This information is designed to help you better understand HIPAA and to assist your office in becoming HIPAA compliant. The information was obtained from a variety of sources and is not intended to be legal advice. If you are having difficulty understanding any portion of the HIPAA regulations you should consult your legal counsel.
First, there are no HIPAA police. Nobody is going to show up at your office for a routine inspection. Enforcement is driven almost entirely by complaints, although the Office for Civil Rights (OCR) can open a compliance review on its own initiative.
What is HIPAA?
HIPAA stands for the Health Insurance Portability and Accountability Act. It was enacted by the federal government in 1996 as part of a health care reform effort. HIPAA is intended to protect the confidentiality of individually identifiable health information held by health care providers, health plans and clearinghouses. It also aims to simplify the administrative side of health care (standard electronic transactions and code sets), thereby reducing the costs and administrative burdens of health care.
One thing to remember is that the HIPAA regulations use the word "reasonable" repeatedly. You and your office staff must do whatever is reasonable to protect your patients' privacy. For instance, a small medical office is not expected to take the same measures as a large hospital; that would not be reasonable. The flip side is that "reasonable" is judged against what a practice of your size could have done, so write down which measures you chose and why.
Also, there are no "privacy police." No one is going to inspect your office at random. Enforcement is driven mainly by complaints, which are handled by the Office for Civil Rights (OCR) of the Department of Health and Human Services; OCR may also open a compliance review on its own. If a complaint is filed, it will be investigated. The civil penalties can be very high, so you will want to be sure that your office has good privacy practices and that they are followed all of the time.
Another thing to keep in mind is that the type of practice you have affects the level of privacy protection you need. For example, patients in an optometrist's office may not be as concerned about people knowing they are there as patients in a mental health office are.
There are several different components of HIPAA, each one having its own implementation date.
Section 2: The Privacy Component: implementation date: April 14, 2003
1. You must do everything within reason to protect your patients' privacy.
2. Patients' files and information should be kept in a secure part of your office that other patients cannot get into.
3. Charts should not be left lying around open where someone can read them.
4. If you are making a phone call about a patient or to a patient, you need to do it from an area where you can not be overheard if you will be giving out personal information. For example, if you are calling their insurance company, and you will be saying the patient's first and last name, date of birth, ID #, and / or a diagnosis, then you do not want to do it where others, perhaps in a waiting room, can hear you.
5. If patients' charts are ever removed from the office, you need to have a policy in place. For example, keep a sign-out sheet that records the patient's name, the date the chart was taken and by whom, and sign the chart back in when it is returned.
6. If charts are removed, they should be carried in a case marked "confidential – medical records." If you were ever involved in an accident or separated from the bag for any reason, the authorities or medical personnel would know to secure the information for you. Either way, you would have done what is reasonable to protect it.
7. If computer screens are positioned so that patients can view them, move them or fit a privacy filter. A privacy filter narrows the viewing angle so that the screen can only be read from directly in front of it. Also lock or log out of a workstation whenever you step away from it.
The above are just some of the things you will need to consider when becoming HIPAA compliant. Each office will have its own areas that need to be reviewed; the above are the most common ones.
Section 3: Administrative Simplification: compliance date: October 16, 2002 (October 16, 2003 for those who filed for the one-year extension under the Administrative Simplification Compliance Act)
This component, usually called the Transactions and Code Sets rule, requires standard formats for electronic data interchange (EDI) and standard procedure / diagnosis code sets.
As for the standardization of procedure / diagnosis codes, this just means that you must use CPT-4 (and HCPCS) codes for procedures and ICD-9-CM codes for diagnoses.
As for the standardization of EDI, that refers to your electronic billing. To submit your claims electronically, you must use the HIPAA standard transaction formats (the ASC X12N standards; the 837 is the claim transaction). Most practices meet this through their practice management software vendor or a clearinghouse, but you should get written confirmation from them that their transactions are compliant.
Section 4: Security Component: no implementation date set yet
This component requires health care providers, billing services and clearinghouses to take appropriate security measures to ensure that an individual's health information, particularly in electronic form, remains secure and is not accessible to others. (The final Security Rule was later published in February 2003; it covers electronic protected health information and had a compliance date of April 20, 2005.)
