HIPAA One Year Later
What You Need to Know to Comply
By Pamela L. Moore, PhD
Pamela L. Moore is senior editor for Physicians Practice
It’s been a year since the Health Insurance Portability & Accountability
Act (HIPAA) privacy regulations went into effect. How time flies.
As April 2004 loomed (as happened with the much-hyped Y2K), the
industry press forecast bedlam and bankruptcy. Instead, there has
been apathy and minor annoyance.
“There is still a large portion of the health care community
that is not taking HIPAA seriously,” confirms Maria Ruby,
an attorney and HIPAA compliance specialist with HIPAA Complete
in Morristown, N.J.
Most physician practices, especially small and mid-sized clinics,
did what they had to for basic HIPAA compliance with little fuss,
cost or concern. Sure, Notices of Privacy Practices are being handed
out and signed, but many practices have seen little impact otherwise.
“HIPAA hasn’t affected most practices at all because
most of them aren’t really complying,” explains Peter
Caplan, vice president of operations for MediSecurity, a health
information privacy company in Denver. “To the degree that
they are complying, no one is doing it right, really. I don’t
think small practices in general have really been doing anything
that would constitute compliance relative to what the government
would expect.”
Why the lackadaisical attitude? Partly because few physicians really
believe there are consequences if they violate the rules and partly
because some are taking advantage of an escape clause.
Where’s the enforcement?
“You have this portion of the industry that hasn’t seen
[HIPAA] being enforced yet, so they are still kind of sitting on
their heels and saying, ‘Oh, they’re never going to
enforce it so I’m not going to bother learning about it and
getting into compliance,’” Ruby adds.
HIPAA violations probably will be taken seriously some day, but
right now, physicians are counting on leniency.
“Practices feel like they have it under control. Generally
speaking, their impression is that until the government publicly
comes out and starts enforcing this and they see there is pain in
the profession, they are not going to do anything,” Caplan
said.
The government has, to date, taken an educational rather
than a punitive approach, according to Caplan. Physicians and consultants
prefer to believe that HIPAA violations will be met with encouragement
to do better rather than a big fine. Given that, Caplan said a wait-and-see
attitude is “prudent.” Why invest time, money and effort
if there are no consequences for not doing so? Still, it’s
not a fail-safe tactic.
“The government expects that you should be in compliance,
that you should consciously and diligently make some sort of good
faith effort that is documented,” he said.
And the enforcement scene could change any time. Ruby’s favorite
comparison is the Occupational Safety and Health Administration
(OSHA). “It took them years before they started enforcing
that, but it’s something that people now know they need to
be in compliance with or they will see fines,” she observes.
“Even though you might not see [the Office of the Inspector
General] putting its foot down and strictly enforcing [HIPAA] right
now, it doesn’t mean they’re not going to start doing
it tomorrow or a couple of weeks or a couple of months from now.”
‘Country doctor’ escape clause
Some physicians, though, feel quite secure ignoring the regulations
— they believe HIPAA doesn’t apply to them. And they
may be right — for now.
The privacy rule defines “covered entities” —
the physicians who have to comply with the rule — as “health
care providers who conduct certain financial and administrative
transactions electronically.”
Technically speaking, if neither you nor a third-party biller submits
claims, or exchanges other protected health information electronically,
you are not considered a covered entity under HIPAA and do not have
to comply. This Centers for Medicare and Medicaid Services Web site
illustrates this point: www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport
“The way the regulation is currently written, if you happen
to be a health care provider [who] is not transmitting health care
information electronically in conjunction with a standard transaction
— one of which would be billing — HIPAA doesn’t
apply to you at this time,” Ruby confirms.
But if you are eligible for the “country doctor exclusion,”
don’t get too comfortable. Ruby doesn’t expect the loophole
to stay open very long.
“The word is that sooner or later, HIPAA is going to apply
to all health care providers — which it should for the regulation
to have its full impact. The real hope is all people’s health
information, no matter what form it is in, is going to be protected.”
Fixing problem areas
If you are ready to ramp up your practice’s HIPAA compliance,
here are some of the key HIPAA requirements that most practices
have not yet addressed:
Give a notice.
Everyone seems to have gotten the message that patients need to
acknowledge receipt of a Notice of Privacy Practices. But many practices
implement this requirement by asking patients to sign acknowledgement
forms, and then pointing to copies of the actual notice posted on
a wall or in folders in the waiting room instead of giving patients
their own copies. Most HIPAA consultants advise physicians to actually
hand patients a copy of the notice.
Develop written guidelines.
Practices need written policies — not just implicit rules
— concerning who in the practice should have access to what
information in order to accomplish their job. In the words of the
final rule, practices have to identify:
- those persons or classes of persons, as appropriate, in its
work force who need access to protected health information to
carry out their duties, and
- for each such person or class of persons, the category or categories
of protected health information to which access is needed.
Make a list of employees, either individually or by
job category, then think through what kind of access each one needs.
Consider what they do on a regular basis — if they handle
billing, do they need access to the full record or just the last
visit? Do you have some way to limit their access or will you just
ask them not to flip through a full record?
Appoint a privacy official.
HIPAA requires every practice to “designate a privacy official
who is responsible for the development and implementation of the
policies and procedures of the entity,” and who can serve
as a contact to handle any HIPAA-related complaints or questions.
Smaller practices might add the privacy official’s duties
to the business manager’s job description. You simply need
to name someone who is willing and able to take the time to understand
the rules.
Train staff.
Whether it’s about the rights of patients to access their
medical records or how to respond to a family member who calls for
help managing a patient’s reaction to therapy, your staff
needs to know what HIPAA requires. It’s not enough to just
assume they have good judgment or to write policies in a manual
no one ever reads. HIPAA requires training — and documentation
of that training. Host a HIPAA training session for your staff.
Put your staff through role-playing exercises. How would they respond
to that call from a family member? Offer realistic examples that
apply to your practice. And be sure to document who took part and
what was done.
While physicians may not feel any immediate urgency to comply fully
with HIPAA, it’s certainly less stressful to work on these
few items now than to wait until the government starts passing out
fines.