Listen up, everyone! The deadline is almost upon us - the HIPAA compliance deadline, that is. The law's security standards have just been finalized with essentially no changes from the information previously released.
Some intriguing data regarding public concerns about privacy was released recently. Here are a few of the more interesting statistics:
- 20% of consumers in the US believe their health information has been used or disclosed inappropriately.
- 17% of Americans report that they have taken action to avoid the inappropriate use of their health information, including providing inaccurate information to health care providers, changing physicians to keep their information private, or avoiding health care altogether.
- The Association of American Physicians and Surgeons reports that 78% of its members have withheld information from a patient's record due to privacy concerns, and 87% of its members have had a patient request that information be withheld.
Looking as the above statistics gives one an idea that the public is concerned about their personal health information, and it is not something they want others to know or be aware of. The number one crime in the U.S. today is that of identity theft. This involves the illegal use of demographic information; Social Security numbers; credit card numbers; and savings and checking account information.
As a health care provider, you gather not only demographic information, but personal health information. As an acupuncturist practicing in the U.S., you are responsible for keeping your patient's personally identifiable health information private. If you practice in the state of California, you are a named entity in the privacy regulations in the Health and Safety Code as well as the Business and Professions Code. The California standards are actually more stringent than the HIPAA privacy regulations.
We at Acupuncture Today in general, and myself in particular, have received numerous inquiries regarding HIPAA, what to do to be compliant and where to find the information. I will endeavor to present some information, in a simplified procedure, to help you in your office.
When a new patient calls in for an appointment, you take only the minimum information necessary to book the appointment, which is the first step in privacy regulations. When the new patient arrives in the office for the first visit, there must be new forms for that person to read and sign. The consent form must be signed by the patient. This form states that the patient gives you permission to use their health information to provide treatment, collect payment (either from them or via billing a third-party entity), and conduct the general administrative business of your office.
The new patient is also given a notice of privacy policies. This form outlines the methods you are going to use to keep the patient's protected health information private via the various safeguards you have in you office policy and procedures.
The patient must sign a separate form that says they acknowledge receiving the notice of privacy policies, and that they have read it, discussed it and understand it.
In addition, the new patient must sign an authorization form, which authorizes you to release their protected health information for specific requests. If the patient chooses not to sign the authorization form, you must inform them that it will not be held against them, and they can receive treatment from you clinic.
Each of these forms must contain specific included areas and wording. Marketing is just one of the included areas.
In addition to the forms to present to the new patient and requiring signatures, your office must keep a policies and procedures manual. This manual is maintained by a privacy officer who has been appointed by you. If you do not have staff or any other people to serve in this position, you, the licensed acupuncturist, are the privacy officer.
There is a list of duties and responsibilities to the performed by the privacy officer. One duty is the keeping of the HIPAA compliance manual. This includes all of the procedure logs procedures that have to be kept. One is the procedure for receiving complaints from patients regarding their protected health information - and the list goes on.
I have heard various sides and issues regarding HIPAA from the profession. Some experts claim you are covered entities because you gather health information and write it down; others say you are not covered entities because you do not bill electronically. The opinions vary widely.
Based on my reading, studying and learning about HIPAA and its regulations, as a medical professional in the U.S. - someone who gathers and discusses personal health information - you are included in the regulations and must comply with HIPAA Privacy Regulations and Security Standards. Compliance is necessary, and it can be manageable in a very small or large acupuncture office.
I encourage you to talk to representatives of your state organization or licensing board to get a definite answer on HIPAA. You are also welcome to call me or contact me on the Web if you have question or comments.
Good luck!
Click here for more information about Marilyn Allen, Editor-at-Large.