
 apache systems       HIPAA  2 Page Apache Systems Inc


HIPAA New Rules

Among the changes to the final HIPAA rule are:

Elimination of the requirement that a health-care provider obtain prior written consent for treatment, payment, and health-care operations


Modifications to the authorization form requirements that will ease the release of data to permanent databases or data registries

Changes in the standards for release of data for marketing activities and in the definition of marketing activities

Simplification of the evaluation criteria for waiver of authorization for research disclosures

Creation of a limited data set to be used for research and public health activities in conjunction with a data use agreement

 

Who needs
Your practice is covered by the Privacy Rule if you conduct electronic transactions, including health claims, encounter information, and health-care payments. If your practice uses only paper claims and submits payment forms by fax, your activities are not subject to the Privacy Rule. However, if you use a billing service or health-care clearinghouse that submits claims electronically on your behalf, you are subject to the Privacy Rule.

If you use email to communicate about your patients, you need to be covered.
Warning
What are the basic administrative requirements of HIPAA?
  1. Designate a privacy official to be responsible for implementing the Rule's requirements in the practice;

  2. Establish appropriate administrative, technical, and physical safeguards to reasonably protect the privacy of medical records;

  3. Create and implement policies and procedures to conform with the Privacy Rule. A Notice of Privacy Practices, explaining the practice's policies for use and disclosures of health information, must be provided to each patient;
  4. Document certain disclosures of health-care information and make this accounting available to patients who request it;

  5. Provide a process for individuals to make complaints concerning the practice's privacy policies and procedures;

  6. Create and document appropriate sanctions for employees of the practice who violate privacy policies or procedures;

  7. Mitigate the harmful effect of any known violation of the privacy policies or procedures;

  8. Refrain from intimidation or retaliatory acts against individuals who access their rights under the Privacy Rule or file complaints against the practice for violations of the Rule;

  9. Do not condition treatment, payment, or eligibility for benefits on an individual's waiver of their rights to file a complaint with HHS.

To implement the Privacy Rule, a clinic must have policies and procedures for the following:
  1. Identifying the employees or positions on your staff that require access to protected health information.

  2. Identifying the categories of information for which those people need access.

  3. Preventing access to protected health information by unauthorized people.

  4. Ensuring that the "minimum necessary" amount of information is released for routine disclosures.

  5. Reviewing requests for other disclosures and determining the appropriate amount of information to release.

  6. Verifying the identity of the requestor of information.

  7. Providing individuals with access to their records, the opportunity to amend or request correction of the records, and to receive an accounting of disclosures.
August 2002 changes eliminate the requirement that providers obtain written consent for treatment, payment, and health-care operations prior to using a patient's protected health information. Health-care providers MAY obtain prior consent if they wish, but they are not required to do so.

Rather than obtaining prior consent, the Privacy Rule now requires that health-care providers who have a direct treatment relationship with a patient make a good faith effort to obtain an individual's written acknowledgment of receipt of the provider's Notice of Privacy Practices. Other than requiring that the acknowledgment be in writing, the Rule does not prescribe other details of what must be included in the acknowledgment or limit the manner in which a covered health-care provider could obtain the acknowledgment.

If a health-care provider is not able to obtain an acknowledgment, he or she is not required to delay providing care. The provider should document in the patient's medical record that a good faith effort was made but the acknowledgment was not obtained, and the reason why.

