The Right Reaction to HIPAA (Part 1 of 3)
Begin by understanding and formulating the proper notices, consents and authorizations.
By Mark E. Kropiewnicki, J.D., LL.M.
Does your practice know what it needs to do to comply with the new patient privacy regulations that will become effective in April of next year under the Health Insurance Portability and Accountability Act (HIPAA)?
Meeting the patient consent requirements for sharing medical records could cause you a great deal of confusion if your practice hasn't adequately prepared for the new regulations. You'll have to spend some time planning to meet the requirements, but once you have the appropriate policies in place, you'll probably find that these rules aren't as bewildering as you might have originally thought.
In this article, I'll tell you how to develop policies and procedures that will put your practice in compliance with the new regulations. In subsequent articles, I'll suggest steps you can take to safeguard electronic medical records and protect patient information, and I'll offer some practical advice that you can use in dealing with the new HIPAA regulations.
Begin your compliance effort by understanding and implementing the following guidelines, and you'll be able to breathe a lot easier when next year's deadline arrives:
Develop a privacy notice
HIPAA has mandated that patients be provided with advance written notice of your practice's policies regarding the use and disclosure of protected health information. This "Notice of Privacy Practices" must contain:
- a description of the types and uses of the protected information that the practice will disclose regarding treatment, payment, and health care operations
- a description of instances where you, as the provider, may use or disclose the information without the consent or authorization of the patient
- the provisions of applicable state law, if state law is more stringent than the federal patient privacy regulations
- a statement that patient consent must be obtained for all non-exempt uses of medical records
- a description of the patient's right to request restrictions on your policies as listed in the notice, along with a procedure that instructs the patient how to do so
- a description of the patient's right to access, inspect, copy, and amend his or her own records, along with a procedure that allows the patient to do so
- a description of the patient's right to receive a listing of all information disclosures
- a statement affirming the patient's right to receive a paper copy of the privacy notice upon request
- the procedure for filing a complaint with your practice and with the Department of Health and Human Services if a patient believes that his privacy rights have been violated
- a statement that your practice is legally required to safeguard the information and provide notice of its privacy policies, and is bound by the terms of the notice unless amended in accordance with the law
- a statement that your practice can contact the patient for appointment reminders or to transmit relevant information about other health services that may be of interest.
It's a good idea for your practice to draft a Notice of Privacy Practices as soon as possible. In addition, if your practice maintains a Web site, a copy of the Notice must be prominently displayed there. You can distribute the Notice to patients electronically, but only if they give written consent to receive it in this fashion.
There are exceptions
In most cases involving the release or sharing of medical records, patients will need to first sign a consent form or an authorization. However, there are times when a patient's consent isn't needed. These instances include those disclosures:
- required by law (typically involving gunshot wounds, stabbings and other injuries inflicted by criminal activities)
- for public health records, such as reporting of communicable diseases, births and deaths
- regarding victims of abuse, neglect, or domestic violence, provided that your practice also notifies the victim that the disclosure is being made
- for health oversight, such as governmental audits
- for judicial or administrative proceedings, if legally ordered
- for law enforcement purposes pursuant to state law or subpoena, including reports of suspicious deaths
- for research, in specific instances where the requirements for a waiver from authorization are met
- to avert serious danger to health and safety
- in instances pertaining to certain members of the armed forces or prisoners.
It's important to note that the HIPAA consents and authorizations differ from the informed consent that medical practices obtain for treatments or procedures. Your practice will still need to obtain informed consent where appropriate.
When you need consent
Determining whether you need a consent or authorization depends on the intended use of the protected health information. For most practices, disclosures of protected information will fall into one of three categories, requiring a patient's signed consent:
Treatment. A consent covers communications between and disclosures to referring doctors and specialists, hospitals, and other healthcare facilities, and other providers for administering treatment.
Payment. A consent covers typical payment activities, such as verification of coverage, pre-certifications, referrals and claims processing.
Administrative activities. A consent covers certain administrative and management activities, such as compliance monitoring, quality improvement and business planning.
What a consent must include
Once you've determined that a patient's healthcare information will only be used for treatment, payment, or healthcare operations purposes, you must have the patient sign a written consent. The consent must:
- state that protected health information may be disclosed or used for treatment, payment, or healthcare operations
- refer to the required Notice of Privacy and give the patient the opportunity to review it
- reserve the right to change your privacy policies and the way in which a patient will be notified of any changes
- give the patient the right to restrict further uses of the information, other than what the policies specifically allow
- state that the patient may revoke the consent in writing at any time and all future disclosures will then cease
- be signed and dated by the patient.
Your practice is entitled to decline a patient who refuses to sign the consent form.
Using authorizations
Authorizations are required for use or disclosure of protected health information for purposes other than treatment, payment, or healthcare administration. These documents must include:
- a specific description of the information that's to be used or disclosed
- the identity of the specific individuals who may use or disclose the information
- the identity of the specific individuals who may receive and use the disclosed information
- the expiration date of the use or disclosure
- a statement of the patient's right to revoke the authorization at any time in writing, along with a procedure for doing so
- a statement that the protected health information used or disclosed as authorized may be subject to redisclosure by the party receiving the information and may no longer be protected by the privacy regulations
- the patient's signature and the date.
Know the law
Your practice must be aware of the proper procedures for obtaining patient consent prior to the release of confidential medical information. Not following the appropriate procedures can result in a legal claim against you and/or your practice. Although the new privacy regulations may at first appear intimidating, once you've developed the appropriate forms and written the necessary policies, your practice should be able to adapt to the new rules quickly.
Mark E. Kropiewnicki, J.D., LL.M., is a principal consultant with the Health Care Group, Inc., and a principal and president of Health Care Law Associates, P.C., in Plymouth Meeting, Pa. He regularly advises physicians and practices on contracting matters and business law obligations. He can be reached at (800) 473-0032.