Massachusetts Medical Society, publishers of The New England Journal of Medicine
860 Winter Street, Waltham MA 02451
(800) 322-2303 or (781) 893-4610
© Copyright 2004

HIPAA Is Around the Corner: April 14 Deadline

Within one month, your practice needs to be compliant with the HIPAA Privacy Standards. Are you ready? As of April 14, physician practices that perform electronic transactions will need to institute updated policies and procedures, use HIPAA-compliant forms, and train office employees. The HIPAA Privacy Standards were created to protect patients' health information when it is disclosed, and they can be categorized into two sections: (1) Individual Rights and (2) Provider Responsibilities.

Individual Rights
Individuals, under HIPAA, will have the right to

  • Inspect and copy their protected health information
  • Amend (or append to) their medical record
  • Receive an accounting of disclosures
  • Have reasonable requests for confidential communications accommodated
  • File a complaint with the Office of Civil Rights or with the covered entity
  • Receive written notice of privacy practices from providers and health plans

Privacy and Security Walk-Through Checklist

Can you say "yes" to each of the statements below for your workplace?

-- Conversations with the patient/family regarding confidential patient information are not held in public areas.

-- Phone conversations and dictation take place in areas where confidential patient information cannot be overheard.

-- Dictation is completed in an area where confidential patient information cannot be overheard.

-- Computer monitors are positioned away from public areas to avoid observation by visitors.

-- The screens on unattended computers are returned to the log-on screen or have a password-enabled screen saver. Staff protect their ID and password and never share them, or the use of a workstation, while logged in.

-- Paper records and medical charts are stored or filed in such a way as to avoid observation by patients or visitors. For units that are not staffed 24 hours, patient records are filed in locking storage cabinets or locked rooms.

-- Confidential patient information is not left on an unattended printer, photocopier, or fax machine unless these devices are in a secure area.

-- The answering machine's volume is turned down so that messages being left cannot be overheard by other staff or visitors. Voice mail passwords are not the default settings or the last four digits of your phone number.

-- Visitors and patients are appropriately escorted to ensure they do not access staff areas, dictating rooms, chart storage, etc.

Source: University Hospital, University of Missouri Health Care, Columbia, Mo.

To get answers to your HIPAA questions, attend the upcoming "Workaday HIPAA" seminar on April 11 in Boston, sponsored by HIPAA Compliance Alert. For more information or registration, call (800) 260-1545 and mention code C618-M for your exclusive MMS member discount, or go to www.compliancealert.net/conferences/workadayhipaamms.

Provider Responsibilities
Providers, under HIPAA, are required to create administrative processes and develop legal documents to maintain an individual's rights and comply with HIPAA.

Administrative Requirements

  • Designation of a Privacy Officer is required. The Privacy Officer is responsible for developing and/or implementing the office privacy policies and procedures, as well as training the staff on these policies.
  • Development of a documentation process for employee training.
  • Development of a process that allows patients to request an amendment to their medical record. As a physician, you have the right to deny such a request if you believe that the information in the medical record is accurate.
  • A system to provide patients, within 60 days of the request, with an accounting of the parties to whom you have disclosed their protected health information. You will need to account for any disclosure required by the Department of Public Health, by law, etc.
  • If your office agrees to a patient's restriction regarding confidential communications, there should be a process in place to ensure that everyone in the practice is aware of the restriction and abides by the request.
  • Designation of someone in the office to handle patient complaints that their privacy rights have been violated.
  • A log to note disposition of complaints.

Legal Documents

A Notice of Privacy Practices must be provided to each patient prior to their first treatment date after April 14. Covered entities must make a good faith effort to obtain acknowledgement of receipt from patients. The notice must include the following:

  • Legal header
  • Statement of covered entity's duties and its right to revise the notice
  • Description of individual rights under HIPAA
  • Statement of individual's right to complain to the Department of Health and Human Services and/or to the covered entity about violation; non-retaliation statement
  • Name/title and phone number of contact person
  • Effective date of the notice

Authorizations are required for any use or disclosure not otherwise permitted under the Privacy Standards; examples include pre-employment physicals, disability and life insurance, and school forms.

The authorization should, in plain language:

  • Describe information to be disclosed
  • Identify recipient of information
  • Include an expiration date
  • State an individual's right to revoke and how to do so
  • State that information disclosed may be subject to re-disclosure and no longer protected
  • Be signed and dated by individual

Business Associate Contracts are also required between the covered entity and any individual or organization that performs services on behalf of the covered entity involving the use or disclosure of protected health information (PHI). This includes contractors and agents providing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services. Business Associate Contracts should specify the permitted and required uses and disclosures of PHI by the business associate, as well as appropriate safeguards to prevent unauthorized use or disclosure of PHI.

- Dana Holmes

For general HIPAA questions, MMS members may call Dana Holmes at (781) 434-7218. For legal questions regarding HIPAA, MMS members should call Saliha Khaja, Esq., at (781) 434-7520.