Ready Or Not, Here Comes HIPAA

Is your practice HIPAA compliant? Indeed, the looming deadlines for compliance with the Health Insurance Portability and Accountability Act (HIPAA) will require careful consideration of the patient privacy protections you have in place at your practice. Will this process be time-consuming, expensive and stretch your staff even further than they’re stretched already? Absolutely. By April 14, 2003, your practice must be compliant with HIPAA’s Privacy Rule. If someone knowingly violates HIPAA and obtains individually identifiable health information or discloses it to another, he or she may be subject to a $50,000 fine and one year in prison, according to the American College Of Foot And Ankle Surgeons’ (ACFAS) HIPAA Privacy Manual. Given this, it’s probably a good idea to be as proactive as possible in addressing HIPAA’s Privacy Rule. 1) Be cognizant of the fuzzy, gray areas of HIPAA. For example, HIPAA’s “Minimum Necessary” standard requires you to only disclose the amount of protected health information (PHI) that is necessary for the purpose of the given disclosure. The Privacy Rule seems to recognize that it’s impractical to do case-by-case reviews of medical records for the purpose of releasing them to another practice for continued treatment. (The ACFAS manual suggests doing case-by-case reviews for non-routine disclosures.) Still, given the various exceptions to the rule and the variety of conditions you see in your practice, this standard seems ripe for interpretation, potentially leading to errors and subsequent violations. DPMs have also raised questions about how to address HIPAA in contracts with business associates who may require some degree of PHI disclosure. Apparently, what constitutes a “business associate” may vary from practice to practice. Is a radiologist a business associate (as defined by HIPAA) if he or she never sees your patient face to face? In order to be clear about these gray areas and whether state laws supercede HIPAA, it is probably wise to obtain legal advice. This would also be very prudent in reviewing the barrage of legal forms (ranging from the Patient Consent form to the Workforce Confidentiality form) that are required by HIPAA. 2) How will you handle the “Privacy Officer” issue? While multi-physician practices with lower overhead can probably hire a full-time employee to be the HIPAA-required Privacy Officer, the duties of that officer will likely be absorbed by the office manager in a smaller practice. Among various duties, the Privacy Officer has to oversee the implementation of your privacy policy and periodically monitor compliance. 3) Ensure thorough documentation. Not only should you update internal job descriptions to reflect increased responsibilities (due to HIPAA), but you are required to post a notice of your patient privacy policy and maintain a log that tracks PHI disclosures. 4) Educate yourself and your staff. The aforementioned HIPAA Privacy Manual from the ACFAS is an invaluable resource. For more information on the manual, check out www.acfas.org. Also be sure to attend HIPAA compliance seminars, such as the one being included at “Partnering For Success,” a two-day meeting (June 8-9) co-sponsored by the American Academy of Podiatric Practice Management and the American Society of Podiatric Medical Assistants. For more info, see www.aappm.org. This is just the beginning. HIPAA also requires that all Medicare claims must be submitted electronically by October 2003, and a proposed “Security Rule” is in the works as well. However, while HIPAA compliance may be extremely challenging, a proactive mindset is essential for minimizing headaches and ensuring as smooth a transition as possible.