HIPAA Compliance: Do You Make The Grade?
The clock is ticking. In another step of a process which began in 1996, the Centers for Medicare and Medicaid Services have set a deadline of April 21, 2005 for compliance with the security standards of the Health Insurance Portability and Accountability Act (HIPAA). Is your practice ready to meet the deadline?

The voluminous data on HIPAA compliance lays out broad guidelines for maintaining security. As the final rule from the Federal Register states, healthcare organizations must “ensure the confidentiality, integrity and availability of all electronically protected health information,” and protect such information against security threats or uses that the act does not permit. HIPAA allows DPMs to use any security measures that allow them to implement standards reasonably.

About 70 percent of healthcare institutions are complying with the standards, according to the American Medical Association (AMA), and American Podiatric Medical Association President Lloyd Smith, DPM, said recently he believes podiatrists are complying at a similar rate (see page 12, “News And Trends,” May issue). However, although large institutions are complying with the act, the AMA estimates compliance among small practices is about 15 percent.

Although the information available on HIPAA can seem overwhelming, the act does give practices latitude to safeguard their healthcare information in a manner deemed reasonable. The key, according to those in the know, is educating yourself and your staff on what is required. “When your staff is properly educated with respect to the various compliance issues, they become well positioned to win the game while carrying out their duties more efficiently and with reduced stress,” says Barry Mullen, DPM.

Educating Yourself And Your Staff On HIPAA’s ‘Reasonable Standards’

As noted above, the act requires adherence to “reasonable standards” of privacy and the government lists various mandates.
HIPAA requires you to assess the risk of violation of patient privacy, implement a process to safeguard data and devise sanctions for employees who violate security. The act also advises limiting physical access to records, having a contingency plan to store data in case of emergency, and backing up data.

Even before the act took effect, state laws required healthcare providers to adhere to reasonable standards of patient confidentiality, according to Dr. Mullen, the Healthcare Compliance Advisor for the American Association of Podiatric Practice Management (AAPPM). “HIPAA basically forced health care practitioners to streamline compliance protocols, which ultimately is a good thing,” says Dr. Mullen. “In the long run, compliance plans will become to healthcare compliance issues as office policy manuals are to the overall concept of practice administration.” Dr. Mullen says compliance plans are invaluable reference sources for physicians and staff to work together in achieving ultimate compliance outcomes in the most efficient manner possible.

Establishing a compliance plan is an important step and a vital part of educating staff on the changes, concurs Lynn Homisak, PRT. She says her office created its own compliance manual, which was modeled on the APMA HIPAA Manual. Homisak, a Trustee of the AAPPM, adds that attending HIPAA lectures at different meetings also facilitated a better understanding of HIPAA compliance. “It was beneficial to attend meetings that offered HIPAA presentations, which allowed us to better align ourselves in terms of compliance to ongoing education,” notes Homisak.

Dr. Mullen agrees, noting that seminars, Web sites and compliance newsletters are valuable tools for educating yourself and your staff on HIPAA compliance. He emphasizes the importance of investing time and money to stay abreast of compliance issues.
What You Should Cover And Address When Meeting With Your Staff

Meeting with your staff can further enhance the education process, according to Steven Peltz, CHBC, the president of Peltz Practice Management and Consulting Services. In the first meeting, Peltz says you should summarize the significance of the HIPAA rules. He recommends discussing the following provisions:

• when you can and cannot give out information on the telephone;
• what is required of “business associates” and who they are;
• what is required when a payer asks for charts for an audit; and
• how to reduce or eliminate talking about a patient in a public setting.