To get an idea of the real risk HIPAA poses for doctors of chiropractic, take a look at www.hhs.gov/ocr/privacyhowtofile.htm — a Web site that describes how to file a Health Information Privacy Complaint with the Office for Civil Rights — online.
Any patient, or a relative or friend of a patient, can submit this complaint form. And if they do, it can result in a compliance review that could cost you time and money — unless you are prepared.
Because HIPAA regulations went into effect in April, you may think you have done all that is necessary to comply with the law.
But is your practice really ready? Maybe. As I’ve talked with healthcare providers during the last several months, I’ve found that many, if not most, have significant gaps in their HIPAA plans and documentation that could cost them plenty.
Most likely, you’ve taken the basic steps — distributing the newly-required Notice of Privacy Practices and having patients sign authorizations for releasing protected information.
Complying with the basics is important, but that still leaves many of the less-visible (but equally important) HIPAA requirements — particularly in areas involving staff and physician training, dealings with outside vendors, data and record security arrangements and documenting compliance over time.
In the event of a compliance review, the burden of proof of compliance will be on you. How do you prove you are following the rules? Document every step you take.
A compliance checklist
The following questions serve as a checklist to identify some of the more subtle but common compliance problems. Answering them will give you a pretty good idea of how your practice will look to an HHS inspector.
1 Does your practice have a designated privacy official?
The office manager usually takes this role. Keep in mind, though, that as the proprietor of a healthcare practice or business, you are the one on the hook for non-compliance. Make sure your privacy officer understands the entire scope of your HIPAA obligations.
2 Do you have an assigned person responsible for the security of protected health information (PHI)? Information systems need to be secure, and one person should be designated to maintain that security.
The person with that responsibility also is typically someone other than you. It can even be an outside consultant. Once again, though, you are responsible for their mistakes, so make sure you know what they’re doing.
3 Do you have written HIPAA policies and procedures in place? These documents should limit the use and disclosure of protected health information to the minimum necessary information required to accomplish the purpose of the use or disclosure.
This is a basic tenet of HIPAA that many practices fail to document, even though they comply with it in daily operations. Unfortunately, if you don’t commit your policies and procedures to writing, inspectors will assume you haven’t complied.
4 Do you have a policy concerning requests for disclosures of protected health information? Your written policy and procedure should state how to verify the identity and authority of the person requesting PHI. This is another area where many practices comply in practice, but fail to adequately document a policy and process.
5 Do you provide and document HIPAA privacy training? Every member of your staff needs to go through this training. HIPAA is intended to change the way healthcare workers handle information. That happens through training. Don’t forget to include your own training and that of other doctors you may employ, as you are the ones who communicate most with patients.
6 Have you identified all of your business associates? And do you have written business-associate contracts as required by the privacy rule? Billing services, suppliers, transcription services, ancillary service providers — everyone to whom you provide patient information may be a HIPAA business associate. You must develop agreements with all of them on how you will work together to protect patient privacy.
7 Do you have a formal, documented process for privacy complaints? It should address how complaints are received, acted on, documented and resolved. An inspector is going to want to know all the details of how you handled every complaint. A formal process ensures you’ve got the information in one place and that you’ve responded to every complaint.
8 Do you have policies to mitigate harm due to violations? In the event of a violation, you have a responsibility to minimize potential harm, such as asking for the return of records mistakenly sent to the wrong address. Your compliance plan is not complete without policies on limiting damages.
9 Do you have a written plan for policy and procedure change? How will you modify existing privacy policies and procedures, and how will you add new policies and procedures, so you can accommodate changes in the law or changes you make in your privacy practices?
Compliance is a moving target. Your plan needs a review and update process built in to keep it on the mark.
10 Have you identified the risks associated with electronic information transmittal? A risk analysis assesses the potential risks to electronic protected health information created, received, maintained or transmitted by your practice. Using that assessment, you take appropriate steps to reduce risk and maintain it at an acceptable level.
This is an area that many practices have neglected, in part because it requires sophisticated information technology skills. But it is an integral part of protecting patient privacy.
If you answered “no” to any of these questions, you will not be able to generate all the information you’ll need to respond to a HIPAA complaint — and you are not doing everything you should to protect your patients’ privacy. Don’t assume that because you have a small practice and know your patients that you are not vulnerable.
The time to correct these problems is now — before you receive a complaint.
Implementing an effective HIPAA compliance plan does take time and effort, and it will change the way you and your staff operate. But if one of your patients files a complaint, you’ll be ready.
Tom Speers is a consultant with HealthCare Information Solutions, Kalamazoo, Mich., and a developer of HIPAASays, produced by SaysSuite of Lincolnshire, Ill., www.hipaasays.com or 866-447-2279.
What your patients know …
Your patients are savvy healthcare consumers. Chances are great that they are aware of HIPAA’s privacy protections. So, what do they know?
With a quick search on the Web, they know where to go for information on HIPAA. Type in “HIPAA” on Google, and one of the first sites that appears is “HHS — Office of Civil Rights,” www.hhs.gov/ocr/hipaa/.
A click on that link takes you to the OCR home page, where consumers can download a fact sheet on their privacy rights. The fact sheet tells them, in plain language, the key provisions of the privacy rule, as it applies to patients. These provisions include:
• Access to medical records and the right to request corrections of errors and mistakes. Healthcare providers must provide access to records within 30 days (but may charge for copying records).
• Notice of privacy practices. Doctors and other providers must provide notice of privacy practices on the patient’s first visit and upon request.
• Limits on the use of personal medical information. Personal health information may not be used for purposes not related to healthcare. And patients must sign a specific authorization before a covered entity can release medical information to a life insurer, a bank, a marketing firm or another outside business.
• Prohibition of marketing. Patients are told that their personal information cannot be used for marketing purposes, but their doctor can communicate freely with them about treatment options and other health-related information, including disease-management programs.
• Confidential communications. Patients can request their doctors to take reasonable steps to ensure that their communications with them are confidential.
• Complaints. Consumers may file a formal complaint regarding the privacy practices of a covered health plan or provider. They can make these complaints directly to the provider or to the HHS’ Office for Civil Rights, which is charged with investigating complaints and enforcing the privacy regulation.
To file a complaint with OCR, the fact sheet alerts consumers to go to www.hhs.gov/ocr/hipaa or to call 866-627-7748. It gives detailed instructions on how to file a HIPAA-related complaint — either online, by mail or by fax.
Consumers know the law. Doctors should, too.
—Source: U.S. Department of Health and Human Services, www.hhs.gov/ocr/hipaa/.