HIPAA CONSULT

By Margaret M. Davino, JD

Answers to your questions about . . .

A policies and procedures manual

Q Am I required to put HIPAA privacy policies in writing for my staff?

A Yes. Among the areas you need to address in your policies and procedures manual are: release of medical records, patient access to records, patients' right to amend their records, faxing medical information, permitted uses and disclosures of protected information, and complying with the "minimum necessary" standard—which generally limits the information doctors may disclose to the minimum necessary to accomplish a specific purpose.

Employees aren't the only ones who need to see your HIPAA policies in writing. Your policies also should be outlined in a Notice of Privacy Practices, which you probably distributed to all patients last April, and which you should give to all new patients. You should also make a good faith effort to have established patients sign an acknowledgment form, indicating that they've seen the notice. If there's a complaint, be prepared to share your policies with the Office for Civil Rights, US Department of Health and Human Services.

Q Where can I find out more about how to prepare a HIPAA policy manual and a Notice of Privacy Practices?

A Besides the federal government itself ( http://www.hhs.gov/ocr/hipaa ), many state medical societies make this material available on their Web sites or in hard-copy form. In many cases, you can customize these sample manuals and notices to suit your practice. Also consult your hospital (you can adapt its policies to your own practice) and an attorney familiar with HIPAA.

Staff training

Q Does HIPAA require a certain kind of staff training?

A Yes. Any staff member who handles—or comes into contact with—medical information must be trained to understand both the general privacy requirements and the specific ways they're implemented in your practice. How you reach this goal, if you haven't reached it already, is up to you. For example, you could buy a HIPAA compliance guide (many state and county medical societies make these available) and ask your staff to read it, along with your own policies and procedures manual. You could also send staff members to HIPAA seminars. Whatever method you employ, be sure to document all steps you take to train staff members.

Q Once these elements are in place, what other steps do I need to take to be HIPAA compliant?

A The administrative requirements discussed above only address HIPAA's privacy regulations. On October 16, 2003, another set of standards—which regulate the transmission of electronic claims and other transactions—also took effect. Fortunately, the Centers for Medicare and Medicaid Services has devised a temporary contingency plan for accepting noncompliant transactions. If you show you're working toward compliance, you can continue to use existing formats. How long this de facto extension will last is anyone's guess, so you need to move toward compliance. Beginning in 2005, you will also need to comply with HIPAA's Security Standards, which define the administrative, physical, technical, and other steps practices must adopt to maintain patient privacy and confidentiality.

Margaret M. Davino is a health-care attorney with Kaufman Borgeest & Ryan, in New York City. She can be reached at mdavino@kbrny.com. This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. This article originally appeared in Medical Economics.

 

HIPAA Consult. Contemporary Ob/Gyn Mar. 1, 2004;49:124.