Volume 1 : Issue 2 : Summer 2002

HIPAA

Will your practice be ready?

What is HIPAA?

The Health Insurance Portability and Accountability Act (Public Law 104-191), or HIPAA as it is most commonly known, was passed by Congress in 1996. Its primary function was to enable Americans covered by a group health insurance plan to transfer health insurance coverage from one employer group to another. Other provisions include limiting health insurance coverage exclusions for preexisting conditions and nondiscrimination toward employees and dependents based on their health status.

Portability is totally separate from and unrelated to the subject matter of this article, which is primarily concerned with Title II, which deals with what the act calls “Administrative Simplification”. Title II governs the privacy and security of health data and related subjects involving the transmission and processing of that data. Another purpose of HIPAA is to replace paper-based transactions with a single, uniform set of standards for electronic transactions. All healthcare providers must be in compliance with the Privacy Rule by April 14, 2003. Similarly, the compliance deadline for the Transactional Code Sets Rules was October 16, 2002; however, a one-year extension has been granted for medical practices submitting a compliance plan to the Centers for Medicare and Medicaid Services (CMS) before that date. This article will take a closer look at the Privacy Rule and how it affects private practitioners.

How does HIPAA affect my practice?

It is important to note that while final standards have been issued, significant changes to the standards have already been approved and the Department of Health and Human Services (HHS) has not made a decision whether to adopt those changes. This article will post any changes as they occur, to keep our clients and interested readers abreast of changes regarding HIPAA implementation.

HIPAA has established four federal standards to be adopted by medical practices.
These standards include:

  1. Transaction standards. This applies to transactions that are transmitted electronically. It does not prevent transactions from being submitted on paper. Not only is an electronic form required to conform to standards, it also requires health plans to conduct transactions electronically when asked to do so by a provider. The transaction standards do not apply to information being transmitted within a corporate entity. The deadline for compliance had been set for October 16, 2002; however, on November 27, 2001, the Senate passed legislation giving covered entities a one-year extension provided that the entity filed with CMS by the October 16, 2002 deadline.
  2. Privacy standards. This applies to any information, electronic or not, that describes an individual’s personal health information that could potentially be used to identify an individual. All healthcare providers, insurance companies, and healthcare clearing houses must comply with this privacy rule. Most healthcare providers covered by the rule will have to comply with the new requirements by April 2003.
  3. Security standards. This rule applies to any information that is collected, stored and transmitted electronically by a healthcare provider, insurance company or healthcare clearing house, intentionally or unintentionally. Policies must be implemented to safeguard the security and integrity of the information it obtains, corrects and amends. Most healthcare providers covered by the rule will have to comply with the new requirements by April 2003.
  4. Uniform Identifiers. This applies to any information that identifies a health insurance plan, healthcare provider, employer or individual. Compliance with the new requirements must be made by July 30, 2004.

The Privacy Rule

The Privacy Rule creates a uniform standard designed to protect a patient’s personal health information. It gives patients control over data they provide to healthcare providers, insurance companies or healthcare clearing houses. It also limits the way this information can be used and to whom it may be released, and sets up guidelines to protect the privacy of a patient’s health information. The cost of not complying with HIPAA includes fines of $100 for each violation, with a cap of $25,000 per year for each provision of the regulations that is violated. In addition, criminal penalties and prison time can result if you are found guilty of knowingly and willfully violating a Rule.

Complying With The Rule

Requirements of the Privacy Rule include the following:

  1. Consent – Patients must sign a Consent Form before you release protected health information (PHI), or identifiable health information that is collected, maintained or disseminated by a covered entity, in connection with what the act calls, “treatment, payment and healthcare operations” (TPO).
  2. Notice – Patients must be informed of their rights and responsibilities with respect to PHI. Office privacy policies must also be disclosed.
  3. Minimum Necessary and Oral Communications – There must be a limit on the information that may be disclosed. An office must limit what PHI is disclosed and with whom it is shared both inside and outside the organization.
  4. Business Associates – Written agreements must exist making business associates responsible for PHI to equal degrees.
  5. Research authorizations – Patients must sign an Authorization Form before their PHI is used for research.
  6. Marketing – A practice may not disclose PHI to market itself unless patients have signed Authorization Forms. The Rule lists a number of activities you may engage in that do not constitute marketing and describes the ways you may communicate with your patients in connection with these activities.

Steps toward compliance with HIPAA.

Creating a compliance plan is inevitable. Whether you decide to begin now or wait for the final regulations to go into effect, you need to start thinking about some of the core aspects of this legislation. Careful planning and implementation will ensure a comprehensive compliance plan for your practice rather than a mad dash to throw something together under a tight deadline.

If you practice within a group of partners that is not in compliance with HIPAA, the entire practice will ultimately be at risk for non-compliance, potentially incurring fines and penalties. Successful implementation requires that employees comprehend and embrace the principles of HIPAA. A Privacy Officer must be elected to educate himself/herself about the latest changes and to inform others about those changes. Medical Practice Initiatives, LLC highly suggests the following to get your practice ready for this important legislation:

  1. Meet with your group to discuss HIPAA and the Privacy Rule. Explain that all partners must be in full compliance with each Rule of HIPAA and that unanimity is required in order to be in compliance.
  2. Organize an implementation team comprised of physicians, administrators, managers, staff and/or consultants to get educated and set up a foundation for complying with HIPAA.
  3. Elect a Privacy Officer who will monitor decisions of CMS and HHS so that this information can be disseminated throughout the practice.
  4. Develop a compliance budget to estimate the costs of implementing HIPAA. All practice partners should review this budget.
  5. Seek the advice of counsel with experience in healthcare law and/or a healthcare consultant who may assist your practice in developing and implementing a HIPAA policy and procedure manual.

Developing and implementing a HIPAA policy and procedure manual will invariably cost your practice time and money, both initially and for ongoing compliance. The Privacy Rule is one of four areas of compliance set forth by the HHS and CMS. The Privacy Rule should be of particular interest to physician practices because electronic scheduling, claims authorization and processing have become the primary method by which information is processed by private practices in an effort to operate more efficiently and effectively.

For more information regarding each of the four requirements of HIPAA, please visit the Centers for Medicare and Medicaid Services (CMS) web page at http://www.cms.hhs.gov/hipaa/.

 
     
Questions? Comment? Suggestions? Contact us at: info@mpi-llc.com
2002 All Rights Reserved. Medical Practice Initiatives, LLC