American College of Physicians: Internal Medicine — Doctors for Adults ®

Practice Tips: The self-pay conundrum and other tricky HIPAA omnibus requirements

From the November/December ACP Internist, copyright © 2013 by the American College of Physicians

By Margo Williams

The deadline for compliance with the Health Insurance Portability and Accountability Act (HIPAA) omnibus rule, which modified requirements relating to privacy, security and breach notification, passed on Sept. 23. Physician practices that haven’t already done so should take the opportunity to revise policies and procedures, review staff training and in general make sure they are meeting requirements to protect personal health information.

While many of the omnibus changes are subtle and may not require a great deal of effort on the part of the practice, the penalties for noncompliance are severe. It would be wise to conduct a gap analysis of how your practice protects the privacy and security of patient information.

The most immediate action that requires attention is to revise the Notice of Privacy Practices and business associate agreements. Under the old rules, business associates were not held directly liable for their actions in terms of protecting patient privacy. However, business associates are now directly liable under the HIPAA rules and are subject to civil and in some cases criminal penalties for making use of and disclosing health information or for failing to safeguard electronic versions of protected health information. Thus, business associate agreements should be modified accordingly.

There are two requirements that might be tricky for practices. The first is that patients who pay in full up front may ask practices to withhold information about that appointment from their health plan. This may be more feasible in some systems (billing or electronic health records) than in others. Not all systems make it easy to flag visits so that notes are separated out or a bill is not automatically generated.

This requirement poses another problem. Any outside testing, prescriptions or other downstream activities resulting from the visit are out of the control of the practice. Patients should be advised that they will have to make the same request of other clinicians and providers separately. If the practice e-prescribes, then a paper prescription may be necessary in order to keep the information from the insurance company; the patient will have to make a similar request at the pharmacy. Practices will need to modify their financial responsibility forms or create a separate form to reflect this change. Patients should also be advised that it may be difficult to exclude certain encounters in the event of an insurance audit or a treatment-related request from another clinician.

The other requirement that may be tricky is how to handle requests for electronic copies of electronically stored patient charts. The new rules require that, upon request, practices that store protected health information electronically must provide the patient with an electronic copy of the records within 30 days for a “reasonable” cost.

Practices will need to work with their vendors to determine how to make a copy of the record in electronic format, including what information would be included and how to make it readable outside the electronic health record. The omnibus rule does not define a particular format, but the practice should determine what is feasible (e.g., CD or thumb drive) and what an appropriate charge should be. This information should be included in the practice’s records release policy. Patient-supplied media should not be used, so practices should supply the media in whichever format they decide is the best option.

More information about the new HIPAA rules is online. ACP’s recently revised HIPAA Privacy Manual and HIPAA Security Rule Manual include updated Notice of Privacy Practices and Business Associate agreements, as well as a revised practice walk-through/risk assessment and many forms that can be customized to each practice. Remember that many states have rules more stringent than HIPAA rules, so it is important to ensure that your practice complies with all relevant state privacy laws.

Margo Williams is senior associate for practice management in ACP’s Center for Practice Support, a division of ACP that encompasses the College’s primary resources for medical practices.
