Privacy Notices: The First Level of HIPAA Violations

Dynamic Chiropractic – June 16, 2003, Vol. 21, Issue 13


By Howard Ross

If you don't use any other health services, you may not realize that virtually every other health-care entity provides a "Notice of Privacy Practices" to its patients/customers. This is an important part of HIPAA compliance that has been required of all health-care providers since the April 14, 2003 deadline.

So, your patients are already receiving privacy notices from all other providers (MDs, acupuncturists, drug stores, managed care organizations, etc.) with whom they interact. Have they received your Notice of Privacy Practices? If not, you are in violation of the most basic HIPAA regulation, and while you may not be aware of it, your patients are probably beginning to notice that you haven't given them any statement of how you are keeping their personal health information private.

The solution is not to begin providing your patients with your own version of a Privacy Notice or using something from another doctor. Before you present a privacy notice to your patients, you must first:

  • create formal HIPAA-compliant privacy procedures specifically for your office;
  • document your compliance procedures in your HIPAA manual;
  • utilize the necessary forms and procedures required to be HIPAA compliant; and
  • ensure your office is compliant with your state's privacy laws.

In addition, all privacy notices are required to include the following language:
  • a series of statements on how all protected health information (PHI) is to be used in your office;
  • a listing of all newly created patient rights, and how your office will comply with these rights. This should include the following:
    1. the right to restrict patients' file information, and how you will comply;
    2. the right to alternative communications, and how you will comply;
    3. the right to inspect and copy patient PHI and how you will comply;
    4. the right to amend patient PHI records, and how you will comply; and
    5. the right to receive an accounting of all disclosures of PHI, and how you will comply.
  • a mandatory statement, including examples, concerning PHI disclosures for treatment, payment and operations; and
  • a mandatory paragraph on how the patient may file a formal complaint about you with the Office of Civil Rights, along with where to send such a complaint.

Handing out Notices of Privacy Practices or posting them on your Web site without having actually implemented the required HIPAA privacy procedures is probably an act of fraud. If so, it exposes you to one of several fines that could total as much as $250,000 per occurrence.

If you are delivering health care and are not HIPAA privacy compliant (not to mention preparing for HIPAA security compliance), take a deep breath and face the facts: You are probably running your practice in violation of federal HIPAA laws. The April 14 deadline has passed and the Office of Civil Rights has yet to beat down your door, arrest you and/or close your practice (and maybe they never will) - but why risk the harsh penalties attached to noncompliance?

Eventually, you will have to demonstrate HIPAA compliance to third-party payers, government administrators, managed-care organizations and those patients who are becoming better informed of their rights under HIPAA. Even if you only operate a cash practice and never use a fax machine or computer, how are you going to deal with the privacy requirements your patients are eventually going to expect and request?

Admitting to your patients that you are refusing to abide by the federal privacy laws could generate a complaint against you for HIPAA privacy violations - particularly if someone in your office accidentally reveals some piece of a patient's health information.

I predict that in the next 12 months, you will read about at least one doctor who was turned in for HIPAA violations. It may be a patient, insurance company or former employee who turns the doctor in, but it will happen. (I see another real danger coming from a disgruntled PI attorney you wouldn't cut your bill with who might also decide to turn you in. Most doctors don't realize it, but PI attorneys actually turn in, or encourage their clients to turn in, many DCs to their state licensing boards.)

If you haven't done so already, spend a little time and money to make your office HIPAA compliant. Use a program you can customize; using boilerplate forms or programs is just asking for trouble. Also make sure the program is guaranteed and includes, at a minimum, the security update and your state's compliance information in the price.

You will sleep easier at night knowing you are in compliance with federal laws that apply to how you and your staff operate every day.

Howard Ross
Rancho Santa Margarita, California