March 2003


HIPAA Smarts

By Ann M. York, PT, PhD


The April 14, 2003, deadline for the Health Insurance Portability and Accountability Act (HIPAA) privacy standards is rapidly approaching. Are you ready? Whether you are refining your plan or just getting started, here are some tips from the trenches.

PREPARATION BASICS

Get a positive outlook. Rather than thinking of HIPAA "compliance," try thinking of HIPAA "protection": protection for your patients, protection for your employees, and protection for your property.

Get personal. Consider both your patients' and your employees' perspectives before creating policies and procedures. Much of the HIPAA focus has been on information technology systems and policies, but HIPAA is really about people. Our patients come to see us, our clinicians generate the protected health information (PHI), and our employees oversee the storage and dissemination of PHI. Consider appointing a clinician as the privacy officer for your organization or the privacy champion for your department. Involvement means more control over the final outcome.

Collect all essential documents. Must-haves include the original rule and the recent Office for Civil Rights (OCR) guidance.1,2 Search the American Medical Association (www.ama-assn.org), American Hospital Association (www.hospitalconnect.com), and American Physical Therapy Association (www.apta.org) sites for several valuable tools. Free checklists can be found on the Web.3,4

Once you have a basic knowledge of HIPAA, proceed with a strong dose of professional judgment laced with plenty of common sense. We all agree that the HIPAA regulations can be confusing, and health care is already challenging, with ongoing staffing shortages and reimbursement battles. These are all reasons to do what is "reasonable and necessary" to meet the regulations, and not more. Consider some of the common-sense strategies below, but, of course, always have legal counsel review your final plan.

THE LIST OF STRATEGIES

  1. Determine your status: Are you a covered entity? Look at the flowchart on the AMA Web site to help you make this determination. Either way, you may reap business benefits by complying with HIPAA as privacy, security, and sophisticated electronic management of data become expectations of both consumers and businesses.

    Review state laws, Joint Commission on Accreditation of Healthcare Organizations (JCAHO) regulations, and professional ethics. Many state privacy laws are more restrictive than HIPAA, and thus take precedence. The AHA has a state preemption analysis so you can see how your current practices measure up. Bottom line: You are already protecting patients' privacy but you may have to update policies to meet the HIPAA regulations. Don't create whole new systems. Weave them into your existing structure.


  2. Manage flow of PHI: Clinicians tend to think of PHI as the medical chart, but under HIPAA it includes billing, electronic, written, and oral information. Perform a risk analysis by flowcharting how PHI enters, is stored, and moves out of your system. Think of all the angles. Do laptops go on home health visits? Do therapists take charts home to catch up on paperwork? Do you email PHI? Create or adapt policies to address each of your risk areas. Keep notes on this process as evidence of your due diligence in case a problem should arise.


  3. Minimum necessary rule: This means don't ask or look for more PHI than you need to do your job, and don't give out more than someone else needs. That can be a tough call and conflicts will arise. The OCR states that this is not an "absolute standard," but a "reasonableness standard" and the covered entity has "substantial discretion" as to implementation. Providers need to balance protection of PHI with the timely delivery of quality health care. The minimum necessary rule does not apply to requests by a health care provider for treatment purposes, disclosures to the patient, disclosures pursuant to an authorization, or disclosures required by law.


  4. Incidental disclosures: The recent clarification by the OCR should lay many fears to rest. It states that a covered entity cannot guarantee the privacy of PHI from all potential risks, but should use reasonable safeguards appropriate to the size and needs of the organization. Risk and cost should be considered, and no structural changes are required. Therefore, the open treatment areas in many rehab facilities pass the reasonableness test, as will calling out a patient's name in a waiting room, talking in a hallway, using sign-in sheets, and sending appointment reminders. Employ simple strategies such as having a private room available if a patient requests it, using lower voices when discussing sensitive information, and leaving only limited information on an answering machine.


  5. Protect patients' rights: HIPAA gives patients several rights regarding their PHI. It guarantees that patients will be informed of their privacy rights, and of how their information may be used, through the Notice of Privacy Practices. It also guarantees them access to their medical records, a formal complaint procedure if they believe their privacy has been compromised, and an accounting of disclosures if they request one. In addition, they can request changes to their PHI if an error or omission is noted in the record, but providers do not have to grant the request if the record is correct. Note that workers' compensation programs are governed by state law; HIPAA permits the disclosures those laws require. Providers will have to construct the means of granting these patients' rights. Creating a culture of privacy and maintaining good rapport with patients will go a long way toward preventing HIPAA complaints as well as other types of legal problems.


  6. Release of information: Patient consent or authorization is not required for release of PHI for treatment, payment, and health care operations (TPO). A signed authorization is necessary for releases other than for TPO, such as research, fund-raising, or release to a third party specified by the patient. Providers have used release-of-information authorizations for a long time, so make sure your existing form meets the HIPAA requirements. Tip: While HIPAA lays a floor of privacy protection, entities are free to retain or adopt more protective policies. We have seen conflicts where organizations take a tough line on release of information and thereby slow down the exchange of information. The OCR suggests negotiating with the other entity to reach a solution.


  7. Marketing: For most rehab practices, usual marketing activities pose no problem. You can send mailings to your patient base to inform them of new services, equipment, providers, or educational programs. Marketing items of nominal value such as notepads are fine, as are face-to-face marketing and in-office flyers. However, if you plan to contract with a marketing group or to use PHI to target portions of your patient base, get legal counsel before proceeding.


  8. Business associates: A business associate is a person or entity that performs functions on behalf of the covered entity that involve PHI. Examples include billing or transcription services, accountants, legal counsel, and even JCAHO. You must have an agreement in place that defines how the business associate will handle PHI. Sample agreements can be found on several Web sites.1,5 Contracts entered into on or after April 14, 2003, must include the agreement from the start, but contracts already in place before October 15, 2002, have an additional year (until April 14, 2004) to be updated. This reprieve will allow you to develop a system to review and track all contracts. This is one of the more challenging tasks, so be sure to allow enough time and energy to complete the process. Have legal counsel review the final contracts, addenda, and letters.


  9. Education: This is the key to HIPAA success. Education needs to be appropriate to the job, so combine written, verbal, online, and interactive formats, games, role-playing, case studies, or whatever it takes to get the job done. A foolproof way to educate is to include a HIPAA line item on monthly meeting agendas to cover the basics plus updates. Include HIPAA education during orientation for employees, volunteers, students, and contract employees. Have them sign a confidentiality agreement initially, then annually. Document all activities.


  10. Security safeguards: You cannot have privacy without security. Even though the security rules are not yet finalized, do not wait; implement reasonable safeguards for your current systems. We found that putting in "reasonable and necessary" security measures not only made good business sense, but helped to bring home the privacy message. We implemented strong passwords, access to PHI limited to what each job description requires, automatic computer log-off after inactivity, computer-use and email protocols, virus protection, backup and disaster-recovery procedures, fax machine and shredder protocols, and privacy screens around computers. These were not high-cost changes, but they leveraged a heightened awareness of privacy and security.
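As an added illustration, and not code from the article or from the author's hospital, here is a small Python model of three of the safeguards listed in item 10 that also serves the minimum necessary rule in item 3 and the accounting of disclosures in item 5: each job role can see only the PHI fields its job needs, a session is logged off automatically after a period of inactivity, and every disclosure outside treatment, payment, and operations (TPO) is recorded so that a patient's request for an accounting can be answered. The role names, field names, ten-minute timeout, and sample record are assumptions chosen for the example; the other exemptions the article mentions (disclosures to the patient and disclosures required by law) are left out for brevity.

```python
from dataclasses import dataclass, field

# Assumed job roles and the PHI fields each job needs (minimum necessary).
ROLE_FIELDS = {
    "clinician": {"name", "diagnosis", "treatment_notes"},
    "billing": {"name", "insurance_id", "procedure_codes"},
    "front_desk": {"name", "appointment_time"},
}
# Treatment, payment, and operations (TPO) need no patient authorization
# and are exempt from the accounting of disclosures under the 2003 rule.
TPO_PURPOSES = {"treatment", "payment", "operations"}
IDLE_TIMEOUT = 600  # seconds of inactivity before automatic log-off (assumed)


class AccessDenied(Exception):
    pass


@dataclass
class Session:
    user: str
    role: str
    last_activity: float  # clock value in seconds, passed in explicitly
    active: bool = True


@dataclass
class PHIGate:
    records: dict                       # patient_id -> {field: value}
    disclosures: list = field(default_factory=list)

    def read(self, session, patient_id, fields, purpose, now, authorized=False):
        """Return only the requested, role-permitted fields or raise AccessDenied."""
        if not session.active or now - session.last_activity > IDLE_TIMEOUT:
            session.active = False                      # automatic log-off
            raise AccessDenied("session expired; log in again")
        session.last_activity = now
        over_reach = set(fields) - ROLE_FIELDS.get(session.role, set())
        if over_reach:
            raise AccessDenied(f"{session.role} may not view {sorted(over_reach)}")
        if purpose not in TPO_PURPOSES and not authorized:
            raise AccessDenied(f"purpose {purpose!r} needs a signed authorization")
        record = self.records[patient_id]
        if purpose not in TPO_PURPOSES:
            # Non-TPO disclosures are logged so the patient can ask for the list.
            self.disclosures.append({
                "patient_id": patient_id, "to": session.user, "role": session.role,
                "purpose": purpose, "fields": sorted(fields), "at": now,
            })
        return {f: record[f] for f in fields}

    def accounting_for(self, patient_id):
        """The accounting of disclosures a patient may request."""
        return [d for d in self.disclosures if d["patient_id"] == patient_id]


# Constructed sample record for the demonstration; not a real patient.
SAMPLE_RECORDS = {
    "p-001": {"name": "J. Doe", "diagnosis": "rotator cuff tear",
              "treatment_notes": "ROM exercises", "insurance_id": "ABC123",
              "procedure_codes": ["97110"], "appointment_time": "09:00"},
}


def attempt(gate, session, patient_id, fields, purpose, now, authorized=False):
    """Wrap a read so the demo can report 'denied' instead of raising."""
    try:
        return gate.read(session, patient_id, fields, purpose, now, authorized)
    except AccessDenied as exc:
        return f"denied: {exc}"


def demo():
    """Walk through the cases a practitioner would want to see checked."""
    gate = PHIGate(records=dict(SAMPLE_RECORDS))
    clinician = Session("pt_smith", "clinician", last_activity=1000.0)
    billing = Session("clerk_lee", "billing", last_activity=1000.0)
    out = {}
    # Treatment use by a clinician, inside the role's field set: allowed.
    out["clinician_treatment"] = attempt(
        gate, clinician, "p-001", ["diagnosis"], "treatment", now=1100.0)
    # Billing staff asking for a diagnosis: more than the job needs.
    out["billing_diagnosis"] = attempt(
        gate, billing, "p-001", ["diagnosis"], "payment", now=1100.0)
    # Research use without a signed authorization: refused, nothing logged.
    out["research_no_auth"] = attempt(
        gate, clinician, "p-001", ["name"], "research", now=1200.0)
    # The same request with an authorization: allowed and recorded.
    attempt(gate, clinician, "p-001", ["name"], "research", now=1300.0,
            authorized=True)
    out["accounting_entries"] = len(gate.accounting_for("p-001"))
    # Next request after more than IDLE_TIMEOUT seconds: session logged off.
    out["idle"] = attempt(gate, clinician, "p-001", ["name"], "treatment",
                          now=1300.0 + IDLE_TIMEOUT + 1)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Two design points worth noting: the idle check runs before anything else, so an expired session can never read a record even if the role and purpose would permit it, and a refused request never reaches the disclosure log, so the accounting contains only what was actually released.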


HIPAA is here to stay. It is the right thing to do to protect patients' health information, and to give our employees the tools with which to perform the job.

Ann M. York, PT, PhD, is the compliance officer and HIPAA coordinator for Crawford Memorial Hospital in Robinson, Ill.

References
  1. Office for Civil Rights. Medical Privacy: National Standards to Protect the Privacy of Personal Health Information. Available at: http://www.hhs.gov. Accessed December 31, 2002.
  2. Office for Civil Rights. Guidance Explaining Significant Aspects of the Privacy Rule, December 4, 2002. Available at: www.hhs.gov. Accessed December 31, 2002.
  3. HIPAAdvisory. Steps for Providers: HIPAA Gap Assessment/Risk Analysis. Available at: www.hipaadvisory.com. Accessed December 31, 2002.
  4. Comprehensive Solution Affiliates. HIPAA Readiness Checklist. Available at: www.csahipaa.com. Accessed December 31, 2002.
  5. Joint Commission on Accreditation of Healthcare Organizations. Sample Business Associate Agreement. Available at: www.jcaho.org. Accessed December 31, 2002.

Copyright © 2012 Allied Media | Rehab Management | All Rights Reserved.