Q: |
Why should I do any of this? This is the first I've heard of
it. Why hasn't my state association or the government told me about it?
|
A: |
HIPAA was originally signed into law in 1996, and now we are
approaching the dates by which the Administrative Simplification, Privacy, and Security
aspects of the law will begin to be enforced. HIPAA affects all healthcare providers in
all specialties, including medical, dental, pharmacy, chiropractic, home health,
hospice, etc. It also affects health plans as well as providers. Other specialties (such
as medical) have been aware of HIPAA for the past 18-24 months; however, the primary national
conduits for communicating legislative information to the dental market are only now starting
to give visibility to HIPAA.
We've been working on HIPAA for the past few months, and are bringing it to your attention
because it is an issue that you need to be aware of and that you need to take action on. The
government has called HIPAA the new "standard of care" for providers, meaning that all
providers like yourself will need to take the steps necessary to bring yourself into line with
the new "standard".
|
Q: |
They'll never enforce it anyway; it's just like OSHA.
|
A: |
HIPAA is not comparable to OSHA from an enforcement perspective.
The Office of Civil Rights (OCR), which is part of the Department of Health and Human Services
(HHS), is responsible for enforcing HIPAA. The government made OCR the designated enforcement
body for HIPAA because it has the resources and ability to enforce it.
Because HIPAA ultimately gives patients "ownership" of their personal health information, and
because providers will be required by law to notify patients of their rights under HIPAA,
patient awareness and concerns will drive enforcement.
|
Q: |
I've heard that the government is going to abolish HIPAA.
|
A: |
To the contrary. A June 17, 2002 US District Court ruling
upheld HIPAA, dismissing constitutional and statutory challenges. In its March 21, 2002
Notice of Proposed Rule Making (NPRM), the Department of Health and Human Services proposed
modifications to the privacy rule. While certain rules were relaxed, others were strengthened,
and HHS explicitly reiterated the importance of protecting patient information and its
intention to implement HIPAA.
|
Q: |
What are the penalties if I am out of compliance with the law?
|
A: |
Penalties start at $100 per person per infraction. They can run
as high as $250,000 if a provider sold Protected Health Information for marketing purposes.
The $100 fines can add up quickly. For example: If three people are using a process that is
out of compliance five times a day for five weeks, the potential exposure for their practice is
3 x 5 x 5 x $100 = $7,500
|
Q: |
What are the deadlines for compliance?
|
A: |
Each section of the regulations has separate enforcement dates. It
is important to remember that HIPAA is the law of the land today. HHS has, however, recognized
that compliance is a significant undertaking and has allowed a transition period. The last dates
for compliance are:
- Transactions - October 16, 2002
- Privacy - April 14, 2003
- Security - Not yet finalized. Final rules are expected Fall 2002, with compliance required
2 years following publication of final rules.
It is also important to remember that some portions of Security are required to effectively
implement Privacy. In general, all three parts of the law are closely linked, so it's important
to have a baseline understanding of all three to effectively implement one portion by itself.
|
Q: |
I'm not going to do anything until all the changes are done and
we're closer to the compliance deadlines.
|
A: |
HIPAA will never really be "finalized," and changes will continue
to be made. HHS has repeatedly shown a willingness to modify the rules to reflect actual
implementation issues. As the industry gains additional experience with the practical aspects of
HIPAA implementation, expect a series of small changes to accommodate specific issues.
Although industry pressured Congress to allow an extension of the transaction deadline, there is
no indication the privacy deadline will be extended. It will take several months of calendar time
to become compliant, and an early start is to your advantage.
|
Q: |
Can we still have sign-in sheets?
|
A: |
Absolutely. However, in the interest of patient privacy, it is
prudent to put the absolute minimum information on them (patient name, date, etc.). Any
additional information you might need to collect, such as reason for visit, other condition,
or treatment-specific information, could be requested on a separate short form that is put in
the patient's record and treated as Protected Health Information.
|
Q: |
Someone told me we can't even call patients by name when
they're waiting in line.
|
A: |
Not true. The July 2001 Guidance from HHS indicates "Covered
entities (i.e. providers) must provide reasonable safeguards to avoid prohibited disclosures.
