HIPAA is here to stay. It is amazing to see the varied responses from doctors to the question: Are you HIPAA-compliant? Many say, "I do not produce electronic billing, and I do not need to comply." Others insist the deadline will be postponed, as most federal program deadlines are. Still others are convinced that reading an article in their state or national journals makes them compliant. HIPAA is serious stuff, and when dealing with patient privacy and confidentiality, the stakes are high.
Some doctors only think in the most abstract fashion, and pose questions far removed from reality. For example:
Hypothetical question: Will I have to remove my name from my office, so people will not be able to tell what type of office patients are entering?
Realistic response: The Department of Health and Human Services (HHS) does not consider the office name to be disclosure of protected health information. It might be somewhat revealing if the sign stated: "Smithville HIV Clinic" or "Jonestown Psychiatric Clinic," but the name on the building is not something about which many DCs will have to be concerned.
Hypothetical question: Will I have to do away with sign-in sheets, and instruct my staff not to call out the names of patients in the reception room?
Realistic response: No. HHS has issued extremely specific guidelines for sign-in sheets and calling patients in the reception room, and these are permitted activities.
There are some patient-management challenges defined by HIPAA, and these challenges deserve creative solutions. In chiropractic offices, the challenges are not nearly as significant as in other areas of health care, where health concerns rise to a higher level of sensitivity; even so, they should be noted by the doctor and staff, particularly where patients have raised concerns.
The sign-in sheet problem can be resolved easily with creative and innovative solutions, such as new merchant-processing equipment that captures an electronic signature, which could, at the end of the day, be printed and saved as the daily sign-in sheet. Some facilities with sensitive health-care concerns, such as mental health providers, have incorporated the same paging devices used in restaurants and many one-hour vision centers. When it is time for the patient to be seen, the pager is activated, and the patient is brought into a more private area for discussion and confirmation of his or her name and personal information.
These kinds of creative solutions demonstrate a heightened level of sensitivity on the part of the health care facility toward the patient; facilities that incorporate these "value-added" patient-centered procedures will reap the rewards.
What exactly will be mandatory, and what will be discretionary, under HIPAA? The answer is not yet clear. The word the government uses to determine if a procedure is mandatory or not is "reasonableness." That term is about as helpful as asking if you have met the "standard of care" in a malpractice action. One must continue to ask the question: "What does reasonableness mean?" It will not only mean different things to different facilities, but also will mean different things at different times as information, knowledge and research continue to evolve. Additionally, as litigation regarding HIPAA begins to develop, there will perhaps be some "clarity" within the gray areas of the legislation.
There have already been several lawsuits related to the act. A federal court in Louisiana decided a recent case, even though the HIPAA privacy regulations do not become enforceable until April 15. The details of the suit are not as relevant to this article as the fact the federal court felt compelled to intervene. The court noted that there is no federal physician-patient privilege, but decided to review the case in light of the act's privacy regulations, even though the regulations were not yet enforceable. The logic of the court in this case was based upon the fact that HIPAA shows there is a strong federal policy protecting medical records, and this case would, in all probability, be in litigation beyond the deadline for compliance. The court compared Louisiana law to the federal HIPAA law, and determined that Louisiana was not as stringent as HIPAA; therefore, state law was preempted by HIPAA. The court expanded its decision to include comments about the U.S. Department of Justice being entitled to use a medical records disclosure in this case for its health oversight purposes, as permitted by the act's regulations (Stewart vs. Louisiana Clinic).
In another case, a patient was awarded $250,000 for disclosure of HIV status. In this case, a patient visited with a hospital's receptionist, who also happened to be a co-worker of the patient. When the patient returned to work, co-workers ridiculed him about the fact that he had AIDS. The patient confronted the co-worker, who denied telling others about his condition. The patient reported the incident to the hospital, then sued the hospital and the employee for violation of a confidential relationship and invasion of privacy. A jury found the hospital negligent in permitting its employee access to confidential information, and awarded the patient $250,000. (Doe vs. Midatlantic Health Care Corp.)
Will this kind of breach of confidentiality be of great concern in a chiropractic clinic? The number and variety of patients seeking the services of complementary and alternative practitioners, and the movement toward fully integrated facilities, certainly raise new and different issues in patient relationships that only a few decades ago did not exist. This only points out that the dynamics of chiropractic awareness, and the need to be compliant, are more significant now than ever.
In another case, a $2.3 million award was given to three patients for an employee's disclosure of records. Three patients charged the company's former records clerk, who was fired, with disclosure of mental health records. The allegations by the patients also charged the company with negligent hiring and retaining of the employee. The lawsuit claimed the company "knew or should have known" the employee was incompetent and posed a threat to the privacy of others. Additional punitive damages were awarded to punish the company for failure to monitor the actions of its employees. Thus, the duty imposed on organizations will become increasingly complex, as new and creative litigation continues to focus on areas of noncompliance with HIPAA regulations.
