The Right Reaction to HIPAA (Part 3 of 3)
Most of the regulations have been finalized.
By Sofia R. Plotzker, J.D., and Mark E. Kropiewnicki, J.D., LL.M.
The regulations issued under the Health Insurance Portability and Accountability Act (HIPAA) have been a continuing source of concern for all ophthalmologists, and for good reason. The rules are cumbersome. They impose new responsibilities on medical practices. Meeting the requirements may be costly. But after much comment and many changes, most of the key regulations pertaining to patient privacy were finalized in August. With the final form of the HIPAA regulations now taking shape, you should be stepping up the pace of your planning to meet these federal requirements.
Of the many HIPAA regulations, there are three types that will likely have the most immediate impact on your ophthalmology practice. In this concluding article of our three-part series, we'll provide you with the current status of these regulations and offer practical steps you can take to prepare for implementing them.
Following is the most up-to-date information on the new HIPAA Security, Transactions and Privacy standards and a basic timetable for compliance.
Standards for Security ("Security Regulations"). The regulations for maintaining the security of electronic records haven't been finalized, so the specific requirements and compliance date aren't yet known. However, final regulations are expected to be issued shortly. Unless there are significant changes from the current proposed form, these rules will require medical practices to implement additional safeguards beyond those measures already mandated in the Privacy Regulations. (For a detailed review of the Privacy Regulations, see The Right Reaction to HIPAA, Part 1, January 2002.) We'll have to wait until the Security Regulations are final before making suggestions for complying with them.
Standards for Electronic Transactions ("Transactions Regulations"). The Transactions Regulations are intended to provide uniformity. All providers, payers and clearinghouses must conduct electronic (and paper) transactions using the same format and codes.
The covered transactions will ultimately include the following:
- healthcare claims or equivalent encounter information
- healthcare payment and remittance advice
- coordination of benefits
- healthcare claims status
- health plan enrollments/removals
- health plan eligibility
- health plan premium payments
- referral certification and authorization
- first report of injury
- health claims attachments
- other transactions that the Secretary of Health and Human Services may prescribe by regulation.
For physicians, this is actually a good thing. Gone will be undecipherable explanations of benefits and unique referral forms. Training billing staff will be much less complicated. For most practices, the conversion will be done with a simple installation of new software. No longer will you be required to submit claims in a variety of different formats, depending on the payer. The claim form required under the Transactions Regulations is essentially similar to the current UB-92 and HCFA 1500. The difference is that this form will be used for all payers and not just Medicare or Medicaid.
The final Transactions Regulations also designate five medical code standards to be used. These include:
- International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM)
- Current Procedural Terminology, 4th Edition (CPT-4)
- Health Care Financing Administration Common Procedure Coding System (HCPCS)
- Code on Dental Procedures and Nomenclature, 3rd Edition (CDT-3)
- National Drug Codes (NDC).
Most practices are already using these code standards, with the one exception of NDC. However, there's a proposed modification to allow practices to use the more commonly used J-Codes instead of NDC.
The required date of compliance for the transactions standards was to have been Oct. 16 of this year. However, an extension to Oct. 16, 2003 was approved last December. To be granted the extension, you should have filed a "plan for compliance" by Oct. 16. But if you need an extension and haven't filed for it, you can still try to obtain it by going to the Centers for Medicare and Medicaid Services Web site at www.cms.gov/hipaa/hipaa2/default.asp as soon as possible and submitting your "plan for compliance." Your plan for compliance must generally include:
- analysis of the extent of and reasons for your noncompliance
- a budget, work plan, schedule and implementation strategy for becoming compliant
- a description of vendors or contractors you plan to use to assist you
- a timeframe for testing your systems, with testing to begin no later than April 16, 2003.
Remember, for most ophthalmology practices, this is a software issue. As long as the billing software or service you use has the proper forms loaded, you should be fine, assuming you already use the standard codes (CPT-4, HCPCS, CDT-3).
