Does My Practice Have to Comply With the HIPAA Privacy Rules?
For the vast majority of health care providers, including
doctors and doctors’ offices, the answer to this question
is "yes." Only the rare doctor or provider who never
uses a computer to transmit health care claims or benefit
information through billing programs, emails or computerized
faxes, can hope to avoid the Privacy Rule.
When Are Health Care Providers Required to Be in Compliance With the Privacy Rules?
The compliance deadline for the HIPAA Privacy Rules is April
14, 2003. By that date, health care providers should have
privacy policies and procedures drafted and in place in their
organizations. In addition, certain administrative changes
will need to be made in most doctor offices. Physical and
security measures may have to be implemented for office
and physical plant conditions, computer systems, medical record
storage, fax machines and other physical arrangements. Finally,
the Privacy Rules also require that all employees be trained
regarding the HIPAA Privacy Rules by the compliance deadline
of April 14, 2003. This training program is designed to assist
doctor offices in preparing for the HIPAA compliance deadline
as well as to assist in ongoing compliance efforts after the
deadline arrives.
About the Program
This training program will focus exclusively on the privacy
rules issued by the Department of Health and Human Services
("HHS") pursuant to the HIPAA statute. Completion
of these materials will satisfy HIPAA’s requirement
for the training of all practice personnel. Although each
doctor's office is unique, compliance with the HIPAA Privacy
Rules raises a common set of issues for all health care providers.
For example, the Privacy Rules require that every covered
health care provider appoint a privacy officer. The Rules
also require the designation of a "contact person"
who can respond to patient complaints as well as answer questions
regarding the doctor’s privacy practices. These requirements
apply regardless of the size or nature of the organization.
Thus, a doctor practice with multiple doctors and many employees
must appoint a privacy officer and designate a contact person;
likewise, a small office with just two or three employees
must do the same. The suggested use of these materials is
as follows. First, finish reading the next several pages of
the "Overview/Introduction" material. Second, take
the Pre-Test and review the results. Third, proceed to the
section, "Training For All Practice Personnel."
Finally, in the Job-Specific Training section, choose the
module applicable to you and complete those materials. This
is outlined on the "How To Use This Program" page,
found at the beginning of this program. If you are the Privacy
Officer, you should also complete the Gap Analysis Checklist
and all of the Job-Specific Training. There is a second CD-ROM,
containing forms and practice policies, that you will also use.
This training program is designed to assist you in understanding
the complex Privacy Rules and to help you learn how to implement
these rules in a simple, practical and effective manner. Complicated
policies and procedures are of little value if they simply
remain in a book sitting on the shelf in your Practice. Doctors
and staff must be trained to understand the Rules and know
how to apply them in the day-to-day situations that arise
in every medical practice. The careful completion of this
training program will make this possible. Now is the time
to draft your privacy practice forms, prepare and implement
privacy policies, and train your staff.
A Brief History of HIPAA
The Health Insurance Portability and Accountability Act of
1996, now universally known as HIPAA, represents Congress’
efforts to make health insurance for individuals portable
anywhere across this country, to make patient information
private and secure, and to reduce health care fraud and abuse.
To accomplish these goals, HIPAA first prohibited health insurers
from limiting coverage for an individual because of pre-existing
health conditions, so long as the individual could demonstrate
prior continuous health care coverage. These people were now
free to move about the country to seek new jobs, relocate
with their family or just follow their wanderlust without
concern that any existing health condition would keep them
from finding health care insurance when they reached their
new home. To make health care claims and benefit issues easier
to administer as people changed their jobs, geography and
even their names, HIPAA also included a section entitled "Administrative
Simplification." One provision of the Administrative
Simplification Section required establishment of national
standards for most of the common health care claims and benefit
transactions that were transmitted electronically. The Department
of Health and Human Services ("HHS") was mandated
to adopt standardized electronic data sets for these basic
claims and benefit transactions, and health care plans and
insurers were required to accept electronic transactions using
the standard electronic data sets. HHS published its rule
and established standards for Electronic Transaction and Code
Sets (the Electronic Transaction Rule) effective August 17,
2000. This rule originally required compliance by October
16, 2002. Another provision of the Administrative Simplification
Section of HIPAA also required HHS to develop national identifier
numbers for all health care providers, employers, health plans
and individual patients. However, creating all this standardized
electronic health care information also meant that across
the country, patients and providers, identified by their national
identification numbers, could have their entire medical care
histories instantly available to anyone given access to any
computer where the information was stored. In response to
concerns about the potential loss of anonymity and privacy
that could result from having everyone’s medical information
instantly available in digitized form, Congress also included
another provision in the Administrative Simplification Section
mandating the development of privacy standards for all health
care information that can, in any way, be related to specific
individuals. HHS was required under HIPAA to develop these
privacy standards.
The Privacy Rule Compliance Requirements
Pursuant to HIPAA’s mandate, HHS issued its Privacy
Rule on December 28, 2000. This Privacy Rule, as promulgated
by HHS, imposes comprehensive limitations on the use and release
of individually identifiable health information ("IIHI").
