Don’t expect another delay. The privacy component of the Health Insurance Portability and Accountability Act (HIPAA) will take effect on April 14, 2003, and by then, your practice should have made a good-faith attempt to be ready. HIPAA requires, among other things, that you safeguard patients’ individually identifiable information (also referred to as protected health information or PHI) by restricting access to it and seeking patient permission to disclose it in certain circumstances. Some (but not all) of the safeguards can be established with the forms that appear on the following pages.
Notice of privacy practices
HIPAA legislation grants patients several new rights, among them greater access to and control over their medical records. (To learn more about HIPAA, see “The HIPAA Privacy Rule: Answers to Frequently Asked Questions,” FPM, November/December 2002, page 35 and the box on page 30.) Organizations considered covered entities under HIPAA are mandated to inform patients of the new privacy rights and their privacy policies and procedures (to determine whether you’re a covered entity, go to www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp).
To comply, you’ll need to develop a Notice of Privacy Practices and provide it to your patients at the first office visit after April 14, 2003 (or earlier, if you have it ready). HIPAA also requires you to obtain patients’ written acknowledgement that notice has been received and file the acknowledgement in the patient record. A patient’s refusal to sign the acknowledgement should be documented and filed in the patient record. The sample Notice of Privacy Practices provided with this article is intended as a guideline only and should be tailored to reflect your practice policies and your state’s privacy laws. State privacy laws should continue to be followed if they are more stringent than the HIPAA regulations.
Fortunately, the HIPAA privacy regulations do not require you to obtain patients’ consent to use their PHI for routine disclosures, such as those related to treatment, payment or health care operations (TPO). However, the regulations do mandate that you obtain written patient consent before releasing their information for any reason other than TPO (e.g., disclosure of psychotherapy notes). To comply, you’ll need to identify situations in your practice where special authorization is needed (see page 31 for a list) and develop an authorization form for patients to sign. The sample authorization form can be adapted for use in your practice. A signed copy or documentation of the patient’s refusal to sign should be retained in the patient record.
To learn more about HIPAA, visit:
American Academy of Family Physicians (https://www.aafp.org/practice-management/regulatory/compliance/hipaa.html)
American Medical Association (www.ama-assn.org/ama/pub/category/4234.html)
Department of Health and Human Services (www.hhs.gov/ocr/hipaa)
Patient consent form
Although not specifically required by HIPAA, you may also want to consider using a Patient Consent Form in your practice. A consent form specifies methods by which a patient agrees to let your practice use his or her protected information for routine TPO purposes. Should a patient complain that his or her privacy rights have been violated, a consent form may afford you an extra measure of protection if your practice is investigated for HIPAA noncompliance.
FPM article series on HIPAA
This article is part of a series designed to educate and prepare family physicians to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Any practice, hospital or health plan in the United States that electronically transmits patient-identifiable health care information must comply with the HIPAA regulations or face civil and criminal penalties.
The forms provided here represent only a few of the new administrative measures HIPAA will require. There are other forms (e.g., a business associate agreement) and more work to do by April 14, 2003. If you need help, both the AMA and the AAFP offer affordable, step-by-step guides to implementing the privacy rule (see www.ama-assn.org/ama/pub/category/8910.html or https://www.aafp.org/online/en/home/practicemgt/regulatory-compliance/hipaa.html for more information).
Don’t delay, but don’t panic either. The government realizes that full compliance takes time. Perfection isn’t expected, but a reasonable effort to comply is. You still have about 90 days. Granted, it’s not much time, but it’s enough to get you where you need to go.
SITUATIONS REQUIRING PATIENT AUTHORIZATION
Under the HIPAA privacy rule, your practice must obtain patient authorization to use patients’ protected health information (PHI) for reasons other than routine treatment, payment or health care operations, including:
To disclose PHI about a patient to a third party (i.e., a life insurance underwriter);
To market products or services except if the marketing communication is face-to-face with the patient or it involves the provision of services of nominal value;
To raise funds for any entity other than your practice;
To conduct research, unless your practice has signed a waiver approved by the Institutional Review Board for the use and disclosure of PHI or has de-identified PHI;
To disclose psychotherapy notes, unless disclosure is required for law enforcement purposes or legal mandates, oversight of the provider who created the notes, use by a coroner or medical examiner, or avoidance of a serious and imminent threat to health or safety.
Copyright © 2002 Gates, Moore & Company. Used by permission.
Note: You should also consult with advisors (e.g., your state or local medical or specialty society, or legal or other counsel) familiar with your state’s privacy laws.
Editor’s note: The forms provided in this article have been adapted from the AAFP’s Health Insurance Portability and Accountability Act (HIPAA) Privacy Manual: A How-To Guide for Your Medical Practice.