|
|
How Will HIPAA Privacy Regulations Affect PAs?
from October 30, 2002, issue of AAPA News
By Steven Lane
At a luncheon on the first day of CCOW, guest speaker Michael R. Pollard, senior advisor to Merck and Medco Health Solutions, provided participants with a brief history of the Health Insurance Portability and Accountability Act (HIPAA) and updated them on what the act’s privacy regulations mean for PAs.
HIPAA was enacted in 1996 to address concerns about individuals who lost their health insurance when they lost their jobs. But also eventually included in the law were a host of regulations concerning privacy and use and transmission of medical information. Medical practices must come into compliance with the new standards by April 14, 2003.
Pollard covered several of HIPAA’s key requirements, including use and disclosure or patient health information (PHI), consent, marketing, and access to records.
He noted that the Department of Health and Human Services (HHS) had taken the approach that all disclosure of PHI is illegal, except as specifically provided in the regulations. The consent requirements have changed considerably from those in the rules proposed by the Clinton administration in December 2000, which, said Pollard, would have required patients to “sign hundreds of consents.” Now consent is not required for treatment, payment, or health care operations, but is required if medical information is to be used for marketing or for research. The changing consent requirements do not affect the provider’s duty to obtain “informed consent” before touching a patient.
HIPAA also requires that disclosure of PHI be the “minimum necessary” for the intended purpose. If a patient’s entire medical record is transmitted or disclosed, the provider must document the justification for doing so.
Practices must notify patients of their privacy procedures no later than the date of the patient’s first visit after April 14, 2003. They must obtain written acknowledgement from the patient or, if they cannot, document the attempt to obtain it.
Further modifications and guidance from HHS are likely over the next few months, said Pollard, but “in the meantime, we should proceed as though it will take place as scheduled.” The law will be enforced by the HHS Office of Civil Rights; penalties will include prison terms of up to 10 years and fines of up to $250,000.
Pollard provided the following brief checklist:
- Prepare notices of privacy practices and make them available to patients.
- Establish procedures for obtaining acknowledgement of patient’s receipt of notice.
- Train employees.
- Identify business associates and execute contracts.
- Establish procedures for access to records.
- Identify marketing communications requiring authorization.
- Establish protocols for restricting uses and disclosures of PHI.
- Establish protocols for tracking non-treatment, payment, operations disclosures of PHI.
Last Revised: 8/7/03
