HIPAA and how it will affect your office

This information is designed to help you better understand HIPAA and help your office become HIPAA compliant. The information was obtained from a variety of sources and is not intended to be legal advice. If you have difficulty understanding any part of the HIPAA regulations, you should consult your legal counsel.

First, there are no HIPAA police. No one will come to your office to inspect it and see if it is HIPAA compliant. A complaint must be filed for any action to be taken.

What is HIPAA?

HIPAA stands for Health Insurance Portability and Accountability Act. It was enacted by the federal government in 1996 as part of a health care reform effort. HIPAA is intended to ensure the confidentiality of all patient-related health care information. It is also intended to simplify health care administrative processes, thereby reducing health care costs and administrative burdens.

One thing to remember is that the HIPAA Law uses the word “reasonable” several times. You and your office staff must do everything reasonable to protect your patient’s privacy. For example, smaller medical offices don’t have to take the same privacy measures as large hospitals. That would not be reasonable.

Also, there is no “privacy police”. No one is going to walk in and inspect your office randomly. Someone has to file a complaint first. Complaints will be handled by the Office for Civil Rights. If someone makes a complaint, it will be investigated. The fines are very high, so you’ll want to make sure your office has good privacy practices in place and that they are followed at all times.

Another thing to keep in mind is that the type of practice can determine the level of privacy you need to acquire. For example, patients in an optometrist’s office may not be as concerned about people knowing they are there as patients in a mental health office.

There are several different components of HIPAA, each with its own implementation date.

Section 2: The Privacy Component: Implementation Date: April 2002

1. You must do everything possible to protect your patient’s privacy.

2. Patient files and information should be kept in a secure section of your office, a section that cannot be accessed by other patients.

3. Charts should not be left lying open where someone can read them.

4. If you are making a phone call about a patient or to a patient, you should do so from an area where you cannot be heard if you are giving out personal information. For example, if you’re calling an insurance company and you’re going to say the patient’s first and last name, date of birth, ID number, and/or a diagnosis, then you don’t want to do it where others, perhaps patients in the waiting room, can hear you.

5. If patient records are ever removed from the office, you must have a policy in place. For example, you should have a checkout sheet that lists the patient’s name, the date it was taken, by whom, and then sign back in when the record is returned.

6. If records are removed, they should be in a case marked “confidential – medical records.” If you were ever involved in an accident, or separated from the bag for any reason, authorities or medical personnel would secure the information for you. At the very least, you would have done everything reasonable to protect that information.

7. If computer screens are in a position where patients can see them, you may want to move them or get a screen cover. A screen cover makes the computer screen readable only when you are directly in front of it.

The above are just a few things to keep in mind when complying with HIPAA. Each office will have its own areas that need to be checked, but the above are many of the common ones.

Section 3: Administrative Simplification: Compliance Date: October 2002

This component requires standardization of data transmissions, or EDI, and procedure/diagnostic codes.

As for the standardization of procedure/diagnosis codes, this just means that you should use CPT-4 codes for procedure codes and ICD-9 codes for diagnosis codes.

As for EDI standardization, that refers to your electronic billing. To submit your claims electronically, you must submit them in a HIPAA compliant format.

Section 4: Security Component – No implementation date set yet

This component requires healthcare professionals, billing services, and clearinghouses to take appropriate security measures to ensure that health information belonging to an individual remains secure and cannot be accessed by others.

Things to consider:

Where is your fax machine? Is it in a location where only office staff can access incoming faxes? Is it on 24 hours a day? When you’re not in the office (outside office hours), can anyone else access your fax machine?

Whenever you fax personal information about a patient, you must use a fax cover sheet with a confidentiality statement. The statement must explain that the following fax contains personal medical information and that if the fax is received by someone other than the intended party, the fax must be destroyed and you must be notified that it was received in error.

Do you hire a cleaning person/crew? Are they in the office when you are not? Do they have access to the patient’s personal information? You may want to ask them to sign a confidentiality statement.

Do you rent office space? If yes, does your landlord have access to your office? Do they ever enter your office without you being present? If they do, you can ask them to sign a confidentiality statement.

By asking people who have access to your practice to sign a confidentiality statement, you are making a reasonable attempt to protect your patients’ privacy. It is not always reasonable to deny everyone access to areas that contain private information. If those people sign an agreement and then break it, you will not be responsible.

If you conduct any business via email, you must use an encryption service. This will ensure that if someone were to intercept your emails, they would not be able to read them.

Section 5: Privacy Officer

All offices must appoint a “privacy officer.” This person is responsible for making sure that all staff are HIPAA trained and that privacy policies are written and followed. This person is also the one staff members or patients can go to with any HIPAA compliance concerns or questions. Even if you have a very small practice, you MUST have someone designated as your privacy officer. It can even be the doctor.

Section 6: Release of Information/Patient Consent

You must have the patient’s written consent to release any of their records/information.

(Exception: if the request is due to the immediate/urgent care of the patient).

You should review your current consent and authorization forms to ensure they are HIPAA compliant. HIPAA requires that you obtain consent for the use and disclosure of information from each of your patients. You may refuse to treat patients who do not sign the consent form.

Section 7: Unique Identifiers – An implementation date has not yet been set

HIPAA will require the use of unique identifiers. More to come on this component. You will most likely have a national provider number, rather than a different provider number for each insurance company.

Section 8: Policies and Procedures Required by HIPAA

1. Identify the individuals on your staff who require access to protected health information.

2. Prevent access to protected health information by unauthorized persons.

3. Make sure the “minimum necessary” amount of information is released for routine disclosures (only release information related to what is requested, not the entire patient record).

4. Verify the identity of the requester of the information.

5. Provide patients with access to their records, the opportunity to request corrections, and an accounting of disclosures.

6. Each office must have written policies regarding privacy practices.

Summary

Evaluate your physical office for potential privacy and security risks. One of the best things you can do to be “prepared” for HIPAA is to walk through your office (better yet, have someone else walk through it) as if you were a patient. Look around at EVERYTHING. What do you see? Do you see any personal patient information or charts in view? Start at the front door and go through all the rooms in your office, especially the rooms that patients have access to. Then continue to perform regular checks to ensure continued compliance.

Make sure you have written policies regarding all of your privacy practices, such as removing records from the office, faxing patient information, reviewing patient complaints, etc. Also, be sure to designate a “privacy officer.”

Make sure all staff members are trained on HIPAA policies. Remember to train all new employees on HIPAA policies. You should also review your current HIPAA policies regularly.
