• E-mail
• Print
• RSS

* Working with schools in the HIPAA era
* Sorting out the duties of mid-level providers
* Pay-per-view article: Don't mistake security rule "addressable" requirements for "optional"

Compliance Monitor, April 18, 2003

Want to receive articles like this one in your inbox? Subscribe to Compliance Monitor!

Working with schools in the HIPAA era

Q: We treat pediatric patients and we often transfer protected health information (PHI) to schools. We contacted a school nurse recently and asked whether she was aware of the Health Insurance Portability and Accountability Act (HIPAA), or whether the school had held any HIPAA training. The nurse knew nothing about the law. How should we handle this situation?

A: There is an explanation why the school nurse may not have been familiar with HIPAA. Educational institutions are governed by the Family Educational Rights & Privacy Act (FERPA), and not HIPAA.

Under the definition of protected health information (PHI) in section 164.501 of the privacy rule, "PHI excludes individually identifiable health information in education records covered by FERPA as amended, 20 U.S.C. 1232g." In other words, schools don't have to comply with HIPAA requirements; they follow the FERPA law.

According to FERPA, educational records are defined as "records, files, documents and other materials which contain information directly related to a student and are maintained by an educational agency or institution, or by a person acting for such agency or institution." In most cases, the school nurse is employed by the school district and is acting on behalf of the school.

However, before a student's personal physician shares information with an educational institution, the physician, as a covered entity, must follow all applicable rules under HIPAA for disclosing PHI. That means the child's parent or guardian must give your doctor authorization to disclose the information. Once you receive authorization and share PHI with a school, the information becomes protected under FERPA. After that, anytime a school discloses the information, it must do so in accordance with FERPA provisions.

Note: FERPA education records do not include records of students who are 18 years or older, or under certain circumstances, such as students attending post-secondary educational institutions.

Click here and here for more information about FERPA.

AThis question was answered by Stacie Buck, RHIA, LHRM, president, Health Information Management Associates, Inc.

Don't mistake security rule "addressable" requirements for "optional"

Some health care organizations may think they can choose not to implement the final security rule's addressable specifications to save time and money. Not true, says John R. Christiansen, JD, attorney at Preston, Gates, and Ellis, LLP, in Seattle...

Go to "Don't mistake security rule 'addressable' requirements for 'optional'" for the rest of this article. The cost is $10. Subscribers to the online version of Briefings on HIPAA have free access to this article. Subscribers to the print edition can find it in their April issues.

A $30 steal!

You can read this article-and much more-in the entire April issue of Briefings on HIPAA. Your cost: Six stories for only $30! You'll learn why your staff needs to review and sign off on your sanctions policy, and tips for training your staff to give out your HIPAA notice. Choose between a PDF or HTML version for just $30. Online subscribers have free access to this issue. Print newsletter subscribers can find it in their mailboxes.

Q:We've been using our nurse practitioners and physician assistants for tasks that are traditionally taken care of by physicians, such as writing or signing orders. How do we know where to draw the lines regarding what these staff members can and can't do?

A: The answer depends on your particular type of facility. Mid-level providers-physician assistants (PA) and nurse practitioners (NP)-are becoming more common in physician practices. While some states and regions have used them for years, many communities are just beginning to.

Federally funded health programs, including Medicare and Medicaid, have different rules for midlevel providers. The rules vary, depending on whether the services are performed in a hospital, a skilled nursing facility, or a medical group. For hospitals, you need to revise your medical staff bylaws to reflect the credentialing of mid-level providers, and then define what they're allowed to do, according to the hospital's operational, financial, and quality guidelines. You also must find out whether the midlevel PA or NP has his or her own Medicare Provider Identification Number (PIN), or is operating "incident to" a physician's professional service.

Every state regulates what mid-level providers can and can't perform, so it is important to check with your state medical society to see what is allowed. For example, some states allow midlevel providers to write prescriptions, while others do not. Some states require the mid-level provider to file a Collaborative Agreement with the state demonstrating the relationship between the midlevel worker and a physician.

Usually, physicians employ mid-level providers to work under their direction. An NPs or PAs work is integral to the physician's service. In general, physicians are available to assist and direct mid-level providers while they perform a particular service. For hospital patients, for example, Medicare does not cover mid-level provider services that are incident to the physician.

Visit the following Web sites for more information:

American Academy of Nurse Practitioners
American Academy of Physician Assistants

This question was answered by Michael O'Connell, MHA, CMPE, CHE, senior director of the Cleveland Health Network MSO, LLC, in Independence, OH.

Want to receive articles like this one in your inbox? Subscribe to Compliance Monitor!

• E-mail to a Colleague
• Print
• RSS
• Archive