The rule does not require that all risk be eliminated to satisfy this standard." Patients may
be called by name (unless they request not to be) when waiting, but again, discretion and
minimum necessary considerations should be followed. In other words, while it is permissible
to call a patient by name, it would be inappropriate and contrary to HIPAA to call out the patient's
name together with the treatment they are to receive.
|
Q: |
Is it OK to publish treatment schedules in the office?
|
A: |
It is permissible to publish patient directories and treatment
schedules, but, as with all Protected Health Information (PHI), patients must be protected from
inappropriate disclosure. What this means is that the lists should be posted in a place
inaccessible to casual observers (inside a cabinet door or in a staff-only break room or other
office area to which patients do not have access). Such lists should not be posted in plain view
of patients.
|
Q: |
I've heard that I need to change my office design and put new
walls or partitions in my open areas so patients cannot overhear other patient/doctor
conversations.
|
A: |
Not true. In response to a similar question, the July 2001
Guidance from HHS says "Covered entities (providers) must have in place appropriate
administrative, technical, and physical safeguards to protect the privacy of PHI... The Department
does not consider facility restructuring to be a requirement under this standard." This means
that HHS has said that providers need to be prudent in how they conduct conversations in open
areas, but they do not need to add partitions or remodel.
|
Q: |
What about conversations between patient/doctor or any member of our staff in open areas?
|
A: |
The privacy rule states that Protected Health Information (PHI)
should not be disclosed inappropriately through conversation. Conversations between provider and
patient (or a consulting physician or staff member) should be held in such a manner as to minimize
release of information to casual listeners. The March 21, 2002, NPRM clarified further by proposing
a rule change whereby disclosure of snippets of conversation would not be considered inappropriate
disclosure. Bottom line: Keep your voice down, use common sense, and move sensitive conversations
to an area with less traffic.
|
Q: |
Can we still send recall cards, thank yous, appointment reminders, etc.?
|
A: |
Sure. However, any visible information should exclude details
related to specific treatments (past or future) or financial issues. In other words, it is OK
to send an appointment reminder that indicates an upcoming appointment (no description of a
specific treatment). But if specific dates or treatment details need to be communicated, the
reminder should be put in an outer, plain envelope that only has the provider's name and address
information. It is equally inappropriate to put "2nd Notice" on the outside of a request for
payment.
|
Q: |
Will we need to keep our files closed and locked all day so other people can't see them?
|
A: |
If your file cabinets are in areas where patients are present without
regular and fairly constant staff supervision, the files should be locked. If, however, the files
are inaccessible to patients and passers-by (separate locked room or behind a staffed reception
desk), there is no need to lock the cabinets during the day. When the receptionist leaves, and at
the end of the workday, the cabinets should be secured.
|
Q: |
How much time will it take me to do this?
|
A: |
HIPAA is an ongoing issue, requiring a change in workplace culture
to be effectively implemented, as well as numerous regulatory changes over time. For a small
office, expect to spend 20-40 hours over 2-3 months to become compliant; larger offices can
expect to spend significantly longer.
HIPAA is a journey, not a destination; practices must also stay informed on the changing
regulations and reflect these changes in their policies and procedures. HIPAA is here to stay
and represents a new way of thinking about Protected Health Information, as well as a new
Standard of Care for providers.
|
Q: |
I just went to a free seminar on HIPAA last week. Why should I spend money on your solution?
|
A: |
Free seminars are a great way to get some background on the law
and a general understanding of how compliance affects you. After the seminar, use HIPAANow!
to give you the detailed step-by-step approach to help make your practice compliant.
|
Q: |
The ADA has a product that they said gives me all the information I need for $125.
|
A: |
That's a bit misleading. HIPAANow! provides step-by-step
instructions for all three aspects of the law: Electronic Transactions, Privacy, and Security.
This is critical, because all three are closely linked, and you must have a baseline understanding
of each to effectively implement any one of the three. The ADA solution only covers the privacy
aspect of the law, and has no information on security or electronic transactions. This means
that in order to effectively implement HIPAA you also need to purchase another product for
security and electronic transactions or determine how to make yourself compliant on your own -
no small task. HIPAANow! also includes the opportunity to get training in a variety of ways
(self-paced, in-person seminars, or teleconferences) as well as toll-free dedicated customer
support and monthly updates delivered to your desk. It is designed to give you all the tools
and support you need to make HIPAA compliance, in the words of our customers, "seem like a
cakewalk."
|
Q: |
How many people can go to the seminar when I buy HIPAANow!?
|
A: |
A purchase of HIPAANow! gives you one seat in a
seminar. Additional seats are available for $150 per person.
|
Q: |
How do I buy it and get signed up for a seminar?
|
A: |
I can help you with that right now - can I get the name of your
practice/pharmacy?
|
Q: |
What makes HIPAANow! different from other products?
|
A: |
Ease-of-use, support, and completeness. HIPAANow!'s
unique, step-by-step approach is at the core of the solution. Our support begins with live
seminars and teleconferences to provide the critical information you need to begin your
compliance efforts. Support continues with a toll-free help line and monthly newsletters to
keep you up to date on the latest changes to the law. HIPAANow! provides a complete solution,
examining all aspects of the law, along with tips on how HIPAA compliance can benefit your
practice. It is the most comprehensive, easy-to-use, and cost-effective product available.
|