Sheila Press, Attorney, MBA
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The Centers for Medicare and Medicaid Services (CMS) is responsible for implementing and monitoring various unrelated provisions of this law.
At present, the part of HIPAA with which O&P businesses need to be concerned involves the use and disclosure of personal health information. Adopting uniform standards to address the security and privacy of personal health data is a major step by the government to address the public's growing concern regarding violations in the confidentiality of personal health information.
The privacy standards are structured in three sections: (1) restriction on the use and disclosure of certain health information; (2) establishment of individual rights regarding health information; and (3) establishment of administrative requirements to ensure confidentiality and appropriate use of health information.
Information protected by the HIPAA privacy regulations is called "personal health information" or "PHI." The privacy standards apply to any information, whether paper or electronic, that describes an individual's health status or other characteristics that identify or could be used to identify that individual. This information includes not only the patient's name and address and specific treatment information but also sex, ethnicity, and age. "Covered entities," or those to whom the HIPAA privacy regulations apply, include entities which provide direct treatment to patients, including O&P facilities; other "covered entities" include health plans and healthcare clearinghouses.
Forms Needed
You will need the following forms in order to be in compliance with the HIPAA privacy regulations by April 14, 2003:
1. Notice of Privacy Practices: You must give this document to all of your patients and have them sign and date an acknowledgment form which you will then maintain in that patient's file.
2. Consent: This form should be signed and dated by every patient. The form should then be maintained in that patient's file. It gives you permission to use the patient's personal health information for "treatment, payment or other healthcare operations." This consent form generally covers all of the purposes for which you might use the patient's PHI in your business. Once this form is signed, it can only be revoked in writing.
3. Authorization: A patient must sign and date this form for any uses or disclosures of PHI for any purpose other than treatment, billing, and healthcare operations. This would include the use of a photograph or video or the use of PHI for research purposes. Once this form is completed, signed, and dated, it should be maintained in the patient's file. Each authorization is effective for the specific purpose stated until it is revoked in writing.
4. Business Associate Agreement: You are also responsible for ensuring that some of your business associates protect the privacy of your patients' individual health information with the same care that you provide. "Business associates" are defined as entities that perform a function or provide services involving PHI on behalf of covered entities; these include lawyers, accountants, billing and collection companies, and central fabrication facilities. You should have all such persons or entities sign this agreement with you. It is a contract, and you should maintain these signed agreements in a separate file. The term "business associates" does not include others who are direct treatment providers, so you do not need to have an agreement with physicians, physical therapists, or similar direct treatment providers.
The Department of Health and Human Services (DHHS) Office of Civil Rights is responsible for the enforcement of the HIPAA Privacy Rule, and there are both civil and criminal penalties for violations. Your patients will be glad to know that, as part of the high quality of care that they receive from you, their personal privacy is being protected by your compliance with HIPAA.
Sheila M. Press, Attorney, is president of Healthcare Compliance Solutions, a company providing consulting services, including HIPAA and OIG compliance, and customized compliance programs for O&P. She can be contacted at 480.767.9477; e-mail: spress@hccso