Be aware, however, that the HIPAA rules don't require your software service to be compliant. Ultimately, it's your responsibility to be compliant or to obtain the extension.
Standards for Privacy of Individually Identifiable Health Information ("Privacy Regulations"). These regulations provide standards for maintaining the privacy and integrity of protected health information. The required date for compliance is April 14, 2003.
The Privacy Regulations require physicians to intensify their efforts to maintain patient confidentiality. Increased staff training and security of records are key. Perhaps one of the greatest impacts of the Privacy Regulations involves the patient's right to be formally notified of the uses and disclosures of his medical information and to have full access to those records.
To sum up the most basic and essential information that pertains to patient privacy, it's important to remember that the Privacy Regulations require practices to provide patients with a "Notice of Privacy Practices" at the first visit. Practices must make a good faith effort to get a written acknowledgement that the patient has received this notice, preferably a signed Consent form. Once you've received a written acknowledgement, you won't need to get written acknowledgement again. For example, if you use the Consent form, it only needs to be signed once. You don't need a new Consent to be signed each time the patient comes in.
The Notice of Privacy Practices deals with how you'll use and disclose information for the purposes of treatment, payment and healthcare operations (TPO). In general, TPO doesn't include research and marketing activities. For activities that aren't TPO, you'll need an Authorization to be signed. Unlike the written acknowledgment of the Notice of Privacy Practices, you'll need to have the patient sign a new Authorization for each non-TPO activity. Consult with your healthcare attorney if you have any questions about a particular activity.
Note these changes
After the release of the final Privacy Regulations last year, the Department of Health and Human Services received numerous comments from concerned practitioners, healthcare attorneys and consultants, and organizations representing physician specialties, hospitals and health plans. These comments were then evaluated and in late summer final modifications to the Privacy Regulations were published.
As expected, these modifications don't create a general extension of the compliance date, although they allow some extra time to comply with specific sections of the regulations. They're primarily geared toward making changes necessary to avoid the unintended negative effects of the original Privacy Regulations. Key changes that will impact your practice include:
Consent forms are no longer mandatory. However, providers still need to make a "good faith effort" to obtain written acknowledgement from their patients that patients have received a copy of the Notice of Privacy Practices. The acknowledgement doesn't have to contain all of the specific elements that are currently required in the Consent form. In fact, you can simply have the patient initial each page of the Notice of Privacy Practices. Keep in mind that this modification only affects the Consent form. Providers still have to provide the Notice of Privacy Practices -- and obtain Authorizations where necessary. Plus, it's still a good idea to get a signed Consent form when feasible.
The sections dealing with a practitioner's ability to share protected health information with other providers for the purpose of treatment have been clarified. It was never intended that you couldn't send records to a specialist to whom your patient is being referred for care.
Incidental uses and disclosures of protected information are permitted, as long as the primary use or disclosure of the protected information isn't a violation of the rule. For example, consider the practice of using sign-in sheets. Patient Bill Smith signs his name on a sheet at the check-in desk. The name "Bill Smith" is protected information that the practice uses for legitimate treatment, payment and/or operations purposes. If Mary Jones sees Bill Smith's name on the sign-in sheet when she signs in, the incidental disclosure of Bill Smith's name isn't a violation of the privacy rules.
Under certain circumstances, the final modifications give providers up to one additional year to have "Business Associate" contracts in place. These contracts spell out the specific terms under which business associates, such as billing companies, can use your protected patient information.
The definition of "Marketing" has been revised. Under the final rule, face-to-face communication and using patient lists to send out promotional gifts of nominal value aren't considered marketing. Thus, you won't have to get a signed Authorization for these communications. You will, however, have to obtain an Authorization if you use a patient's name to promote the practice in any way. The good news here is that using standard Authorization forms will be permitted.
The Privacy Regulations will initially create a great deal of additional work for medical practices. However, once you have developed basic policies and procedures that put your practice in compliance, implementation shouldn't be terribly difficult.
