The privacy, security, and electronic-data provisions of the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") require the immediate attention of physicians and other "covered entities" to ensure proper compliance. By April 14, 2003, all physicians qualifying as covered entities must be in compliance with the HIPAA privacy standards. The following plan describes ten essential steps that all physicians and physician groups should take in 2003 toward HIPAA readiness.
- Appoint and Train a Privacy Officer. A necessary first step is to appoint an individual as the "go to" person with respect to these complex new standards. Someone in an organization will have to understand HIPAA and be responsible for compliance. The designated employee must have a working knowledge of and familiarity with the regulations in order to properly analyze the HIPAA compliance issues that the practice may face.
- Conduct an Internal Assessment. Once a privacy officer has been designated and trained, the essential next step is to conduct an internal assessment of existing policies, procedures, and practices for collecting and handling medical records and other patient information to determine where the gaps may be in a practice's ability to meet HIPAA standards. What information is collected from patients? Where is it stored? Who has access to it? What forms are currently used to obtain consent and authorization for necessary disclosures? With what third parties do you share protected health information? These and other questions must be asked and answered in order to identify risk areas and set priorities for further action.
- Identify and Enter Into Agreements With All "Business Associates." Healthcare providers must enter into special agreements with non-employee service providers that may have access to protected health information ("PHI"). For example, contracts with third-party record storage facilities, translators, or collection agencies will need to include provisions that comply with the HIPAA standards for business associates. Under the privacy regulations, a covered entity may disclose PHI to a business associate, and may allow a business associate to create or receive PHI on its behalf, only if the covered entity obtains satisfactory assurance that the business associate will appropriately safeguard the PHI. The first step will be to identify all business associates who may receive PHI from the covered entity. Prior to the compliance date, the covered entity must then request amendments to these contracts as they are renewed or renegotiated, and either obtain the required amendments or enter into new, compliant contracts.
- Adopt a Policy Regarding Minimum Necessary Disclosures. The privacy standards require physicians to make "reasonable efforts" to limit PHI to the minimum necessary to accomplish the intended purpose of a use, disclosure, or request. Although this minimum necessary requirement does not apply to disclosures made for treatment purposes, it will require healthcare providers to consider to whom they grant access and whether these people actually need access to all the information they currently receive.
- Adopt a Notice of Privacy Practices. Each covered entity must adopt a notice of privacy practices. This notice must describe the uses and disclosures that the entity is permitted or required to make under the rule without additional written authorization. Although a number of form notices are available, it is important to tailor the notice to the practices of the organization.
- Adopt HIPAA-Compliant Authorizations. For disclosures unrelated to treatment, payment, or healthcare operations, covered entities are required to obtain written authorization from patients. Since these authorizations must be in place by April 14, 2003, the privacy-compliance deadline, a mechanism should be established now for new and returning patients to complete the required paperwork, so that every setting in which a physician obtains, uses, or discloses PHI will have the required authorizations on file.
- Adopt Procedures for Handling Patient Requests. Covered entities must allow patients to make certain requests regarding their own PHI. Patients should be able to place restrictions on the use or disclosure of PHI, request access to inspect and obtain a copy of PHI, request that amendments be made to their information, and request an accounting of certain disclosures of their PHI.
- Amend Employee Manuals Regarding the HIPAA Privacy Standards. Since the HIPAA privacy regulations require that various policies and procedures be in place in order to protect the privacy of individually identifiable health information, employee manuals must be updated to reflect these policies and procedures.
- Train Employees. Once practice-specific policies, procedures, and notices are in place, it will be critical to train the staff. HIPAA requires all covered entities to train all workforce members on policies and procedures regarding PHI, "as necessary and appropriate" for the members of the workforce to carry out their functions within the covered entity. The final rule leaves to the employer the decisions regarding the nature and method of training used to meet this requirement. Methods may include classroom instruction, videos, booklets, or brochures tailored to the particular needs of workers and employers. For most physicians' practices, this responsibility will fall to the designated privacy officer.
- Documentation. The privacy regulations impose extensive and specific documentation requirements on covered entities. For example, a covered entity must retain signed authorizations, copies of the notices of privacy practices, and any agreements with patients restricting disclosure of PHI. In addition to meeting these specific requirements, the covered entity should retain documentation to show that reasonable steps were taken to meet generalized and scalable standards imposed by HIPAA. Covered entities should also document staff training, adoption of policies and procedures, and other efforts to comply with HIPAA.