Health Insurance Portability and Accountability Act

Explained by Raymond F. Posa, MBA
Technology Advisor to the
American Academy of Podiatric
Practice Management,
President, R. Francis Associates 

HIPAA in Black and White
(Volume 16)

In past articles we discussed HIPAA and its shades of gray. In this article I will talk about a very clear-cut piece of HIPAA that will affect all practices on a daily basis.

Beginning April 14, 2003, you must provide a Notice of Privacy Practices to all new patients and to all existing patients on their next visit after April 14, 2003.

The HIPAA regulation requires you to have a Notice of Privacy Practices written specifically for your practice.

The HIPAA regulation requires that you post the Notice of Privacy Practices prominently in the patient waiting area and on your website, if you have one.

The HIPAA regulation requires you to provide a copy of your Notice of Privacy Practices to your patients, both new and old.

The HIPAA regulation requires you to have the patients sign a Patient Acknowledgment form for receipt of the Notice of Privacy Practices. If the patient does not wish to sign the form, then your staff must make a notation of that in the patient’s chart. These Patient Acknowledgment forms must be kept on file for six years.

The first part of HIPAA went into effect in October of 2002 and pertained to electronic billing. This had very little effect on day-to-day operations; it was more a matter for the software companies and the clearinghouses. All the practice had to do was get a written compliance letter from their software company or file for an extension.

The Notice of Privacy Practices, however, will affect your daily workflow by causing a bit more clerical work. What you need to watch out for is that failure to comply with this is a punishable offense under HIPAA. Does anybody remember when HHS said that they are not going to do random audits of practices but rather that enforcement will be complaint driven? Well, here it is, the first chance to generate complaints against a practice. The Notice of Privacy Practices requires as one of its components the address for HHS, so that patients can file complaints. Just think what kind of havoc this could cause: a patient who has a problem with your practice now has an instrument with which to inflict misery upon you. When HHS gets a complaint, that opens the door for them to come and take a look at your practice and check for your HIPAA compliance manual, your Policy and Procedures manual and any other possible HIPAA violations. With over 3000 newly hired investigative agents in HHS, it would be prudent for every practice to make sure that they have their HIPAA compliance well under way.



HIPAA Silver Linings
(Volume 15)

We have probably all heard the expression that every cloud has a silver lining. I would like to relate to you a HIPAA story with a silver lining. My company had been working with a doctor’s office on putting together a HIPAA compliance manual. During the course of the surveys, one of the survey questions sparked a discussion. The question was, “Do you have a practice contingency plan?” When we delved into it, it created a lot of thought. What do you do if there is a catastrophe and your office becomes unusable? How do you continue to treat your patients?

As fate would have it, this doctor had a fire in his office just before Christmas, rendering the office unusable. What we discovered is that the key to continuity of service is having relationships with key vendors. When you have an emergency like this, you need vendors who will treat your situation as if it were their own. Looking through the phone book for companies who can respond immediately can really be an exercise in futility. Some of the key vendors to have a relationship with are: phone system consultant, computer consultant, office equipment supplier, drug representatives, and insurance agent, among others. This is an extremely stressful event, and having to go through a phone book to find key contractors will only add to the stress. By having established relationships, you have companies that already know your needs and can hit the ground running. In this case, we were able to get the office moved into temporary quarters (in a neighboring doctor’s office) the next day, and he was able to see patients, with his own computer system and phones in place.

When a lease was signed on a new temporary office, again all of the vendors came to the rescue and had the new office set up in a week. It was truly a phenomenal sight, and so uplifting to see people really coming to the aid of a friend in need.

Some important things that we saw were:
1) Having a remote computer server for the office software meant that there was no disruption to the other offices that are part of this practice.
2) There was no danger of potential loss of data, because the server was safe in a remote location.
3) Continuity of service: employees were able to access patient data from their homes to continue billing activities and to call patients for scheduling.
4) We saw the most serious problem with paper charts. Had the fire made it to the back file room, the charts would have been lost. This really highlights the need for Electronic Medical Records (EMR). Also, when temporary operations began, an employee had to be used as a runner to go back and forth to retrieve the charts from a storage area.
5) Phone provider: There are a lot of discount telephone service providers, some of which are just resellers. In this case, moving the phone lines to a new location was complicated and made much more difficult because we were not dealing with Verizon directly.

This turned out to be an excellent learning experience for all involved. It also drove home the importance of having a contingency plan. The plan should be a playbook. It should have the contact information for key vendors, and phone numbers and account numbers for your utilities. It should have all of your employees’ home phone numbers, and it should have your insurance agent’s phone number and your policy information.

Having all the key information in one handy book can really remove a huge amount of stress. Once you have developed your contingency plan, you also need to make sure that it is kept up to date. Having a contingency plan with outdated information is probably more frustrating than not having any information at all.


