This information is intended to help you better understand HIPAA and help your office become HIPAA compliant. The information has been obtained from various sources and is not intended as legal advice. If you are having difficulty understanding any portion of the HIPAA requirements, you should consult your legal counsel.
First, there are no HIPAA police. No one will come to your office to inspect you to determine if you are HIPAA compliant. A complaint must be filed for action to be taken.
What is HIPAA?
HIPAA stands for The Health Insurance Portability and Accountability Act. It was adopted by the federal government in 1996 as part of a healthcare reform. HIPAA is designed to ensure the confidentiality of all patient-related health information. It also intends to simplify the administrative processes of healthcare, thereby reducing the cost and administrative burden of healthcare.
One thing to remember is that the HIPAA law uses the word “reasonable” several times. You and your practice staff must do all that is reasonable to protect the privacy of your patients. For example, smaller medical practices do not have to take the same data protection measures as large hospitals. That would not be reasonable.
Also, there is no “privacy police”. Nobody will come in and randomly inspect your office. Someone has to file a complaint first. Complaints are processed by the Office for Civil Rights. If someone makes a complaint, it will be investigated. The fines are very high, so you should make sure that your office has good privacy practices in place and that they are being followed at all times.
Another thing to keep in mind is that the nature of your practice can determine the level of privacy protection you need to provide. For example, patients in an ophthalmology office may not be as concerned about people knowing they are there, unlike patients in a psychiatric office.
There are several different components of HIPAA, each with its own implementation date.
Section 2: The Privacy Component: Implementation Date: April 2002
1. You must do everything reasonably possible to protect your patients’ privacy.
2. Patient records and information should be kept in a secure area of your practice, an area that is not accessible to other patients.
3. Charts should not be lying around openly where someone can read them.
4. When speaking over the phone or to a patient, you must do so from an area where you cannot be overheard giving out personal information. For example, if you call your insurance company and provide your first and last name, date of birth, ID no. and/or state a patient’s diagnosis, you don’t want to do so where others, perhaps in a waiting room, can hear you.
5. If patient records are ever removed from the practice, you must have a policy for it. For example, you should have a sign-out sheet that records the patient’s name, the date the chart was removed, and the person removing it, and the chart should be signed back in when it is returned.
6. When files are removed, they should be carried in a case marked “Confidential – Medical Records”. If you were ever involved in an accident or got separated from the bag for any reason, either authorities or medical personnel would secure the information for you. Or at least you would have done everything possible to protect this information.
7. If computer screens are in a position where patients can see them, you may want to move them or add a screen cover. A screen cover ensures that the computer screen can only be read directly in front of it.
These are just a few things to consider when becoming HIPAA compliant. Each office has its own areas that need to be checked; the above are some of the most common.
Section 3: Administrative Simplification: Compliance Date: October 2002
This component requires the standardization of electronic data interchange (EDI) and of procedure/diagnosis codes.
As far as procedure/diagnosis code standardization goes, it simply means you must use CPT-4 codes for procedures and ICD-9 codes for diagnoses.
The standardization of EDI relates to your electronic claims. To submit your claims electronically, you must do so in a HIPAA-compliant format.
Section 4: Security Component: No implementation date set yet
This component requires that healthcare professionals, billing services, and clearinghouses take appropriate security measures to ensure that an individual’s health information remains secure and is not accessible to others.
Things to consider:
Where’s your fax machine? Is it in a location where only office workers can access incoming faxes? Is it on 24 hours a day? Can someone else access your fax machine when you are out of the office (after hours)?
If you are faxing personal information about a patient, you should use a fax cover sheet with a confidentiality statement. The statement should say that the fax contains personal medical information and that, if it is received by anyone other than the intended party, it should be destroyed and the recipient should inform you that it was received in error.
Do you hire a cleaner or cleaning crew? Are they in the office when you are not? Do they have access to patients’ personal information? You can ask them to sign a confidentiality agreement.
Do you rent office space? If so, does your landlord have access to your office? Do they ever enter your office without you being there? If so, you might want to ask them to sign a confidentiality agreement.
By asking those who have access to your practice to sign a confidentiality agreement, you are making a reasonable attempt to protect your patients’ privacy. It is not always practical to deny everyone access to areas that contain private information. If these people sign an agreement and then break it, you will not be held responsible.
If you do business via email, you must use an encryption service. This ensures that someone who intercepts your emails cannot read them.
Section 5: Privacy Officer
All offices must appoint a designated “Privacy Officer”. This person is responsible for ensuring that all employees are educated about HIPAA and that privacy policies are written down and followed. This person is also the one that employees or patients can contact with concerns or questions about HIPAA compliance. Even if you are a very small practice, you MUST appoint someone as Privacy Officer. It can even be the doctor.
Section 6: Disclosure of Patient Information/Consent
You need the patient’s written consent to release their records/information.
(Exception: if the request is due to immediate/urgent patient care.)
You should review your current consent and authorization forms to ensure they are HIPAA compliant. HIPAA requires you to obtain consent for the use and disclosure of information from each of your patients. You can refuse treatment to patients who do not sign the consent form.
Section 7: Unique Identifiers: No implementation date set yet
HIPAA mandates the use of unique identifiers. Details of this component are still to come. Most likely it will mean you have one national provider number instead of a different provider number for each insurance company.
Section 8: Policies and Procedures Required by HIPAA
1. Identify individuals in your workforce who need access to protected health information.
2. Prevent unauthorized access to protected health information.
3. Ensure that only the “minimum necessary” amount of information is released for routine disclosures (release only the information related to the request, not the entire patient record).
4. Verify the identity of the information requester.
5. Grant patients access to their records, the ability to request corrections, and access to a record of disclosures and of their billing.
6. Each office must have a written policy on privacy practices.
Assess your physical office for potential privacy and security risks. One of the best things you can do to get “ready” for HIPAA is to walk through your practice (even better, let someone else walk through) as if you were a patient. Check out EVERYTHING. What do you see? Do you see personal patient information or charts in full view? Start right at the front door and go through all the rooms in your practice, especially the rooms that patients have access to. Then continue to conduct regular reviews to ensure ongoing compliance.
Make sure you have written policies on all privacy practices, e.g. removing charts from the office, faxing patient information, reviewing patient complaints, etc. Also make sure you appoint a “Privacy Officer”.
Ensure all employees are trained on HIPAA guidelines. Remember to educate all new hires on HIPAA guidelines. You should also regularly review your current HIPAA policies.