Sunday, April 12, 2009

HIPAA Privacy Rule: What Does The Average Provider Have To Do?

Although HIPAA has been around for years, there are still questions and fears regarding HIPAA. Just this past week, nearly two dozen employees at Kaiser Permanente Medical Center in Bellflower, California were fired or disciplined for peering into the medical records of octuplet mom Nadya Suleman.

Fifteen employees were fired and eight were disciplined for snooping into Suleman’s records without authorization. Hospital officials discovered that Suleman’s medical records had been inappropriately accessed on two different occasions, beginning three weeks ago, while security personnel were monitoring Kaiser’s computer network. Kaiser officials notified Suleman about the matter on both occasions, shortly after the employees had been fired or disciplined. The point for every provider is that the snooping was not caught by a policy on paper; it was caught because someone was reviewing who was opening which records.
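The kind of review that catches snooping like the Kaiser incident is a comparison of the EHR audit trail against the care team: who opened the record, and whether that person had any treatment, payment or operations reason to be in it. The script below is an added illustration, not Kaiser's monitoring system or anything from the original post. The audit log lines, the care-team table, the user names and the patient identifiers are all constructed for the example; a real deployment would read the EHR's own audit export and its scheduling or assignment data.

```python
"""
Flag chart accesses with no documented care relationship.

Added example with constructed data. The log format, user names and
patient IDs are assumptions, not any real system's output.
"""
from collections import defaultdict
from datetime import datetime

# Constructed EHR audit log: timestamp, user, role, patient id, action.
AUDIT_LOG = """\
2009-03-20T08:02:11 jdoe physician P1001 view
2009-03-20T08:05:43 asmith nurse P1001 view
2009-03-20T12:17:09 rlee billing P1001 view
2009-03-20T12:18:30 rlee billing P1001 print
2009-03-21T09:40:00 jdoe physician P2002 view
2009-03-21T22:03:55 mchen nurse P1001 view
"""

# Constructed care-team assignments: (user, patient) pairs for which the
# practice has a recorded treatment, payment or operations reason.
CARE_TEAM = {
    ("jdoe", "P1001"),
    ("asmith", "P1001"),
    ("jdoe", "P2002"),
}


def parse_log(text):
    """Turn the whitespace-separated audit export into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "patient": patient,
            "action": action,
        })
    return events


def find_snooping(events, care_team):
    """Return every access where the user has no recorded relationship
    to the patient whose chart was opened."""
    return [e for e in events if (e["user"], e["patient"]) not in care_team]


def accesses_per_user(flagged):
    """Count unexplained accesses per user; this is the list the privacy
    official follows up on."""
    counts = defaultdict(int)
    for e in flagged:
        counts[e["user"]] += 1
    return dict(counts)


def unrelated_users_per_patient(flagged):
    """Count distinct unrelated users per patient. A high-profile patient
    whose chart is opened by many unrelated staff shows up here first."""
    users = defaultdict(set)
    for e in flagged:
        users[e["patient"]].add(e["user"])
    return {p: len(u) for p, u in users.items()}


if __name__ == "__main__":
    flagged = find_snooping(parse_log(AUDIT_LOG), CARE_TEAM)
    for e in flagged:
        print(f"{e['ts'].isoformat()} {e['user']} ({e['role']}) "
              f"{e['action']} {e['patient']} with no care relationship")
    print("per user:", accesses_per_user(flagged))
    print("per patient:", unrelated_users_per_patient(flagged))
```

Two design choices matter here. First, the check is on the relationship, not the role: the billing clerk's print of P1001 is flagged even though billing staff legitimately see charts, because no assignment to that patient exists. Second, the per-patient view is kept separate from the per-user view, since a single record opened by many unrelated staff is exactly the pattern in the Kaiser case and is easy to miss when reviewing one employee at a time.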

For the average health care provider, the HIPAA Privacy Rule requires activities such as:

■ Notifying patients about their privacy rights and how their information can be used.

■ Adopting and implementing privacy procedures for its practice.

■ Training employees so that they understand the privacy procedures.

■ Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.

■ Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.

Responsible health care providers and businesses already take many of the kinds of steps required by HIPAA to protect patients’ privacy. To ease the burden of compliance, HIPAA's Privacy Rule gives providers and plans the flexibility to create their own privacy procedures, tailored to fit their size and needs. The scalability of the Privacy Rule provides a more efficient and appropriate means of safeguarding protected health information than would any single standard.

For example, the privacy official at a small physician practice may be the office manager, who will have other non-privacy related duties. However, even a small practice needs a designated privacy official. The privacy official at a large practice or health plan, in contrast, may be a full-time position, and may have the regular support and advice of a privacy staff or board.

The training requirement may be satisfied by a small physician practice’s providing each new member of the workforce with a copy of its privacy policies and documenting that new members have reviewed the policies. In addition, a small or large practice may provide training through live instruction, video presentations, or interactive software programs.

The policies and procedures of small providers can be more limited under the HIPAA Privacy Rule than those of a large hospital or health plan. This limitation is justified based on the volume of health information maintained and the number of interactions with those within and outside of the health care system. Nevertheless, there should be policies and procedures as part of a basic compliance plan. HIPAA training and compliance need not be expensive or time-consuming, but they must be set up. Once the program is in place, the ongoing work is modest: ensure that new employees receive the training and sign documentation indicating that they have received it, retrain staff whose duties are affected when the policies materially change, and, as the Kaiser incident shows, actually review who is accessing records so that the sanctions policy is applied when someone looks where they should not.

As part of compliance plans, we encourage health care providers to have all employees attend a training overview of HIPAA (which can be conducted in-house), which will prepare them to:

(1) describe what HIPAA is and how it came to be;
(2) identify major components and implementation timeframes of HIPAA (privacy, security, code sets, due diligence, and transactions);
(3) be cognizant of the HIPAA privacy rules, current practice policies and California’s privacy laws regarding medical records;
(4) determine what is considered private vs public information;
(5) identify penalties associated with violations of HIPAA rules;
(6) report suspected violations of HIPAA rules;
(7) identify how to obtain additional assistance or information regarding HIPAA within the practice; and
(8) describe generally how HIPAA could affect them and their work unit.

Upon completion of HIPAA training, employees will sign a form acknowledging receipt of this training. One copy of the acknowledgement form will be given to the employee and another will be placed in their personnel file.

If your practice is not compliant with HIPAA training and having each employee sign a HIPAA form as part of their personnel file, it's not too late to become compliant. Most health care attorneys or other compliance providers can conduct in-office seminars or draft a training manual that can be reviewed at a reasonable cost. Don't wait for a patient to file a complaint or until an employee improperly discloses protected health information (PHI).

Any questions or comments should be directed to Tracy Green, a principal at Green and Associates in Los Angeles, California. The firm focuses its practice on the representation of licensed professionals and businesses in civil, business, administrative and criminal proceedings, with a specialty in health care providers and HIPAA compliance.



DISCLAIMER: Green & Associates' articles and blog postings are prepared as a service to the public and are not intended to grant rights or impose obligations. Nothing in this website should be construed as legal advice. Green & Associates' articles and blog postings may contain references or links to statutes, regulations, or other policy materials. The information provided is only intended to be a general summary. It is not intended to take the place of either the written law or regulations. We encourage readers to review the specific statutes, regulations, and other interpretive materials for a full and accurate statement of their contents and contact their attorney for legal advice. The primary purpose of this website is not the commercial advertisement or promotion of a commercial product or service and this website is not an advertisement or solicitation. Anyone viewing this web site in a state where the web site fails to comply with all laws and ethical rules of that state, should disregard this web site.

The information provided on this website is for informational purposes only. It is not intended to create, and does not create, a lawyer-client relationship with Green & Associates, Attorneys at Law. Sending an e-mail to Tracy Green does not contractually obligate her or the firm to represent you as your lawyer, or create any type of client relationship. No attorney-client relationship will be formed absent a written engagement or retainer letter agreement signed by both Green & Associates and the client and which specifies the scope of the engagement.

Please note that e-mail transmission is not secure unless it is encrypted. E-mail messages sent to Ms. Green should not include confidential or sensitive information.