The HIPAA Top Ten List - The Top Ten False Assumptions About HIPAA
(Volume 14)

1) HIPAA requires me to lock my medical records in a vault or behind iron bars.
2) HIPAA requires total patient anonymity; we should never utter a patient’s name in public.
3) HIPAA is set to expire in February 2003.
4) HIPAA doesn’t apply to my office because we don’t do electronic billing.
5) HIPAA doesn’t apply to us because we are a single-doctor practice with fewer than 15 employees.
6) HIPAA doesn’t apply to Podiatrists.
7) HIPAA requires me to spend tens of thousands of dollars to comply with its mandates.
8) HIPAA compliance is easy to do with an off-the-shelf manual.
9) HIPAA is a one-time effort and then we are done.
10) HIPAA is the big brother of the African pygmy hippo.

It is amazing the number of rumors that exist about HIPAA. There has been a multi-year effort undertaken by the government to disseminate information about HIPAA, yet the rumors persist. Some of the rumors are based in wishful thinking, others are a “doom and gloom” scenario, and some are just self-serving rumors put out by companies looking to cash in.

I recommend that every doctor and HIPAA compliance officer spend an hour at the government HIPAA web site (http://www.cms.hhs.gov/hipaa/). This will give you answers right from the horse’s mouth. We also encourage the use of open forums such as FootZine to get answers to your questions from qualified experts. Remember, your questions are probably the same questions on the minds of your colleagues, so please ask. The single biggest thing to remember about HIPAA is that it is real, and enforcement and penalties begin April 14, 2003.


HIPAA in All of its Shades of Grey
(Volume 12)

Whenever you bring together independent committees of bureaucrats to write rules and regulations to cover an industry as diverse as the medical field, and have one set of rules apply to all, you end up with laws that are shades of grey at best, and everything is open to interpretation.

By its very nature, in order to apply to all fields of medicine, HIPAA is very general. There are very few items in the regulation that state specifics, and that is causing so much confusion and frustration for doctors.

One item that comes up time and again is that of the patient sign-in sheet. Can we use it, should we use it, is it banned by HIPAA? I had the opportunity to speak to Kevin West, Esq. (Kevin West wrote the HIPAA Privacy Manual for the APMA) about sign-in sheets. He agreed that HIPAA does not say you cannot have a sign-in sheet; he suggests that if you do use a sign-in sheet, you only have minimal information on it (name and time). The other thing that you have to take into consideration is the nature of your practice. If you are a Podiatrist and you have Mrs. Jones sign in and then call her in for treatment from the waiting room, do you really divulge any sensitive patient information? Of course the answer is no. Now take the same set of circumstances and, instead of a Podiatrist, say you are a drug rehab center. That same innocuous information can now cause huge problems for the patient.

The key thing to remember about HIPAA is that there is no “one solution fits all”. The APMA contracted with Kevin West’s law firm to put together a HIPAA Privacy Manual for its members. It is an excellent reference source, but as Kevin points out in his lectures, it is only a starting point. There is no HIPAA “compliance in a can”. You will be inundated with HIPAA solutions from companies offering HIPAA products. The most important thing to remember is that there is nothing you can purchase by mail or over the Internet that will make you HIPAA compliant. The best you can do is buy pieces of the HIPAA compliance puzzle and assemble them into a coordinated compliance effort for your practice. The key in any compliance effort is that it has to be specifically tailored to your practice. Buying an off-the-shelf solution can actually do more harm than good, by lulling you into a false sense of security. Your compliance manual and your policy and procedures manuals must be written for your practice. Off-the-shelf manuals can be used as a starting point, but you still have to tailor them for your practice.

One of the best ways to get a good start on your compliance effort is to use an outside consulting firm. They can set up all of your base-year manuals and establish a good foundation for you to work from, help train your compliance officer, and get you started on the road to HIPAA self-sufficiency. Once the first-year compliance manual and policy and procedures are set up, then it’s just a matter of maintenance thereafter.

HIPAA Horror Stories
(Volume 8)

This article probably should have come out around October 31, because these stories are not only scary but true.

The first story involves the billing staff of a surgeon’s office. During the course of billing for a surgical procedure, this billing office proceeds to mail not only an invoice for the amount due them that was not covered by insurance, but also a copy of the insurance EOB they received, showing how much they are getting from the insurance company. This would have been all well and good except for the other eight patients whose information was also on the EOB. This violation of patients’ privacy is obvious, I would hope.

The second story involves a family practice group who, in the course of trying to collect money due for treatment, called and left a very detailed message on an answering machine, describing the date of service, treatment, social security number, patient’s name and amount due. Leaving such a detailed message on an answering machine is also a serious violation, and it was compounded by the fact that they called the wrong number and left the message on the wrong answering machine.

The final story involves a dentist’s office. The ladies in the office were so proud of their office’s computer system. They were showing their patient check-in system. It was a beautiful 17” LCD touch-screen monitor on the front counter. There it proudly displayed all of the patients for the day, with their name and picture. The patients come in and touch their picture and then the month of their birth and it checks them in. Very nice technology, but have they ever heard of HIPAA or patient privacy?

I would hope that everyone sees these incidents as gross violations. The real problem, however, is that none of these three were even aware of HIPAA or its requirements. One of the office workers even thought that HIPAA had been postponed and probably would not pass into law.

