HIPAA Clock Ticking for PAs
Providers Must Comply by April 14
from September 15, 2002, issue of AAPA News
By Christopher Doscher
The Department of Health and Human Services’ (HHS) recent announcement that it would move forward with modifications to the Health Insurance Portability and Accountability Act (HIPAA) privacy rule comes as the clock moves swiftly toward the April 14, 2003, deadline by which PAs and other health care providers must comply with the new regulations.
While confusion about the privacy rule may tempt you to delay compliance, the rule isn’t going away. In fact, practices and providers who don’t take steps to comply leave themselves and their practices exposed to civil and criminal penalties, including fines and prison time.
HIPAA is actually made up of three different sets of rules. In addition to the privacy rule, HIPAA includes a security rule requiring secure electronic transmission of data and other physical security measures to protect patient data, and standards on electronic transactions and code sets. But the privacy rule is expected to have the most effect on the way providers conduct day-to-day patient care.
“Providers are going to have to be well-versed in the rules, but they’re also going to have to think about things like faxing, talking about protected health information on the phone or in public, and how secure records are,” says Peter Mancino, a health care attorney with Garfunkel, Wild & Travis, Great Neck, New York.
Essentially, the privacy rule prohibits health care providers from disclosing protected health information (PHI) except what is necessary for treatment or coverage of a procedure. PAs and other providers must take steps to ensure that patient information is protected.
HHS has already addressed some major points of concern. A requirement that providers obtain written consent from patients for use of information in payment, treatment, and health care operations was removed after many providers expressed concern that the provision would hinder patient care. Providers were fearful that, if consent could not be obtained, they could be hit with penalties when providing care without consent.
AAPA joined a coalition of provider groups in a successful effort to modify the consent requirement and other requirements related to patient de-identification for research in an effort to improve patient access to care.
After the release of the privacy rule, some providers said they were concerned about being overheard talking with patients or other providers. In a set of modifications to the privacy rule released in March, HHS made clear that providers will not be penalized as long as the information exchange is the minimum amount necessary and reasonable steps are taken to protect privacy.
“Reasonable steps” are relatively simple to carry out, said Gary Herschman, a health care attorney with Sills Cummis, Newark, New Jersey, who specializes in HIPAA compliance. “It makes sense that when you’re communicating with a patient, the door should be closed,” he said. “You shouldn’t be [talking about patient care] out in an open area. The rules aren’t intended to impede patient care, so long as reasonable safeguards are put in place.”
In lieu of consent, there is now an “acknowledgement” requirement, meaning that providers have to make a reasonable, good faith effort to inform patients of the company’s privacy policies. “In a non-emergency situation, you should give patients a notice and have them sign it,” Herschman said. “If you’re unable to obtain it, you have to document why.”
Parental access to information was another area that HHS says may have been unintentionally limited by the privacy rule. State law is given priority in determining to what degree parents should have access to children’s records. When state law is unclear, providers are given discretion to grant or deny parental access to records.
HHS also made clear that providers will not be punished for inadvertent disclosures, such as if verbal communication with a patient is overheard. The exchange of information between providers is also allowed, so long as only the minimum necessary amount of information is exchanged.
It is important to distinguish between the definitions of consent and authorization. Consent is a broad requirement that deals with general use of PHI for treatment and health care operations. Authorization is a separate, more specific requirement that is still in force: it is needed for research or for any use of PHI outside the normal course of treatment and care.
Practices must take steps to show that they are in compliance. Every covered provider is required to have privacy standards in writing, defining who has access to PHI. Health care organizations must designate a privacy officer to oversee the policies, and employees who will come into contact with PHI must be trained in the policies. The training will likely vary in scope, depending on the size of the provider, HHS said in a fact sheet released with the privacy rule. For example, training in a small physician practice could consist of distributing privacy policies to employees for review, and then documenting that employees have reviewed the policy. Training in a hospital or other large organization will likely be more extensive, with live instruction or computer or video-based training.
Last Revised: 8/7/03