Complying with the medical privacy regulations required under the
Health Insurance Portability and Accountability Act (HIPAA) has seemed
so far in the future that many doctors have put it low on their "to do"
list. But when the final rule was published on August 9, 2002 by the
Department of Health and Human Services (HHS), the concept of compliance
shifted from theory to reality. The deadline is firmly set at April 14,
2003.
HHS included a major change in the final rule that was welcomed by
many doctors, hospitals, and health organizations but criticized by
privacy advocates. According to the final rule, doctors and hospitals
can share a patient's private health information (PHI) with HMOs and
insurers for billing and treatment purposes without first obtaining the
patient's permission. The draft version of the rule, issued under the
Clinton Administration, required that providers always obtain a
patient's permission before disclosing such information.
But health providers argued that obtaining a patient's written
consent before information could be released might stall needed
treatments. HHS Secretary Tommy Thompson said the draft version of the
rule "would have forced sick or injured patients to run all around town
getting signatures before they could get care or medicine." The final
rule "strikes a common-sense balance by providing consumers with
personal privacy protections and access to high-quality care," he said.
Notify Patients of Your Privacy Policy
The revisions nevertheless leave physician practices with a significant
obligation to inform patients of their privacy policy and to protect the
confidentiality of PHI. Doctors are required to notify patients of their
privacy policies, although HHS does not require that you use a specific
form to show that patients have received and approved of your policy.
Patients' acknowledgment can be as simple as their initials or signature
on a notice your office has prepared. A sample consent form is available
from HIPAA Compliance Alert (Vol. 2, No. 8, August 2002).
Doctors must also make a good-faith effort to get written
acknowledgement that a patient has been notified of the privacy policy,
no later than the date on which the services were first provided. If
your patient refuses to acknowledge the privacy policy in writing, the
refusal must be noted.
Also, make sure you obtain patients' written authorization before
using PHI for most marketing purposes. Such an authorization must be
written in specific terms, making it clear to patients why this
information is being sought.
Patients' Rights to Medical Records
For the first time, the final privacy rules give patients the right
to inspect and copy their records and ask for corrections when they feel
information is in error. Now is the time to implement the policies to
handle such a request.
Here are some steps to consider when putting a policy in place:
Determine who is in charge of handling requests;
Require that the patient's request be in writing; and
Require that patients provide reasons to support the change.
You have 60 days to act on the request and an additional 30-day grace
period if you notify the patient why the delay has occurred.
If you make a change to your patient's medical record:
Indicate in the patient's record that a change was made and what section was amended;
Inform the patient that the requested change was made; and
Obtain the patient's written agreement that all relevant parties who need the corrected record be informed of the change.
Additional Steps
Although HIPAA has been the target of considerable criticism, you
cannot afford to sit on the sidelines and pretend that the regulations
won't go into effect. Take a look at the rules, and determine what additional
resources, such as books, Web sites, conferences, and consultants, you
need.
Some steps are a matter of common sense, and likely ones you have
already put into place in your employment practices, such as hiring
trustworthy staff for sensitive positions, calling references, and
asking employees whether they are willing to be bonded.
But some steps are specific to complying with the new privacy rule,
and these you will need to start putting into place now.
For example, make sure all staff understand what is considered PHI
and how it needs to be protected. PHI is any demographic or health
information that identifies an individual, including name, address,
employer, date of birth, telephone and fax number, Social Security
number, medical record number, fingerprints, and other such identifying
information.
Other forms of PHI include:
Information that is created or received by a healthcare provider;
Information that relates to the past, present, or future physical or mental health or condition of an individual; and
Information that describes the past, present, or future payment for the provision of healthcare to an individual.
Changing Office Behavior
Given the sweeping nature of the final privacy rule and its impact on
a physician's practice, compliance should be considered an important
part of the job responsibilities of at least one staff person. In
addition, all staff should be trained in the practice's privacy
policies. I am particularly impressed by the training program and
handbooks offered by Opus Communication.
To ensure that patients' privacy is not inadvertently violated, make
sure your office personnel follow these steps:
Shred pertinent documents; do not simply discard them;
Do not discuss patients within earshot of the waiting room or other exam rooms;
Prohibit staff from accessing a patient's medical record to learn a neighbor's birth date or to satisfy a similar form of curiosity;
Do not leave messages about a patient's health on an answering machine or with someone other than the patient or doctor;
Avoid discussions about patients in elevators, cafeterias, or other public places;
Avoid paging patients using identifiable information;
Do not fax information without knowing that the person to whom the fax is addressed is ready to receive it; and
Do not allow faxes to sit on your office machine where unauthorized people may see them.
Complying with the revised privacy regulations is a
complex and important undertaking. Get started now so your practice can
thoroughly plan and implement new policies well before the upcoming
April 14 deadline.