Whip HIPAA!

October 1, 2002
Pamela Moore, PhD

HIPAA privacy basics

A bad case of HIPAA paralysis is gripping the nation's physicians. Is it serious, doc? One recent survey found that 22 percent of physician respondents "don't know" when they will be ready for HIPAA. Thirty-one percent of respondents in the same survey, by Phoenix Health Systems, the publisher of HIPAAlert, had spent no time so far educating staff about HIPAA.

Surveys aside, it's hard to find a physician -- especially in a solo or small group practice -- who isn't either up in arms about HIPAA or so overwhelmed by it that thinking about compliance is nearly impossible.

For most of them, the most daunting part of HIPAA is the rules related to patient privacy. The final Privacy Rule -- all 89 pages of it -- will impact daily operations in even the smallest, least technically savvy practice. And the deadline for compliance is coming up fast: April 14, 2003.

But physicians should take a deep breath before paralysis turns to panic. Many are finding the rules less onerous than they first imagined.

Dara Luangpraseut, staff attorney and privacy officer at Marshfield Clinic in Marshfield, Wis., found her organization to be in fairly good shape, HIPAA-wise. Marshfield, which has nearly 700 physicians and 40 regional centers, conducted a "gap analysis" -- a process that HIPAA experts recommend -- which entails going through every part of the regulation to see where a practice needs to make changes in order to be in compliance. Marshfield found that its main job now is to document what it is already doing.

"We are doing many things, but like many other organizations, we don't always document it," says Luangpraseut. The analysis also revealed some inconsistencies across the Marshfield system and a need for some programming so that clinics in one area will have access to HIPAA documents already processed by a clinic on the other side of town.

Mari Beth Anderson, too, was surprised to see how prepared she already is for HIPAA. As director of information systems at University of Florida Jacksonville Physicians Inc., Anderson invited in a consulting firm to tell her what she had to do.

"For the most part, we had the procedures there, and people were doing the right things and knew what to do. ... We had the procedures in place, we just didn't have the policies in place."

As these practices have learned, a good part of the effort to comply simply involves writing down the steps they already take to protect privacy. "Most of the things [the consultants] told us were just good common sense," Anderson says.

Even lawyers promise that complying with the Privacy Rule won't be all that painful. "People are going to have to sit down and devote some time to evaluating how their office uses and releases patient information and making sure the proper procedures are put in place. But once you have your system in place, small practices shouldn't find complying with the Privacy Rule as difficult or intrusive as they expect," predicts Eve Goldstein, an attorney in the Atlanta office of Jones, Day, Reavis & Pogue.

"Physicians definitely need to pay more attention [to HIPAA] than they have been. That said, they need to realize that HIPAA is scalable," says Robyn Meinhardt, an attorney with Foley & Lardner in Denver. Not every practice needs to spend money toward compliance efforts like a hospital would -- the expectations for smaller practices are set lower.

Some have even managed to find a bright side to the regulations. "When I started working on HIPAA, I hated it," confesses Judy Williams, a HIPAA consultant with Boston-based Beacon Partners. "It's not going to make more money for practices, and it's not going to make them more efficient, but it should help them deliver a better level of care. You have to look at many components of HIPAA as just good business sense."

Of course, all the reassurance in the world won't work if you don't really know what you are up against. Physicians need to understand what the rules require so they can conceptualize how big a commitment is required.

Physicians Practice stands ready to help. Here are all of the basic requirements of the Privacy Rule along with our advice on how to implement them.

Patient consent now optional

As originally drafted, the Privacy Rule required all providers with a direct treatment relationship with a patient to have that patient sign a consent form before they could use or disclose protected health information for treatment, payment, or operations. Protected health information is essentially any information about a patient's health or the payment for healthcare that can be traced back to the patient.

But imagine some of the possible scenarios under this proposal. Scheduling is a healthcare operation, for example, but schedulers would not be permitted to ask patients why they need an appointment without first getting a signed consent. Bedlam would ensue.

Luckily, the Department of Health and Human Services (DHHS) heard physicians' howls of protest. The consent form is no longer required -- at all. It's completely optional.

Here is the language direct from DHHS in the final revision: "The Final Rule makes the obtaining of consent to use and disclose protected health information for treatment, payment, or healthcare operations optional on the part of all covered entities, including providers with direct treatment relationships."

Prepare a notice of privacy practices

DHHS did, however, replace the stipulation for consent forms with a different, though less onerous, requirement. According to the original rule, all physician offices must post a Notice of Privacy Practices somewhere visible in their office. They also have to have extra copies to hand out to patients.

The notice simply describes what steps your office takes to protect privacy and what uses you might make of protected information. It should also include guidelines for patients who want access to their medical records. (The final regulations provide a very good outline. You can also download an electronic sample to customize in the Tools section of www.PhysiciansPractice.com.)