It is really amazing that, with all of the news about HIPAA, there is so much misinformation.
HIPAA is real and it is here to stay. I would hope everyone has met his or her October 16 deadline for EDI compliance or filed for the extension. The next portion of HIPAA, enforcement of the Privacy Rule creating national standards to protect individuals’ medical records and other personal health information, begins April 14, 2003. There are no extensions, and compliance is mandatory. Penalties for noncompliance include not only fines but also expulsion from the Medicare program.

Best advice is to begin work on your compliance manual now; also start working on new policy and procedures manuals, and train your staff on the new regulations and requirements.


HIPAA Policies and Procedures Manual
(Volume 5)

In the last few articles we looked at the history of HIPAA and the "why"s of HIPAA. Now I’d like to cover some of the substantive issues in HIPAA. The most critical aspect to complying with HIPAA is to have in place a good policy and procedures manual. The manual should coincide with the HIPAA regulations and all employees must be trained on the new office policies and procedures (required by HIPAA).

Most practices have in place an employee handbook. The handbooks tend to spell out to employees their rights and responsibilities. The policy and procedure manual will describe the plan for day-to-day operations with an eye on HIPAA compliance. By integrating compliance into all of your day-to-day functions you then make compliance a habit.

Having done several HIPAA audits for practices, I have found that many practices already have good policies and procedures in place but just don’t have them written into a formal plan book.

The best way to integrate your current methods of operation into a policy and procedures manual is to have your compliance officer (yes, you do need to appoint someone within your organization as the compliance officer, and it must be on record) do a HIPAA compliance survey. The responses to the survey will be the foundation for your policy and procedures manual. Your HIPAA survey can be from one of the off-the-shelf handbooks being put out by many organizations, or it can be from a HIPAA compliance software tool.

Your policy and procedures manual can be organized by HIPAA categories, e.g. contingency plan (section 380(a)(3) of the regulation). Some of the requirements under this section are: do you perform data backups; do you test and verify your backups; do you store backups off-site. Most of you probably already do this, but just don’t have it in writing. The other thing to remember is that even though there are hundreds of items to comply with in the HIPAA regulations, one policy, e.g. on your data backup and recovery procedures, can address a dozen or so specific regulation items. In truth, if your policy and procedures manual is well written, it will not only fulfill your obligation under HIPAA for this manual, but it will also make HIPAA simpler to understand for your employees and make compliance a less formidable task.


How Does My Practice Comply with HIPAA?
(Volume 1)

I just bought this great HIPAA Compliance manual off the Web. Now I am covered, right?
Well, no. Any off-the-shelf HIPAA manual is going to be generic; your compliance manual needs to be specific to your practice. The ready-made manuals are a starting point; they will help guide you and make you aware of the aspects of HIPAA that you will need to address in your practice. Some of the compliance manuals are logbooks for you to record incidents and events, and may get you by in the short term.

Some manuals are a type of checklist, asking yes and no questions. Don't be fooled into thinking that an answer of yes to a question is enough. Have a full explanation of why you are compliant or why you are not. Then, for every question on which you are not compliant, have a written response as to how you will address the shortcoming. Keep a log for each issue to document the progress you are making on it.

One of the critical aspects of HIPAA compliance is to document everything and provide audit trails. Compliance is going to involve quite a bit of up-front labor to get everything in place, but after the initial implementation is done the ongoing maintenance will not be too onerous.
This seems like a lot of work, but think of it as a parachute. You may never need it, but when you do, nothing else will do. The same applies to your HIPAA compliance: if you ever run afoul of the regulations, there is nothing short of outstanding documentation that will do.

In this age of electronic automation, there is no reason to keep your compliance information in a ledger or notebook. There are several good HIPAA software tools that make the compliance procedure easy. Some of the things to look for are: first, complete gap analysis surveys. These will lead you through the HIPAA regulations and make sure you address all of the regulations that apply to your practice. Second, it should have mitigation tracking. In the areas where you are not compliant, you want to be able to state your remedies and track their progress until you reach compliance on those issues. Third, you will want to have an incident-tracking log. You want to be proactive and be able to show that when incidents do occur you are on top of them and have addressed the issue in a timely manner. Finally, it should have full report capabilities. You will be collecting a large amount of data; you want to be able to extract the information in a meaningful way. This will also make reporting and documenting for Government agencies a snap.

Finally, many of these regulations are broad in their scope and the key to limiting your liability is to be able to document a good faith effort to comply with the regulations. There will be no one solution to any of these compliance issues. As long as you can justify your approach and document it, you will significantly reduce your risk.

By: Raymond F. Posa, MBA
Technology Advisor to the American Academy of Podiatric Practice Management
President, R. Francis Associates


Any questions or comments can be addressed to Mr. Posa by E-mail Rposa@Rfrancis.com

Or you can go to WWW.NJHIPAA.COM for detailed information on HIPAA.


Copyright 2002-2006 FootZine.com, Gayle S. Johnson.
All Rights Reserved