HIPAA is the farthest-reaching law to be passed since ERISA and OSHA, and will impact all of us in some way. Under HIPAA, Protected Health Information (PHI) belongs to the patient, not to the caregiver. HIPAA offers a guarantee to patients that their health care providers (and the people those providers do business with) will protect their medical information. “Compliant” and “complaint” are two very different words made with the same exact letters. Just as you take care to put the “I” before the “A”, make sure you are HIPAA compliant before you get a HIPAA complaint!

The Privacy and Security aspects of the Health Information Privacy and Accountability Act, or HIPAA, became the law on April 14, 2001. Understanding that complying with the regulations would not be simple, the government granted a two-year grace period ending April 14, 2003 before starting to enforce sanctions against those who are non-compliant.

What does it mean for your practice/business if you haven’t yet started the process of becoming compliant? Answer: It’s time. Compliance with the HIPAA Privacy and Security regulations is not optional. It is a legal requirement, and the penalties for non-compliance are intended to make health care providers take action. The law sets forth possible civil penalties for offices not in compliance with the regulations: namely, a $100 fine per compliance violation per client per year, with a maximum fine of $25,000 per year per client. Theoretically, even one violation per client in a 3,000-patient office can result in a $300,000 fine. The criminal penalties for cases of gross malfeasance vary depending on the severity of the violation, and range from $50,000 and 1 year of jail to $250,000 and 10 years of jail. It is important to recognize that, in almost every situation relating to HIPAA, it is the principals of the firm who are considered responsible for the violations. Clearly, HIPAA compliance needs to be taken seriously.

Who will be policing and enforcing HIPAA? The Office of Civil Rights (OCR), an office within the US Department of Health and Human Services (HHS), has been given the task of enforcing this law. With literally millions of covered entities in the country, the odds of a random audit are slim. However, anyone—and this needs to be stressed—anyone can turn in your firm for non-compliance. An ex-employee, an upset client, a vendor, or a salesperson; anyone can contact the OCR to register a complaint.

In short, it would be extremely foolhardy to disregard HIPAA requirements.

What Does Compliance Entail?
HIPAA imposes a number of new rules that must be implemented, but the biggest change requires your firm to evaluate the flow of the Protected Health Information (PHI) in and out of your office, and make any changes necessary to guard the privacy of your clients. You also need to document your policies and procedures, and your employees need to complete training on those policies and the HIPAA Privacy and Security regulations.

In general, the suggested requirements for a smaller business/practice include:

Privacy and General Guidelines
1. Familiarize yourself with the privacy rule.
2. Appoint a HIPAA point person and/or a Privacy Officer.
3. Perform an assessment to compare current privacy practices against the HIPAA requirements.
4. Create and distribute a “Notice of Privacy Practices” to clients:
    • Use a “Patient Acknowledgement of Receipt of the Notice of Privacy Practices” to provide proof that you are complying with the requirement of notifying your patients.
5. Implement policies, procedures, and forms for:
    • Clients requesting access to copies of their information.
    • Clients requesting to amend their records.
    • Denying clients access to or amendment of their records.
6. Establish procedures to track access to protected health information.
    • Allow only qualified individuals or patients to review and/or receive a report on all such activities.
    • Create and implement an “Authorization Form” for release of information for any use other than Treatment, Payment, and Operations (TPO) and for non-routine disclosures.
    • Decide whether to use a Consent form for TPO.
7. Develop “minimum necessary” policies for:
    • Uses of protected health information by each employee job classification.
    • Routine disclosures.
    • Non-routine disclosures.
    • Limiting disclosures to those that are authorized by the client, or that are required or allowed by the privacy regulations.
8. Create and implement “Patient Grievance Procedures.”
9. Employee HIPAA requirements:
    • Train all employees on HIPAA and your firm’s policies and procedures.
    • Implement sanctions for non-compliance.
    • Implement policies and procedures for ensuring patient/PHI privacy in the event of an employee termination.
    • Develop a procedure for ongoing privacy awareness and updates within the firm, as well as re-training.
10. Ensure that “Business Associate Agreements” are sent, signed, and returned:
    • Where necessary, implement “Chain of Trust Agreements.”
    • Create a policy of sanctions for non-compliance.
    • Implement procedures for monitoring ongoing compliance.
    • Document the process and progress of getting those Business Associate Agreements and/or Chain of Trust Agreements signed.
    • Recognize that business associates and other third parties may need training or even an introduction to HIPAA requirements.
11. Be aware of the potential for state laws being more stringent than and superseding HIPAA, and of a state’s right to apply for exemption.
12. Establish a process to keep informed of any changes to or interpretations involving HIPAA.
    • Make necessary changes to your practice’s policies and procedures.
    • Re-train your employees.
13. Document all of the above to create a HIPAA policies and procedures manual for your practice.

