HIPAA Compliance in a Small Practice: First Steps

By Ronald L. Scott

This article first appeared in the November 2001 issue of Internal Medicine World Report, Vol. 16, No. 11. Reprinted with permission.

Recently finalized federal medical privacy regulations and upcoming security regulations present particular challenges to physicians practicing alone or in small group practices. This article presents a brief overview of the new privacy regulations and provides suggestions on how a small practice can begin to organize for Health Insurance Portability and Accountability Act (HIPAA) compliance.

The Department of Health and Human Services promulgated privacy regulations pursuant to a requirement in HIPAA. Physicians and other "covered entities" must comply with these regulations by April 14, 2003. Physicians must also comply with state medical privacy laws that are consistent with the federal regulations unless compliance with both federal and state laws would be impossible. Because state medical privacy laws may be more stringent than federal regulations in this area, physicians’ compliance plans should address both federal and state requirements.

Under the HIPAA regulations, physicians must make reasonable efforts to limit the use or disclosure of individually identifiable health information (protected health information [PHI]). The regulations make a distinction, however, between disclosures of PHI for treatment purposes and disclosures for other purposes. Disclosures of PHI for purposes other than treatment are subject to a "minimum necessary" disclosure standard.

The regulations only apply to "covered entities," which include health care providers, health plans, and health care clearinghouses. Where physicians disclose PHI to an entity not covered by the regulations (e.g., a software vendor), the "business associate" rules apply. Under these rules, covered entities must obtain from their business associates contractual assurances that PHI will be adequately protected, and if the business associate fails to comply with these obligations, the relationship could be terminated.

Covered entities are responsible for safeguarding PHI. A written privacy policy and procedures to protect privacy must be established. Employees must be trained in privacy protection. The regulations require that a privacy officer be designated to ensure that the procedures are followed.

The privacy regulations are part of the Administrative Simplification provisions of HIPAA. Another set of regulations (transaction and code set standards) that has been finalized will facilitate electronic exchange of health information. Regulations addressing the security of electronic data have been proposed, but have not yet been issued in final form.

Preparing for Compliance

What should physicians begin to do today to organize for HIPAA compliance?

First, they should designate a privacy officer, who could survey and assess the practice's existing policies and procedures concerning the maintenance and disclosure of protected health information.

When purchasing computer hardware or software for accounting, billing, or electronic medical records, physicians should consider whether the equipment or software is likely to be HIPAA-compliant. Although no computer software alone can ensure complete compliance with HIPAA, physicians should interview potential vendors and ask them to demonstrate compliance with HIPAA requirements.

Physicians should seek HIPAA compliance training for themselves and their employees. Professional organizations representing physicians and other health care providers should be encouraged to develop training programs and materials.

Physician Aids

Only a few states are making any real effort to help physicians and other health care providers comply with HIPAA. The Maryland Health Care Commission has developed A Guide to Privacy Readiness that other states could and should emulate. The guide includes an overview of the HIPAA privacy regulations, a discussion of the Maryland state law regarding privacy, an assessment guide and work plan, an illustrative business associate contract, a sample notice of privacy practices, and a computer and information usage agreement. Hospitals and health plans may have the financial resources and the need to develop costly HIPAA compliance programs. But HIPAA is intended to be scalable.

New Patients’ Rights Created

The Health Insurance Portability and Accountability Act (HIPAA) creates new and significant patients' rights. Except under emergency circumstances, physicians must obtain patients’ consent prior to using or disclosing patient protected health information (PHI) for treatment, payment, or "health care operations" (e.g., credentialing) purposes. The consent must be in writing using plain language. For other purposes (e.g., research or marketing), authorization must be obtained before disclosing PHI. The authorization requirement is more restrictive than that for consent, and is subject to different rules. For example, physicians may require a patient to sign a consent form as a condition of providing treatment; however, they may not withhold treatment because a patient declines to sign an authorization.

Written Notice

Physicians must give patients written notice describing how patient PHI will be used and disclosed. The notice must set forth patient rights and physician duties with respect to PHI. The notice must also include a grievance process enabling patients to file a complaint. Patients have the right to restrict the use and disclosure of their PHI. Physicians must accommodate reasonable requests by patients wanting to receive communications containing PHI by alternative means or at alternative locations. For example, a woman may wish to pick up the results of a pregnancy test (and any bill for such a test) at her physician’s office rather than have the results mailed to her home address.

Access Allowed

Patients have a right to access, inspect, and copy their PHI. Further, patients may request an amendment of their PHI, although physicians may deny the request if the PHI is found to be complete and accurate. Finally, patients are entitled to an accounting or audit trail for certain disclosures of their PHI made by physicians in the 6 years prior to the date of request. No accounting is required when PHI was disclosed to carry out treatment, payment, or health care operations.