Answers to questions about the HIPAA privacy rule
From the February ACP-ASIM Observer, copyright © 2003 by the American College of Physicians-American Society of Internal Medicine.
By Margo Williams
When new federal rules about patient privacy take effect on April 14, many physicians will likely be expecting the worst. Some practice consultants and news media have scared physicians by predicting that doctors will have to overhaul their entire practice to comply with the new privacy regulations, which are part of the Health Insurance Portability and Accountability Act (HIPAA).
The truth is that physicians and hospitals have always been very sensitive to patient confidentiality. While the HIPAA privacy rule has raised that consciousness to a new level with new patient rights and provider requirements, the rule merely formalizes many of the privacy measures you probably already have in place.
Final modifications to the rule that were set on Aug. 14, 2002, mean that patients don't have to sign a consent form before any service is provided. Other changes have similarly made compliance with the rule much easier for physicians.
Late last year, the HHS Office of Civil Rights, which will enforce the privacy rule, issued guidance outlining how it will interpret the rule and "police" its provisions. The document provides nitty-gritty details on questions about workers' compensation, research, marketing, business associates, personal representatives and public health disclosures. (The document is available online.)
To help prepare your practice for the April deadline, here are answers to some commonly asked questions about what groups need to do to comply with the new regulation.
Q: Do patients need to sign consent forms?
A: Not to meet HIPAA regulations, although you have the option of obtaining consent before you use and disclose patient health information. While HIPAA leaves consent to physicians' discretion, ACP- ASIM believes that physicians have an ethical obligation to obtain consent before using or disclosing protected health information. In addition, state laws may require prior consent.
The final rule released in August allows providers to share information regarding treatment, payment and operation as long as they notify the patient—and receive written acknowledgment that they have done so—about their privacy rights as soon as is reasonably practical. That can be the next time the patient comes for an office visit or to pick up something. An authorization, however, is required for any nonroutine, nontreatment use or disclosure, such as for marketing, research, life insurance underwriting or release of psychotherapy notes. Authorizations are specific and time-limited.
Q: How will the privacy rule limit how I use or discuss patient information in my office?
A: If you or your staff inadvertently disclose "protected" patient information, it will not be considered a violation of the rule, as long as you have taken reasonable measures to meet the "minimum necessary" requirements for protecting patient information. You may continue to use waiting room sign-in sheets, keep patient charts on the doors of exam rooms, leave messages on patients' answering machines, talk to patients in semi-private rooms and confer at a nurse's station or in your office hallway without fear of violating the rule if a passerby accidentally overhears.
However, you need to make sure that computer screens with patient information are not visible to other patients, sign-in sheets list name and appointment time only, patient charts are closed with no clinical information on the cover and your computers are password protected. You also need to keep your voice down when discussing patient information.
Tell your staff to limit the amount of information disclosed when they leave voice mail messages for patients. They should include only routine information like the patient's name, a return phone number and enough information to confirm an appointment.
The privacy rule also requires that you limit how much protected health information you use, disclose or request for specific purposes like reimbursement. Instead of giving your billing company an entire patient chart, for example, give only the information it needs to bill the current visit.
Q: Will the privacy rule hinder medical research by making it harder to share clinical information?
A: Recent modifications to the rule have made it much easier for researchers to continue to access the medical information necessary to do their work. Researchers may now use a single combined form to obtain informed consent for the research and authorization to use or disclose protected health information for such research. Alternately, you may obtain an authorization waiver from an internal review board or a privacy board.
The HIPAA privacy rule streamlines the process to more closely follow the requirements that govern federally funded research. The privacy rule also allows researchers to create and disseminate a limited data set for research, public health and health care operations. (Those data sets cannot include directly identifiable patient information.) Researchers must create a "data use agreement" that limits who can access those data and how the data will be used.
For more compliance help, see "Tips to comply with HIPAA's new privacy regulations," in the May 2002 ACP-ASIM Observer.
Margo Williams is a Practice Management Associate in the College's Washington office.
If you have questions about new federal rules on privacy and transaction standards that are part of the Health Information Portability and Accountability Act (HIPAA), the College can help.
ACP-ASIM's Practice Management Center will hold an audioconference to help internists comply with HIPAA regulations Thursday, March 20, from 3-4:00 p.m. EST. "Are You Ready For HIPAA?" will cover all aspects of HIPAA and focus on the regulations that will take effect in the coming months.
The audioconference will cost $30 per phone line for College members and $129 per phone line for nonmembers. The first 25 members to call will receive free registration.
To sign up, call ACP-ASIM Customer Service at 800-523-1546, ext. 2600, or 215-351-2600 (9 a.m. to 5 p.m., EST).
The following resources are available from the Practice Management Center's Web site.
- HIPAA Privacy Manual
- HIPAA Electronic Transactions Manual
- Answers to frequently asked questions on all HIPAA rules
- Compliance calendar
- Links to commercial, nonprofit, and government sites that provide answers to frequently asked questions, information about state laws and the full text of the rules themselves.
Internist Archives Quick Links
New Leadership Webinars
The ACP Leadership Academy is offering FREE webinars covering the core tenets of leadership, leadership in hospital medicine, finance, and more.
Join ACP Today!
ACP membership connects you with like-minded colleagues and provides access to a variety of clinical resources, practice tools, and ways to earn MOC and CME.