  1. To provide the Notice of Privacy Practices, can I post a sign on the wall in the waiting room?

    You may post the Notice of Privacy Practices, but you must also have copies of the notice available for patients to take with them. The notice must be written in plain language and must contain several elements, such as:
  • Description of the types of uses and disclosures you are permitted to make for treatment, payment, and health-care operations.
  • Description of other uses and disclosures you are permitted to make without the patient's consent or authorization (e.g., law enforcement, public health).
  • Explanation that you will not use or disclose information for other purposes without the patient's specific authorization.
  • Explanation of the patients' right to inspect and copy their medical records and to receive an accounting of disclosures.
  • Explanation of your duty to maintain confidentiality.
  • Description of how patients can register a complaint about privacy practices and who to contact for further information.
  • Date the notice is effective.
  1. I have attending privileges at our local hospital; when I go to the hospital to see a patient for the first time, will I have to bring copies of my practice's Notice of Privacy Policies to give to the patient and get their signed acknowledgment?
    The HHS clarified in the August 2002 Rule that hospitals can form Organized Health Care Arrangement agreements with physicians who treat patients in their facility but who are not on staff. These agreements will allow physicians to operate under the hospital's Notice of Privacy Practices during the patient's stay in the hospital. The agreement covers only the use and disclosure of health information that occurs in the hospital. Once that patient is discharged and comes to the physician's practice for a visit or treatment, the practice must provide that patient with its own Notice of Privacy Practices and make a good faith effort to obtain that patient's acknowledgment of receipt.
  2. I have heard that the Privacy Rule requires every medical practice to have a "privacy official." Does this mean that we have to have an employee whose only responsibility is privacy?
    All covered entities must designate a privacy official who is responsible for the development and implementation of privacy policies and procedures and a contact person who is responsible for receiving privacy-related complaints and providing additional information about privacy practices and procedures. These responsibilities can be combined with other duties, given to someone who is already an employee, shared among several employees, or assigned to an outside consultant, as long as there is one point of accountability for the covered entity's policies and procedures and compliance with the Privacy Rule.
  3. I am a solo practitioner, but I share an office with several other medical practices. Can we share a privacy official?
    Yes. Several practices can share a privacy official, as long as each practice fulfills the requirements of the regulation.
  4. Is each department of a cancer center required to have its own privacy official?
    Probably not. The cancer center is most likely considered to be one "covered entity" for the purposes of the Privacy Rule, and each covered entity must designate a single privacy contact.
  5. What qualifications should a privacy official have?
    To obtain help in complying with the Privacy Rule, ASCO members can access model forms and policies in the "ASCO Model Forms and Policies for Compliance with the Federal Privacy Rule" section found under the "Medical Records Privacy" link at the top right of this page.
  6. Is it true that each member of my staff will have to be trained on privacy practices? Do I need to send them to a particular training program, or can we develop our own program?
    The Privacy Rule requires you to train all the members of your staff on your policies and procedures for implementing the privacy protections in the regulations. The nature of the training program is left up to you. All staff members must be trained before April 14, 2003, the Privacy Rule's compliance date. New staff members who join after the compliance date must receive training within a reasonable period of time. There are no "retraining" requirements, but additional training should be given to each member of the staff whose responsibilities are affected by a material change in your policies or procedures.
  7. How do I know which standards apply: the federal Privacy Rule's requirements, or state laws? For some issues, my state has really strict protections, but for others, there is no protection at all.
    The Privacy Rule's regulations do not preempt (or override) state laws that impose more stringent privacy protections. Therefore, if your state has a law that establishes more privacy protection in a particular circumstance than the Privacy Rule (e.g., some states have very strict rules to protect information related to HIV and AIDS), you must follow the state law. If your state has no laws or regulations in a particular area (e.g., disclosure of information for research), you must follow the Privacy Rule's standards.

    Although the HHS originally planned to issue advisory opinions on the preemption of various state laws by the Privacy Rule, the Department has abandoned that plan. Instead, states may request a determination from the HHS that the Privacy Rule does not override particular state laws (e.g., laws that are necessary for preventing fraud and abuse or the regulation of health insurance).

  8. The Privacy Rule requires physicians to "account" for disclosures of protected health information. Does this mean I have to document each time I access a chart?
    No. Only disclosures to entities outside your practice, not internal uses, of protected health information must be accounted for. The accounting must also include disclosures that have been made to and by your business associates, such as your billing service. The accounting requirement is intended to inform patients about outside entities to which their information is disclosed.

    Furthermore, providers are not required to account for disclosures that are made pursuant to authorization from the patient. In these situations, the patient's written permission has already been obtained, so they are aware of the disclosure. The HHS has reasoned that disclosures in these situations would be duplicative and unnecessary.

    Is documentation required in the following situations?
  • When I consult the chart to answer a patient's question

    No. This is not a disclosure of information, and the regulation does not require accounting for uses of information. However, you may want to document the conversation for other reasons.
  • When I call another physician to discuss a patient's condition

    No. This disclosure falls within the definition of "treatment", and the Privacy Rule does not require that you account for disclosures for treatment, payment, or health-care operations.
  • When I disclose information to an insurance company to answer a claims question

    No. This disclosure would fall within the definition of "payment", and the Privacy Rule does not require that you account for these kinds of disclosures.
  • When my staff reviews charts to remind patients to schedule follow-up visits

    No. This is a use, not a disclosure, of information. However, your Notice of Privacy Practices must inform patients that you may contact them to provide appointment reminders.
  1. The regulations require me to keep an accounting of disclosures for six years and to allow patients to have a copy of that accounting on request.

    • Should I be keeping track of disclosures now?
      No. You are not required to comply with the rule until April 14, 2003.
    • On the compliance date in April 2003, will patients be able to request an accounting of disclosures for the previous six years (i.e., since 1997)?

      No. Covered entities do not have to account for disclosures that occurred before the compliance date.

     

    Setting up a simple i