HIPAA: Beware the "Ides of April"
By Louis Sportelli, DCApril 15 will be a demanding day, not only because of Uncle Sam and the taxman, but also because it will be the first day the Federal Guidelines for the Health Insurance Privacy and Accountability Act (HIPAA) will be compulsory. Some doctors continue to ignore the act's notifications, deluding themselves into thinking it does not pertain to them; others are using the never-successful procrastination technique of waiting until tomorrow (April 14, in this case). Others still are just downright confused by all the information; misinformation; confusion; contradiction; complication; and misdirection concerning HIPAA. Whatever your situation or inclination, the date when most doctors of chiropractic should get serious about this act is fast approaching.
HIPAA is here to stay. It is amazing to see the varied responses from doctors to the question: Are you HIPAA-compliant? Many say, "I do not produce electronic billing, and I do not need to comply." Others insist the deadline will be postponed, as most federal program deadlines are. Still others are convinced that reading an article in their state or national journals makes them compliant. HIPAA is serious stuff, and when dealing with patient privacy and confidentiality, the stakes are high.
Some doctors only think in the most abstract fashion, and pose questions far removed from reality. For example:
Hypothetical question: Will I have to remove my name from my office, so people will not be able to tell what type of office patients are entering?
Realistic response: The Department of Health and Human Services (HHS) does not consider the office name to be disclosure of protected health information. It might be somewhat revealing if the sign stated: "Smithville HIV Clinic" or "Jonestown Psychiatric Clinic," but the name on the building is not something about which many DCs will have to be concerned.
Hypothetical question: Will I have to do away with sign-in sheets, and instruct my staff not to call out the names of patients in the reception room?
Realistic response: No. HHS has issued extremely specific guidelines for sign-in sheets and calling patients in the reception room, and these are permitted activities.
There are some patient-management challenges defined by HIPAA, and these challenges deserve creative solutions. In chiropractic offices, the challenges are not nearly as significant as other areas of health care, where health concerns rise to a higher level of sensitivity and should be noted by the doctor and staff, particularly where concerns by patients may be an issue.
Creative and innovative solutions to the sign-in sheet can be resolved easily by incorporating new merchant-processing equipment that has an electronic signature, which could, at the end of the day, be printed and saved as the daily sign-in sheet. Some facilities that have sensitive health-care concerns, such as mental health providers, have incorporated the same paging devices used in restaurants and many one-hour vision centers. When it is time for the patient to be seen, the pager is activated, and the patient is brought into a more private area for discussion and confirmation of his or her name and personal information.
These kinds of creative solutions demonstrate a heightened level of sensitivity on the part of the health care facility toward the patient; facilities that incorporate these "value-added" patient-centered procedures will reap the rewards.
What exactly will be mandatory, and what will be discretionary, under HIPAA? The answer is not yet clear. The word the government uses to determine if a procedure is mandatory or not is "reasonableness." That term is about as helpful as asking if you have met the "standard of care" in a malpractice action. One must continue to ask the question: "What does reasonableness mean?" It will not only mean different things to different facilities, but also will mean different things at different times as information, knowledge and research continue to evolve. Additionally, as litigation regarding HIPAA begins to develop, there will perhaps be some "clarity" within the gray areas of the legislation.
There have already been several lawsuits related to the act. A federal court in Louisiana decided a recent case, even though the HIPAA privacy regulations do not become enforceable until April 15. The details of the suit are not as relevant to this article as the fact the federal court felt compelled to intervene. The court noted that there is no federal physician-patient privilege, but decided to review the case in light of the act's privacy regulations, even though the regulations were not yet enforceable. The logic of the court in this case was based upon the fact that HIPAA shows there is a strong federal policy protecting medical records, and this case would, in all probability, be in litigation beyond the deadline for compliance. The court compared Louisiana law to the federal HIPAA law, and determined that Louisiana was not as stringent as HIPAA; therefore, state law was preempted by HIPAA. The court expanded its decision to include comments about the U.S. Department of Justice being entitled to use a medical records disclosure in this case for its health oversight purposes, as permitted by the act's regulations (Stewart vs. Louisiana Clinic).
