News -> January, 2003 News

HIPAA's New Privacy Rule Creates Changes for Providers [1]

Carol Lyn Kuhn, M.P.H., J.D. [2]
Savannah, GA
E-mail: ckuhn@hunter

A vestige of Hillary Clinton's healthcare reform plan lives on and becomes effective April 14, 2003. More than a sterile series of obligatory forms, it ushers in a new health care delivery culture.
The U.S. Department of Health and Human Services recently finalized rules regulating the use and disclosure of protected health information (PHI) [3]. These rules implement portions of the Health Insurance Affordability and Accountability Act of 1996 (HIPAA). HIPAA defines PHI broadly to include all information that identifies the individual or could reasonably be used to identify the individual. Health care providers must implement a broad compliance program by April 14, 2003 or face potentially severe civil and/or criminal penalties of up to $250,000 and ten years in prison. [4] The Privacy Rule is designed to provide a national standard for confidentiality of PHI. Providers and other covered entities may not use or disclose PHI without a patient's express written authorization except as provided by law. Those exceptions include the use and disclosure of PHI for treatment, payment and certain health care operations. All uses and disclosures are subject to the "minimum necessary rule": they must be limited to the minimum information necessary to accomplish the intended purpose.
In order to show good faith and compliance before April 14, 2003, a provider must at a minimum:
(1) draft a manual of practices and procedures intended to comply with HIPAA requirements;
(2) draft and provide to patients a notice of the provider's privacy practices, and secure each patient's acknowledgment of receipt;
(3) provide patients with the right to review their PHI, request amendments to it, receive a list of certain PHI disclosures, and receive a copy of their records;
(4) determine who is a Business Associate and secure HIPAA-required Business Associate Agreements; [5]
(5) train provider's workforce on HIPAA privacy regulations;
(6) assign a Privacy Officer and contact person;
(7) redefine job descriptions, applying minimum necessary standards and implementing progressive employee discipline sanctions, up to and including dismissal, for Privacy Rule violations.
HIPAA compliance requires a number of other actions in addition to those highlighted above. If you engage in research or marketing, there are specific rules with which you must comply. Providers are urged to seek legal counsel. Compliance is achievable; however, delay or avoidance could be costly.

For more info about HIPAA, please see the latest info posted by the Office of Civil Rights (U.S. Department of Health & Human Services).

Notes
  1. This article is intended solely as a very broad overview of a highly complicated regulation. Readers are urged to seek the advice of legal counsel to devise a compliance plan.
  2. Carol Lyn Kuhn, M.P.H., J.D. is an attorney specializing in health care law and commercial litigation at Hunter, Maclean, Exley & Dunn, P.C. (Savannah, Ga).
  3. 67 FR 53182 et seq. (August 14, 2002)
  4. HIPAA defines Health Care providers as any person/entity who furnishes, bills or is paid for health care in the normal course of business and that conducts electronic form transactions. Physician offices with fewer than 10 FTE are exempted.
  5. Business Associates are defined as third party entities to which a provider entrusts PHI to perform a service or function for the provider.
© 2008 American Rhinologic Society
All Rights Reserved