Don't let HIPAA privacy take a back seat in your facility
Rehab Regs, March 1, 2005
Follow these tips to keep privacy compliance fresh
The Health Insurance Portability and Accountability Act of 1996's (HIPAA) privacy deadline has come and gone, but that doesn't mean you can become lax about privacy regulations.
HIPAA pointers
Following are five tips for HIPAA privacy maintenance, courtesy of three compliance experts, to determine whether you need a refresher course in compliance:
1. Make sure your notice of privacy is still posted. Covered entities (CE) must prominently post the entire privacy notice at their facilities. Although you have the freedom to design the notice as you see fit, many CEs simply post a copy of the notice pages. If you decide to do this, post it in a prominent place.
"It isn't appropriate to post the notice in a back room where employee notices are placed," says John Coolong, senior manager of information technology consulting for Baker Newman & Noyes in Portland, ME. "Instead, put it in the admissions window or the waiting area."
Posting the notice is probably the simplest HIPAA rule with which to comply, he adds. "Therefore, not seeing a notice posted suggests that the [CE] is likely not compliant with many other aspects of the privacy rule," says Coolong.
2. Always give new patients a copy of the privacy notice. Provide this notice to your patients no later than the first date of service delivery, according to HIPAA regulations. CEs must make a good-faith effort to obtain patients' written acknowledgements of notice receipt.
You don't have to read the privacy notice to new patients; you just have to present it, says Coolong. If someone refuses to sign it, make a note that he or she didn't feel comfortable signing it but that you did make an attempt. Signing the privacy notice is not a HIPAA requirement for a patient to receive care at your facility.
However, as a result of all the hype surrounding the privacy regulations, many patients know they should receive a notice when they begin receiving care at a new facility. Any individual who believes his or her privacy rights under HIPAA were violated can file a report with the Office for Civil Rights (OCR) in the Department of Health and Human Services.
When Coolong visits a new healthcare provider, he expects to see that notice of privacy practice. If he doesn't, it's a telltale sign that the facility isn't compliant, he says.
Despite the publicity, the notice is still vital to those patients who don't understand how HIPAA affects them.
"Medicare mentions privacy, but caregivers are always talking about HIPAA," says Nancy J. Beckley, MS, MBA, president of Bloomingdale Consulting Group in Brandon, FL. "Patients may be confused, so it's important to say, 'Under HIPAA regulations, we are required to safeguard your privacy.' "
At Orthopaedic Therapy, Inc., in Jackson, MI, patients receive a copy of the privacy notice when they begin therapy, as well as every year thereafter.
"It's a good idea to remind patients that this is still something that your facility needs to comply with," says Sandra Maes, MBA, president of Orthopaedic Therapy, Inc. HIPAA both protects you and lets patients know that they shouldn't ask about other patients.
3. Train new employees about the HIPAA privacy regulations. HIPAA required CEs to provide privacy training to employees prior to the compliance deadline. Chances are, you've hired new therapists or other staff since then, so remember that HIPAA requires all employees hired after the deadline also to undergo training.
And don't forget training for volunteers and temporary employees, notes Coolong.
Use examples when possible to help employees understand what type of information they can share, says Maes. For example, if a physician's office staff member tells one of your therapists that a shared patient is being sent to a collections agency by the physician's office, the staffer has divulged too much information.
If information doesn't pertain to direct patient care, it's inappropriate to share, says Maes.
Hold privacy rule training on an ongoing basis by conducting refresher courses on a quarterly, biannual, or annual schedule.
"It's especially important in rehab because [the environment] is often very casual," says Maes. "People are on a first-name basis with each other, and it's easy to slip."
Additionally, if therapists or other staff terminate their employment at your facility, remind them that the patient information they had access to is privileged, even after their departure.
4. Ask new business associates (BA) to sign BA agreements. BAs perform a function or activity on behalf of a CE and require access to confidential patient information to do so, according to HIPAA. Examples include lawyers, auditors, consultants, third-party payers, administrators, data processing firm employees, and billing firm staff.
"It's your responsibility to safeguard your patient information," says Coolong. "And you should be sure that [BA] agreements are in place." Your facility should only provide BAs with access to the information that is essential to their job duties, nothing more.
5. Use common sense. Be sure your employees understand why the HIPAA privacy regulations continue to be so important. Stress that employees should discuss patient care in private and only share the minimum amount of information necessary to provide appropriate care.
"Sometimes the only time medical staff get to communicate is in the elevator," says Coolong. "But if the conversation is about a specific patient, they should postpone it until they can find a private conference room or office."
However, employees should avoid letting their desire to comply with HIPAA impede their delivery of adequate services. HIPAA is intended to protect privacy, but not at the expense of proper care.
"In specific cases [e.g., when police investigate a crime], it's okay to provide basic information," says Coolong. "Some providers are afraid of breaking the rules, but you should first think about patient care."
Remember that CEs can communicate freely with one another about patient information, Coolong says. For example, if a physician requests patient records from your office, authorized patient permission is not necessary, according to HIPAA.
Enforcement implications
Currently, there are no federal authorities that specifically check on HIPAA compliance, Coolong says. But that doesn't mean the government won't implement oversight rules, or that a patient or employee can't report a privacy regulation violation.
"If you don't comply with HIPAA, there is not a policy in place where [the government] routinely shows up and audits providers' practices, but patients and employees can turn you in," says Maes.
"So far, the only way a [CE] could be hit with a violation is if an employee or a patient filed a complaint with the [OCR]," says Coolong. "Maybe the lack of HIPAA police is why the healthcare community has been a little relaxed [regarding HIPAA]."
Coolong suggests you visit the OCR's Web site at www.hhs.gov/ocr/hipaa for further guidance on HIPAA compliance. Also visit www.cms.hhs.gov/hipaa to learn more about the regulations from CMS.
To protect yourself and your facility, record your efforts to comply with the privacy regulations on an ongoing basis. "Document staff training," says Beckley. "Interpret the regulations in place and rely on the fact that you had a plan in place because that shows intent [to comply]."