Things to consider:
Where is your fax machine? Is it in a place where only office staff can see incoming faxes? Is it on 24 hours a day? After office hours, can anyone else get to it?
Whenever you fax personal information about a patient, use a fax cover sheet with a confidentiality statement. The statement should explain that the fax contains personal medical information and that, if it is received by anyone other than the intended party, it should be destroyed and you should be notified that it was received in error. Also double-check the number before sending; the cover sheet only helps after a fax has already gone to the wrong party.
Do you hire a cleaning person / crew? Are they in the office when you are not? Do they have access to patients' personal information? You may want to ask them to sign a confidentiality statement.
Do you rent office space? If yes, does your landlord have access to your office? Do they ever enter your office without you being present? If they do, you may want to ask them to sign a confidentiality statement.
By asking people who have access to your office to sign a confidentiality statement, you are making a reasonable attempt to protect your patients' privacy. It is not always reasonable to never allow anyone access to areas that contain private information. If those people sign an agreement and then breach it, you can show that you took reasonable steps, which is what the regulation asks of you, although it does not remove your own duty to keep records locked away where you can.
If you send any patient information by email, you will need to encrypt it, so that anyone who intercepts the message cannot read it. The Security Rule treats encryption of health information sent over open networks as an "addressable" specification: you must either implement it or document why an equivalent alternative is reasonable for your practice.
Section 5: Privacy Officer
All offices must designate a "privacy officer." This person is responsible for making sure all staff are trained on HIPAA and that the privacy policies are written down and followed. They are also the person staff members or patients can go to with any concerns or questions about HIPAA compliance. Even if you are a very small practice, you MUST have someone designated as the privacy officer. It may even be the doctor themselves.
Section 6: Release of Patient Information / Consent
You need the patient's written authorization to release their records or information for any purpose other than treatment, payment or health care operations, unless the release is otherwise required or permitted by law (for example, a required public health report).
(Exception: information needed for the immediate / urgent care of the patient can be shared with the providers treating them.)
You should review your current consent and authorization forms to make sure they are HIPAA compliant. The Privacy Rule as first issued required you to obtain each patient's consent for uses and disclosures for treatment, payment and operations, and allowed you to refuse to treat patients who would not sign. The August 2002 modifications made that consent optional; instead you must give each patient your Notice of Privacy Practices and make a good-faith effort to obtain a written acknowledgement that they received it. Written authorization for other releases remains mandatory.
Section 7: Unique Identifiers: No implementation date set yet
HIPAA will mandate the use of unique identifiers. More to come on this component. Most likely you will have one national provider number instead of a different provider number for each insurance company. (This became the National Provider Identifier, or NPI; the final rule was published in January 2004, with a compliance date of May 23, 2007.)
Section 8: Policies and Procedures Required by HIPAA
1. Identify people on your staff who require access to protected health information.
2. Prevent access to protected health information by unauthorized persons.
3. Ensure that the "minimum necessary" amount of information is released for routine disclosures (only release information pertaining to what is requested, not the patient's entire file.)
4. Verify the identity and the authority of the person requesting information before releasing it.
5. Provide patients with access to their records, the opportunity to request corrections (amendments), and an accounting of disclosures.
6. Every office must have written policies regarding privacy practices.
Evaluate your physical office for potential privacy and security risks. One of the best things you can do to become "ready" for HIPAA is to walk through (better yet, have someone else walk through) your office as if you were a patient. Look at EVERYTHING. What do you see? Any personal patient information, any charts in full view? Start right at the front door and go through every room in your office, especially the rooms patients have access to. Then continue to do periodic checks to ensure ongoing compliance, and write down what you found and what you fixed so you can show the review was done.
Make sure that you have written policies for your privacy practices, such as removing charts from the office, faxing patient information, reviewing any complaints from patients, etc. Also, make sure you designate a "privacy officer."
Make sure all staff members are trained on your HIPAA policies, train every new employee, and keep a record of who was trained and when. You should also review your HIPAA policies regularly.