

One critical implementation issue sounds simple -- securing the workstation during business hours. However, implementing automatic logoff on inactive workstations can be problematic. Many users are frustrated by having to re-log on to the computer system every time they leave the computer unattended.

Organizations have options that will reduce user frustration and delays in completing essential tasks:

  • Investigate varying the inactivity time clock per job position or device location. Workstations in locations with little unauthorized traffic are not likely to need the short logoff timing required in more exposed areas.

  • Inquire into setting up "screen locks." Screen locks don't log off but rather disable the device from being accessible to unauthorized persons.

  • Minimally, consider implementing screen savers and screen inhibitors on devices so that patient information cannot be seen inadvertently.

Security, as defined by HIPAA, is not a one-size-fits-all proposition. The Department of Health and Human Services went to great lengths to ensure that covered entities have latitude in implementing security plans that are appropriate to their specific circumstances.

Source: HIPAAnotes from HIPAAdvisory

9/28/01:
Understanding Health-Related Communications and Marketing with HIPAA
The Privacy Rule defines marketing as "a communication about a product or service a purpose of which is to encourage recipients of the communication to purchase or use the product or service." The Privacy Rule carves out activities that are not considered marketing under this definition. Under the rule, it is not marketing for a covered entity to use an individual's personal health information to tailor a health-related communication to that individual, when the communication is:

  • Part of a provider's treatment of the patient and for the purpose of furthering that treatment. For example, recommendations of specific brand-name or over-the-counter pharmaceuticals, or referral of patients to other providers, are not marketing.

  • Made in the course of managing the individual's treatment or recommending alternative treatment. For example, reminder notices for appointments, annual exams, or prescription refills are not marketing. Similarly, informing an individual who is a smoker about an effective smoking-cessation program is not marketing, even if that program is offered by someone other than the provider or plan making the recommendation.

Health-Related Communications and Marketing

9/21/01:
Transactions and Code Sets
Health care providers have to train employees on the new standards, ensure that all required transaction data is captured electronically, and update billing and coding procedures. They must inventory and review all software contracts with their vendors, initiate and complete enterprise-wide assessments, amend or create budgets, and prepare remediation plans. If software conversions or upgrades are necessary, financial and staffing requirements must be balanced with requirements of other IT projects. While software vendors update the billing systems, health care providers should review and manually update reference masters, policies and procedures to avoid conflicts. Testing and implementation dates should be synchronized with trading partners.

Action Resources - Transactions and Code Sets

9/14/01:
Determine Restrictions
Before developing your privacy policy, it is important to determine what restrictions can be operationalized within your practice. Once you agree to a patient's restriction(s), you must be able to fully comply with the request. The HIPAA guidance indicates the following individual rights:

An individual may request restrictions on uses and disclosures of health information for treatment, payment, and healthcare operations. The covered entity need not agree to the restriction requested, but is bound by any restriction to which it agrees.

9/7/01:
Work with Vendors to Determine Data Elements
With the HIPAA compliance deadline for electronic transactions just one year away, physician offices and their software vendors should be working together to determine what additional data elements must be submitted electronically and whether or not these elements are being collected in an electronic version.

8/31/01:
Protect Patients' Health Information
HIPAA's privacy regulations apply to patient information in all forms: electronic, written, oral, and any other. Many physicians already make it a practice to ensure reasonable safeguards for oral information -- for instance, by speaking quietly when discussing a patient's condition with family members in a waiting room, and by avoiding using patients' names in public hallways and elevators. To comply with HIPAA, make sure that administrative, technical, and physical safeguards, as well as a posted privacy policy, protect patients' health information, both written and oral.

Standards for Privacy of Individually Identifiable Health Information

8/24/01:
Disclose Minimum Necessary PHI
HIPAA requires physicians to take reasonable steps to use or disclose only the minimum necessary protected health information (PHI) to accomplish an intended purpose or request.

This minimum necessary provision does not apply to the following activities:

  • Disclosures to, or requests by, the individual who is the subject of the information or a health care provider seeking the information for treatment purposes.
  • Uses or disclosures made pursuant to an authorization requested by the patient.
  • Uses or disclosures required for compliance with HIPAA transactions.
  • Disclosures to the Department of Health and Human Services when required under the rule for enforcement purposes.
  • Uses or disclosures that are required by other law.

HIPAA requires physician practices to develop role-based policies and procedures that identify their health care providers and other employees, and describe each employee’s access to patient information, including entire medical records, for treatment purposes.

It may not be reasonable for a small, solo practitioner who has a largely paper-based records system to limit access of employees with certain functions to only certain fields in a patient record, while other employees have access to the complete record.

Alternatively, a large physician practice with an electronic patient record system may reasonably implement such controls, and therefore, may choose to limit access to certain employee groups in this manner to comply with the rule.

Physicians must make their own assessment of what PHI is reasonably necessary for a particular purpose, given the characteristics of their business and workforce. For non-routine disclosures, physicians must review and limit each request to only that information reasonably necessary for the purpose of the request.
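As an added illustration (not code from the MMS, HHS or any project) of the role-based "minimum necessary" policy described above: each workforce role is mapped to the record fields it routinely needs, disclosures to the patient and treatment-purpose requests from a provider are exempt from the limit, and a non-routine request is released only after an individual review has fixed the fields. The roles, field names and sample record are constructed assumptions.

```python
"""Role-based "minimum necessary" filter for a patient record (illustration only)."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample record; every value is fictitious.
PATIENT_RECORD = {
    "patient_id": "P-0001",
    "name": "A. Sample",
    "dob": "1970-01-01",
    "insurance_member_id": "MBR-12345",
    "diagnoses": ["J45.909"],
    "medications": ["albuterol"],
    "clinical_notes": "Follow-up in 3 months.",
    "lab_results": {"HbA1c": "5.4%"},
}

# Hypothetical role policy: the fields each role needs for its routine work.
# A small paper-based practice might instead use a single full-record role.
ROLE_FIELDS = {
    "front_desk": frozenset({"patient_id", "name", "dob"}),
    "billing": frozenset({"patient_id", "name", "dob", "insurance_member_id", "diagnoses"}),
    "nurse": frozenset({"patient_id", "name", "dob", "diagnoses", "medications", "lab_results"}),
    "physician": frozenset(PATIENT_RECORD),
}

ROUTINE_PURPOSES = {"treatment", "payment", "operations"}
AUDIT_LOG = []  # who received which fields: the access tracking the staff-training tip asks for


@dataclass
class Request:
    requester: str
    role: str
    purpose: str                      # "treatment", "payment", "operations" or "other"
    is_patient: bool = False          # the individual who is the subject of the record
    is_provider: bool = False         # a health care provider
    reviewed_fields: Optional[frozenset] = None  # set by whoever reviewed a non-routine request


def minimum_necessary(record: dict, req: Request) -> dict:
    """Return the subset of ``record`` the request may receive, and log the access."""
    if req.is_patient or (req.is_provider and req.purpose == "treatment"):
        # Exempt from the limit: the subject of the information, and a
        # provider requesting for treatment purposes.
        allowed = frozenset(record)
    elif req.purpose in ROUTINE_PURPOSES:
        # Routine use: the role policy decides; an unknown role gets nothing.
        allowed = ROLE_FIELDS.get(req.role, frozenset())
    else:
        # Non-routine: must be individually reviewed and limited before release.
        if req.reviewed_fields is None:
            raise PermissionError("non-routine request has not been reviewed")
        allowed = req.reviewed_fields

    disclosed = {k: v for k, v in record.items() if k in allowed}
    AUDIT_LOG.append((req.requester, req.role, req.purpose, tuple(sorted(disclosed))))
    return disclosed


if __name__ == "__main__":
    bill = minimum_necessary(PATIENT_RECORD, Request("b.clerk", "billing", "payment"))
    print(sorted(bill))  # no clinical notes, medications or lab results
    rx = minimum_necessary(PATIENT_RECORD,
                           Request("dr.x", "physician", "treatment", is_provider=True))
    print(len(rx) == len(PATIENT_RECORD))
```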

Standards for Privacy of Individually Identifiable Health Information

8/17/01:
Difference Between "Consent" and "Authorization" Under HIPAA*
Under the HIPAA Privacy Rule, a consent is a general document that gives health care providers that have a direct treatment relationship with a patient permission to use and disclose all protected health information (PHI) only for treatment, payment and other health care operations (TPO), indefinitely. Physicians may condition the provision of treatment on the individual providing this consent.

An authorization is more detailed and specific than a consent, and gives providers permission to use specified PHI for purposes which are generally other than TPO, or to disclose PHI to a third party specified by the individual. Physicians may not condition treatment or coverage on the individual providing an authorization. The authorization covers only the uses and disclosures and only the PHI stipulated in the authorization; it has an expiration date; and, in some cases, it also states the purpose for which the information may be used or disclosed.

For example, a covered entity would need an authorization from individuals to sell a patient mailing list, to disclose information to an employer for employment decisions, or to disclose information for eligibility for life insurance. A covered entity will never need to obtain both an individual's consent and authorization for a single use or disclosure. However, a provider may have to obtain consent and authorization from the same patient for different uses or disclosures. For example, an obstetrician may, under the consent obtained from the patient, send an appointment reminder to the patient, but would need authorization from the patient to send her name and address to a company marketing a diaper service.

* Modified excerpts from the Standards for Privacy of Individually Identifiable Health Information [45 CFR Parts 160 and 164] http://aspe.hhs.gov/admnsimp/final/pvcguide1.htm

8/10/01:
Patient Consent Under HIPAA
The HIPAA Privacy Rule requires that health care providers obtain a patient’s written consent before disclosing a patient’s protected health information (PHI) to carry out treatment, payment or health care operations (TPO). Following are some HIPAA guidelines for patient consent*:

  • Uses and disclosures for TPO may be permitted without prior consent in an emergency, when a provider is required by law to treat the individual, or when there are substantial communication barriers.
  • Health care providers that have indirect treatment relationships with patients (laboratories, health plans, and health care clearinghouses) may use and disclose PHI for purposes of TPO without obtaining a patient's consent.
  • If a patient refuses to consent to the use or disclosure of his or her PHI to carry out TPO, the health care provider may refuse to treat the patient.
  • A provider need only obtain a patient’s written consent one time. Providers must retain the signed consent for six years from the date it was last in effect. An individual may revoke consent in writing, except to the extent that the covered entity has taken action in reliance on the consent.
  • An individual may request restrictions on uses or disclosures of health information for TPO. The covered entity need not agree to the restriction requested, but is bound by any restriction to which it agrees.
  • An individual must be given a notice of the covered entity's privacy practices and may review that notice prior to signing a consent.

Standards for Privacy of Individually Identifiable Health Information

* Excerpts from Standards for Privacy of Individually Identifiable Health Information [45 CFR § 164.506]

8/3/01:
Verify Fax Numbers 
As you continue to implement pieces of the HIPAA Privacy regulations, it is important to remember the simple steps to take. For example, verify that commonly dialed fax numbers are correct, and remember to check pre-programmed fax numbers to ensure that your faxes are making it to the intended recipients.

7/27/01:
HIPAA Privacy Requirements And Guidelines
The HIPAA privacy regulation requires physicians and other providers to:

  • Provide information to patients about their privacy rights and how their information can be used.
  • Adopt clear privacy procedures for their office practices.
  • Train employees so that they understand the privacy procedures.
  • Designate an individual to be responsible for seeing that the privacy procedures are adopted and followed.
  • Secure patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

* Excerpt from the Standards for Privacy of Individually Identifiable Health Information [45 CFR Parts 160 and 164]

To ease the burden of complying with the new requirements, the privacy regulation gives needed flexibility for providers and plans to create their own privacy procedures, tailored to fit their size and needs. The scalability of the rules provides a more efficient and appropriate means of safeguarding protected health information than would any single standard. 

For example,

The privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties; the privacy official at a large health plan may be a full-time position, and may have the regular support and advice of a privacy staff or board.

A small physician practice may satisfy the training requirement by providing each new employee with a copy of its privacy policies and documenting that new employees have reviewed the policies; whereas a large health plan may provide training through live instruction, video presentations, or interactive software programs.

The policies and procedures of small providers may be more limited under the rule than those of a large hospital or health plan, based on the volume of health information maintained and the number of interactions with those within and outside of the health care system.

National Standards to Protect the Privacy of Personal Healt
