HIPAA 101
PRIVACY Please!
The new HIPAA privacy regulations won't take effect until 2003, but we have some tips to help you better understand them and make sure you're in compliance.
BY ED GOERGES, San Marcos, Texas
DIGITAL IMAGERY BY ANTHONY CERICOLA
Surely you've heard about the new HIPAA regulations slated for 2003. So if this news has you worried, I have some information that I hope will help put your minds at ease. Knowledge is a great weapon. Arm yourselves with what I have to offer in this article, and you'll find the transition manageable.
It's going to happen
I've been reading, researching, and, together with my legal advisors, devising a strategy to help my company and the optometrists I work with on a daily basis comply with the Health Insurance Portability and Accountability Act (HIPAA). Each HIPAA presentation that I make around the country results in what has been called "The Deer in the Headlights" look. The general feeling is one of, "It'll never happen," or, "I'll just retire before April 14, 2003." The former has maybe a 50/50 chance and you shouldn't even consider the latter an option.
Coping with this mountain of regulations must first begin with a basic understanding of the components of HIPAA -- what is it, and who does it cover?
HIPAA components
HIPAA regulations consist of three basic components:
1. Health Care Transactions and Code Sets (HCTCS)
2. data security
3. privacy.
These three components apply to all "covered entities." And in case you're wondering what a covered entity is, it's:
- a health plan
- a healthcare clearinghouse
- a healthcare provider who transmits any health information in electronic form.
Are you a "covered entity"? Every optometrist I've met is.
The privacy rules will probably impact your practice the most, but first a word about the other components.
Health care transactions and code sets
The HCTCS regulations were scheduled to take effect October 2002 and were designed to standardize the formats used for transmission of electronic health data. In late 2001, President Bush signed into law a 1-year extension for the HCTCS requirements of HIPAA for any covered entity that submits to the Secretary of Health and Human Services a plan for how the entity will comply with the requirements by October 16, 2003.
The covered entity must submit the plan by October 15, 2002 and must include the following:
- an analysis of and the reasons why the covered entity isn't in compliance
- a budget, schedule, work plan and strategy for gaining compliance
- (if applicable) the entity's intention to use a vendor to assist in compliance
- a time frame for testing that will commence no later than October 16, 2003.
The law also requires that, as of this date, all covered entities submit claims to Medicare electronically only.
Data security
This regulation proposes standards for the security of individual health information and electronic signatures that covered entities use. The initial draft of the security standard was published in the summer of 1998. A final draft has been promised by the fall of 2002.
Learning about privacy
The HIPAA privacy rules became binding on April 14, 2001, and all covered entities must comply with them no later than April 14, 2003. The rules take up 500 pages of HIPAA regulations and are quite complex. Here are some cost-effective procedures.
Compliance concerns. How you must comply with the HIPAA privacy rules will depend on how you practice optometry.
Necessary legal documents. Find a law firm that already understands HIPAA and spend between 2 and 4 hours with them. Have the lawyer prepare two documents: a Notice of Privacy Practices and a Patient Consent Form. These are the foundation upon which the privacy rules are built.
Notice of Privacy Practices. This document provides patients with the required notice of the uses and disclosures you'll make of protected health information (PHI), or individually identifiable health information.
The Notice of Privacy Practices spells out the patient's rights and the provider's legal duties with respect to PHI. To satisfy this requirement, you must make a copy of the Notice available to every patient. This Notice will be different for every healthcare provider because each will use the PHI differently. Also, a provider who maintains a Web site that provides information about his customer services or benefits must prominently post his Notice of Privacy Practices on the Web site and make the Notice available electronically through the Web site. Every covered entity must at least include the following in its HIPAA Notice of Privacy Practices:
- plain language
- a header or otherwise prominently displayed statement in the Notice: "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."
- a description, including at least one example of the types of uses and disclosures of PHI that you might make for each of the following purposes: treatment, payment and healthcare operations.
- a description of each of the other purposes for which you're permitted or required by HIPAA privacy regulations to use or disclose PHI without the patient's written consent or authorization.
- if a use or disclosure for any purpose described above is prohibited or limited by a law other than HIPAA (e.g., your state's privacy laws), the description of such use or disclosure must reflect the more stringent law.
