Health care providers are aware that they must now comply with HIPAA’s privacy regulations. HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a sweeping federal law that addresses a number of issues relating to individuals’ health insurance.
The so-called ‘privacy regulations’ are among a number of regulations, promulgated as a result of HIPAA, that address the standardization of electronic communications for health insurance transactions. The privacy regulations, which took effect in April, create national standards aimed at protecting the privacy of patients’ health information. Most doctors, dentists, nurse practitioners, mental health providers, and other individual and institutional health care providers need to comply.
Health care providers already have an obligation to protect patient privacy under state law and professional codes of ethics. Thus, most health care providers already had office procedures that maintain patient confidentiality, and may generally have been in compliance with many provisions of the privacy regulations. However, be aware that the privacy regulations have specific new compliance requirements. For example, there are three essential documents that form the foundation of compliance with the privacy regulations.
1. Notice of Privacy Practices
As of April 14, every patient coming into a health care provider’s office must be presented with the provider’s Notice of Privacy Practices, a copy of which must also be posted.
The Notice of Privacy Practices must contain certain required language and must inform patients:
(1) how the health care provider may use or disclose a patient’s health information;
(2) when a patient must specifically authorize, or have an opportunity to object to, the use or disclosure of protected health information;
(3) what a patient’s legal rights are with respect to restricting the use of, inspecting, amending, and accounting for the uses and disclosures of protected health information; and
(4) how and to whom a patient may complain about the provider’s privacy practices.
Health care providers must document their good-faith efforts to provide the Notice of Privacy Practices to each patient.
2. Authorization Form
The privacy regulations require that health care providers obtain written patient authorization before they disclose patient health information under certain circumstances.
The Authorization Form, which must be signed by the patient, must specifically state: (1) who may receive the information; (2) who may use the information once it has been disclosed; (3) the purpose of the disclosure; and (4) an expiration date for the authorization. Health care providers should be mindful of state laws that mandate additional requirements for disclosure of AIDS/HIV testing or other protected information.
3. Business Associate Agreement
Anyone who receives from a health care provider a patient’s health information in order to perform a service for or on behalf of the health care provider must sign a contract agreeing to properly protect that health information.
Thus, billing companies, management services, accreditation agencies, software maintenance companies, accountants, lawyers, or any other entity receiving health information from, and performing a function for, a health care provider must sign a Business Associate Agreement, in most cases by April 14, 2003, but in some cases by April 14, 2004.
The Business Associate Agreement must outline the business associate’s obligations with respect to the health information, which include: (1) maintaining its confidentiality; (2) obligating others to whom it is disclosed to keep it confidential; (3) keeping track of the persons to whom it is properly disclosed; (4) making it available to the provider if the patient seeks accountings of disclosures, amendment, or inspection; and (5) returning or destroying the information once the business associate no longer needs it to perform the services for the health care provider.
With these three documents in place, a health care provider will be on its way toward compliance with the HIPAA privacy regulations.
Liz Sillin is an associate in the Health Law Practice Group with Bulkley, Richardson and Gelinas, LLP in Springfield; (413) 272-6296.