This information is intended to help you better understand HIPAA and to help your office become HIPAA compliant. The data was gathered from various sources and is not intended to be legal advice. If you are having trouble understanding any of the HIPAA regulations, you should seek legal advice.
For starters, there are no HIPAA enforcers. Nobody is going to come into your office and check to see if you are HIPAA compliant. In order for action to be taken, a complaint must be filed.
What exactly is HIPAA?
The Health Insurance Portability And Accountability Act is abbreviated as HIPAA. The federal government enacted it in 1996 as part of a healthcare reform effort. The purpose of HIPAA is to ensure the confidentiality of all patient-related health care information. It also intends to simplify health-care administrative processes, lowering health-care costs and administrative burdens.
One thing to keep in mind is that the word “reasonable” appears several times in the HIPAA Act. You and your office staff must do everything reasonably possible to safeguard your patients’ privacy. Smaller medical offices, for example, are not expected to take the same privacy precautions as large hospitals; holding them to that standard would not be a reasonable position to take.
There are also no “privacy cops.” Nobody is going to come into your office at random and inspect it. Someone must first file a complaint. The Office for Civil Rights handles the complaints, and if someone files one, it will be looked into. The fines are extremely high, so make certain that your office has good privacy practices in place and that they are strictly adhered to at all times.
Another thing to consider is that the nature of your practice may dictate the level of privacy that you require. Patients in an optometrist’s office, for example, may be less concerned about people knowing they are there than patients in a mental health office.
HIPAA is divided into several components, each with its own implementation date.
Section 2: The Privacy Component: April 2002 implementation date
1. You must take reasonable precautions to protect your patient’s privacy.
2. Patients’ files and information should be kept in a secure area of your office that other patients cannot access.
3. Charts should not be left open where anyone can read them.
4. When you phone a patient, or call a third party about a patient, and personal information will be discussed, make the call from a location where you cannot be overheard. For example, if you are calling their insurance company and will be saying the patient’s first and last name, date of birth, ID#, and/or a diagnosis, you should not do so in a public place, such as a waiting room.
5. You must have a policy in place for any time a patient’s chart is removed from the office. For example, you should have a sign-out sheet that records the patient’s name, the date taken, and who took it, as well as a sign-in sheet for when the chart is returned.
6. If charts must be removed, they must be carried in a case labelled “confidential – medical records.” If you were in an accident or became separated from your bag for any reason, authorities or medical personnel would secure the information for you. Or, at the very least, you would have done everything possible to safeguard that information.
7. If computer screens are in a position where patients can see them, consider moving them or purchasing a screen cover. A screen cover restricts access to the computer screen to those who are directly in front of it.
The items listed above cover many of the common areas, but they are only some of the factors to consider when becoming HIPAA compliant. Each office will have its own set of areas that must be reviewed.
Section 3: Administrative Simplification: deadline for compliance: October 2002
This component requires the standardisation of electronic data interchange (EDI) transmissions, as well as of procedure and diagnosis codes.
In terms of procedure/diagnosis code standardisation, this simply means that you must use CPT-4 codes for procedure codes and ICD-9 codes for diagnosis codes.
In terms of EDI standardisation, this refers to your electronic billing. If you submit your claims electronically, you must do so in a HIPAA-compliant format.
Section 4: Security Component: No implementation date has been set as of yet.
This component requires health care professionals, billing services, and clearing houses to take appropriate security measures to ensure that an individual’s health information remains secure and is not accessible to others.
Consider the following:
Where is your fax machine? Is it in a location where only office personnel have access to incoming faxes? Is it on all the time? Can anyone else use your fax machine when you are not in the office (after office hours)?
When faxing personal information about a patient, use a fax cover sheet that includes a confidentiality statement. The statement should say that the fax contains personal medical information and that, if it is received by anyone other than the intended recipient, the fax should be destroyed and you should be notified that it was received in error.
Do you employ a cleaning crew? Are they at work when you are not? Is it possible that they have access to the patient’s personal information? You might want to have them sign a confidentiality agreement.
Do you have an office that you rent out? If this is the case, does your landlord have access to your office? Do they ever come into your office when you’re not there? If they do, you should have them sign a confidentiality agreement.
You are making a reasonable attempt to protect your patient’s privacy by requiring those who have access to your office to sign a confidentiality statement. It is not always reasonable to deny anyone access to areas containing sensitive information. You would not be held liable if those people signed an agreement and then broke it.
If you conduct business via email, you must use an encryption service. This ensures that if your emails are intercepted, no one will be able to read them.
Section 5: Privacy Officer
Every office is required to appoint a “privacy officer.” This person is in charge of ensuring that all employees are HIPAA trained and that privacy policies are written down and followed. They are also the point of contact for any concerns or questions about HIPAA compliance from staff or patients. Even if your practice is small, you must designate someone as the privacy officer; in a small practice this may be the doctor.
Section 6: Patient Information Release/Consent
To release any of the patient’s records or information, you must first obtain their written consent.
(Exception: If the request is for immediate/urgent patient care.)
Check to see if your current consent and authorization forms are HIPAA compliant. HIPAA requires you to obtain consent from each of your patients for the use and disclosure of information. Patients who refuse to sign the consent form may be refused treatment.
Section 7: Unique Identifiers: No implementation date has been set as of yet.
The use of unique identifiers will be required by HIPAA. More information on this component will be provided in the near future. You will most likely have a single national provider number rather than a different provider number for each insurance company.
Section 8: HIPAA-Required Policies and Procedures
1. Determine who on your team needs access to protected health information.
2. Prevent unauthorised individuals from accessing protected health information.
3. Ensure that only the “minimum necessary” amount of information is released for routine disclosures (release only information relevant to the request, not the entire patient file).
4. Confirm the identity of the information requestor.
5. Allow patients access to their records, the ability to request corrections, and an accounting of disclosures.
6. Every office must have written privacy policies in place.
Examine your physical office space for potential privacy and security hazards. One of the best things you can do to get “ready” for HIPAA is to walk through your office (or have someone else walk through it) as if you were a patient. Take a look around at EVERYTHING. What do you notice? Is there any personal patient information or charts visible? Begin at the front door and work your way through.
Steve has 12 years of experience in medical coding, billing, and compliance. He is the editor and marketing manager for Folio3, and he is in charge of the HIPAA security rules conference.