Risk Manager
Prepare for the New Privacy Rules
The HIPAA regulations are scheduled to take effect in 2003.
But take these steps now to smooth your compliance efforts.
COORDINATED BY JEFFREY D. WEINSTOCK, ESQ.
THIS MONTH'S COLUMN WRITTEN BY LISA G. HAN, ESQ.
Sweeping new federal regulations for protecting the privacy of all patient medical records will affect every doctor, hospital, pharmacy and health plan in the country when they go into effect in April 2003.
The controversial rules, mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), are designed to strictly limit the use and disclosure of all protected health information -- whether it's electronic, on paper or verbally communicated.
While privacy protection is generally welcomed, you may find these complex rules -- and the price tag for required compliance -- a bit overwhelming. According to a survey conducted by the American Hospital Association, the costs to hospitals alone could reach $22.5 billion over a 5-year period. The Department of Health and Human Services (HHS) estimates that each physician in private practice will have to spend approximately $4,000 to comply with the rules. However, many experts believe that even these estimates are unreasonably low.
KNOW YOUR RESPONSIBILITIES
Unless the Bush administration and Congress make changes in the privacy regulations, you'll be required to:
- notify patients of your information practices and provide them with a copy of your relevant policies and procedures. You'll also have to update patients if you change your policies.
- provide patients with access to their protected health information, including information maintained by your business associates.
- give patients an accounting of all disclosures of protected health information. You must ensure that business associates who access your patients' records can also provide an accounting.
- enter into a written agreement with business associates ensuring that they will appropriately safeguard protected health information.
- establish a procedure to deal with patients' complaints, and their requests to amend or correct their records.
You can only release or disclose the minimum necessary information to accomplish the intended purpose of use, disclosure or request. The "minimum necessary" standard, one of the most controversial issues under the rules, should be part of your HIPAA policies and should be consistently applied.
YOUR KEYS TO COMPLIANCE
Many providers are expected to have difficulty meeting the compliance deadlines. Failure to comply in a timely manner could lead to large fines -- and even imprisonment. To ensure timely compliance, you should:
- Establish a budget for HIPAA compliance. Budgeting anticipated expenses in advance can help you avoid major surprises and allow you to focus on the important issues.
- Appoint a HIPAA compliance committee or officer. Specifically delegating this responsibility will help you to understand compliance requirements, develop policies and procedures, and implement and monitor compliance.
- Establish privacy policies and procedures. You should review current information practices and develop all other necessary policies and procedures, notices and form letters.
- Incorporate privacy policies into your compliance program. To ensure constant compliance with the privacy rules, incorporate the rules into your existing compliance program.
Your progress toward complying with HIPAA rules will be of paramount importance during the 2-year implementation period. That's why it's crucial to begin developing a comprehensive and appropriate privacy and compliance program now. Planning ahead is the best way to avoid penalties later.
Lisa G. Han, Esq., is a partner in the Health Law Department of Schottenstein, Zox & Dunn in Columbus, Ohio. Her practice focuses on health law privacy issues and healthcare areas of significance to physician practices. She can be reached at lhan@szd.com. Risk Manager provides a general summary of legal issues and should not be construed as personal legal advice. Application of these principles varies according to individual situations.