I have decided in this newsletter to bring to your attention more information on medical office HIPAA and compliance. The following articles, I humbly believe, give good information.
From the January 2002 Practical Guidance on HIPAA and E-Health for the Physician Practice (this was prior to the August 14, 2002 changes by HHS).
Minimum Necessary Need Not = Maximum Pain
In many physicians’ offices, medical charts are open books, kept unlocked and available to anyone who wants them. Such unquestioned access becomes a thing of the past under the privacy provisions of the Health Insurance Portability and Accountability Act. Offices will have to control access in an organized way. The privacy rule requires that each person may be privy to only the information about patients that is deemed the “minimum necessary to accomplish the intended purpose.” The same minimum necessary standard also governs what information may be disclosed to people who request it, with some exceptions, including the patient and governmental agencies.
“What we have always done in medicine is everybody has access to everything,” says Allan Tobias, MD, JD, a health care consultant in Walnut Creek, California. “That ain’t gonna happen anymore.”
The Office for Civil Rights, under the Department of Health and Human Services, will begin enforcing the privacy rule as of April 2003.
Officials from OCR have made it plain that providers must approach this task of limiting information disclosure seriously, regardless of whether they believe they are already adequately safeguarding information.
But OCR officials have also stated that the rules, and HIPAA generally, are to be implemented in ways unique to each workforce.
“I was in one office, a very busy single doctor office, and everybody does everything. So everybody is entitled to see all the charts because they are changing jobs... someone might be out sick with the kids. The level of access for Office A vs. Office B is going to be different,” Tobias says.
Medical offices have some work to do, but they will not need to duplicate the intensive efforts that hospitals or health plans will have to undertake to comply with the minimum necessary standard.
Thinking about Information
The kind of information and data that must be safeguarded under the privacy rule, and under the security rule too, is called protected health information, or PHI. According to the privacy rule, PHI is information “created or received by a health care provider, health plan, employer or health care clearinghouse” that “relates to the past, present or future physical or mental health or condition of an individual.”
“Under the rule, covered entities must make reasonable efforts to limit how they use and disclose information to the minimum amount necessary to accomplish that purpose,” says Linda Sanches, a senior advisor in the Office for Civil Rights. “You need to control how you use information...you need to think about how you use information and not use and disclose more than you actually need [to]. That’s the general concept.”
Providers must develop policies for how this information will be handled. And there is no way to avoid this in the hope that no one will find out: the privacy rule states that patients must receive a copy of the office’s policy on handling PHI. This is the provider’s notice of privacy practices; under the rule as it stood in January 2002, the notice was accompanied by a consent form permitting the physician to use and disclose PHI for the purposes of treatment, payment, and health care operations (the consent requirement was removed in the August 2002 modifications). Sanches describes the minimum necessary standard as a “role-based access concept” that applies to everyone, even physicians, although exceptions are granted for providers who are treating patients.
“You need standard protocols about how doctors get access to information, nurses, front desk clerks,” she says. “There are all kinds of people who work in covered entity facilities, they have all kinds of jobs...they probably don’t all need access to every piece of information you have about a patient. So minimum necessary means you do have to think about what information they do need and implement procedures so they don’t get other information that they don’t need.”
Defining Jobs, Data Needs
Having to comply with the concept of minimum necessary at first appears overwhelming, maybe even frightening. Yet, like many aspects of the privacy and security rules, in practice minimum necessary simply codifies or formalizes practices and behaviors that are already familiar to most offices, says Kate Borten, CISSP, a medical privacy and security expert.
“Minimum necessary is a classic information security principle,” says Borten, president of the Marblehead Group in Massachusetts. “There is nothing new about it. Most organizations are following it informally.”
Consider, for example, who has access to what kind of data or computer files. Front-desk staff might be able to read and update information concerning patients’ name, address, phone number, Social Security number, and insurance information. “Yet they typically are not allowed access to clinical information,” Borten points out. “What we need to do is take this a step further. Review what procedures we have, scrutinize them and see if they are as tight as they can be,” she adds. “You are making sure there are limits and boundaries that have not explicitly been stated before.”
Even if the office concludes that information can’t be restricted, perhaps because the staff is so small, it still must go through this exercise of defining roles, Borten and Tobias agree.
Broad Definitions May Be Best
To begin building the role-based access policy, first determine the “owners” of PHI in the practice, as Borten puts it. Then the “owner” and the office staff addressing HIPAA compliance determine who does work for the practice and may need access to PHI: part-timers, full-timers and those who might be working as contractors, such as transcriptionists. Review what sorts of information and data they routinely need to do their jobs.
The minimum necessary provisions do not apply to the following:
- Disclosures to or requests by a health care provider for treatment purposes.
- Disclosures to the individual who is the subject of the information.
- Uses or disclosures made pursuant to an authorization requested by the individual.
- Uses or disclosures required for compliance with the HIPAA transactions.
- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes.
- Uses or disclosures that are required by other law.
—From HHS
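The role-defining exercise described above, worked through as an added example. This is not code from the newsletter or from any of the consultants it quotes. It assumes a small practice with four roles, three groups of chart fields, and a policy table mapping each role to the fields it may read; the role names, field names and the sample chart are all illustrative assumptions. The treatment exemption for clinicians follows the first item in the HHS list of exceptions above, and the front-desk entitlement follows Borten’s description of what such staff can already see.

```python
"""Minimum-necessary, role-based access to a patient chart.

Added illustration for the article above; not code from the newsletter or
from any consultant quoted in it. Roles, field groups, the policy table
and the sample chart are all assumed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, List

# Assumed field groups. A practice would build these from its own
# inventory of which jobs need which data (the "role defining" step).
DEMOGRAPHIC = frozenset({"name", "address", "phone", "ssn", "insurance"})
CLINICAL = frozenset({"diagnoses", "medications", "progress_notes"})
BILLING = frozenset({"name", "insurance", "procedure_codes"})

# Assumed policy: role -> fields the role may read for routine work.
READ_POLICY: Dict[str, FrozenSet[str]] = {
    "front_desk": DEMOGRAPHIC,
    "billing": BILLING,
    "nurse": DEMOGRAPHIC | CLINICAL,
    "physician": DEMOGRAPHIC | CLINICAL | BILLING,
}
# Roles that deliver treatment; the standard does not apply to their
# treatment uses (first exception in the HHS list above).
TREATING_ROLES = frozenset({"physician", "nurse"})


class AccessDenied(Exception):
    """Raised when none of the requested fields are permitted."""


@dataclass
class AccessLog:
    """Append-only record of every grant and denial, for later review."""
    entries: List[dict] = field(default_factory=list)

    def record(self, **entry) -> None:
        self.entries.append(entry)


def minimum_necessary_view(chart: Dict[str, object], role: str, purpose: str,
                           requested: Iterable[str], log: AccessLog) -> Dict[str, object]:
    """Return only the requested fields that `role` may see for `purpose`.

    Treating roles acting for treatment get everything they ask for.
    Everyone else is narrowed to the policy table: fields outside the
    role's entitlement are dropped, so a front-desk clerk who asks for
    the whole chart gets demographics only. If nothing survives the
    narrowing, the request is refused; either way the outcome is logged.
    """
    wanted = set(requested) & chart.keys()
    if purpose == "treatment" and role in TREATING_ROLES:
        allowed = wanted
    else:
        allowed = wanted & READ_POLICY.get(role, frozenset())
    log.record(role=role, purpose=purpose,
               granted=sorted(allowed), denied=sorted(wanted - allowed))
    if not allowed:
        raise AccessDenied(f"{role!r} may not read {sorted(wanted)} for {purpose!r}")
    return {name: chart[name] for name in sorted(allowed)}


# Constructed sample chart; not real patient data.
SAMPLE_CHART: Dict[str, object] = {
    "name": "Jane Example", "address": "1 Main St", "phone": "555-0100",
    "ssn": "000-00-0000", "insurance": "PlanCo 12345",
    "diagnoses": ["hypertension"], "medications": ["lisinopril"],
    "progress_notes": "BP controlled at last visit",
    "procedure_codes": ["99213"],
}


def demo() -> AccessLog:
    """Run three typical requests and return the resulting log."""
    log = AccessLog()
    # Front desk scheduling a visit: narrowed to demographics.
    minimum_necessary_view(SAMPLE_CHART, "front_desk", "scheduling", SAMPLE_CHART, log)
    # Physician treating the patient: exempt, sees the full chart.
    minimum_necessary_view(SAMPLE_CHART, "physician", "treatment", SAMPLE_CHART, log)
    # Billing clerk asking for a diagnosis list: refused and logged.
    try:
        minimum_necessary_view(SAMPLE_CHART, "billing", "payment", ["diagnoses"], log)
    except AccessDenied:
        pass
    return log


if __name__ == "__main__":
    for entry in demo().entries:
        print(entry)
```

The design choice worth noting is that a request is narrowed rather than refused outright: a clerk who asks for the whole chart receives the demographic and insurance fields and nothing clinical, which is the informal practice the article says most offices already follow. Every grant and refusal is appended to a log so the office can later show who saw what and for what purpose. The exemption branch is deliberately limited to the treatment purpose; a nurse pulling records for a payment question is still subject to the policy table, because only treatment disclosures are outside the standard.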
From the September 2002 Practical Guidance on HIPAA and E-Health for the Physician Practice
Start Now on Privacy Notice for Patients
With the elimination of the mandatory consent requirement from the privacy rule, the notice of privacy practices, which describes for patients how the office handles confidential information and their rights concerning it, takes on added significance.
“The consent provision was going to require a statement from the patient that they were given an opportunity to read and acknowledge the notice of privacy practices, but this probably raises the profile [of the notice] for providers,” says Jeremy Edes Pierotti, principal with Validus Consulting, Inc., of Minneapolis. “They will now be more focused on that.”
The government estimates 613 million privacy notices will be given out, and this is described as an annual number. The Department of Health and Human Services predicts, no doubt optimistically, that it will take only 10 seconds for each provider to give out the notice, and just another 10 seconds for the person to sign off on it. Of course, developing the notice will take much longer, and some offices may even throw up their hands and presume they can revert to paper, or stick with paper transactions, as a way of staying outside the rule. But unless the office does not treat Medicare patients, this is an unrealistic tactic.
“As of next year, Medicare will require everybody who bills them to bill electronically, so that means that everybody will be covered, with one exception: if you’re a small provider with 10 or fewer employees, including the physician,” says Allan Tobias, MD, an attorney in Walnut Creek, Calif.
The purpose of the notice is to explain to patients how their information is used. While health plans and “direct treatment” providers are both required to develop and distribute their notice to patients, only providers will have to make a “good faith effort” to provide their notice and to obtain the patient’s signature acknowledging that he or she has had an opportunity to review it.
So it is essential that the notice be done well. It should reassure patients rather than cause them concern or confusion. Because the notice is given to all patients, special care needs to be taken in how it is written so that people at all levels of education can understand it. The rule requires that the notice be written in “plain language.”
In addition, offices will have to think about whether their notices need to be translated into more than one language. Federal civil rights law holds that communications of this type must be in English and in any languages that represent “a significant element of the practice’s population,” according to Tobias.
Extra Step for Doctors
The rule requires that direct treatment providers “provide a copy of the notice to an individual at the first service delivery to the individual.” The authors of the regulation envision that it will be given out at the same time as other documents, such as other treatment consent forms (not related to HIPAA per se). Once the patient has been given the notice, the office is required to seek a signature of acknowledgement. This can be done with a simple check-off box on the notice coversheet, or the patient may date and initial a separate log, according to the rule.
The office is required to document that it gave the notice and sought a signature. This record must be kept on file for six years. If the patient refuses to sign, the provider is to document this, but he or she is not prevented from treating the individual. A signature is not required for treatment to occur.
“The notice of privacy practices must [also] be displayed prominently in the office,” says Tobias. “It doesn’t mean you have to wallpaper your office with this thing; you can have it in a nice binder and available for people to look at, plus they get a copy of it to take home.”
Offices that have Web sites must prominently post the notice on the site; a portable document format (PDF) file is a common way to do this, though the rule does not prescribe a format. In addition, any revisions require posting, but the rule states that providers don’t have to distribute the revised notice again to individual patients. The office has to post it “in a location where it is reasonable to expect individuals seeking services from the provider to be able to read the notice,” according to the rule.
Rights Can Be Exercised
Of course, it isn’t enough simply to write a notice. Offices must actually do what the notice says they do, and make good on the rights they offer patients. For some offices this may mean new activities that may be a source of friction with patients. A patient’s right to inspect and amend his or her records is one potential area of discord.
While patients have always had the right to copies of their medical records, more may ask to exercise it once they see the option spelled out. Offices may need to develop procedures for handling these requests, especially because there may be patients who want to see their file on a regular basis. Nothing in the rule prohibits patients from requesting their records once a month, or even once a week. Many offices, Tobias says, are giving patients the first copy for free and applying a nominal charge after that. “Realistically, we’ve never charged, but if you become a pest, guess what? You’re going to pay to be a pest,” he says.
What is new is that patients can request an amendment to their health information. “Request, not demand, a change of information on the charts,” Tobias points out. He adds that the provider does not have to go along with the amendment, but can add his or her own memo to the records along with the patient’s, showing that the point is in contention.
The requirements for the content of the notice are found in section 164.520 of the final rule as issued in December 2000. Apart from the deletion of the mention of the consent provision, these were mostly unchanged by the proposed modification rule, issued in March, or by the final privacy modification rule, issued last month (August 2002). The privacy rule recognizes the length of notices and the difficulty this might pose for patients who actually want to wade through them. So, to enhance patients’ understanding of the notice, the rule allows providers to offer a summary of their practices, a process the rule calls layering. A condensed version of the notice may be put on the first page summarizing what follows, with the full notice included after that. However, the summary may not take the place of the notice or be separate from it, explains Allan Tobias, MD, an attorney in Walnut Creek, Calif.
The notice must begin with, or prominently feature, this statement that speaks directly to patients:
“THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
The rest of the notice will be in sections that describe the following:
- the office’s duties with respect to the rule
- the patient’s rights with respect to his or her medical record
- explanations of the types of disclosures the office will make and how it will use patient information
- how complaints will be handled
- other housekeeping items
Office’s Duties
The rule requires that the notice have a section explaining the office’s duties with respect to the privacy of patient data. This may be a simple restatement of the rule language, which is that “a covered entity is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information.”
There should be another statement that says the office is required to follow the “terms of the notice currently in effect.” In addition, the notice should state that the provider reserves the right to change the notice.
Patient Rights
The notice must describe an individual’s rights “with respect to protected health information and a brief description of how to exercise these rights,” according to the rule. Patients have the following rights, which must be spelled out:
- The right to request a restriction on the use and disclosure of some information. The provider doesn’t have to agree to this request, and that should be stated also.
- The right to receive confidential communications “by alternate means or at alternate locations”; the provider “must accommodate reasonable” requests of this kind.
- The right to see and make a copy of all information that the provider holds in the “designated record set.” This includes information that other providers may have sent to the treating physician.
- The right to “an accounting of disclosures” of protected health information that the office released for purposes other than treatment, payment, and health care operations (TPO).
- The right to a paper copy of the notice, even if they previously agreed to receive it in electronic format.
Types of Uses, Disclosures
This section is at the heart of what the privacy rule covers. The rule seeks to make patients aware of what kinds of uses and disclosures they can expect an office to undertake in the regular course of treating them, obtaining payment for their care, and running the office and related activities such as quality assurance. What patients dislike most, privacy experts say, are surprises: their information being used in unanticipated ways. To combat this, the notice must:
- Describe and give examples of the uses and disclosures of information that are made for TPO. As stated above, the patient no longer has to give consent for these uses, in contrast to the consent provision of the December 2000 final rule, which the August 2002 modifications removed. But patients do have the right to know that they are occurring.
- List disclosures and uses that the office might be required to make that are not part of TPO, yet are also not subject to the requirement that the patient authorize the release or use. These can be found in section 164.512 of the rule. They include instances when information must be released by law, such as reporting of communicable disease, birth, death, injury, and child abuse or neglect. In addition, the provider may be compelled by a court order, or a law enforcement request, to release information. In many of these cases, however, the rule itself does not mandate the release; it says only that the provider “may” release the information.
- State that other disclosures can be made with a written authorization from the patient, and that such authorizations may be revoked. The rule does not enumerate these disclosures. Instead, it implies they are everything other than what is spelled out as allowable without an authorization.
- Spell out other contact that might occur with patients. Separate statements are required if the office intends to “contact” patients (a description that would appear to cover written notices and phone calls) to remind them of appointments. In the same way, offices that plan to alert patients about “treatment alternatives or other health-related benefits and services that may be of interest to the individual,” or to contact them about fundraising, must state in the notice that they may be doing so.
Complaints
A statement must be included that notifies patients that they can complain about perceived privacy violations to both the office and the Secretary of the Department of Health and Human Services. A “brief description” of how to complain to the office is to be included. The person who is named can be the office’s privacy official. To encourage patients to come forward, this portion of the notice must also contain the reassurance that any complaining patient “will not be retaliated against.”
Housekeeping Details
The notice must list who in the office, including the person’s name or title and phone number, patients can contact if they have questions about the notice. This person could be separate from the person who handles complaints, or one person could share these functions. The privacy official could also be the contact person, as well as the complaint taker.
An effective date must be listed for when the notice went into effect. The rule specifies that the notice can’t be backdated: “The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.”
I hope you have enjoyed the articles and have learned something about how medical offices can easily accommodate the new law. Another article below discusses compliance in the medical office.
From the September 2002 Medicare Compliance Alert
Be prepared, before OIG comes knocking at your door
No matter how good your compliance plan or how clean your medical records and documentation, the day may come when OIG or CMS comes calling or sends you a certified letter asking you to hand over medical records.
Probably nothing can substitute for a good compliance program to prevent government investigations, says attorney Allan Tobias, Healthcare Consulting & Law, Walnut Creek, Calif. The seven steps of such a program, Tobias adds, are routine self-auditing, standard setting, use of a compliance officer, staff training, quick error response, communication, and enforcement of your standards. However, even the best-prepared providers may face occasional government scrutiny.
“Don’t panic, because in the majority of government investigations, the provider receiving the letter or subpoena for their records may not be the final target of the investigation,” advises former Medicare hearing officer Ben Frosch, president, Frosch Medical Consultants, Plantation, Fla. Someone may have stolen your unique provider identification number and tried to use it to fraudulently bill for services you never provided. Or OIG may be checking your records to be certain that you actually treated a listed beneficiary, Frosch adds.
Several seasoned health care attorneys and consultants who have been through the experience offer tips on what to expect and how to respond when the government comes to investigate you.
1. Hire an experienced health care attorney, and do as he or she instructs. This is not the time to rely on a general practice lawyer who was your best buddy in college, advises Vicky Mycowiak, Mycowiak & Assoc., Detroit. She and Tobias recommend asking your medical society for names of high-caliber health care lawyers.
2. Comply with any subpoena or search warrant immediately. If inspectors from OIG have a court-ordered or administrative subpoena or a search warrant, “there’s not much you can do, except get out of the way and hand over the records,” Tobias says. They may even take away your computers. Mycowiak recommends that providers keep enough generations of backup copies offsite so that, in the event inspectors subpoena your computers, you can get back to business in short order.
3. Make two copies of your records in the event OIG needs you to justify your billing. You may have a week to 30 days in which to hand over the records, says Frosch.
4. Ask CMS for an extension. “If you sense you will not be able to gather your records in time, call them up and ask for an extension,” Frosch advises. Document your request and the CMS allowance of an extension.
5. Clarify your records, particularly gaps in medical necessity. In reviewing records with your attorney, make sure you documented medical necessity for tests or referrals, and seek out significant gaps in documentation. You can provide explanations of medical need for tests or procedures in a cover letter, Frosch says. If illegible handwriting is an issue, dictate a verbatim transcription of messy sections to a stenographer, because CMS and OIG need to be able to read your records, Mycowiak says.
6. If you suspect you have a whistleblower, don’t fire the employee. Also, never tell employees that they “can’t talk” to inspectors. Instead, offer to hire an attorney to advise them, Mycowiak says.
As with the articles on HIPAA, I hope you have learned something from this compliance article. The seven steps are truly important and easy to accomplish. Please subscribe for free and read my updates every two weeks at www.medicalaw.net.
DISCLAIMER: Although this article is updated periodically, it reflects the author's point of view at the time of publication. Nothing in this article constitutes legal advice. Readers should consult with their own legal counsel before acting on any of the information presented.