On the Pulse  |   February 01, 2002
The HIPAA Privacy Rule in Everyday Life
Author Notes
  • Becky Sutherland Cornett is a compliance officer at The Ohio State University Medical Center in Columbus. She is an ASHA Fellow. Contact her by email at Cornett-2@medctr.osu.edu.
The ASHA Leader, February 2002, Vol. 7, 2-22. doi:10.1044/leader.OTP.07022002.2
Health care providers around the country are preparing in various ways, and at different paces, to comply with federal Standards for Privacy of Individually Identifiable Patient Information (the “privacy rule”), part of the administrative simplification provisions of the 1996 Health Insurance Portability and Accountability Act (HIPAA). Other components of HIPAA include the electronic data interchange rule—for which Congress recently postponed the compliance date to Oct. 16, 2003—and further regulations now under review. The final compliance date for the privacy rule is April 14, 2003, but clinicians in all settings should be preparing for it now.
The U.S. Department of Health and Human Services’ Office for Civil Rights is responsible for implementing and enforcing the HIPAA privacy rule—the first national standards for protecting health information. The rule is the result of increasing public concern about the use and disclosure of health and other information as technology makes access to all types of records much easier. The rule is intended to protect and enhance the rights of consumers regarding their health information, control the inappropriate use of health records, and improve the quality of health care in the United States by restoring trust in the health care system. The five basic principles of the regulation are:
  • Consumer control. Patients have new rights to control the release of their medical information.

  • Boundaries. With few exceptions, a patient’s health information should be used for health purposes only; other uses must be kept to the minimum necessary for a specific purpose.

  • Accountability. There are specific federal penalties for violating the privacy regulations, ranging from a $100 fine per violation for disclosures made in error up to $250,000 and 10 years in prison for malicious use of records.

  • Public Responsibility. Standards are provided regarding how information should be released for public health, research, fraud and abuse investigations, and quality assessment purposes.

  • Security. Health care organizations must establish clear procedures to protect patients’ privacy.

Preparing for the Privacy Rule
All “covered entities” must comply with the privacy rule—as well as with other HIPAA regulations—regardless of size, from the largest hospital to the smallest private practice. However, compliance procedures for speech-language pathologists and audiologists will vary by their setting and its size.
Many administrators and clinicians are overwhelmed by the numerous requirements of the privacy rule, but it is navigable, and even reasonable, when attempted in small steps. The logical progression of preparation activities includes reviewing the regulations, conducting a risk assessment and gap analysis, developing a remediation plan, writing/revising policies and procedures, providing education to all employees, and continuous auditing and monitoring. Essential HIPAA privacy preparation activities include:
  • appointing or hiring a privacy officer to oversee all activities related to implementing and monitoring compliance with the privacy rule

  • defining the organization’s workforce (employees, volunteers, trainees, and others under the direct control of the organization) and business associates (with whom formal agreements will be required to assure appropriate safeguards of transmitted health information)

  • preparing a notice of privacy practices to inform patients about how the organization uses and discloses protected health information (the rule specifies required elements)

  • assessing the organization’s capability to comply with a patient’s requested restrictions on access to their records

  • reviewing policies related to patient access to their own records

  • reviewing the process for allowing patients to request amendments to their records

  • establishing “opt out” provisions so that patients may decline to be listed in facility directories (admission lists) and marketing and fundraising communications

  • developing a procedure for addressing patient complaints about the use and disclosure of health information

  • preparing a consent (which can be part of the general consent for treatment, but the language must be visually separated from other portions of the organization’s consent form and must include a separate signature line—the rule specifies required elements) for the health care provider to use and disclose health information for treatment, payment, and health care operations

  • establishing a procedure for securing individual authorizations for all disclosures of health information that do not meet the criteria for treatment, payment, or health care operations

  • establishing an accounting procedure (i.e., a log) to provide to patients upon request that lists all persons or organizations to whom health records have been disclosed other than for treatment, payment, and health care operations

  • determining what protected health information is the minimum necessary needed by all employees (by job category and duties)

  • establishing procedures for meeting requirements for marketing and fundraising activities (internal fundraising personnel can learn only an individual’s demographic information and dates of health services)

  • understanding the rules for uses and disclosures of information for research purposes (In general, individual authorization must be obtained unless a waiver of authorization has been received from the Institutional Review Board or a Privacy Board, or patient information has been de-identified according to requirements found at 164.514(b) of the rule.)

For many organizations, success in HIPAA compliance will require a culture change, best taken in small but firm steps. Over the next 15 months, we will all have to “wade” through the technicalities and incorporate required practices into everyday life. If we put ourselves in the role of patient or client, it will be easier to understand why it’s important that we observe an increased level of protecting health information.