It applies to virtually every health care provider, plan or
clearinghouse that transmits any of this information in electronic
form in connection with any of the claims and benefit transactions
described in the Privacy Rule. The IIHI covered by the Privacy
Rule is called "protected health information" ("PHI")
and those health care providers, plans and clearinghouses
that are subject to the Privacy Rule requirements are termed
"covered entities." HIPAA, and related HHS rules,
also required providers to use federally standardized data
sets for most claims and benefit transactions transmitted
electronically and required health care plans and insurers
to accept all such electronically submitted transactions.
Moreover, most insurers, including Medicare, had or intended
to eliminate paper transactions. Thus with few exceptions,
all health care providers would have to comply with the requirements
of the Privacy Rule with regard to their patients’ information.
The Privacy Rule requires all providers who are covered entities
under the Privacy Rule to be in compliance with its requirements
by April 14, 2003.
In general, to comply, providers will need to:
1. Develop notices informing patients of
their privacy rights and provider practices regarding PHI;
2. Prepare authorization forms for release
of PHI;
3. Draft and implement policies to protect
patient medical records and provide patient access to these
records, and procedures to deal with requested amendments
to those records; and
4. Certify that their office and clinical
staff have been trained in Privacy Rule standards and their
office privacy practices.
Providers will therefore need to have a detailed statement
explaining their privacy practices to distribute to their
patients. The receipt of this notice of privacy practices
is to be acknowledged in writing by every patient. Written
and signed authorizations are needed for patients for any
non-routine use of PHI by covered entities (i.e. uses other
than for treatment, payment or internal operations). Another
form of authorization may be needed when patients want to
request their own records or have their records sent at their
request to their attorney or other persons. Business associate
agreements must be developed and executed to ensure that businesses
providing services to the health care provider, such as billing
companies, accountants, or practice management companies,
will keep private any protected health information to which
they may have access. Formal policies and procedures also
need to be drafted to address patient requests for their own
records and patient requests to amend or correct their records.
HIPAA initially intended that covered entities, as a first
step, would begin using the standardized electronic claims
and benefit communications before they would have to begin
to comply with the Privacy Rule. The Electronic Transaction
Rule was published and effective August 17, 2000, and required
that all covered entities comply with the Electronic Transaction
Rule by October 16, 2002, which was approximately 6 months
prior to the compliance date for the Privacy Rule.
The Simplification Act–Limited Relief for Providers
However, as the time drew close for compliance with the Electronic
Transaction Rule, it became apparent that neither the providers
and other covered entities nor the companies developing the
data sets and related computer programs could have the systems
in place in time for full compliance. To deal with this and
other problems, Congress took action and passed the Administrative
Simplification Compliance Act (the "Simplification Act"),
which was signed by the President on December 27, 2001. The
Simplification Act permits a covered entity to obtain a one-year
extension for compliance with the electronic data set standards,
but only if it has submitted a Plan of Compliance to HHS by
October 15, 2002. HHS has made submitting a Plan of Compliance
under the Electronic Transaction Rule as easy as possible.
All a provider needed to do was to go to the HHS website,
complete a simple Compliance Plan form, and click submit.
Covered entities that submitted this Compliance Plan on or
before October 15, 2002, are given until October 16, 2003,
to begin using the federally standardized electronic transaction
data sets when transmitting claims and benefit information.
The Simplification Act also requires submission of all Medicare
claims electronically and ends processing of all paper claims
by October 16, 2003. However, the Simplification Act provides
an exception to the "no paper" rule for those doctors
and other health care practitioners with fewer than 10 full
time equivalent employees. These providers, unless the law
is again changed, may now be able to avoid complying with
the Electronic Transaction Rule and the Privacy Rule if they
only submit paper claims and benefit information to Medicare
and to all other health care carriers and covered entities.
This situation is perhaps not easy or realistic, but possible.
Who must be trained about HIPAA?
The Privacy Rules specifically state that all of the covered
entity’s affected personnel must be trained. In a doctor’s
office, that would mean training everyone. In the author’s
view, all medical staff should have general HIPAA training
(“HIPAA 101”); further training should be directed
to the specific job (i.e. billing staff, receptionist, back
office, etc.). The training prepared in the HIPAA Compliance
Program is designed to accomplish both the general and job-specific
training.
If a medical office already has a HIPAA policy and procedures manual, why is a training program needed?
A policy is no more than a statement of a rule. A
complex set of rules, as is required with HIPAA, cannot be
understood in a vacuum; explanations, examples, illustrations
and scenarios are necessary to enable medical personnel to understand
and properly apply the complex set of rules. Interestingly,
the HIPAA regulations themselves are accompanied by approximately
400 pages of governmental “preamble” which is
the government’s attempt to explain the rules. The government
itself did not feel the privacy rules were understandable
without extensive explanations.
However, these extension and exception provisions in the
Simplification Act should not confuse health care providers,
plans and clearinghouses. There has been no extension for
complying with the Privacy Rule. If a health care provider
transmits any health information in electronic form using
either the mandated data sets or non-standard electronic formats,
such as emails or other billing programs, that provider becomes
a covered entity under the Privacy Rule and must be in full
compliance with the Privacy Rule on April 14, 2003.