HIPAA Privacy Regulations: A Compliance Challenge
By Sheila Press, Attorney, MBA
HIPAA is the acronym for the Health Insurance
Portability and Accountability Act of 1996. The Centers for
Medicare and Medicaid Services (CMS) is responsible for
implementing and monitoring various unrelated provisions of this
law.
At present, the part of HIPAA with which O&P businesses need
to be concerned involves the use and disclosure of personal health
information. Adopting uniform standards to address the security and
privacy of personal health data is a major step by the government
to address the public's growing concern regarding violations in the
confidentiality of personal health information.
The privacy standards are structured in three sections: (1)
restriction on the use and disclosure of certain health
information; (2) establishment of individual rights regarding
health information; and (3) establishment of administrative
requirements to ensure confidentiality and appropriate use of
health information.
Information protected by the HIPAA privacy regulations is called
"personal health information" or "PHI." The privacy standards apply
to any information, whether paper or electronic, that describes an
individual's health status or other characteristics that identify
or could be used to identify that individual. This information
includes not only the patient's name and address and specific
treatment information but also sex, ethnicity, and age. "Covered
entities," or those to whom the HIPAA privacy regulations apply,
include entities that provide direct treatment to patients,
including O&P facilities; other "covered entities" include
health plans and healthcare clearinghouses.
Forms Needed
You will need the following forms in order to be in compliance
with the HIPAA privacy regulations by April 14, 2003:
1. Notice of Privacy Practices: You must give
this document to all of your patients and have them sign and date
an acknowledgment form which you will then maintain in that
patient's file.
2. Consent: This form should be signed and
dated by every patient. The form should then be maintained in that
patient's file. It gives you permission to use the patient's
personal health information for "treatment, payment or other
healthcare operations." This consent form generally covers all of
the purposes for which you might use the patient's PHI in your
business. Once this form is signed, it can only be revoked in
writing.
3. Authorization: A patient must sign and date
this form for any uses or disclosures of PHI for any purpose other
than treatment, billing, and healthcare operations. This would
include the use of a photograph or video or the use of PHI for
research purposes. Once this form is completed, signed, and dated,
it should be maintained in the patient's file. Each authorization
is effective for the specific purpose stated until it is revoked in
writing.
4. Business Associate Agreement: You are also responsible for
ensuring that some of your business associates protect the privacy of
your patients' individual health information with the same care as
you provide. "Business associates" are defined as entities that
perform a function or provide services involving PHI on behalf of
covered entities; these include lawyers, accountants, billing and
collection companies, and central fabrication facilities. You
should have all such persons or entities sign this agreement with
you. It is a contract, and you should maintain these signed
agreements in a separate file. The term "business associates" does
not include others who are direct treatment providers, so that you
do not need to have an agreement with physicians, physical
therapists, or similar direct treatment providers.
The Department of Health and Human Services (DHHS) Office of
Civil Rights is responsible for the enforcement of the HIPAA
Privacy Rule, and there are both civil and criminal penalties for
violations. Your patients will be glad to know that, as part of the
high quality of care that they receive from you, their personal
privacy is being protected by your compliance with HIPAA.

Sheila M. Press, Attorney, is president of Healthcare Compliance Solutions, a company providing consulting services, including HIPAA and OIG compliance, and customized compliance programs for O&P. She can be contacted at 480.767.9477; e-mail: spress@hccso

Table Of Contents - January 2003