One often-misunderstood concept regarding the regulations is the fact that there are really two parts to the act: training and implementation of the training. It is not enough to simply take a course and learn what the regulations are, and how they will affect your practice. That is clearly a basic and understood part of any HIPAA compliance program. The second part, dealing with how the "covered entity" will implement the requirements, is a separate process. Each office is not only required to demonstrate that everyone in the office has had HIPAA training, but also is required to demonstrate what steps have been put into operation to become compliant with HIPAA regulations. Training and familiarity are not enough; specific steps must be taken to demonstrate proof of compliance.
A basic checklist will help avoid the potential problems individual or small-group practices will encounter; many of these problems will become self-evident as the process moves forward. HIPAA will impose regulatory criteria on health care systems, large and small. Certain aspects of HIPAA compliance are already known, and the following needs must be met:
- Train staff comprehensively on practice ethics, policies and procedures. This requirement can be met in a variety of ways, from Web-based and in-office training to self-study manuals and classroom attendance. The Web-based programs provide a cost-effective, innovative solution for doctors and staff to meet the requirements and keep current on the law.
- Incorporate written consents into your office procedures to ensure compliance monitoring, by establishing a designated compliance officer or a particular contact person in the office.
- Extend contract requirements to all business associates and vendors with appropriately drafted contracts.
- Evaluate office data storage and disposal practices. Shredders and designated secure areas in each office, where patient files can be locked and secure, will become more commonplace as compliance with HIPAA is more fully understood. In some offices, this may require rearranging of office design and incorporating soundproofing and designated areas for discussion of Protected Health Information (PHI).
- Upgrade equipment and software for electronic security. Many vendors will introduce innovative technology to meet the needs of the marketplace, and doctors/staff should keep current in these areas.
- Re-evaluate office facilities to ensure privacy by conducting internal monitoring and periodic auditing, focusing on high-risk billing and coding issues.
- Ensure compliance training for all individuals involved in the practice by developing a code of conduct and written policies and procedures, and by enforcing disciplinary standards consistently and uniformly. Grievance procedures; office personnel policy; how privacy and security measures are conducted; how training was obtained and documented; and the designated individuals who are responsible for HIPAA implementation should all be clearly outlined in this manual. Having the manual in place and using it to develop, review, assess and evaluate (and ultimately document implementation of) a process will greatly enhance the facility's ability to demonstrate the steps taken to ensure compliance with the program.
A HIPAA Privacy Rule incorporating a "to-do" list should be developed by each facility. Every doctor is encouraged to seriously review the list to become familiar with basic requirements imposed by HIPAA. The practitioner must determine if he or she complies with the state-specific mandates.
A Notice of Patient Privacy Rights must be used by doctors to provide educated, informed consent to patients; however, any state requirement that exceeds HIPAA must be incorporated.
A Business Associate Agreement must be developed between the doctor's facility and vendors who may be covered under the HIPAA regulations.
A Patient Consent Form is required for compliance with informed consent for patients. As with the privacy form, state-specific information must be reviewed to meet the requirements of HIPAA.
A Privacy Notice Form must be used with regard to any patient-disclosure issues.
Eight Tasks to Complete by the April 15 Deadline:
- Appoint a privacy officer: Failure to do something as basic as this will demonstrate to any agency a lack of concern, and will be significant in the event of any inquiry.
- Develop and implement required privacy policies: Developing and implementing all the policies and procedures required is key to showing HIPAA compliance.
- Complete a pre-emption analysis: Check with your attorney to determine if your state privacy laws conflict with HIPAA.
- Develop, distribute and post notices of privacy: The notice of privacy practices is a high-visibility HIPAA requirement that will be obvious if missing.
- Provide initial training to staff: If a patient sues for invasion of privacy, there will be no defense for the disregard of training.
- Develop and use authorization form: Implement a release of information form that your patients must sign. Disclosure of PHI must be included.
- Identify and contract with business associates: Business Associate agreements should be taken seriously.
- Know patients' rights under HIPAA: Develop a brief list summarizing these rights, and be certain your staff knows them.
You should also conduct a site walk-through to check progress on some common potential violations of HIPAA:
- Check placement and operation of fax machines.
- Secure areas for patient privacy.
- Soundproof areas for discussion.
- Make sure chart identification is secure in hallways.
- Check placement of areas for telephone conversation.
- Make your staff thoroughly aware of confidentiality and privacy policies.[1]
One final comment: Doctors who think they do not have to comply with HIPAA because they do not file electronically, or have fewer than 10 employees, are deluding themselves into a false sense of complacency. Eventually, Medicare, Medicaid and private insurance companies will mandate that all payment processes require electronic transmission for reimbursement, or participation in the program will be denied.
Eventually, every provider or facility will be required to comply with HIPAA in one fashion or another. It is best to be proactive and make plans now to incorporate all the elements of compliance into your current office procedures. The questions and concerns regarding HIPAA remain confusing; some mandatory compliance issues are clear; and others will be tested in various court rulings and HHS regulatory bulletins.
The most important thing for doctors of chiropractic to be aware of is that HIPAA is very real, relevant and required for all health care providers to comply with and incorporate into their practice procedures. To do anything less would be a mistake.
1. PracticeMakers Products. The Form & Sample Letter Book. The Foundation for Chiropractic Education and Research, Norwalk, Iowa.
Louis Sportelli, DC