NEW HIPAA PRIVACY REGULATIONS:
Protecting Patient Privacy in the Electronic Age
by Dan Groszkruger, JD, MPH
Consulting Editor
The new HIPAA Privacy regulations will change the way physicians handle patient information. Electronic storage and transfer of confidential information have multiplied the number of opportunities for privacy violations. A new "floor" of protection, to be implemented uniformly, nationwide, is intended to mitigate the increased threat to patient privacy. After April 14, 2003, a physician will obtain his or her patient's permission, based on a written description of each intended use or disclosure, before sharing information. Every type of medical practice, small or large, will play an important role in protecting privacy.
A federal law, called The Health Insurance Portability and Accountability Act of 1996, authorized the Department of Health and Human Services to adopt new rules to protect patient privacy. HHS published the regulations early in 2001, and compliance will be expected within two years, i.e., by April 14, 2003.
To comply with the new rules, physicians will need to adopt new policies for obtaining patients' permission to use and disclose confidential information. The HIPAA Privacy regulations preempt existing California laws covering confidential medical records, unless state law is more stringent. Thus, current procedures governing consents and authorizations need to be revamped by April 14, 2003.
The new rules create several new patients' rights, including:
- The right to give consent for use or disclosure of demographic (i.e., name, address, Social Security number, etc.) as well as confidential information. State laws do not currently require use of such a separate consent.
- The right to receive a description of all the intended uses and disclosures of patient information, with examples, before signing the consent form. This notice of privacy practices is specified in the regulations, and will be written in "plain language," easily understood by patients and families.
- The right to authorize (or not) uses and disclosures other than for normal purposes (i.e., treatment, payment or operations), such as for fund-raising.
- The right to receive an accounting of all disclosures, specifying when, what, to whom and why disclosures were made.
- The right to request limitations or restrictions on the use and disclosure of patient information.
The new rules do include several provisions which have provoked controversy. Physicians and medical groups are expected to limit disclosures to the minimum necessary for a specific purpose. Also, they will need to obtain reasonable assurances on maintaining patient privacy from those to whom they disclose patient information. The new rules cover both written and oral communications, as well as electronically stored and transmitted confidential patient information.
Most physicians/medical groups will qualify as "covered entities," subject to the new HIPAA Privacy regulations.1 All staff and employees will need to be trained regarding the new privacy policies and procedures, prior to the compliance deadline.
Although compliance is more than a year away, time is growing short to accomplish all the tasks necessary to implement a HIPAA Privacy compliance plan. To help give CAP members peace of mind as they set up their new privacy policies, the MEDefense insurance program will provide reimbursement for some legal expenses incurred in defending against government allegations of HIPAA privacy violations.
Watch for additional updates in future issues of CAPsules and the Bulletin, as well as recommended outside resources, to help CAP members achieve HIPAA Privacy compliance.