In another case, a patient was awarded $250,000 for disclosure of HIV status. In this case, a patient visited with a hospital's receptionist, who also happened to be a co-worker of the patient. When the patient returned to work, co-workers ridiculed him about the fact that he had AIDS. The patient confronted the co-worker, who denied telling others about his condition. The patient reported the incident to the hospital, then sued the hospital and the employee for violation of a confidential relationship and invasion of privacy. A jury found the hospital negligent in permitting its employee access to confidential information, and awarded the patient $250,000. (Doe vs. Midatlantic Health Care Corp.)
Will this kind of breach of confidentiality be of great concern in a chiropractic clinic? The number and variety of patients seeking the services of complementary and alternative practitioners, and the movement toward fully integrated facilities, certainly raises new and different issues in patient relationships that only a few decades ago did not exist. This only points out that the dynamics of chiropractic awareness, and the need to be compliant, are more significant now than ever.
In another case, a $2.3 million award was given to three patients for an employee's disclosure of records. Three patients charged the company's former records clerk, who was fired, with disclosure of mental health records. The allegations by the patients also charged the company with negligent hiring and retaining of the employee. The lawsuit claimed the company "knew or should have known" the employee was incompetent and posed a threat to the privacy of others. Additional punitive damages were awarded to punish the company for failure to monitor the actions of its employees. Thus, the duty imposed on organizations will become increasingly more complex, as new and creative litigation continues to focus on areas of noncompliance with HIPAA regulations.
One often-misunderstood concept regarding the regulations is the fact that there are really two parts to the act: training and implementation of the training. It is not enough to simply take a course and learn what the regulations are, and how they will affect your practice. That is clearly a basic and understood part of any HIPAA compliance program. The second part, dealing with how the "covered entity" will implement the requirements, is a separate process. Each office is not only required to demonstrate that everyone in the office has had HIPAA training, but also is be required to demonstrate what steps have been put into operation to become compliant with HIPAA regulations. Training and familiarity is not enough; specific steps must be taken to demonstrate proof of compliance.
A basic checklist will help avoid the potential problems individual or small-group practices will encounter; many of these problems will become self-evident as the process moves forward. HIPAA will impose regulatory criteria on health care systems, large and small. Information is known about certain aspects of HIPAA compliance, and the following needs that must be met:
A HIPAA Privacy Rule incorporating a "to-do" list should be developed by each facility. Every doctor is encouraged to seriously review the list to become familiar with basic requirements imposed by HIPAA. The practitioner must determine if he or she complies with the state-specific mandates.
A Notice of Patient Privacy Rights must be used by doctors to provide educated, informed consent to patients; however, any state requirement that exceeds HIPAA must be incorporated.
A Business Associate Agreement must be developed between the doctor's facility and vendors who may be covered under the HIPAA regulations.
A Patient Consent Form is required for compliance with informed consent for patients. As with the privacy form, state-specific information must be reviewed to meet the requirements of HIPAA.
A Privacy Notice Form must be used with regard to any patient-disclosure issues.
Eight Tasks to Complete by the April 15 Deadline:
You should also conduct a site walk-through; to check progress on some common potential violations of HIPAA:
One final comment: Doctors who think they do not have to comply with HIPAA because they do not file electronically, or have fewer than 10 employees, are deluding themselves into a false sense of complacency. Eventually, Medicare, Medicaid and private insurance companies will mandate that all payment processes require electronic transmission for reimbursement, or participation in the program will be denied.
Eventually, every provider or facility will be required to comply with HIPAA in one fashion or another. It is best to be proactive and make plans now to incorporate all the elements of compliance into your current office procedures. The questions and concerns regarding HIPAA remain confusing; some mandatory compliance issues are clear; and others will be tested in various court rulings and HHS regulatory bulletins.
The most important thing for doctors of chiropractic to be aware of is that HIPAA is very real, relevant and required for all health care providers to comply with and incorporate into their practice procedures. To do anything less would be a mistake.
Louis Sportelli, DC
Click here for more information about Louis Sportelli, DC.