Heeere's HIPAA

Edition: May 2003 - Vol 11 Number 05
Article#: 1542
Author: Laura Thill

Community Health, a multi-practice clinic in Fremont, Ohio, wants to ensure that it’s fully compliant with HIPAA. The facility recently purchased 12 scales – one for every exam room – from Account Manager Clay Benjamin of Richmond, Va.-based McKesson Medical-Surgical Corp. “At $400 apiece, those scales aren’t cheap,” says Benjamin. “But this is [an example of] what practices are doing to adhere to the HIPAA Privacy Ruling.”

Indeed, HIPAA compliance deadlines are still rolling in. Some of the most recent – the Apr. 14, 2003 Privacy Rule and the Apr. 16, 2003 Transactions and Code Sets – have left more than one physician practice squirming and more than one medical products sales rep scratching his head. After years of hearing about HIPAA, the extensive regulations and revisions are still mind-boggling for many.

The Electronic Health Care Transactions and Code Sets require all covered entities to use a common set of Health and Human Services (HHS) codes for all services, tests and billing operations, according to the Health Industry Distributors Association (HIDA) in Alexandria, Va. All claims, insurance enrollment and eligibility information, payments, premiums, referral services and coordination of benefits information must be recorded and handled according to the Transactions and Code Sets in order for practices to get reimbursed. So, for example, when ordering a vaccination for a patient, a physician’s office must record and bill for it using a standard code – recognizable by the insurance company – in order to be paid, according to HIDA.

The Privacy Ruling applies to all covered entities except small health plans whose annual receipts total $5 million or less, according to the Centers for Medicare and Medicaid (CMS). Small health plans have another year – until Apr. 14, 2004 – to comply. Under this regulation, healthcare providers and insurance companies must act to protect patient health information. The only individuals who may see patient medical records are those who must do so in order to provide treatment or reimbursement.

The implication of these rulings on physician offices and hospitals may be more than some of your customers have bargained for.

The Vendors’ Role

“Vendors [must develop] an understanding of the basic requirements of HIPAA,” says Jennifer Alfisi, director of government relations at HIDA. “Many offices have become HIPAA compliant over the last few years, but many are still working on their office setup.” Some necessary changes include the way filing systems, sign-in sheets and waiting areas are handled in physician practices, notes Alfisi. Benjamin foresees reps selling more folding desks as well, which will be useful when physicians write out patient notes in privacy. The degree to which such changes will affect physician practices and hospitals may vary from one facility to the next. “The main issue for us is the Privacy Ruling,” says Ann Hansen, director of nursing, Community Health. “It can cause some big space constriction problems.”

“Doctors may need [separate] rooms for private dictation and storing medical records,” Hansen continues. “Medical records [will have] to be kept in secure rooms with limited access to staff.”

Privacy Rights

Despite the vast amount of cyber-information on HIPAA laws permeating the Internet, the Privacy Ruling remains somewhat confusing. Privacy regulations do the following, according to HIDA:

• Give patients control over their health records and the use of their information.

• Restrict the release of patient health records and information.

• Enable patients to see how their information is used.

• Allow patients to obtain a copy of their health records.

If a physician takes appropriate measures to ensure patients’ records, but a sales rep accidentally sees a chart or overhears patient information, this is OK, according to HIDA. No one will be penalized for infrequent mistakes. However, when a rep routinely overhears private conversations or sees charts, it’s time to advise the customer. Fines can reach up to $100 for each patient incident, according to CMS.

The Office for Civil Rights (OCR) has responded to questions from vendors and their customers concerning the privacy issue. Among these questions are the following:

• Can a physician office fax patient medical information to another physician office? Health information may be disclosed to another provider for treatment purposes, as long as privacy safeguards are in place. For instance, the sender may request confirmation of receipt from the receiver.

• Can physician offices use patient sign-in sheets or call out patient names in the waiting room? Yes, these are considered “incidental disclosures” and are permissible as long as appropriate privacy safeguards are implemented. So a sign-in sheet may not display patient information beyond that necessary for signing in.

• Can hospitals continue to display patient names next to the door of their room? Yes. This, too, is considered an incidental disclosure.

• Can a nurse place a patient’s chart in the plastic box outside of an exam room, permitting the physician to review it quickly before entering the exam room? Yes, as long as the purpose of leaving the chart is to provide the physician with patient information prior to treatment.

• Can physician practices or other providers obtain payment from the patient’s spouse or guardians? Yes. But the Privacy Ruling requires the health provider to limit to a minimum the amount of information disclosed for these purposes.

• Must physicians have “business associate” contracts with electricians, plumbers, repair services or janitorial services? No. These individuals and services do not require access to private patient records. Similarly, because distributor reps do not need to view patient health records to do their job, they aren’t considered business associates under HIPAA law. When a rep oversees a customer’s billing, however, he or she becomes an associate and must sign an agreement with the customer stating that he or she has taken steps to protect private health information, according to HIDA. Business associates should have their contracts reviewed by a lawyer to ensure they are HIPAA compliant.

• Must state, county or local health departments comply with the Privacy Ruling? Yes, as long as they are considered covered entities under HIPAA law.

Helping Your Customers

HIDA offers the following suggestions for helping your customers become HIPAA compliant:

• Is the records room locked? If not, suggest that your customer install a lock and restrict who has access to the room.

• Are patient records kept on exam room doors? Advise your customer to flip the charts to prevent people from reading them.

• Is the fax machine visible? Suggest that your customer keep it in a private area.

• Can you easily hear a doctor discussing health issues and treatment options with patients? Advise your customer to carry out such discussions in soundproof or private areas.

HIDA offers an educational tool - The Advance Masters Module, Helping Your Customers with HIPAA - designed to help reps assist their customers in becoming HIPAA compliant. For more information, call HIDA at 703/838-6125.

"Reps can play a pivotal role in providing information to their customers," says Alfisi. "Many [physician] offices - especially the smaller ones - may not understand the behaviors and actions that are acceptable under the new [HIPAA] regulations.

"An educated rep can provide valuable information to a physician's office," Alfisi adds. "This, in turn, should strengthen their relationship."