Take action now
To assist in planning for compliance with the HIPAA Privacy Regulations, consider taking these steps in the following areas:
Physical plant. Keep paper records related to patients, whether it's billing or clinical, out of publicly accessible areas. You should also make sure to:
- secure all paper records/charts in locked rooms
- keep lab reports, correspondence and other items regarding patients waiting for filing out of common areas
- keep computer terminals out of open areas. Those that must be out should be secured to lock keyboards and block views of the screen.
Computer equipment. Set up systems so that access to protected health information is limited to the minimum amount necessary for staff to perform their job functions and to protect the availability and integrity of such information from outside hackers. Contact your software vendor to see how they can help you be compliant. To ensure that electronic medical records will always remain private and that electronic transactions will be handled smoothly:
- install all necessary forms, data sets and software for electronic transactions
- set up passwords so that each staff member's password allows access only to the minimum necessary information to complete job functions
- install an encryption system to scramble information in case there's an unauthorized interception
- include software to verify the sender of information you receive
- establish firewalls and other protections from unauthorized access from the outside
- maintain adequate back-up records and store those records in a safe place
- establish a disaster recovery system so that if anything happens to your electronic records, you'll be ready
- maintain logs of access to your system, data transmitted and data received.
Staff training. Develop a staff training program covering aspects of protected health information. Then, make sure that you:
- require staff to attend training at time of hire and whenever the practice makes a change to its policies
- provide staff with a copy of written policies and procedures
- develop policies and procedures to handle staff violations including termination of employment
- maintain adequate records of all training and staff violations, including how these were resolved.
Forms. First, develop a "Notice of Privacy Practices" form. Then, do the following:
- develop a Consent form for use with patients for whom you'll create and/or maintain protected health information that you'll use for treatment, billing and/or healthcare operations. Note that you are no longer required to use such a form; however, it's still good practice to use the Consent form whenever possible.
- if your practice participates in research, fund raising, marketing or other activities for which you will use protected health information, develop an Authorization form.
Business associates. Obtain adequate assurances that business associates not directly covered by the regulations -- including billing companies, attorneys, accountants and anyone else to whom you disclose or who may use on your behalf protected health information -- will comply with the standards.
Once you've done this, it's your responsibility to make sure that you execute contracts with all business associates limiting the use and disclosure of information provided by or created on behalf of the practice.
Compliance. Appoint a Privacy Officer and a Security Officer. (The positions can be held by the same individual.) Once those positions have been filled, you can begin to work with your Privacy and Security Officers to:
- develop policies and procedures regarding the use and disclosure of protected health information
- create a procedure for staff suggestions and complaints with a "no retaliation" policy
- implement routine reviews and audits of the uses and disclosures of protected health information
- develop a standard exit interview for all departing staff that includes questions about compliance with privacy and security measures.
Patients. Recognize that patients now have the right to access and amend their personal medical records. Once you've accepted the concept of patient access, develop ways for patients to exercise these rights by:
- establishing procedures for patients to request to either review or receive a copy of their medical records
- determining the reasonable cost you may charge patients to obtain copies of their records
- developing a procedure for patients to add to or amend their own records.
You should be planning now
The HIPAA regulations may appear overwhelming at first glance. Indeed there's a lot of work to do initially. However, the basic concepts aren't new to medical practices.
You should now be planning for full compliance. The regulations are very specific in many areas. Don't attempt to do it all alone. Contact your software provider now. Many have begun to develop HIPAA-compliant packages for medical practices. Talk to your hospital and third-party payers to work cooperatively where possible. Consider retaining a healthcare consultant who specializes in HIPAA compliance. Above all, consult with a competent healthcare attorney versed in the HIPAA regulations for guidance in developing your plan.
Sofia R. Plotzker, J.D., and Mark E. Kropiewnicki, J.D., LL.M., are consultants with The Health Care Group and attorneys with Health Care Law Associates, P.C., both based in Plymouth Meeting, Pa. They can be reached at (610) 828-3888 or via e-mail at splotzker@healthcaregroup.com or mkrop@healthcaregroup.com.