Legislative and Administrative Notes:
Privacy Regulations under HIPAA
This Legislative and Administrative Notes is solely dedicated to issues surrounding the standards for privacy of individually identifiable health information, known as privacy rule, under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Provisions in HIPAA for privacy became effective on April 14, 2001, with an April 14, 2003 compliance date. The Bush Administration has just published final rules (August 14, 2002) on privacy. The rules are over 100 pages long.
This brief synopsis of issues under HIPAA only provides a brief overview of some of the issues that you as providers need to understand. It is imperative that you work with experts in the field of Health Information Management. The organization that has the easiest to read and most comprehensive information is the American Health Information Management Association. Their web site is: www.ahima.org.
What is the HIPAA Privacy Rule?
The rules protect medical records and other personal health information maintained by certain health care providers, hospitals, health plans, health insurers and health care clearinghouses.
- The regulations empower patients/individuals by guaranteeing them access to their medical records, giving them more control over how their protected health information is used and disclosed and providing a clear avenue of recourse if their medical privacy is compromised.
- Individuals must give specific authorization before entities covered by this regulation could use or disclose protected information in most “non-routine” circumstances-such as releasing information to an employer or for use in marketing activities. Providers covered by this regulation will have to follow standards for the use and disclosure of personal health information.
- Providers covered by this regulation will need to provide individuals with written notice of their privacy practices and the patients’ rights to privacy. Individuals will be asked to sign or acknowledge receipt of the privacy notices.
- Before marketing materials are sent to an individual, a covered provider must obtain specific authorization.
- Individuals will be able to access their personal medical records and request changes to correct any errors. Individuals may request an accounting of non-routine uses and disclosures of their health information.
Definitions and Applicability
Covered Entity is a health plan, a health care clearinghouse or a health care provider that electronically transmits or maintains protected health information.
Protected Health Information (PHI) is information that is electronically maintained or transmitted that:
is created or received by a covered entity, public health authority, employer, life insurer, school or university;
relates to the past, present or future physical or mental health or condition of an individual; the provision of health care to an individual;
identifies the individual or with respect to which there is a reasonable basis to believe that the information can be used to believe that the information can be used to identify the individual.
Privacy requirements are that a covered entity must tell all recipients how their PHI will be protected, except issues of billing, treatment or operations.
However, ABCD has been told that the New Jersey Attorney General has taken a broad view, so that the entire client record is PHI.
Business Associate (in the proposed rule called business partner) is a person to whom a covered entity discloses PHI so the person can assist or perform a function for the covered entity. According to the regulations, a covered entity must enter into a business partner agreement with others its business partners.
Are you a covered entity or a business partner under HIPAA?
According to Jim Evanchko, Administrative Practice Officer at the Division of Developmental Disabilities (DDD), providers of DDD services are, generally, business partners under HIPAA. All DDD providers will be given a draft Business Partner Agreement by DDD in early September.
The primary reason that most DDD providers are not covered entities is that they do not send information about the individual (PHI) electronically.
However, there are providers that are Medicaid providers on their own, who do billing to Medicaid under Medical Day Care, Home Health or ICF/MR. These providers are covered entities under the HIPAA regulations and will need to understand better the HIPAA regulations.
For those providers who may be covered entities, the primary immediate issue relates to electronic billing. According to HIPAA law, covered entities must use federal formatting and codes when delivering electronic billing by October 16, 2002. You may apply for a one year waiver from this requirement from federal government.
(All of the Divisions of the Department of Human Services are applying for the waiver en mass within the next few weeks.) If you are a business partner with the Department you do not need to send a waiver request. Only covered entities, ie, those that send electronic bills, are required to
ABCD has begun to compile material from American Health Information Management Association. This material delineates checklists to determine what needs to be tracked under the privacy regulations. ABCD also recommends that you go to their web site: www.ahima.org. Some of the material is free of charge. If you need additional information and/or assistance, you might consider membership in AHIMA.
Other Issues and Next Steps
The privacy regulations also delineate between consent (obtaining a consent for uses and disclosures of information for treatment, payment and health care operations) and authorization. ABCD understand the New Jersey Medicaid is in the process of developing procedures for these requirements.
Many providers are already aware and concerned about the impact of HIPAA on their policies and procedures. The New Jersey Association of Community Providers is having an attorney speak at its September membership meeting on HIPAA.
ABCD recommends that you
- Determine whether your organization is a covered entity;
- If so, request a one year waiver from the requirements of electronic billing and begin to develop checklists on what you need to do be in compliance;
- If not, work with DDD and any other Divisions and/or Departments with which you contract to finalize and sign a Business Partner Agreement.
Whether or not you are a covered entity, begin to educate yourself and your staff about the privacy rights of individuals. Some of these issues include ensuring that when a staff person is reviewing a client’s file and is called away, that the file should at least be closed if not put back into the file cabinet.
Written August 15, 2002