In the SearchSecurity.com on-demand webcast HIPAA: Where are we and where are we going, speaker Hal Amens provides insight into where the Health Insurance Portability and Accountability Act is headed and how you can approach compliance in this
- Talk with other local practices to find out what they are doing. There is lot of bad information out there so check everything for "reasonableness." If it doesn't sound reasonable, check with others and see it they are doing it.
- Check to see if other practices have privacy policies and procedures you can tailor to your office. Associations sometimes provide them (the ADA has a checklist but no polices that I could find.) A client of ours got a good set from a law firm that was using them to expand their practice. You will have to have policies and procedures and follow them. They include things you might not think of such as patients' rights of access to information.
- Handle patient information in you office in ways that will not disclose specific information to other patients. A sign-in list is OK as long as you do not have a "reason for visit" column.
- The simplest way to handle insurance billing will probably be to use a clearing house that is HIPAA compliant. There are some small-practice computer systems that may be worth considering.
- Be sure your patient records are secure from accidental disclosure or snooping during office hours and are locked up after hours. If your computer is online, be certain it is secure.
- Particularly with regard to privacy -- the deadline to be compliant is April 14 -- you need to develop a plan and work it so you can demonstrate "good faith" if you encounter any problems. It won't get you off the hook, but will minimize your risks. If you did not file for an extension for transactions by last October, technically you are in violation of that one. We are not attorneys, but we suspect a "good faith" defense will help here as well. If you will use a clear house, move to find one in a "reasonable" timeframe. If you plan to get your own computer system, develop a plan and work your plan.
- Check the Internet. A couple of sites I found quickly are the National Dental EDI Council and Dentrix.
Where do payments processors fit in with HIPAA? Processors may have access to patient information through flex spending or processing for pharmaceuticals promotions.
I am not familiar with payments issues around pharmaceuticals, but I suspect they are similar to payments issues for banks. HIPAA provides some exemptions from the regulations for payments. We understand that these were originally requested by the credit card companies for patient/doctor payments and by banks for the processing of checks. Neither credit cards nor checks contain patient information beyond the "minimum necessary" for payment. Payments by plans to providers require some protected healthcare information (PHI) to assure proper accounting for the payments. The prevailing opinions that we have seen argue that the exemption for payments processing no longer applies once there is PHI. We are not attorneys, but if we were dealing with attorneys, we would suggest they look at what is happening in banking. The Medical Banking Project is a great place to start.
Have you been involved with the Enterprise Resource Planning (ERP) concepts and how they approach handling the HIPAA requirements?
I have dealt with ERP but not in the context of HIPAA. There are special requirements for employers that would have to be supported by an ERP system -- specifically, very strong limitations on access to certain types of information. I would demand specific evidence of HIPAA compliance from any vendor or potential vendor. A place to get familiar with the issues is this article, What's the effect of HIPAA rules on employers?
Have you been involved with university requirements for HIPAA? If so, what are the best methods and approaches being followed to meet the federal requirements for HIPAA?
I have not dealt specifically with any universities, but I am familiar with some of the issues. I assume you are not talking about a university teaching hospital -- that raises even more issues. Most university systems are designed to provide faculty and students with easy access to the maximum amount of information. That creates significant privacy and security issues for information covered by HIPAA. Basically, the question is: How do you have two significantly differently cultures -- very open educational and very restricted healthcare -- resident in the same physical place at the same time.
Depending on the university's specific services, it may be a covered entity -- provider of services or an insurance plan -- or more like an employer or perhaps not even covered. Once you figure out the role for your particular institution, then the rules are -- to the best of our knowledge -- the same as for everyone else, except you have a high turnover of participants and the privacy and security issues noted above.
I would check with other members of some of you university's associations. One of the saving graces of HIPAA is that the issues are essentially the same for everyone. Once you know what needs to be addressed you can tailor the solutions of others to fit your needs. There are no "one size fits all" solutions, but there are solutions that can be tailored with substantially less work than starting from scratch.
For more information, visit these resources:
- On-demand webcast: HIPAA – Where are we and where are we going?
- Featured Topic: HIPAA update
- News & Analysis: Nailing down the basics on HIPAA
This was first published in April 2003