November 2001
Protecting Your Patients and Your Practice
By Corrine Parver, JD, PT, and Lynne DeSarbo, JD
Legal guidelines for ensuring the protection of your patients' health information
The Office of Civil Rights (OCR) of the Department of Health and Human Services (HHS) recently provided specific guidance to clarify the meaning of the Standards for Privacy of Individually Identifiable Health Information (Standards), promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These guidelines are particularly important to private practice owners, for whom liability can be especially damaging.
Obtain Patient Consent
HIPAA mandates that PTs, physicians, hospitals, and other health care professionals, all of which are considered "covered entities" under HIPAA, must obtain a patient's signed consent prior to using or disclosing the patient's protected health information to implement treatment, payment, or health care operations. Health care providers need obtain such consent only one time for multiple visits. Consent may be obtained by electronic means. State laws also may impose additional requirements on covered entities for consent forms. Although patients may revoke their consent in writing, providers may bill for services rendered in reliance on the consent.
An authorization, which is described in the Standards as a more detailed, tailored form than a consent, enables the disclosure of protected health information for specified purposes, usually other than for treatment, payment, or health care operations, or for the release of protected health information (PHI) to a third party named by the patient. In some instances, providers must obtain an authorization to use or disclose, such as for the release of psychotherapy notes.
HIPAA's consent requirement does not impede the ability of PTs to consult with other providers about a patient's medical condition. Likewise, pharmacists may give advice about over-the-counter medications or enable a patient's friend or family member to pick up a prescription without the patient's signed consent. Generally, in the absence of a "joint consent," one covered entity is not obligated to comply with a consent obtained by another covered entity.
Minimum Necessary Requirement For Disclosure
HIPAA mandates that all covered entities, including PTs, take reasonable steps to limit the use or disclosure of and requests for protected health information to the "minimum necessary" amount for a particular purpose. Notable exceptions include disclosures to or requests by a health care provider for treatment purposes or disclosures authorized by a patient. Thus, PTs must have policies and procedures in their practice locations that set forth the persons or classes of persons who need access to the information to fulfill their job functions, the categories or kinds of information needed (even an entire medical record in some cases), and requirements to enable such access. HIPAA allows flexibility in evaluating particular circumstances, mandating only that reasonable precautions are taken to prevent inadvertent or unnecessary disclosures.
Clinic redesigns are not necessary to achieve compliance with HIPAA, but PTs may have to make some adjustments to their practice locations to limit access to protected health information. Such adjustments may include isolating or locking file cabinets or records rooms, and providing additional security such as computer passwords. PTs should also assess the feasibility and practicality of reconfiguring their record systems to allow access to only certain fields of information. The "minimum necessary" requirement does not prohibit health care professionals from keeping patients' medical charts at bedside, nor does it require extreme measures such as shredding empty prescription vials or total isolation of, for example, x-ray light boards. HHS plans to propose modifications to the Standards to make clear that sign-in sheets in waiting rooms and other similar practices do not violate HIPAA.
Privacy of Oral Communications
HIPAA applies to protected health information in all forms, whether electronic, written, oral, or any other form. Given that, PTs must "reasonably safeguard" PHI communicated verbally (eg, oral coordination of services by staff at hospital nursing stations) from intentional or unintentional uses or disclosures that violate the Standards. However, because overheard communications inevitably will occur, even when proper precautions are taken to limit the chance of inadvertent disclosures, HHS plans in the future to publish regulatory language underscoring that HIPAA does not prohibit appropriate oral communications.
Furthermore, HIPAA does not require that PTs make structural or system changes to their offices, clinics, or other facilities (eg, private rooms, soundproof walls, encryption of wireless or other emergency medical radio communications, or telephone systems). PTs also need not provide patients with access to oral information or document all oral communications, unless the information has already been recorded in some way.
Business Associate Obligations
HIPAA allows all covered entities, including PTs, to disclose protected health information to various contractors and other businesses that provide them with certain functions, activities, or services (collectively called business associates, ie, claims processing or administration; data analysis, processing, or administration; utilization review; quality assurance; billing; benefit management; practice management; and repricing), so long as they receive satisfactory assurances from their business associates, through a contract or other agreement, that the business associate will do the following:
Use the protected health information for the limited purposes for which it was hired;
Protect the information from misuse; and
Assist the covered entity in providing patients with access to their medical information and an accounting of its disclosures.
Business associates may perform services where that performance involves the disclosure of information by the covered entity to the business associate. The business associate requirements are not applicable, however, to covered entities that disclose protected health information to other providers for treatment purposes (eg, exchanges of information between a hospital and physicians with admitting privileges at the hospital). Software vendors and Internet companies are considered business associates if they perform functions or activities on behalf of, or provide specific services to, a covered entity. If such companies require access to the covered entity's protected health information to help with data management or to perform functions or activities on the covered entity's behalf, they would then be business associates. Likewise, a medical device manufacturer that does not directly provide health care may be viewed as a business associate of a covered entity if it receives or creates protected health information in the performance of functions or activities on behalf of, or in the provision of specific services to, a covered entity.