- a statement that other uses and disclosures of PHI will be made only with the patient's written authorization and that the patient may revoke such authorization.
- if you send patient appointment or recall reminders through your office staff or a business associate (a person or organization that's not a member of your staff and who has access to PHI), the Notice must include the following statement:
"Dr. _____ may contact you, either directly or through a business associate, to remind you to schedule an appointment with him. The appointment reminder contact may include marketing materials from various manufacturers or suppliers for products or services that are of interest to you. In addition, Dr. ___ may contact you, either directly or through a business associate, to provide information about treatment alternatives or other health-related benefits and services that may be of interest to you."
- a statement that the patient has the right to request restrictions on certain uses and disclosure of PHI. (You're not required to agree to the requested restriction.)
- a statement asserting that the patient has the right to receive confidential communications of PHI.
- a statement that the patient has the right to inspect, copy and amend his PHI.
- a statement that the patient has the right to receive an accounting of disclosures of his PHI.
- a statement that the patient, including one who has received the Notice electronically, has the right to receive a paper copy of the Notice upon request.
- a statement that you're required by law to maintain the privacy of PHI and to provide a patient with notice of your legal duties and privacy practices with respect to his PHI.
- a statement that you're required to abide by the terms of the Notice currently in effect.
- if you plan to make changes to your privacy practices in the future, then the original Notice must indicate that you reserve the right to change the terms of your Notice and explain how you'll make the changes available to your patients.
- a statement that the patient may complain to you or to the Secretary of the U.S. Department of Health and Human Services if he believes his privacy rights have been violated.
- the name, or title, and telephone number of the individual to contact for further information.
- the date on which the Notice is first in effect, which may not be earlier than the date on which the Notice is printed or otherwise published.
Patient Consent Form
You're required to obtain a patient's consent before using or disclosing PHI to carry out treatment, payment or healthcare operations. Give the Patient Consent Form to the patient along with access to your Notice of Privacy Practices. If the patient doesn't sign the Patient Consent Form, you're not required to treat her. The following are some of the items that you must include in your Patient Consent Form:
- plain language.
- notice to the patient that you may use or disclose her PHI to carry out treatment, payment or healthcare operations.
- a statement referring the patient to your Notice of Privacy Practices for a description of such possible uses and disclosures. It must state that the patient has the right to review the Notice before signing the Patient Consent Form.
- a statement that the patient has the right to request that you restrict how you use or disclose PHI to carry out treatment, payment or healthcare operations. You won't be required to agree to requested restrictions, but if you do, the restriction will be binding on you.
- a statement that the patient has the right to revoke the consent in writing, except to the extent that you have taken action in reliance upon the consent.
- the patient's signature and the date signed.
Begin preparations. Have the Patient Consent Form printed on the back side of your new Welcome to the Office form and begin acquiring those signatures as soon as possible. Indicate in your optometric software whether a patient has signed the Consent Form.
You must keep the signed Patient Consent Form on file for at least 6 years. The privacy rule doesn't indicate in what format you must retain the Patient Consent Form. After April 14, 2003 you can't schedule or treat a patient without this signature. Place a copy of the Notice of Privacy Practices at your front desk so patients can read it before signing the Patient Consent Form.
Assign someone to field questions. Select and train a person on staff to handle the public relations aspect of these two documents so that she can easily and consistently answer questions. In addition, select someone, perhaps your "privacy officer" (this is a HIPAA requirement), to oversee your compliance with the law.
Get it in writing. Make sure that each business associate whom you allow to access your patients' PHI has signed a Business Associate Agreement concerning the proper handling of PHI. You must have an agreement with every business associate, or you'll violate the privacy rules. Your HIPAA lawyer can help you with this document.
Learn more. Attend a seminar on HIPAA.
Keep informed
There's no one simple answer to HIPAA compliance. There's so much disinformation floating around in the world today that you must know and understand HIPAA to make the same wise judgments that have allowed you to become the optometric professional that you are.
Ed Goerges is president and co-founder of information, etc. He and his company have, for the past 7 years, provided Patient Recall Services and Web site design and hosting to the optometric profession. Visit www.informationetc.com.