APAC: A subsidiary of FPIC Insurance Group, Inc.
Committed to bringing exceptional education, service, and peace of mind
Many physicians have fears regarding implementation of HIPAA’s Standards for Privacy of Individually Identifiable Health Information (the “Privacy Rule”). The Privacy Rule is intended to protect a patient’s Protected Health Information (PHI) without interfering with the access to or quality of care. The following is a brief overview of the impact of the Privacy Rule on the physician’s practice.

WHAT IS HIPAA?
The Health Insurance Portability and Accountability Act of 1996 has several components, including insurance portability, fraud and abuse, health revenue issues, tax issues related to health, group health plans, and administrative simplification. Under the Administrative Simplification component of HIPAA, there are three subparts including electronic data interchange, the Privacy Rule, and Security. In 2000, Health and Human Services (HHS) issued final regulations concerning the Privacy Rule that were later amended in August of 2002. The deadline for compliance with the Privacy Rule is April 14, 2003.

PRIVACY RULE
The Privacy Rule controls the use and disclosure of PHI and applies to healthcare providers, health plans, and healthcare clearinghouses, referred to as “covered entities.” Protected health information includes any information, whether oral, recorded, written, or electronic, which relates to the past, present, or future physical or mental health or condition of an individual, the provision of healthcare to an individual, or billing and payments made for the provision of healthcare to an individual. It includes any personal information that may connect the patient to the health information, such as the patient’s name, address, or social security number.

The Privacy Rule allows covered entities, such as physician’s practices, to use and disclose protected health information for three general purposes without first obtaining the patient’s authorization: treatment, payment, and healthcare operations. There are a few other permitted uses of PHI that do not require the patient’s authorization, including reporting for public health, law enforcement, tissue and organ procurement, to medical examiners and coroners, and for oversight activities, such as audits.

PRIVACY NOTICE
The Privacy Rule requires practices to provide patients with a Privacy Notice detailing the rights and responsibilities of the patient and the practice in protecting the privacy and confidentiality of PHI.

The Privacy Notice should be shared with patients upon delivery of service, or as soon as feasible in an emergency. It must be available to patients in print, written in clear, understandable language, and be posted at each service site. The notice should contain the patient’s rights, the practice’s duties, and a description of the types of uses and disclosures of PHI. The practice must attempt to obtain the patient’s written acknowledgement that the privacy notice was provided. Each time the practice’s privacy policies change, the privacy notice should be revised. Written acknowledgement must be obtained with each privacy notice revision. The patient acknowledgement(s) and a copy of the privacy notice and each revision must be maintained for at least six years. A written acknowledgement may serve for the entire length of treatment unless the privacy notice is revised.

MINIMUM NECESSARY
Each practice must make reasonable effort to limit use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request. This means that disclosures of PHI by staff should be limited to the minimum necessary to accomplish their specific job function. Job descriptions for staff members should identify the types of information an employee may access and disclose.

AUTHORIZATION
In most situations, the patient’s authorization must be obtained when PHI is used or disclosed to any third party for purposes other than treatment, payment, and operations. For instance, if a product representative requests the names of patients for marketing, the patient’s authorization must be obtained and must be specific to that use or disclosure. The authorization covers only that purpose and is time limited.

The Privacy Rule distinguishes between uses and disclosures for payment, treatment, and healthcare operations, for which no consent or authorization is required, and uses for which an authorization is needed, such as marketing, fundraising, and employment determinations. Unless disclosure is for payment, treatment, or healthcare operations, or unless an exception applies, PHI cannot be disclosed absent an authorization. Where an authorization is needed, in order to be valid, several defined provisions must be included in the form and particular procedures must be followed in accordance with the Privacy Rule.

MINORS
In general, the scope of a personal representative’s authority to act for a minor patient under the Privacy Rule derives from his or her authority under applicable law to make healthcare decisions for that patient. Therefore, the Privacy Rule allows parents, as personal representatives, to access patient information for their minor children. However, there are a few exceptions when parents are not permitted access to a minor’s health information, such as healthcare treatment that a minor may consent to without parental consent, cases of abuse or neglect, or situations where a court authorizes someone other than the parent to make treatment decisions.

BUSINESS ASSOCIATES
The HIPAA Privacy Rule applies only to covered entities – health plans, healthcare clearinghouses, and certain healthcare providers. Most physicians do not carry out all of their healthcare activities and functions by themselves. Instead, they often use the services of a variety of other persons or businesses. The Privacy Rule allows physicians to disclose PHI to these “business associates” if the providers obtain satisfactory assurances that the business associate will use the information only for the purposes for which it was engaged by the covered entity, will safeguard the information from misuse, and will help the covered entity comply with some of the covered entity’s duties under the Privacy Rule. Typical business associate functions include: answering services, independent contractors for transcription, billing and collections, claims processing, and accounting.

INTERACTION OF PRIVACY RULE WITH FLORIDA LAW
The Privacy Rule establishes, for the first time, a foundation of Federal protections for the privacy of protected information. The Privacy Rule does not replace Federal, State, or other law that grants individuals even greater privacy protections, and physician practices are free to maintain or adopt more protective policies or practices.

COMPLIANCE EFFORTS
The Privacy Rule generally requires physician compliance as follows:
• Notify patients about their privacy rights and how their information can be used.
• Adopt and implement privacy procedures for the practice.
• Train employees so that they understand the privacy procedures.
• Designate an individual to be responsible for seeing that privacy procedures are adopted and followed.
• Secure patient records containing PHI so that they are not readily available to those who do not need them.

Failure to comply with the provisions of the Privacy Rule may result in civil penalties of $100 per violation up to a maximum $25,000 per year for the same violation and criminal penalties of up to $250,000, imprisonment, or both for intentional violations.

The HIPAA Privacy Rule is the first set of federal guidelines aimed at regulating the privacy of health information. Most practices are sensitive to their patients’ right to privacy and already take effective measures to protect it. However, in light of the requirements set forth by the Privacy Rule, the policies and procedures of your practice should be reviewed to ensure proper compliance.

APAC offers a one-hour training program on Privacy Rule compliance. If you are interested in scheduling this in-service or need further assistance, please e-mail rm@fpic.com or call APAC’s Risk Management Department at 866-294-6014, extension 3100.

Sample compliance tools, such as Privacy Notices and additional reference material, may be obtained by visiting the APAC risk management website at www.apacinsurance.com. Other helpful websites include:

www.ahima.org
www.ama-assn.org
www.hhs.gov/ocr/hipaa
www.hipaadvisory.com
www.himss.org
www.mgma.com

Disclaimer
NOTE: APAC provides HIPAA guidance as a benefit to its policyholders for educational and informational purposes only. Any representations or written reports rendered in conjunction with this benefit should not be considered a certification of HIPAA compliance nor should it be interpreted as offering legal, financial, or other professional services. Policyholders that are developing policies and procedures to comply with HIPAA’s Privacy Rule should seek legal and/or professional assistance to be sure that an appropriate compliance plan is implemented for their particular practice.