Security Guidelines
1. Appoint a HIPAA Security Officer.
2. Secure client files (paper and electronic) and software programs.
3. Set up computer and client file backup procedures, and test them.
4. Design and implement a “Disaster Recovery Plan.”
5. Implement procedures for maintaining client records for a minimum of 6 years.
6. Make arrangements for permanent erasure or destruction of old client data files, papers, etc. (i.e., files over 6 years old).
7. Design and implement appropriate administrative, technical, and physical safeguards.
8. Document all security procedures within your HIPAA policies and procedures manual.

The size of a covered entity only changes the scope of the HIPAA compliance process. Smaller firms may more easily implement changes in how business is done. Larger practices may need to do more analysis of current procedures in order to determine what changes need to be made. The HIPAA rules and regulations themselves do not change with the size of an entity.

Business Associates
Another group of people impacted by HIPAA is the people with whom you do business, called Business Associates (BA). Any third party that receives patient information from your firm, except employees and other covered entities, must sign an agreement (contract) with you promising to treat the information with the same care as you do. Oddly enough, even though HIPAA does not apply directly to these entities, this agreement essentially places them under the same HIPAA controls. Business Associates include billing and collection services, accounting and law firms, etc., that would have access to patient information, and, in the case of the hearing care professional, hearing instrument manufacturers.

In our marketing research, we are finding that few BAs are aware of the implications of HIPAA. In order for a BA to do business with a covered entity, the BA must implement the same policies and procedures that a Covered Entity must, including training employees. It is very likely the third parties you do business with will need your guidance relative to what they need to do. If they don’t comply, you cannot do business with them. Worse yet, you could be held responsible for any violations, since the patient information at risk comes from your office.

The most obvious BAs for dispensing professionals are the hearing instrument manufacturers. The Hearing Industries Assn. (HIA) has provided a standard BA Agreement for use with hearing aid manufacturers (visit the HIA HIPAA HelpDesk at www.hearing.org/hipaa).

So Where Do You Start?
You can read the law, pull out the rules and regulations, and start a program yourself. The Department of Health and Human Services has posted the entire rule set plus more on their Web site (http://www.cms.hhs.gov/hipaa/hipaa1/default.asp). Many sources have sample forms and documents you can use. You can even find a checklist of the general things that you must do to make your office compliant.

You could also pay to obtain someone else’s research and save yourself a lot of time. As confusing as the law is, unless you have time on your hands, it may be more economical (and easier) to subscribe to a service from someone who has done the research. Should you pay for a consultant to come in and do an analysis? For some (mostly large) firms that is a good idea; however, for smaller firms, simply implementing the new procedures (and documenting them) should be the objective.

HIPAA is a culture change for entities that collect health information. It will alter many of the ways you do business. It gives patients access to their health information, and it forces covered entities and the people they do business with to protect the privacy of their patients. You need to learn about HIPAA and implement HIPAA practices in your firm. You and your employees must be HIPAA-aware, and have a “HIPAA Policies and Procedures” manual for your office.

Did you miss the April 14 deadline? It is not too late to start. This is only the beginning of HIPAA compliance, not the end.

Dennis P. Begley, CLU, is president of HIPAAps.com, Minneapolis, a software company specializing in HIPAA compliance for a number of industries. An insurance professional with more than 30 years of experience, he got involved with HIPAA requirements through his industry and clients.

Correspondence can be addressed to HR or Dennis P. Begley, HIPAAps.com, 5115 Excelsior Blvd. Suite 202, Minneapolis, MN 55416; email: [email protected]; Web site: www.hipaaps.com. The Tao of HIPAA, a story written by the author, can be found at http://www.TAOofHIPAA.com.