It is time to remember HIPAA Privacy Compliance. In 2003, we were all scurrying around trying to figure out how we were going to be HIPAA compliant. We had been given ample warning, but oh, procrastination... don’t you love it? We bought workbooks, took seminars, and “googled” everything we could think of. Hopefully someone had what we needed, and we passed it around to all of our friends. That all worked for the immediate need.
Everyone started having their patients sign the Acknowledgement and we told the patients they could have a copy of the full Notice of Privacy Practices. Of course, almost every patient said, “No, thanks!”, because every doctor, dentist, pharmacy, insurance company, etc. were giving them a copy of their Notice. We all relaxed. That was easy. So we thought we were done.
Those doctors who have utilized my consulting services learned quickly when the first thing out of my mouth was, “Where is your HIPAA Privacy policies and procedures manual?” So far, not one doctor, office manager, or CA knew where their manual was. They had put it out of their minds, and somehow it went into a box as they cleaned off the shelf, because they had been lulled to sleep about HIPAA Privacy. The biggest issues I have encountered are:
1) documentation of requested PHI not in a master file for tracking
2) initial and annual staff training not taking place
3) no written policy of staff sanctions for non-compliance
4) a privacy official named who had not worked for them in several years
In January of 2008, CMMS stated that they were going to begin extensive audits of larger hospitals for their security and privacy compliance. This was brought about by complaints received by HHS. PriceWaterhouseCoopers was contracted to conduct these audits. It is true that at the moment their focus is on larger hospitals, but it will eventually come around to the private clinics.
We also think: “There are not enough government people or money to do random audits, and we believe that no one would make a complaint against us; our staff and patients love us.” The number one source of complaints is disgruntled employees.
In October of 2008, a nationwide review of CMMS stated that it had not provided effective oversight of HIPAA regulations, and the review concluded that CMMS did little to ensure providers were complying with the HIPAA regulations. Well, be prepared. They will now get the money and they will investigate. It will be equal to the “RAC” (Recovery Audit Contractors) program directed at fraud and abuse. When they investigate you for HIPAA Privacy, they will not want to see just your current compliance documentation; they will ask to see your documentation back to either April 14, 2003, or the date you opened your practice. Also, that HIPAA compliance documentation must be maintained for six years.
The following are the MUST regulations from the Department of Health and Human Services. Look at this list. Are you still compliant? Were you ever compliant? Do you have the documentation?
The HIPAA Privacy Checklist
Federal HIPAA privacy regulations mandate that all covered entities MUST:
• Designate a privacy official responsible for developing/implementing HIPAA policies and procedures;
• Document policies and procedures with respect to PHI showing compliance with the HIPAA privacy regulations;
• Make reasonable efforts to limit the use and disclosure of PHI to the minimum necessary to accomplish the intended purpose of the use or disclosure;
• Provide a process for access to the individual’s health information;
• Develop a system for tracking disclosures of PHI, with some exceptions for payment, treatment, or health care operations related disclosures;
• Provide a process for individuals to amend their health records when appropriate;
• Develop business associate contracts/agreements that ensure business associates can comply with HIPAA;
• Mitigate, to the extent possible, any harmful effect that is known to the entity from the use or disclosure of private health information in violation of the entity’s policies and procedures;
• Develop procedures for verification of the person requesting PHI and the authority of that person to have access;
• Provide a process for individuals to request alternative means of communication, place restrictions on the use of their health information, and make complaints concerning the covered entity’s policies and procedures or compliance with such policies and procedures;
• Refrain from requiring individuals to waive the right to make a complaint to the covered entity or to the U.S. Department of Health and Human Services (DHHS) Office for Civil Rights as a condition of receiving treatment;
• Refrain from intimidating or retaliatory acts toward individuals exercising their rights granted under HIPAA privacy;
• Have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI;
• Provide training for workforce members on the policies and procedures to protect health information;
• Apply appropriate safeguards against staff who fail to comply with the policies and procedures of the entity; and
• Develop and disseminate a privacy notice.
In the years since 2003, our attention has been taken away from HIPAA Privacy and on to HIPAA Security and NPI. We expected our software vendors and clearinghouses to have worked out electronic transactions and code sets, as well as security. NPI took only a few minutes to complete the application. Now, everyone is talking about documentation and coding that is part of the Fraud and Abuse Mandates, which require more extensive patient care documentation to support the CPT and DX codes you use. As your thoughts move further and further into this aspect, do not forget the HIPAA Privacy regulations.
Let’s get it together, doctors. The penalties can eventually be extensive, and you cannot afford to procrastinate this time. There will be no warning, and it will cost you. So make it easy on yourself now: get compliant and stay that way. We have work to do.