What's all this fuss about medical privacy?
"Just mention the term "HIPAA" in a medical office these days and you'll a reaction that combines exasperation and confusion. Even though the April 14, 2003 compliance date of this law is just weeks away, overworked medical records staff are tired of hearing about HIPAA and feel burdened with a crushing load of documentation and claims processing. Medical administrators who understand HIPAA requirements lament that a section of the law termed administrative simplification creates a greater documentation burden for offices handling health information.
And in the human resources office of firms in general industry, the buzz in Internet chat rooms frequented by personnel managers is "how will this new law affect us?"
HIPAA is the acronym for Health Insurance Portability and Accountability Act of 1996. This law brought us improved insurance continuation opportunity when we change jobs, medical savings accounts for small business or uninsured individuals, and new medical privacy standards to protect health information.
With this law, Congress reacts to growing public concerns about protecting the privacy of medical information contained in massive computer files held in health care, insurance and pharmacy organizations.
Abuses of health information are reported in various media. For example, in a recent case in Florida, a pharmaceutical company obtained patient lists and conducted an unsolicited mailing of samples of the powerful anti-depressant drug Prozac to hundreds of patients. In another case, an individual purchased used computers that had formerly belonged to a medical practice that was upgrading its computer system. Medical files remained on the computer hard drives and the individual sought to sell the medical information back to the patients.
The Medical Privacy Rule defines new rights for individuals to assure protection from unauthorized disclosures of protected health information. Organizations that handle health information must advise patients how their health information will be used. Use of health information for treatment, payment and administration is generally unrestricted. But disclosures for non-medical purposes may be made only with the individual's written authorization.
The individual generally has a right of access to his or her own medical file and may copy information upon paying a reasonable fee. The individual may request amendment to a record and may request an accounting of non-medical disclosures. In the event of violation, the individual may file a complaint with the entity holding health information or with the government.
Organizations covered by the HIPAA law must have in place privacy policies, a privacy notice to communicate those policies to patients, training for staff, and designate a privacy officer to oversee the privacy protections.
Self insured employers who receive and handle health information are subject to similar rules. Other employers will find that they need to obtain an employee's written authorization to receive results of a pre-employment drug screen or to administer workers compensation claims or to assist an employee with a question on a group insurance claim for health benefits.
Firms that service the health care industry and handle or become exposed to health information will need to be aware of certain privacy safeguard requirements for business associates.
A privacy protection safeguard checklist is available on request at no charge to assist firms in evaluating whether their office practices may create unauthorized disclosures in violation of medical privacy requirements. Fax your request to 630-513-9494. Further information is available from www.HHS.gov and www.medicalprivacy.info.