HIPAA

The Health Insurance Portability and Accounting Act of 1996

The primary purpose of HIPAA was to enhance health insurance accessibility for people changing employers or leaving the workforce. However, HIPAA also contained a chapter entitled “Administrative Simplification” whose provisions were designed to encourage transmission of confidential health care data electronically. In return for legislating a significant savings for health plans and providers by simplifying claims transactions, Congress imposed a series of privacy and security requirements to assure that electronically transmitted data would remain confidential and secure.

In addition, congress and privacy advocates (including physicians) were concerned that the growing use of electronic means to transmit healthcare data increased the risk to the public that the data would be compromised. Many members of the public have acknowledged that they have withheld information from a physician out of concern for security of their records and many physicians report they have similarity failed to record certain information in the medical record due to the same fear. The lack of standardization for collection and storage of health care information was and is increasing administrative costs and burdens the system.

WHO IS COVERED?

All of the following are covered if they use “electronic means” to transmit and HIPAA covered transaction.

  1. Health care providers or any other persons or organization that furnishes, bills, or is paid for health care in its normal course of business.
  2. Health plans that provide or pay the cost of medical care, including Medicare and Medicaid.
  3. Health care clearing houses that process data elements or transactions from non-standard to standard from.

Thus, all physicians are covered by HIPAA if they use electronic means to transmit any of the following: health claims, remittance or payment advice, claims status inquiries, eligibility inquires, enrollment and disenrollment, referral certification and authorization, coordination of benefits, coordination of benefits or health plan premium payments. The rules take a very broad view of “electronic means” – to includes Internet, leased or dial-up phone lines, extranet and virtual and private networks. This is true even when data is physically moved, e.g., on tapes, CD’s or diskettes.

Once you are covered, the Privacy Rule applies to ALL “protected health information” (“PHI”) whether on paper, oral or electronic form. As health plans begin to require physicians to submit claims electronically, few will be able to escape the grasp of HIPAA. Use of telephone and faxback systems are explicitly excluded; mere use of a fax machine alone to submit a claim is not considered an “electronic means” so faxing claims to a payer would not required a physician to use the standard transaction forms. However, if you fax to a clearinghouse or billing service that bills electronically, you are covered by HIPAA.

WHAT IS COVERED?

The administrative Simplifications rules include four main provisions:

  1. Uniform electronic transaction standards for health care data.
  2. Privacy and confidentiality provisions for individually identifiable health care data.
  3. Security procedures to protect electronically maintained health information.
  4. Unique health identifiers for providers, employers, and plans to be used in connection with the Uniform Electronic Transactions Standards.

Background on Authorizations Provisions:

* Individually identifiable health information may not be used or disclosed unless specifically approved by the patient of explicitly permitted under HIPAA.

* The privacy rule generally requires patient authorization to disclose information for non-treatment purposes (such as employers, underwriters, or researchers). One single form of authorization can be used.

* Disclosure of health information for non-treatment purposes must be generally limited to the “minimum necessary”.

* A written agreement must be in place that provides for appropriate safeguarding of health information with all “business associates”.

Patient Rights:

* Physicians must provide a “Notice of Privacy Practices” to each patient no later than the data of the first service after the compliance date of April 14, 2003. At the same time we will five our patients the “Privacy Practice Notice” to sign. If they refuse to sign this, note it on the sheet and put the sheet in the file.

* Patients have the right to inspect and receive a copy of their medical records and to request amendments to their records. Though providers have the right to deny inclusion of an amendment, the patient has the right to file a “Statement of Disagreement”, which becomes part of the record. The provider can file a rebuttal to the Statement, should he/she so choose.

* Patients also have the right to receive an accounting of disclosures of protected information not related to treatment, payment or healthcare operations. Individuals may request restrictions on the use and disclosure of information that go beyond those provided in the rule, but providers are not required to comply with those requests. For a patient to access his/her medical information, they must submit a written request detailing what information they want to access and whether they want to inspect or get a copy of it. We are allowed to charge a reasonable fee allowed by California law.

Security Procedures to be followed by the practice of Robert Park, M.D.:

  1. Patient Charts: Every effort must be made to keep patient charts and medical information paper clipped on the top private. Charts should not be left on the counter where an unauthorized person has access to it. If you have charts in the open and patients are around, turn the charts over. If there is medical information on the top of a chart of a patient to be seen, turn the chart around when putting it in the door. Make it a practice to use common sense regarding patient confidentiality.
  2. Reminder calls: Leave date and time of appointment only. Do not mention any medical condition for which the appointment has been made.
  3. Conversations regarding Patients: We must all try to use our best judgment when talking to patients, scheduling appointments, scheduling surgeries, etc. Providers must use their best professional judgment to reduce risk of such information being shared but do not have to guarantee it cannot occur.
  4. Computer Passwords: Each employee shall have a password to allow them to sign on to any computer. Their password will give them privileges to perform certain functions. Please keep your password confidential. Only the privacy official is to have a copy of your password.
  5. Computer screens: Our computer screens do not face the patient. If a patient tries to look at your screen, please explain that the information is confidential and turn the screen away.
  6. Anti-Virus Program: We all have Anti-virus software installed into our computers and will update software when prompted to.
  7. Faxed Information: Each employee is to be responsible for what they are faxing. Be sure the information you are faxing is pertaining to treatment, payment or related healthcare operations. Always be sure you have a signed release from the patient if you are faxing information pertaining to them.
  8. Subpoenaed records: Properly issued records subpoena will generally be valid and a physician who releases records under such subpoena is in compliance with California law and will be protected.
  9. Business Associate Agreement: Any transcription service, courier, billing service, coding consultant, practice manager, collection agency, computer or copier repairman must sign a Business Associate Agreement which it states that they are HIPAA compliant.
  10. Pharmacies: Each pharmacy that we fax to must sign a form stating that their fax is in a confidential location. We only need one copy for each pharmacy and these will be kept in a binder in the front office.
  11. Termination of Employment: Each employee will return his or her key to the Privacy Official before leaving. Their password will be deleted from our computer system.
  12. Unauthorized Personnel: Unauthorized personnel must never have access to confidential information. This may mean limiting access to certain parts of the office, to certain computers, or certain programs or files in the computer.
  13. Complaints: HIPAA required effective responses to complaints. All complaints should be brought to the Privacy Official at once. She will keep a separate logbook to record each event.

If any employee ever has a question about HIPAA, please see the Privacy Official (Gina Halley). We will have regular meetings at which we will discuss changes and updates. This may all seem very complex but it is really very simple. Protect our patient’s rights as you would protect your own.