Nearly three years after the first compliance deadline set by the Health Insurance Portability and Accountability Act (the sweeping measure enacted by Congress in 1996), some people applaud HIPAA for creating a much-needed framework of patient privacy standards, while others think it has created a morass of meaningless paperwork.
Although the HIPAA Privacy Rule and Security Rule are undeniably complex and confusing, they are the law of the land. Civil penalties for violating HIPAA start with fines of up to $100 for every infraction of the Privacy Rule or Security Rule, and criminal penalties can reach $250,000 and 10 years in prison for knowingly using or disclosing Protected Health Information (PHI) for commercial advantage.
Title II of HIPAA is aimed at improving the Medicare and Medicaid programs, and the healthcare industry in general, through the establishment of standards for the handling of certain health information. Title II establishes comprehensive regulations governing the privacy and security of patients' PHI.
HIPAA’s Privacy Rule impacts healthcare providers and plans (i.e., covered entities) that transmit PHI in electronic form. The rule has been described as a consumer protection statute. Among other things, it gives individuals the right to access their medical records, to request amendments to their records, and to learn where and to whom their records have been disclosed.
Covered entities have been required to comply with the Privacy Rule since April 14, 2003. If you haven’t already analyzed whether your practice is in compliance, now is the time to do so. Some major provisions to consider:
- Your patients should be able to obtain copies of, and request corrections to, their medical records. Providers generally have 30 days to comply with a patient’s request.
- Your patients must be provided with, and acknowledge receipt of, a Notice of Privacy Practices. In many cases, patients have to sign a specific authorization before their PHI can be released to an outside business, such as a life insurer.
- You must be able to provide, upon request, an accounting of nonroutine disclosures of your patients' PHI, that is, disclosures not made for treatment, payment or healthcare operations.
- Your patients must be given information on how to file privacy complaints.
- You must have written privacy and security policies and procedures.
- Your employees must be trained on how to comply with HIPAA, and you must designate a privacy officer and a security officer responsible for ensuring that your privacy and security policies and procedures are followed.
One Security System Does Not Fit All
HIPAA’s Security Rule, which had an April 20, 2005, compliance deadline, pertains only to PHI that is stored or transmitted electronically. It defines the administrative, physical and technical safeguards that covered entities must implement to protect electronic PHI.
Navigating HIPAA's requirements can be complex and difficult in part because many of them are open to interpretation. For instance, the Security Rule does not stipulate specific technologies or endorse nationally recognized procedures; it leaves it up to each covered entity to ensure that electronic PHI is secure.
Under the Security Rule, a small practice may not have to implement the same safeguards as a larger one. The rule allows for "scalability," meaning that one size does not have to fit all. Obviously, for example, a small practice with rudimentary technology, limited resources and low risk exposure differs markedly from a large system with a developed information technology department, broad resources and high risk exposure. The government allows flexibility depending on such circumstances.
Controlling access to computers and software through proper password management is a key area that requires staff to be security-conscious.
It is tempting for staff in small offices to share passwords or to keep them written on a piece of paper tucked into the top drawer next to the computer station. Indeed, many passwords have been found on “sticky notes” attached to computer monitors. All of these actions completely undermine security and should be strongly discouraged.
Since 2003, covered entities have been required to enter into business associate agreements (BAAs) with vendor companies that use or disclose PHI on their behalf. Under HIPAA, you will generally not be held responsible if one of your vendors inappropriately releases PHI, provided an appropriate BAA is in place and you were not aware of the unauthorized release or of a pattern of violations by that vendor. Now that the Security Rule compliance date has passed, your BAAs should be updated to reflect the rule's requirements for safeguarding electronic PHI.