For more information contact Jerri Lynn Ward.
Posted November 13, 2002
Applicable to All Covered Entities
The Privacy Rule under HIPAA requires that all covered entities be compliant by April 14, 2003. As of November 14, 2002, you have less than 6 months to make your facility, business, office or practice HIPAA compliant.
HIPAA contains over 400 pages of legalese that the average healthcare provider has little time to read and analyze. The following is a short summary of those 400 pages; it outlines what you need to do to be in compliance with the Privacy Rule by the April 2003 deadline.
Garlo Ward attorneys are available to help you. Do not hesitate to contact us with any questions, big or small.
- WHO IS COVERED IN TEXAS?
Although the federal rule only covers entities that submit private health information electronically, Texas has a more stringent requirement.
In Texas, anyone who engages in
- Assembling (i.e. data entry), or
- Collecting (i.e. market researcher), or
- Analyzing, or
- Evaluating (consultants), or
- Storing (clearinghouse), or
- Transmitting (third party billers)
private health information is covered and must comply with the Privacy Rule.
This means that all healthcare providers operating in Texas must comply with the Privacy Rule.
- WHAT WILL HAPPEN IF MY COMPANY IS NOT HIPAA COMPLIANT?
You will be exposed to state and federal penalties.
Fines may be imposed up to $250,000 for HIPAA violations. Violators may also be sentenced to up to 10 years in prison.
Your company may have its license suspended, revoked or be placed on probation by the state licensing agency.
- WHO WILL ENFORCE HIPAA?
The Office of Civil Rights has been designated as the HIPAA “enforcer.” It is expected that enforcement rules will be drafted within the next 12 months.
- WHAT DO WE NEED TO DO TO BECOME HIPAA COMPLIANT?
STEP 1: DESIGNATE A PRIVACY OFFICER.
You do not need to hire a new employee. Your privacy officer can be a current employee, for example an administrator or DON. The Privacy Officer’s job is to review existing policies and implement new HIPAA compliant policies to protect private health information. The privacy officer will also be responsible for evaluating facility compliance with HIPAA, and training employees on the privacy aspects of the Rule.
STEP 2: DRAFT BUSINESS ASSOCIATE CONTRACTS.
A business associate is a person or entity who, in the course of doing business with the healthcare provider, has access to individuals’ private health information. Business associates include accountants, attorneys and consultants.
Each business associate who has access to private health information must sign a business associate contract. This contract holds the associate to the same high privacy standards as the healthcare provider.
STEP 3: PROVIDE NOTICE TO ALL PATIENTS ABOUT YOUR PRIVACY POLICIES
All patients, before their first treatment, must sign a notice that advises them of their rights under HIPAA and your policies to protect their private health information.
The notice must also advise patients of the circumstances under which their private health information may be disclosed, for example to business associates.
STEP 4: IMPLEMENT AN AUTHORIZATION POLICY.
Anytime a healthcare provider gives private health information to an individual or entity for purposes other than treatment, payment or healthcare operations (for example, for marketing purposes), the patients concerned must sign an authorization.
There are some exceptions when the authorization is not required, such as when the information is required by law, for public health activities, or for research.
STEP 5: ESTABLISH SAFEGUARDS TO PROTECT PRIVATE HEALTH INFORMATION.
Private health information cannot be in plain view, and appropriate safeguards must be implemented to keep such information private.
STEP 6: ESTABLISH A SYSTEM TO IMPOSE SANCTIONS ON YOUR WORKFORCE FOR HIPAA VIOLATIONS.
Possible sanctions a healthcare provider may impose include employee reprimand, suspension or termination.
STEP 7: ESTABLISH A SYSTEM WHERE INDIVIDUALS MAY MAKE COMPLAINTS ABOUT HIPAA VIOLATIONS
A system must be established to document and investigate alleged HIPAA violations committed by your employees. If a complaint is substantiated, sanctions and disciplinary action must be documented, as well as any policy changes made as a result of the violation.
CONCLUSION
You have less than six months to make your company, facility, practice or office HIPAA compliant. Becoming HIPAA compliant requires staff education, administrative changes, new policies, patient notices and procedures and additions to or new contracts with business associates.
We are available to walk you through this voluminous piece of legislation and provide practical, cost-effective advice for HIPAA compliance in your business. Do not hesitate to contact us.
All information in this article is informational only and is not legal advice. Should you have any questions or a situation requiring advice, please contact an attorney.
Copyright 2004 by Garlo Ward, P.C., all rights reserved
Austin, Texas 78752-3714 USA
Telephone: 512-302-1103
Facsimile: 512-302-3256
Email: Info@Garloward.com