A: No. Covered Entities
are not required to use electronic signatures. However, if your
organization chooses to use an electronic signature in a HIPAA-specified
transaction, the electronic signature standard must be adopted.
According to the proposed Security Rule,
if electronic signatures are used they must:
· be cryptographically based;
· assure the integrity of the message content;
· make it difficult to claim that a signed document was not actually signed by the signer; and
· guarantee the identity of the signer.
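As an added illustration (not code from NM CHILI or from the Security Rule itself), the Go program below uses the standard library's Ed25519 signatures to show how those four properties fall out of a public-key signature: the signature is cryptographic, a single changed byte breaks verification (integrity), only the holder of the private key can produce a verifying signature (hard to repudiate), and the receiver checks against the public key it has registered for the signer (identity). The transaction layout, the key handling and all names here are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedTransaction carries a transaction's content together with the
// signature made over it. Field names are this example's own; the proposed
// Security Rule does not prescribe a format.
type SignedTransaction struct {
	Content   []byte
	Signature []byte
}

// Sign creates the signature with the signer's private key. Only the holder
// of that key can produce a signature that verifies under the matching
// public key, which is what makes "I never signed that" hard to sustain.
func Sign(priv ed25519.PrivateKey, content []byte) SignedTransaction {
	return SignedTransaction{Content: content, Signature: ed25519.Sign(priv, content)}
}

// Verify checks the signature under the public key the receiver has on file
// for the claimed signer. A key carried inside the message proves nothing,
// since whoever altered the message could replace the key too; identity comes
// from the receiver's own record of who holds which key.
func Verify(signerKey ed25519.PublicKey, tx SignedTransaction) bool {
	return ed25519.Verify(signerKey, tx.Content, tx.Signature)
}

// Demo walks through the three checks a receiver cares about and returns
// (genuineOK, tamperedOK, wrongSignerOK). Only the first should be true.
func Demo() (bool, bool, bool) {
	// Constructed keys: in practice the private key stays with the signer and
	// the public key is registered with each trading partner out of band.
	clinicPub, clinicPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	// Constructed claim content; any byte-exact representation works.
	claim := []byte("CLAIM|patient=<id>|service=99213|amount=120.00")

	genuine := Sign(clinicPriv, claim)
	genuineOK := Verify(clinicPub, genuine)

	// Integrity: change the content after signing and the signature no
	// longer verifies.
	tampered := genuine
	tampered.Content = []byte("CLAIM|patient=<id>|service=99213|amount=920.00")
	tamperedOK := Verify(clinicPub, tampered)

	// Identity: a signature made with someone else's key does not verify
	// under the clinic's registered public key.
	forged := Sign(otherPriv, claim)
	wrongSignerOK := Verify(clinicPub, forged)

	return genuineOK, tamperedOK, wrongSignerOK
}

func main() {
	g, t, w := Demo()
	fmt.Printf("genuine=%v tampered=%v wrongSigner=%v\n", g, t, w)
}
```

The point a practitioner should take from `Verify` is that the trusted public key is a parameter supplied by the receiver, never read out of the message being checked; the binding between a key and a signer is an out-of-band registration decision, not something the signature can establish on its own.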
Q: Does the Privacy
Office position have to be a full-time job?
A: No. All covered entities must designate a
privacy official who is responsible for the development and implementation
of privacy policies and procedures, as well as a contact person
who is responsible for receiving privacy-related complaints and
providing additional information about privacy practices and procedures.
This position can be a full-time job, or these responsibilities
can be combined with other duties, given to someone who is already
an employee as long as there is one point of accountability for
your organization's policies and procedures and compliance with
the HIPAA Privacy regulation.
Q: Does my organization need to document
every time a chart is accessed in order to comply with the "Accounting
of Disclosures" requirement under the HIPAA Privacy Rule?
A: No. The Accounting of Disclosures
requirement is intended to inform patients about outside entities
to which their information is disclosed. Only disclosures, not
uses, of PHI must be accounted for. To make the requirement simpler,
only disclosures made for purposes other than treatment, payment
or health care operations must be documented.
The Proposed Changes to the Privacy Rule (released
on March 27, 2002) states that only disclosures (made for purposes
other than treatment, payment or health care operations) made
without a written authorization from the patient must be included
in the Accounting of Disclosures. Keep posted to the NM CHILI
Website for the latest news on the status of the Proposed Changes
to the Privacy Rule.
Q: What is the difference
between a consent and an authorization? Do I have to get both
each time I see the patient?
A: Consents are written permission from patients to use
and/or disclose their PHI for purposes of treatment, payment and
health care operations. The consent should be written in general
terms and must refer the patient to your organization's Notice
of Privacy Practices (which explains how your organization uses
and discloses PHI). The HIPAA Privacy Rule requires you to obtain
consent for the use and disclosure of information from each of
your patients at the time of first service delivery, and you may
refuse to treat patients who don't agree to sign your consent
form. You only need to receive a consent from each of your patients
once (unless you make changes to your privacy policies, at which
time you would need to get a new consent from each of your patients,
at the time of first service delivery).
The Proposed Changes to
the Privacy Rule (released on March 27, 2002) eliminates the requirement
to obtain patient consent. Keep posted to the NM CHILI Website
for the latest news on the status of the Proposed Changes to the
Privacy Rule.
An authorization allows
for use and disclosure of PHI for purposes other than treatment,
payment and health care operations. Before you can use or disclose
information for purposes that are not covered by the consent and
aren't otherwise permitted by HIPAA or state law, you must obtain
an authorization from the patient. You will need to obtain authorization
from the patient each time your organization intends to use or
disclose PHI for purposes other than treatment, payment or health
care operations.
Authorizations must contain
specific elements, including:
· A description of the information to be disclosed;
· An identification of the person or organization to whom the information will be disclosed;
· An expiration date or event for the authorization;
· A statement informing the patient that the authorization can be revoked; and
· A patient signature and date.
Q: I often consult
with other physicians to discuss difficult cases. Will I have
to ask patients to sign an authorization before I can do this?
A: No. Consulting
with other health care providers falls under the definition of
treatment, and therefore doesn't require an authorization.
Q: Will my organization
be allowed to disclose PHI to public health agencies without obtaining
an authorization from our patients?
A: Yes. HIPAA permits
disclosures to public health authorities without receiving patient
authorization. Your organization will be required to include these
types of disclosures in the Accounting of Disclosures, however.
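The Accounting of Disclosures answer above and this public-health answer together describe a filter over an access log: uses are never reported, disclosures for treatment, payment or health care operations are excluded, disclosures covered by a written authorization are excluded (under the Proposed Changes), and everything else (public health, law enforcement and similar) goes on the patient's accounting. The Go program below is an added example, not code from NM CHILI, showing what an access log has to record for that report to be producible at all; the struct fields, purpose labels and the sample log entries are all constructed for this example.

```go
package main

import "fmt"

// Purpose is the reason recorded for each access to PHI. The labels are this
// example's own names for the purposes the FAQ discusses.
type Purpose string

const (
	Treatment      Purpose = "treatment"
	Payment        Purpose = "payment"
	Operations     Purpose = "health care operations"
	PublicHealth   Purpose = "public health"
	LawEnforcement Purpose = "law enforcement"
	Marketing      Purpose = "marketing"
)

// AccessEvent is one entry from an access log. Recording "who opened the
// chart" is not enough: the log also needs whether the recipient is outside
// the covered entity (a disclosure) or inside it (a use), and whether a
// written patient authorization covers the event.
type AccessEvent struct {
	PatientID     string
	Date          string
	Recipient     string
	External      bool // true: disclosure to an outside entity; false: internal use
	Purpose       Purpose
	Authorization bool // a written patient authorization covers this event
}

// IsTPO reports whether a purpose is treatment, payment or health care operations.
func IsTPO(p Purpose) bool {
	return p == Treatment || p == Payment || p == Operations
}

// RequiresAccounting applies the FAQ's reading of the Proposed Changes: uses
// are never accounted for; disclosures for TPO are not; disclosures made under
// a written authorization are not; every other disclosure is.
func RequiresAccounting(e AccessEvent) bool {
	if !e.External {
		return false
	}
	if IsTPO(e.Purpose) {
		return false
	}
	if e.Authorization {
		return false
	}
	return true
}

// AccountingReport returns the events one patient is entitled to see, in log order.
func AccountingReport(events []AccessEvent, patientID string) []AccessEvent {
	var out []AccessEvent
	for _, e := range events {
		if e.PatientID == patientID && RequiresAccounting(e) {
			out = append(out, e)
		}
	}
	return out
}

// SampleLog is a constructed access log used by main and by the tests.
func SampleLog() []AccessEvent {
	return []AccessEvent{
		{"P-1001", "2002-11-04", "Attending physician (own staff)", false, Treatment, false},
		{"P-1001", "2002-11-05", "Consulting physician (outside practice)", true, Treatment, false},
		{"P-1001", "2002-11-06", "Health plan claims department", true, Payment, false},
		{"P-1001", "2002-11-08", "State public health department", true, PublicHealth, false},
		{"P-1001", "2002-11-12", "Police (warrant presented)", true, LawEnforcement, false},
		{"P-1001", "2002-11-15", "Drug company representative (signed authorization)", true, Marketing, true},
		{"P-2002", "2002-11-09", "State public health department", true, PublicHealth, false},
	}
}

func main() {
	for _, e := range AccountingReport(SampleLog(), "P-1001") {
		fmt.Printf("%s  %-50s %s\n", e.Date, e.Recipient, e.Purpose)
	}
}
```

Run against the sample log, the report for P-1001 contains only the public health and law enforcement disclosures; the outside consult is excluded as treatment, the claim as payment, and the chart review because the patient signed an authorization.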
Q: Many of our
patients participate in Medical Assistant Programs (MAP) or Patient
Assistance Programs (PAP). In addition to having the patient sign
the consent form for the MAP, will I need to have them sign a
HIPAA consent or authorization?
A: Although many PAPs will
fall within the definition of treatment, each program operates
differently, and HIPAA doesn't specifically determine what
standards to apply to them.
Because there is uncertainty
about how to treat MAPs, the safest approach would be to obtain
an authorization for disclosure that complies with HIPAA. It is
quite possible that manufacturers will include the required elements
of an appropriate authorization in the PAP enrollment forms after
April 14th, 2003.
Q: If I want to de-identify patient information, what specific information do I have to remove?
A:
· Names
· All geographic subdivisions smaller than a state (except for the first 3 digits of the zip code in some cases)
· All elements of dates (except year) for dates directly related to an individual (such as birth date, admission date, discharge date, date of death) and all ages over age 89 and dates indicative of that age
· Telephone numbers
· Fax numbers
· E-mail addresses
· Social security numbers
· Medical record numbers
· Health plan beneficiary numbers
· Account numbers
· Certificate/license numbers
· Vehicle identifiers and serial numbers, including license plate numbers
· Device identifiers and serial numbers
· Web Universal Resource Locators (URL)
· Internet Protocol (IP) addresses
· Biometric identifiers, including finger and voice prints
· Full face photos and any comparable images
· Any other unique identifying number, characteristic, or code
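The list above is a removal rule, and the places it is most often applied wrongly are the partial removals (zip prefix, year only, ages over 89) and free-text fields that carry identifiers the structured fields don't. The Go program below is an added example, not NM CHILI's code or an official HHS tool: it carries a constructed record through those rules, producing an output type that has no field for any direct identifier, and scrubs phone numbers, e-mail addresses, SSNs, URLs and IP addresses out of a notes field. The record layout, the "90+" age band, the regular expressions and the restricted zip-prefix set (passed in by the caller rather than hard-coded, because the "in some cases" exceptions come from current HHS guidance, which is not reproduced here) are all assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Record is a constructed patient record holding the kinds of direct
// identifiers the FAQ lists. Field names are this example's own.
type Record struct {
	Name, Phone, Email, SSN, MRN string
	Street, City, State, Zip     string
	BirthDate, AdmitDate         string // YYYY-MM-DD
	Age                          int
	Notes                        string // free text that may also carry identifiers
}

// Deidentified keeps only what the Safe Harbor list leaves behind: the state,
// a 3-digit zip prefix, years, and a capped age. Every direct identifier
// field is simply absent, so it cannot be copied through by accident.
type Deidentified struct {
	State, ZipPrefix, BirthYear, AdmitYear, AgeBand, Notes string
}

// ZipPrefix returns the first 3 digits of a zip code, or "000" when the
// prefix is in the caller's restricted set (the FAQ's "in some cases") or
// the zip is malformed.
func ZipPrefix(zip string, restricted map[string]bool) string {
	if len(zip) < 3 || restricted[zip[:3]] {
		return "000"
	}
	for _, c := range zip[:3] {
		if c < '0' || c > '9' {
			return "000"
		}
	}
	return zip[:3]
}

// YearOnly strips month and day from a YYYY-MM-DD date, keeping the year.
func YearOnly(date string) string {
	if len(date) < 4 {
		return ""
	}
	if _, err := strconv.Atoi(date[:4]); err != nil {
		return ""
	}
	return date[:4]
}

// AgeBand reports any age over 89 as a single "90+" band; this is the
// example's convention for the FAQ's "all ages over age 89".
func AgeBand(age int) string {
	if age > 89 {
		return "90+"
	}
	return strconv.Itoa(age)
}

// Patterns for identifiers that tend to leak through free-text fields.
// IP runs before PHONE and SSN before PHONE so dotted and dashed digit
// groups are labelled by the more specific pattern first.
var textPatterns = []struct {
	label string
	re    *regexp.Regexp
}{
	{"EMAIL", regexp.MustCompile(`[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}`)},
	{"URL", regexp.MustCompile(`https?://\S+`)},
	{"IP", regexp.MustCompile(`\b\d{1,3}(?:\.\d{1,3}){3}\b`)},
	{"SSN", regexp.MustCompile(`\b\d{3}-\d{2}-\d{4}\b`)},
	{"PHONE", regexp.MustCompile(`\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b`)},
}

// ScrubText replaces each recognised identifier in free text with a labelled
// placeholder, so a reviewer can see what was removed without seeing the value.
func ScrubText(s string) string {
	for _, p := range textPatterns {
		s = p.re.ReplaceAllString(s, "[REDACTED-"+p.label+"]")
	}
	return s
}

// Deidentify applies the removals to one record. Name, phone, e-mail, SSN,
// MRN, street and city are dropped outright by never being copied.
func Deidentify(r Record, restrictedZips map[string]bool) Deidentified {
	return Deidentified{
		State:     r.State,
		ZipPrefix: ZipPrefix(r.Zip, restrictedZips),
		BirthYear: YearOnly(r.BirthDate),
		AdmitYear: YearOnly(r.AdmitDate),
		AgeBand:   AgeBand(r.Age),
		Notes:     ScrubText(r.Notes),
	}
}

func main() {
	// Constructed sample record and a constructed restricted-prefix set.
	rec := Record{Name: "Jane Doe", Phone: "505-555-0123", Email: "jane@example.com",
		SSN: "123-45-6789", MRN: "MRN-0042", Street: "1 Example St", City: "Albuquerque",
		State: "NM", Zip: "87102", BirthDate: "1950-06-15", AdmitDate: "2002-11-01", Age: 92,
		Notes: "call 505-555-0123 or jane@example.com, SSN 123-45-6789, from 10.0.0.7"}
	fmt.Printf("%+v\n", Deidentify(rec, map[string]bool{"036": true}))
}
```

Note that `ScrubText` is a safety net for text fields, not a substitute for removing structured identifiers: pattern matching misses names, medical record numbers with no fixed shape and anything else on the list that has no recognisable format, which is why the structured fields are dropped by construction rather than by regex.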
Q: Can I
allow the sales representatives from drug companies to review
patient charts to find candidates for new medications?
A: No, unless you
receive written authorization from each patient.
Q: Does
HIPAA require me to disclose PHI to law enforcement authorities?
A: The Privacy
Rule allows you to disclose PHI to law enforcement authorities
without authorization only in response to court orders, warrants,
subpoenas, summons or administrative requests. You may also disclose
PHI for law enforcement purposes such as locating suspects, witnesses
and missing persons.
Q: Can I disclose PHI about deceased patients?
A: HIPAA treats
the PHI of deceased individuals the same as living patients. You
must receive authorization from the deceased patient's executor
or personal representative to use or disclose his/her PHI for
purposes other than treatment, payment or health care operations.
However, there are a few exceptions, as follows:
· Your organization may disclose PHI about deceased patients to coroners, medical examiners, funeral directors and law enforcement officials as necessary to carry out their duties; and
· You may use or disclose PHI about deceased individuals for research purposes as long as you obtain a representation from the researcher that the information will be used solely for research.
Transactions and Code Sets
Posted 11/22/02
Q: What is the purpose of the
Transactions and Code Sets Rule?
A: The Transactions and Code Sets Rule is intended to streamline
the data that is currently shared between providers and payors in
the health care industry. It will require that all covered entities
begin using standardized formats for transactions, and that all
pieces of data be conveyed using consistent code sets. This will
dramatically reduce the difficulties in filing claims. For example,
there are currently over 400 different formats in which transactions
are filed. The Transactions and Code Sets Rule reduces that number
to eleven. What does this mean for your organization? You can expect
fewer mistakes on both the sending and receiving ends, fewer claims
kicked back by the payor, quicker turnaround times on payment, and
less headache for your billing staff.
Q: How can my organization
comply with the Transactions and Code Sets Rule? What are the compliance
options?
A: There are three options for implementing the Transactions
and Code Sets Rule.
1. Continue using paper forms. Contrary to popular belief, HIPAA does not require that providers switch to electronic submissions. After October 16, 2003, however, Medicare will require that all providers with more than 25 full-time employees submit claims electronically. If your organization will be affected by this requirement, you can continue using paper forms, but you'll need to enlist the help of a clearinghouse to make your transactions compliant. (See #3 below for additional information on clearinghouses.) You'll also need to be aware that required fields on paper forms may change as payors streamline their incoming and outgoing data. If you plan to continue working with paper forms, find out from your billing service whether there will be changes and when they will take place. Get that information IN WRITING, and add it to your HIPAA file.
2. Submit electronically. Your software vendor should already have plans for dealing with the new requirements. Get in contact with your vendor as soon as possible to find out what it will require from you.
   · Contact your billing software vendor and find out what its plans are for Transactions and Code Sets implementation. Get written documentation including a timeline: when will you begin using the new formats? When and how will testing take place? Make sure you get the vendor's plan IN WRITING, and add it to your HIPAA file.
   · If you're shopping for a new vendor, ask the same questions. Use the answers to help you make a decision.
3. Submit through a clearinghouse. Essentially, clearinghouses provide translation services for outgoing and incoming transactions. Whether you plan to continue using paper forms or non-compliant electronic forms, a clearinghouse can convert your current transmissions to HIPAA-compliant formats. If you use a clearinghouse, you're essentially paying for compliance on a per-transaction basis. For some providers, this may be a better solution than investing in software for direct electronic submissions.
   · If you currently use a clearinghouse, find out what its new policies will be and what associated timelines you'll need to be aware of. Get this information IN WRITING.
   · If using a clearinghouse is a new strategy for you, do some shopping before you make a decision. Compare implementation plans, timelines, and prices. Once again, get it IN WRITING.
Q: What code sets will be allowable?
A: After the compliance deadline of October 16, 2003, only
the following code sets will be accepted:
· ICD-9-CM (International Classification of Diseases, 9th Ed., Clinical Modification, Volumes 1, 2, 3)
· CPT-4 (Current Procedural Terminology, 4th Ed.)
· HCPCS (Health Care Financing Administration Common Procedure Coding System)
· NDC (National Drug Codes) (NOTE: The proposed modification to this rule eliminates the usage of NDC for providers and payors and replaces it with HCPCS J-Codes.)
· CDT-2 (Codes on Dental Procedures and Nomenclature)
HIPAA will require that
the most recent editions of these codes be used, so when the ICD-10
codes are released, they will be the new standard code sets. All
other codes will be retired, including state Medicaid and local
codes, DSM-4, behavioral health and anesthesia codes.
Identifiers
Posted 11/22/02
Q: What is the
Identifiers Rule?
A: The Identifiers Rule will require that all providers,
health plans, and employers be assigned one unique identifying
number. This identifying number will be used on all communications
and transactions between entities.
The proposed Rule lists four categories for unique identifiers. They are:
· Health plans
· Employers
· Providers
· Patients
Q: Which parts of the Rule have
been finalized?
A: Based on the feedback the HHS received after releasing
the proposed rule, it is highly unlikely that the patient identifier
will be finalized. The localization of a patient's entire medical
history under one identifying number presents vast problems for
security and privacy measures. However, the three remaining will
almost certainly be finalized. The employer identifier is the
only portion of the Rule that has been finalized to date.
Q: When is the Identifiers compliance
deadline?
A: The only portion of the Rule that currently has a compliance
deadline is the Employer Identifier. Implementation must occur
by July 30, 2004 (or July 30, 2005 for small providers). Additional
deadlines will be determined as other portions of the rule are
finalized.
Q: What number will be used for
the Employer Identifier?
A: Employers will use their FEIN (tax ID) as their identifier.
Q: What does my organization need
to do to become compliant with the Employer Identifier Rule?
A: An employer not currently in possession of an EIN can
obtain one by submitting an IRS Form SS-4 (Application for Employer
Identification Number) to the Internal Revenue Service.
Privacy
Posted 11/22/02
Q: Who is the
best choice for my organization's Privacy Officer?
A: HIPAA doesn't expressly dictate who a privacy officer
should be. If your organization is very small, the natural choice
may be your office manager. Larger organizations may wish to designate
a medical records specialist or patient advocate as a privacy
officer. Ideally, you should choose someone who has a sound knowledge
of information flows and practice policies and procedures.
Q: What's the definition of "reasonable"?
A: That's one of the mysteries of HIPAA; we can expect this
to be better defined later on down the road, but for now, it's
up to your organization to decide what is and what is not "reasonable."
Common sense can help to determine most issues. For example, if
your training policies indicate that new employees should be trained
on privacy procedures within 30-60 days from date of hire, that's
probably reasonable. Two years is probably not.
Q: Do the Notice of Privacy Practice
and Authorization forms have to be provided in other languages?
A: The law recommends that translated copies of the forms
be made available to those who do not speak English. However,
this is not a requirement. According to HIPAAdvisory.com, "As
stated in the preamble to the Privacy Rule, the Department encourages
covered entities to consider alternative means of communicating
with certain populations, such as with individuals who cannot
read or who have limited English proficiency." It would be
practical to offer forms in Spanish if your facility serves a
large Spanish-speaking population, but you cannot be penalized
for offering English forms only.
Q: Where should documentation of
patient receipt of our Notice of Privacy Practices go? Does it
have to go into a patient's medical record?
A: HIPAA doesn't state precisely where or how this documentation
must be stored. However, it must be secure: if you have taken proper
security measures in storing your patient records, it may be logical
to store documentation of disclosures there as well. An example
of how to comply with this requirement would be to include blank
fields in your patient records where uses and disclosures can
be recorded, and a box that can be checked once a Notice of Privacy
Practices has been received and signed by the patient.
Q: Do my employees need to sign
the Notice of Privacy Practices?
A: The Notice is only intended for patient signatures.
An employee's understanding of her organization's privacy practices
is implied in the documentation of her participation in privacy
training.
Q: If I give a patient a copy of
his or her own information and he leaves it somewhere unattended,
is my organization responsible for the violation?
A: No. Once a copy of medical records has been disclosed to
a patient (following proper privacy procedures), responsibility
for safeguarding the information falls to the patient. You can't
be held accountable if a patient misplaces that information.
Q: Can mental/behavioral
health patients request modifications to their records?
A: Generally, yes. A patient has the right to access and
request amendments to his or her health records. However, the
Rule puts specific conditions on the disclosure of "psychotherapy
notes." The Regulation's definition is as follows:
"Psychotherapy notes means notes recorded (in any medium) by a health care
provider who is a mental health professional documenting or
analyzing the contents of conversation during a private counseling
session or a group, joint, or family counseling session and
that are separated from the rest of the individual's medical
record. Psychotherapy notes exclude medication prescription
and monitoring, counseling session start and stop times, the
modalities and frequencies of treatment furnished, results
of clinical tests, and any summary of the following items:
diagnosis, functional status, the treatment plan, symptoms,
prognosis, and progress to date."
A mental health patient
may have access and request amendments to other portions of his
mental health records.
Q: Are there specific guidelines
that apply to the use and disclosure of mental health records?
A: Yes. There are special requirements
for the use and disclosure of psychotherapy notes. Unlike other
portions of a patient's record, psychotherapy notes may only be
disclosed with patient authorization. Exceptions are as follows:
· The creator of the notes does not require authorization to use psychotherapy notes for treatment.
· Psychotherapy notes may be used by the covered entity without authorization in training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family or individual counseling.
· Authorization is not required if the covered entity uses psychotherapy notes to defend a legal action brought by the individual.
· No authorization is required if psychotherapy notes are disclosed by requirement of law; for the purposes of health oversight activities; to coroners, medical examiners, and funeral directors as necessary; or in cases where the covered entity believes a disclosure is necessary to ensure the safety of a person or the public. (For clarification of these exceptions, see sections 164.502a.2.ii; 164.512a; 164.512d; 164.512g.1; and 164.512j.1.i.)
Q: What should I do about mailings
that contain PHI? Do I need an authorization to send them?
A: It is allowable to send mailings to a patient regarding
his or her condition or treatment without receiving prior authorization.
Using PHI for marketing, however, generally requires a patient
authorization. (There are some exceptions; for more information,
see the Office of Civil Rights' page "Health-Related Communications
and Marketing" at http://www.os.dhhs.gov/ocr/hipaa/marketing.html.)
Q: Can you market new services to
groups of patients who might need them?
A: If your organization contacts patients to let them know
about certain services you provide, HIPAA doesn't classify that
as marketing.
Specifically, you will
not need to receive patient authorization before conducting the
following types of "marketing" activities:
· The marketing occurs during an in-person meeting with the patient (e.g., during a medical appointment).
· The marketing concerns products or services of nominal value.
· The covered entity is marketing health-related products and services (of either the covered entity or a third party), the marketing identifies the covered entity that is responsible for the marketing, and the individual is offered an opportunity to opt out of further marketing. In addition, the marketing must tell people if they have been targeted based on their health status, and must also tell people when the covered entity is compensated (directly or indirectly) for making the communication.
Q: Can my organization solicit
donations from patients?
A: Yes. HIPAA makes allowances for healthcare fundraising,
understanding that a good deal of medical funding comes from individual
philanthropic donations. However, there are some definite restrictions:
a covered entity is not allowed to market based on medical records,
but only on demographic information. This means that certain condition-specific
solicitations will have to be discarded. For example, an organization
requesting donations for a renovated oncology center cannot market
only to its former and current cancer patients; instead it will
have to market to all its patients, or to those living within
a certain vicinity, etc.
Q: Who are my Business Associates?
A: HHS provides a clear summary:
· A business associate is a person or entity who provides certain functions, activities or services for or to a covered entity, involving the use and/or disclosure of PHI.
· A business associate is not a member of the health care provider, health plan or other covered entity's workforce.
· A health care provider, health plan or other covered entity can also be a business associate to another covered entity.
· The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes, for example information exchanges between a hospital and physicians with admitting privileges at the hospital.
(Information from http://www.hhs.gov/ocr/hipaa/busassoc.html)
Q: Do I have to put a Business Associate Agreement in place with my cleaning staff?
A: If you contract with an outside janitorial service,
yes. An outside janitorial staff performs a function (unrelated
to treatment) on behalf of your facility, and may have access
to a covered entity's PHI. Initiating a Business Associate Agreement
with anyone who may come in contact with PHI is always a good
safeguard measure to take.
Q: If I submit aggregate data to
another entity, do I need a Business Associate Agreement?
A: No. Aggregate data does not contain individually identifiable
health information. If all that your accountant sees in processing
your records is aggregate data, there's no way any of the information
he comes in contact with can be used to identify an individual.
Security
Posted 03/28/03
Q: What is the Security Rule?
A: The Security Rule is designed to provide standard safeguards, both
physical and technical, for protecting PHI. It is intended to ensure
that PHI cannot be changed, misused or destroyed in electronic
transmission or storage, and that workforce behavior and administrative
procedures reinforce the priority of patient information security.
Q: When is the Security compliance deadline?
A: The Security Rule was finalized on February 20th, 2003,
giving it a compliance deadline of April 21st, 2005.
Q: What does my organization need to do to become compliant?
A: The Security Rule requires organizations to assess their
security needs and risks and to devise and implement strategies
to address those concerns. The requirements will fall into the
following categories:
· Administrative Safeguards. Documented, formal practices to manage the selection and execution of security measures.
· Physical Safeguards. Protection of computer systems, buildings and equipment that store or transmit PHI from hazards and intrusion.
· Technical Safeguards. Processes that protect and monitor information access, and prevent unauthorized access to data that is transmitted over a network.
Q: What is entailed in performing a gap/risk analysis?
A: The HIPAA Security Rule wants you to look closely at what
your organization is doing and compare your practices with the
ones the Rule requires. Assessing your current approaches to security
is the best way to determine your next course of action.
When you perform a gap analysis, you'll want to look very closely
at the way information flows through your organization. Who has
access to what information? Is that access limited in any way?
How is that information stored and transmitted between individuals
and organizations? Pretend you're a curious patient: sign in, wait
in the waiting room, wander through the halls, and make note of
the information you can easily come in contact with. Interview
your IT and billing staff. Find out what practices and habits
are occurring with respect to computer workstations, password
use, logins, etc. Collect your findings, compare them to the Security
Rule's proposed requirements, and determine where the areas of
exposure are. What presents the highest risk to your organization?
Once you've identified the areas that pose the largest risk, you
can begin to create a prioritized checklist for implementation
and change. Remember to document each step of the assessment process; keep
all your notes from walk-throughs and interviews as records of
your internal audit, and maintain a copy of your prioritized risk
assessment in your records, as well.
Q: Since the Security Rule isn't finalized yet, is it necessary to
begin work on implementation now?
A: While you may want to wait until guidance about the final
Security Rule from the HHS is released before spending time and
money on security implementation, there are many things you can
start doing now with in-house resources. For example, you'll have
to examine your current privacy policies and procedures in order
to meet the April 14th, 2003 privacy compliance deadline. It makes
sense to review your security policies and procedures at the same
time. Make notes of security policies that will need to be changed.
Get started on your gap assessment; you can start analyzing your
current information flows now. You can also begin corresponding
with your IT and software vendors now, to see if they are planning
on updating their products to help your organization reach Security
compliance.