Importantly, PTs and other health care providers are not required to monitor the activities of their business associates for compliance with the HIPAA Standards. However, if a PT learns of a pattern or practice of a business associate that constitutes a material breach or violation of the terms of the agreement, then the PT would be required to take reasonable steps under the particular circumstances to remedy the breach or put a stop to the violation. If these measures fail, the PT would be required to terminate the contract if feasible; otherwise, the PT is obligated to report the problem to HHS. Only when covered entities do not take these steps are they liable for a business associate's violation of HIPAA. Given that, PT/business associate agreements and contracts must be carefully drafted to encompass these and other important obligations under the Standards that will help assure compliance and reduce liability.
Health-Related Communications and Marketing
The Standards limit rather than expand the ability of health care providers, plans, marketers, and others to use a patient's protected health information to market goods and services. Marketing communications are permitted pursuant to a patient's consent only in specified circumstances, for example, in face-to-face communications with the patient or communication involving products or services of nominal value. Communications concerning health-related products and services of a PT or a third party are also allowed pursuant to a consent if the communication:
Identifies the PT who is making the communication and states that the PT is being compensated for making the communication;
Offers patients the opportunity to opt out of future communications; and
Explains why individuals with specific conditions or characteristics (eg, diabetics, smokers) have been targeted, if that is the case, and how the product or service is related to the individual's health.
All other marketing communications must be made according to a patient's authorization. The Standards limit disclosure of PHI for marketing purposes to disclosure to a business associate (eg, a telemarketer) that contracts with a covered entity to provide marketing services on its behalf; however, patients must be given the chance to opt out of future marketing. A PT may not sell information to third parties for their use and reuse, or disclose it to other third parties for their independent marketing use.
Importantly, the following activities are considered outside the definition of marketing: a covered entity's description of the participating providers or plans in a network; and the services offered by a provider or the benefits covered by a health plan.
HIPAA also permits a PT to use a patient's protected health information to tailor health-related communications, where they are made in connection with the patient's treatment (eg, reminder notices for appointments, annual examinations, or prescription refills).
Obligations Regarding Research
HIPAA permits health care providers to use or disclose for research purposes medical information from which certain identifying health information has been removed, as specified in the Standards. PTs may also use and disclose PHI for research if they obtain the patient's authorization. An authorization is not needed in very limited instances, such as the following: approval and documentation are obtained from an Institutional Review Board (IRB) or a Privacy Board for a waiver of authorization; when the information is used or disclosed solely in preparation for research; or the information is that of decedents.
The Standards do not prevent researchers from requiring that a patient authorize the use or disclosure of his or her protected health information in order to participate in the study. While patients have the right to inspect and obtain a copy of their own information, this right may be suspended during a clinical trial. Where HIPAA (ie, authorization for use and disclosure of information for research purposes), the common law, and/or FDA's human subjects regulations (ie, informed consent laws) are applicable, compliance with each of these rules is required.
Restrictions On Government Access
HIPAA subjects government health care programs (eg, Medicaid and Medicare) essentially to the same requirements as private providers and health plans. Federal agencies also must comply with the mandates of the Privacy Act of 1974, which limits the sharing of information about patients with other government agencies and the public. Although HIPAA authorizes OCR to investigate complaints and ensure compliance, the Standards do not demand that a PT or any other health care provider send protected health information to the government, except to the extent that such medical information is relevant to compliance efforts.
The Standards do not increase the access of police and law enforcement agencies to information; instead, they limit their access by setting forth new procedures and safeguards, and provide that covered entities have discretion in permitting such access. HIPAA also permits any disclosure required by law (eg, notification of public health authorities of occurrence of reportable disease).
Payment Provisions
HIPAA allows the use and disclosure of protected health information for payment purposes (eg, activities of health care providers to obtain payment or be reimbursed for their services). Other examples of permissible payment activities include, but are not limited to, the following: determining eligibility or coverage under a plan and adjudicating claims; making risk adjustments; reviewing health care services for medical necessity, coverage, and justification of charges; and conducting utilization review. HIPAA does not conflict with the Fair Credit Report Act or the Debt Collection Practices Act, and permits billing and debt collection activities and disclosures to consumer reporting agencies (limited to certain information about the patient and his or her payment history, and identifying information about the health care provider).
The Standards require covered entities to have a Notice of Privacy Practice for Protected Health Information that is written in plain language and that contains the following elements:
"This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
Finally, PTs should include in their notice a description of at least one example of the types of uses and disclosures that they are permitted to make for each of the following purposes: treatment, payment, and health care operations.
Corrine Parver, JD, PT, is a partner in the Health Law Services Practice, and Lynne DeSarbo, JD, is an associate attorney for Dickstein Shapiro Morin & Oshinsky LLP, Washington, DC. Parver is also an editorial advisory board member for Rehab Management. She can be reached via email: parverc@dsmo.com.
© 2012 Allied Media | Rehab Management | All Rights Reserved.