I have decided in this newsletter to bring to your attention more information on medical office HIPAA and compliance.  The following articles, I humbly believe, give good information.

From the January, 2002 Practical Guidance on HIPAA and E-Health for the Physician Practice  

(This was prior to the August 14, 2002 changes by HHS.)

Minimum Necessary Need Not = Maximum Pain

In many physicians’ offices, medical charts are open books, kept unlocked and available to anyone who wants them. Such unquestioned access becomes a thing of the past under the privacy provisions of the Health Insurance Portability and Accountability Act. Offices will have to control access in an organized way. The privacy rule requires that all persons may be privy to only that information about patients that is deemed the “minimum necessary to accomplish the intended purpose.”  In addition, this minimum necessary standard applies to what information may be disclosed to people who request it, with some exceptions, including the patient and governmental agencies.

“What we have always done in medicine is everybody has access to everything,” says Allan Tobias, MD, JD, a health care consultant in Walnut Creek California. “That ain’t gonna happen anymore.”  The Office for Civil Rights, under the Department of Health and Human Services, will begin enforcing the privacy rule as of April 2003.

Officials from OCR have made it plain that providers must approach this task of limiting information disclosure seriously, regardless of whether they believe they are already adequately safeguarding information.  But OCR officials have also stated that the rules, and HIPAA generally, are to be implemented in ways unique to each workforce.  “I was in one office, a very busy single doctor office, and everybody does everything. So everybody is entitled to see all the charts because they are changing jobs... someone might be out sick with the kids. The level of access for Office A vs. Office B is going to be different,” Tobias says.

Medical offices have some work to do, but they will not need to duplicate the intensive efforts that hospitals or health plans will have to undertake to comply with the minimum necessary standard.

Thinking about Information

The kind of information and data that must be safeguarded under the privacy rule, and the security rule, too, is called protected health information, or PHI. According to the privacy rule, PHI is that which is “created or received by a health care provider, health plan, employer or health care clearinghouse” that “relates to the past, present or future physical or mental health or condition of an individual.”

“Under the rule, covered entities must make reasonable efforts to limit how they use and disclose information to the minimum amount necessary to accomplish that purpose,” says Linda Sanches, a senior advisor in the Office for Civil Rights. “You need to control how you use information...you need to think about how you use information and not use and disclose more than you actually need [to]. That’s the general concept.”

Providers must develop policies for how this information will be handled. There is no way to avoid this in the hope that no one will notice: the privacy rule states that patients must receive a copy of the office’s policy on handling PHI. It will be among the documents included in a provider’s notice of privacy practices, which also includes consent for permitting the physician to use and disclose PHI for the purposes of treatment, payment, and health care operations.

Sanches describes the minimum necessary standard as a “role-based access concept” that applies to everyone, even physicians, although exceptions are granted for providers who are treating patients. “You need standard protocols about how doctors get access to information, nurses, front desk clerks,” she says. “There are all kinds of people who work in covered entity facilities, they have all kinds of jobs...they probably don’t all need access to every piece of information you have about a patient. So minimum necessary means you do have to think about what information they do need and implement procedures so they don’t get other information that they don’t need.”

Defining Jobs, Data Needs

Having to comply with the concept of minimum necessary at first appears overwhelming, maybe even frightening. Yet, like many aspects of the privacy and security rules, in practice minimum necessary is simply a codification or formalization of practices and behaviors that are already familiar to most offices, says Kate Borten, CISSP, a medical privacy and security expert. “Minimum necessary is a classic information security principle,” says Borten, president of the Marblehead Group in Massachusetts. “There is nothing new about it. Most organizations are following it informally.”

Consider, for example, who has access to what kind of data or computer files. Front-desk staff might be able to read and update information concerning patients’ name, address, phone number, Social Security number, and insurance information. “Yet, they typically are not allowed access to clinical information,” Borten points out. “What we need to do is take this a step further. Review what procedures we have, scrutinize them and see if they are as tight as they can be,” she adds. “You are making sure there are limits and boundaries that have not explicitly been stated before.”

Even if the office concludes that information can’t be restricted, perhaps because the staff is so few, it still must go through this exercise of role defining, Borten and Tobias agree.

Broad Definitions May Be Best

To begin the process of building the role-based access policy, first determine the “owners” of PHI in the practice, as Borten puts it. Then the “owner” and office staff addressing HIPAA compliance determine who does work for the practice and may need access to PHI: part-timers, full-timers and those who might be working as contractors, such as transcriptionists.  Review what sorts of information and data they routinely need to do their jobs.

The minimum necessary provisions do not apply to the following:

- Disclosures to or requests by a health care provider for treatment purposes.

- Disclosures to the individual who is the subject of the information.

- Uses or disclosures made pursuant to an authorization requested by the individual.

- Uses or disclosures required for compliance with the HIPAA transactions.

- Disclosures to the Department of Health and Human Services (HHS) when disclosure of information is required under the rule for enforcement purposes.

- Uses or disclosures that are required by other law.

—From HHS
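The role-defining exercise described above (decide who works for the practice, what PHI each role routinely needs, and which requests the rule exempts from minimum necessary) can be written down as a small access policy and checked mechanically. The Python below is an added example, not code from the newsletter, from HHS, or from the consultants quoted. The roles, the PHI field categories and the sample chart are constructed for illustration (Borten's front-desk example is the model); the two exemptions it implements are the first two items on the HHS list above.

```python
"""Role-based, field-level access to PHI under the "minimum necessary" standard.

Added example: this is not code from the newsletter, from HHS, or from the
consultants quoted. The roles, PHI field names and the sample chart are
constructed for illustration; the exempt purposes follow the HHS list above.
"""
from dataclasses import dataclass

# PHI grouped into categories (constructed categories, not the rule's terms).
DEMOGRAPHIC = frozenset({"name", "address", "phone", "ssn", "insurance"})
CLINICAL = frozenset({"diagnoses", "medications", "lab_results", "progress_notes"})
BILLING = frozenset({"insurance", "procedure_codes", "charges"})

# Each role is granted only the fields it routinely needs to do its job.
# Borten's example: front-desk staff read and update demographics but never
# see clinical information. Contractors (the transcriptionist) get a role too.
ROLE_FIELDS = {
    "front_desk": DEMOGRAPHIC,
    "billing_clerk": DEMOGRAPHIC | BILLING,
    "nurse": DEMOGRAPHIC | CLINICAL,
    "physician": DEMOGRAPHIC | CLINICAL | BILLING,
    "transcriptionist": frozenset({"name", "progress_notes"}),
}

# Roles that count as "a health care provider" for the treatment exemption.
PROVIDER_ROLES = frozenset({"physician", "nurse"})


@dataclass
class Decision:
    released: dict       # field -> value actually handed over
    withheld: frozenset  # fields present in the chart but not released
    basis: str           # which rule produced the outcome (for the audit trail)


def minimum_necessary(chart, role, purpose, requested):
    """Return only the requested fields this role may see for this purpose.

    The two exemptions modelled are the first two on the HHS list: a provider
    requesting for treatment, and the patient asking for his or her own data.
    A role nobody defined during the role-defining exercise gets nothing.
    """
    requested = frozenset(requested)
    present = requested & frozenset(chart)  # ignore fields the chart lacks

    if purpose == "disclosure_to_patient" and role == "patient":
        allowed = present
        basis = "disclosure to the individual who is the subject of the information"
    elif purpose == "treatment" and role in PROVIDER_ROLES:
        allowed = present
        basis = "request by a health care provider for treatment purposes"
    elif role in ROLE_FIELDS:
        allowed = present & ROLE_FIELDS[role]
        basis = "minimum necessary for role %r" % role
    else:
        allowed = frozenset()
        basis = "undefined role %r: no access until the role is defined" % role

    return Decision(
        released={f: chart[f] for f in sorted(allowed)},
        withheld=present - allowed,
        basis=basis,
    )


# Constructed sample chart: not a real patient.
SAMPLE_CHART = {
    "name": "Jane Example",
    "address": "1 Example Street",
    "phone": "555-0100",
    "ssn": "000-00-0000",
    "insurance": "ExamplePlan #0000",
    "diagnoses": ["example-dx"],
    "medications": ["example-rx"],
    "lab_results": {"example-test": "negative"},
    "progress_notes": "Seen for sore throat; example note.",
    "procedure_codes": ["example-cpt"],
    "charges": 120.00,
}


if __name__ == "__main__":
    for role, purpose, wanted in [
        ("front_desk", "scheduling", {"name", "phone", "diagnoses"}),
        ("physician", "treatment", {"diagnoses", "lab_results", "charges"}),
        ("transcriptionist", "treatment", {"progress_notes", "ssn"}),
        ("patient", "disclosure_to_patient", {"lab_results", "progress_notes"}),
        ("janitor", "cleaning", {"name"}),
    ]:
        d = minimum_necessary(SAMPLE_CHART, role, purpose, wanted)
        print(f"{role:16} {purpose:22} released={sorted(d.released)} "
              f"withheld={sorted(d.withheld)}  ({d.basis})")
```

Two design points match the article's advice. The policy is a deny-by-default table, so a job nobody thought about during the role-defining exercise (the "janitor" case) sees nothing until the office decides what it needs, which is the safer failure mode. And the treatment exemption is tied to the role, not just to the stated purpose: a transcriptionist who labels a request "treatment" still gets only the transcriptionist's fields, because the exemption in the HHS list is for requests by a health care provider. The `basis` string records which rule decided each request, which is the kind of record an office needs when it later has to show OCR how access was controlled.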


From the September, 2002 Practical Guidance on HIPAA and E-Health for the Physician Practice  

Start Now on Privacy Notice for Patients

With the elimination of the mandatory consent requirement from the privacy rule, the notice of privacy practices, which describes for patients how the office handles confidential information and their rights concerning this, takes on added significance.  “The consent provision was going to require a statement from the patient that they were given an opportunity to read and acknowledge the notice of privacy practices, but this probably raises the profile [of the notice] for providers,” says Jeremy Edes Pierotti, principal with Validus Consulting, Inc., of Minneapolis. “They will now be more focused on that.”

The government estimates 613 million privacy notices will be given out—and this is described as an annual number. The Department of Health and Human Services predicts, no doubt optimistically, that it will only take 10 seconds for each provider to give out the notice, and just another 10 seconds for the person to sign off on it. Of course, developing the notice will take much longer, and some offices may even throw up their hands and presume they can revert to paper, or stick with paper transactions, as a way of avoiding compliance.  But unless the office does not treat Medicare patients, this is an unrealistic tactic.

“As of next year, Medicare will require everybody who bills them to bill electronically, so that means that everybody will be covered, with one exception: if you’re a small provider with 10 or fewer employees, including the physician,” says Allan Tobias, MD, an attorney in Walnut Creek, Calif.  The purpose of the notice is to explain to patients how their information is used. While health plans and “direct treatment” providers are required to develop and distribute their notice to patients, only providers will have to make a “good faith effort” to provide their notice to patients and to obtain their signature acknowledging the patients have had an opportunity to review the notice.

As such it is essential that the notice be done well. It should serve to reassure patients, rather than cause them concern or confusion.  Because the notice is being given to all patients, special care needs to be taken in how it is written so people at all levels of education can understand it. The rule requires that the notice be written in “plain language.”

In addition, offices will have to think about whether their notices need to be translated into more than one language. Federal civil rights law holds that communications of this type must be in English and in any languages that represent “a significant element of the practice’s population,” according to Tobias.

Extra Step for Doctors

The rule requires that direct treatment providers “provide a copy of the notice to an individual at the first service delivery to the individual.” The authors of the regulation envision that it will be given out at the same time as other documents, such as other treatment consent forms (not related to HIPAA per se).

Once the patient has been given the notice, the office is required to seek a signature of acknowledgement. This can be done with a simple check-off box on the notice coversheet, or the patient may date and initial a separate log, according to the rule.   The office is required to document that it gave the notice and sought a signature. This must be kept on file for six years. If the patient refused to sign, the provider is to document this, but he or she is not prevented from treating the individual. A signature is not required for treatment to occur.

“The notice of privacy practices must [also] be displayed prominently in the office,” says Tobias.   “It doesn’t mean you have to wallpaper your office with this thing; you can have it in a nice binder and available for people to look at, plus they get a copy of it to take home.”  Offices that have Web sites must post the notice on their homepage in a portable document format (PDF).

In addition, any revisions require posting, but the rule states that providers don’t have to distribute it again to individual patients. The office has to post it “in a location where it is reasonable to expect individuals seeking services from the provider to be able to read the notice,” according to the rule.

Rights Can Be Exercised

Of course, it isn’t enough to simply write a notice. Offices must actually do what the notice says they do, and make good on the rights they offer patients. For some offices, this may mean new activities that may be a source of friction with patients. A patient’s right to inspect and amend his or her records is one potential area of discord.

While patients have always had the right to copies of their medical records, more may ask to do this once they see this option spelled out. Offices may need to develop procedures on how to handle these requests, especially because there may be patients who want to see their file on a regular basis. Nothing in the rule prohibits patients from requesting their records once a month, or even once a week. Many offices, Tobias says, are giving patients the first copy for free and after that applying a nominal charge.  “Realistically, we’ve never charged, but if you become a pest, guess what? You’re going to pay to be a pest,” he says.

What is new is that patients can request an amendment to their health information. “Request, not demand, a change of information on the charts,” Tobias points out.  He adds that the provider does not have to go along with the amendment, but can add his or her own memo to the records along with the patient’s, showing that the point is in contention.

The requirements for the content of the notice are found in section 164.520 of the final rule as issued in December 2000. With the exception of mention of the consent provision being deleted, these were mostly unchanged by the proposed modification rule, issued in March, or by the final privacy modification rule, issued last month. The privacy rule recognizes the length of notices and the difficulty this might pose for patients who actually want to wade through them.

So, to enhance patients’ understanding of the notice, the rule allows providers to offer a summary of their practices, a process the rule calls layering. A condensed version of the notice may be put on the first page summarizing what follows, with the full notice included after that.  However, the summary may not take the place of the notice or be separate from it, Tobias explains.

The notice must begin with, or prominently feature, this statement that speaks directly to patients:


The rest of the notice will be in sections that describe the following:

- the office’s duties with respect to the rule

- the patient’s rights with respect to his or her medical record

- explanations of the types of disclosures the office will make and how it will use patient information

- how complaints will be handled

- other housekeeping items

Office’s Duties

The rule requires that the notice have a section explaining the office’s duties with respect to privacy of patient data. This may be a simple restatement of the rule language, which is that “a covered entity is required by law to maintain the privacy of protected health information and to provide individuals with notice of its legal duties and privacy practices with respect to protected health information.”

There should be another statement that says the office is required to follow the “terms of the notice currently in effect.” In addition, the notice should state that the provider reserves the right to change the notice.

Patient Rights

The notice must describe an individual’s rights “with respect to protected health information and a brief description of how to exercise these rights,” according to the rule.  Patients have the following rights, which must be spelled out:

- The right to request a restriction on the use and disclosure of some information. The provider doesn’t have to honor this request, and that should be stated also. But the provider “must accommodate reasonable” requests.

- The right to receive confidential information “by alternate means or at alternate locations.”

- The right to see and make a copy of all information that the provider has in the “designated record set.”  This includes information that other providers may have sent to the treating physician.

- The right to “an accounting of disclosures” of all protected health information that was released by the office for purposes other than for treatment, payment, and health care operations (TPO).

- The right to a paper copy of the notice, if they agreed previously to receive it in an electronic format.

Types of Uses, Disclosures

This section is at the heart of what the privacy rule covers. The rule seeks to make patients aware of what kind of uses and disclosures they can expect an office to undertake in the regular course of treating them, obtaining payment for their care, and running their office and undertaking related activities, such as quality assurance. What patients dislike most, privacy experts say, are surprises—when their information is used in unanticipated ways.

To combat this, the notice must:

- Describe and give examples of the disclosures and uses of information that are used for TPO. As stated above, the patient no longer has to give his or her consent for these uses, in contrast to a provision that was included in the proposed final rule. But patients do have the right to know that they are occurring.

- List disclosures and uses that the office might be required to make that are not part of TPO, yet are also not subject to the requirement that the patient authorize the release or use.  These can be found in section 164.512 of the rule. They include instances when information must be released by law, such as reporting of communicable disease, birth, death, injury, and child abuse or neglect. In addition, the provider may be compelled by a court order, or a law enforcement request, to release information.  However, in these cases the rule does not mandate the release of information, but in some instances says the provider “may” release the information.

- State that other disclosures can be made with a written authorization from the patient, and that such authorizations may be revoked. The rule does not state what these disclosures are.  Instead, it implies they are everything except what is spelled out as allowable without an authorization.

- Spell out other contact that might occur with patients. Separate statements are required if the office intends to “contact” patients—a description that would appear to imply written notices and phone calls—to remind them of appointments.  In the same way, offices that plan to alert patients about “treatment alternatives or other health-related benefits and services that may be of interest to the individual,” or to contact them about fundraising, must state in the notice that they may be doing so.


Complaints

A statement must be included that notifies patients that they can complain about perceived privacy violations to both the office and the secretary of the Department of Health and Human Services. A “brief description” of how to complain to the office is to be included. The person who is named can be the office’s privacy official. To encourage patients to come forward, this portion of the notice must also contain the reassurance that any complaining patient “will not be retaliated against.”

Housekeeping Details

The notice must list who in the office, including the person’s name, or title, and phone number, patients can contact if they have questions about the notice. This person could be separate from the person who handles complaints, or one person could share these functions. The privacy official could also be the contact person, as well as the complaint taker.

An effective date must be listed for when the notice went into effect.  The rule specifies that the notice can’t be backdated. “The notice must contain the date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.”

I hope you have enjoyed the articles and have learned something about how medical offices can easily accommodate the new law.  Another article below discusses compliance in the medical office.

From the September, 2002 Medicare Compliance Alert

Be prepared, before OIG comes knocking at your door

No matter how good your compliance plan or how clean your medical records and documentation, the day may come when OIG or CMS comes calling or sends you a certified letter asking you to hand over medical records. 

Probably nothing can substitute for a good compliance program to prevent government investigations, says attorney Allan Tobias, Healthcare Consulting & Law, Walnut Creek, Calif. The seven steps of such a program, Tobias adds, are routine self-auditing, standard setting, use of a compliance officer, staff training, quick error response, communication and enforcement of your standards. However, even the best-prepared providers may face occasional government scrutiny.

“Don’t panic, because in the majority of government investigations, the provider receiving the letter or subpoena for their records may not be the final target of the investigation,” advises former Medicare hearing officer, Ben Frosch, president, Frosch Medical Consultants, Plantation, Fla. Someone may have stolen your unique provider identification number, and tried to use it to fraudulently bill for services you never provided. Or, OIG may be checking your records to be certain that you actually treated a listed beneficiary, Frosch adds.

Several seasoned health care attorneys and consultants who have been through the experience offer tips on what to expect and how to respond when the government comes to investigate you.

1. Hire an experienced health care attorney, and do as he or she instructs.  This is not the time to rely on a general practice lawyer who was your best buddy in college, advises Vicky Mycowiak, Mycowiak & Assoc., Detroit. She and Tobias recommend asking your medical society for names of high caliber health care lawyers.

2. Comply with any subpoena or search warrant immediately. If inspectors from OIG have a court-ordered, administrative subpoena or search warrant, “there’s not much you can do, except get out of the way and hand over the records,” Tobias says.  They may even take away your computers.  Mycowiak recommends that providers keep enough generations of back-up copies offsite, so in the event inspectors subpoena your computers, you can get back to business in short order.

3. Make two copies of your records in the event OIG needs you to justify your billing. You may have a week to 30 days in which to hand over the records, says Frosch.

4. Ask CMS for an extension.  “If you sense you will not be able to gather your records in time, call them up and ask for an extension,” Frosch advises.  Document your request and the CMS allowance of an extension.

5. Clarify your records, particularly gaps in medical necessity. In reviewing records with your attorney, make sure you documented medical necessity for tests or referrals and seek out significant gaps in documentation. You can provide explanations of medical need for tests or procedures in a cover letter, Frosch says. If illegible handwriting is an issue, dictate a verbatim translation of messy sections to a stenographer, because CMS and OIG need to be able to read your records, Mycowiak says.

If you suspect you have a whistleblower, don’t fire the employee.  Also, never tell employees that they “can’t talk” to inspectors.  Instead, offer to hire an attorney to advise them, Mycowiak says. 

As with the articles on HIPAA, I hope you have learned something from this compliance article.  The seven steps are truly important and easy to accomplish.

Please subscribe for free and read my updates every two weeks at www.medicalaw.net


DISCLAIMER: Although this article is updated periodically, it reflects the author's point of view at the time of publication. Nothing in this article constitutes legal advice. Readers should consult with their own legal counsel before acting on any of the information presented.