- an office privacy manual;
- business associate contracts;
- electronic claims verification, submission and authorization;
- a "chain of trust";
- an April 14, 2003 "privacy deadline"; and
- an April 16, 2003 "payer testing deadline for electronic filing standards."
Confused by all this? You're not alone!
First of all, it is important to note that I, too, am not a HIPAA expert. This is why DC interviewed Howard Ross, and not me.
Secondly, it is important to note that the vast majority of all health care providers did not file for extensions by the October 16, 2002 HIPAA "compliance" deadline for electronic filing. (Medicare did file for an extension for all of its carriers, along with most other carriers. Look for more on this in another article.)
Thirdly, the October 16, 2002 extension does not affect the privacy and security requirements by which you must practice after April 14, 2003.
There is almost no way around adhering to the privacy guidelines by the April 14, 2003 deadline. The concept of "chain of trust" mandates that every organization you share patient information with is HIPAA-compliant in the area of privacy. (This includes ChiroWeb for those that utilize our patient newsletter and practice website services.) Chain of trust also mandates that every organization (particularly payers) that shares patient information with your office is HIPAA-compliant regarding privacy.
In addition to privacy, there are security requirements that are being drafted that your office may have to adhere to in the next year or so. You can expect some changes in the privacy and security requirements throughout the next four years.
This may sound like a real pain (and one more thing to make practicing more difficult) but it is required. We can whine about it all we want, but the best thing we can do is get on with it. From what we have been told, much of HIPAA requires procedures and safeguards that are already required on a state level or already happening in most offices. The tough part of the process is demonstrating that you are doing it and are therefore "compliant."
Because we (Dynamic Chiropractic/ChiroWeb) have to go through the process just like you do, I thought I should list a few things to consider regarding becoming compliant with the HIPAA privacy laws:
- Do what applies. A lot of what HIPAA addresses applies to hospitals and large clinics. Most of the HIPAA requirements are scalable. What a major hospital will be expected to do will be far beyond what your office is required to do. Make certain that what you are doing is realistic and applicable to your office environment.
- Don't use "boiler-plate" manuals. You can't just buy a privacy compliance manual off the shelf, put your name on the front and call yourself "HIPAA-compliant." Your manual should be specific to your office, with your practice information on each page. You can use a consultant or a computer program to help you walk through the process of ensuring that your office is privacy-compliant.
- Choose a consultant carefully. If you go the "consultant" route (over the "computer-program" route) make certain that the person you're talking to at least:
  - understands the needs of small volume practices;
  - understands the nuances of a chiropractic practice (and is familiar with its specific needs);
  - doesn't charge a ridiculous amount (in my opinion, anything over $700 for a single-doctor chiropractic office is too much); and
  - provides ongoing updates that you can purchase as part of the program.
HIPAA is just another aspect of the changing health care environment. It will cost us (and our staff) 20-30 hours, but once we get it handled, we can all go on doing what we do best.
Chiropractic fought hard for inclusion on all levels. Taking responsibility for HIPAA compliance is respecting the fact that we have been included.
Donald M. Petersen Jr., BS, HCD(hc), FICC(h)
Editor/Publisher of Dynamic Chiropractic