But the proposed revisions added this wrinkle: physician offices must now make a "good faith" effort to get patients' "written acknowledgement" of the notice. The acknowledgement is not needed in advance; it can be included in new patient packets or handed to existing patients when they come in for an appointment. If a patient refuses to sign it for some reason, or there is an emergency situation and you are unable to obtain a signature first, simply note that fact and the reasons in your documentation. You can and should still treat the patient.

The tricky part will be finding a way to track whether patients -- especially existing ones -- have signed off on the notice. If a patient comes in two years after the compliance deadline, physicians can't simply assume that person has signed the notice. A checkmark on the outside of the patient's medical record may be tracking enough in some offices; others might prefer a notation in an electronic scheduling program. Do whatever works for your practice so that a patient's signature on the notice can be verified.

Regardless of how it is tracked, try seeing the acknowledgement as simply "another form that patients have to sign. It should not prove difficult on a day-to-day basis," says attorney Goldstein.

Disclose the "minimum necessary"

According to the Privacy Rule, just how much protected health information can you disclose? Only the "minimum necessary" needed to accomplish a given task. Two big exclusions to this are disclosures to patients about their own records and to other medical providers for treatment purposes.

In many practices, the only people besides physicians who see protected information are staff. And there's the rub. Practices need written policies concerning who in the practice should have access to what information in order to accomplish their job. In the words of the final rule, practices have to identify:

  • "those persons or classes of persons, as appropriate, in its workforce who need access to protected health information to carry out their duties; and
  • for each such person or class of persons, the category or categories of protected health information to which access is needed. ..."

Williams sees this component of HIPAA as "the most onerous. In a smaller office, everyone does everything. It's going to be difficult for them to decide and monitor how much information each person really needs to have," she says.

On the other hand, "there is so much multi-tasking [in small practices] they may be able to legitimately give access to everything to everyone. It may be easier to look at the few exceptions, who doesn't get access, instead of looking for everyone who does," observes Christopher Coleman, vice president of Strategic Management Systems, an Alexandria, Va.-based business that is helping practices prepare for HIPAA.

Still, it is important to go through the process of formalizing your approach. "Just because it's easier to give everyone access to the full medical record, doesn't mean it's necessary," says Williams. She suggests making a list of employees, either individually or by job category, then thinking through what kind of access each one needs.

Consider what they do on a regular basis -- if they handle billing, do they need access to the full record or just the last visit? Do you have some way to limit their access or will you just ask them not to flip through a full record? "Think in terms of scenarios," Williams says. "If a patient comes in and asks for his full medical record, and it's the receptionist's job to copy it, she needs access to it."

Think through all the common ways the staff uses the medical record. Other oddball needs will come up, but a practice can simply set a policy that any access outside the ordinary will first be approved by a pre-ordained privacy official in the practice.

Appoint a privacy official

In fact, in the language of the final rule, HIPAA requires every practice to "designate a privacy official who is responsible for the development and implementation of the policies and procedures of the entity" and who can serve as a contact to handle any HIPAA-related complaints or questions.

University of Florida Jacksonville Physicians, with about 285 attending physicians, 274 residents and 150 midlevel providers, is recruiting a lawyer with a health management background for this position. Smaller practices might add the privacy official's duties to the business manager's job description. You simply need to name someone willing and able to take some time to understand the rules. Once an understanding and comfort level are in place, depending on the size of your practice, the privacy official may only spend about 30 minutes a day on this responsibility.

Set up reasonable safeguards

Policies concerning minimum necessary disclosures are fine -- and necessary -- but accidents will happen. A patient will overhear a physician talking to another patient about their medical condition. At check-in, a patient will loudly tell the receptionist that their bunions are killing them, to the entertainment of the others in the waiting room. A cleaning person will spy a file left on a physician's desk with the name of a friend on it. Will physicians be in big trouble for these sorts of so-called incidental exposures?

Not if they are truly incidental. HIPAA simply asks that practices put in place "reasonable safeguards" to prevent such mistakes, but explicitly refuses to outline what those safeguards should be. Practices are given complete liberty to define "reasonableness" for themselves.

The vagueness is "really a positive," says Coleman. "The government is making a statement that what's reasonable for a three-doc practice is not the same as what's reasonable for a 500-bed hospital." Dave Butler, Coleman's colleague and COO at Strategic Management Systems, backs him up: "The government is providing flexibility for you to figure this out. ... [Reasonable safeguards] should not be a big item that costs money."

For example, there are no specific bans on leaving lab results on an answering machine or using sign-in sheets that let other patients see who visited the practice before them. Similarly, there are no particular stipulations about physical characteristics of the office, such as requiring soundproof rooms or glass-enclosed check-in and check-out areas.

Most reasonable safeguards come down to common sense precautions. For example, staff at check-in and check-out should keep their voices low to reduce the chances that other patients will overhear them, attorney Meinhardt suggests. Be sure to train staff about what they should and shouldn't do with regard to reasonable safeguards, and document that training to show you've made an effort.

Authorized releases for marketing, research

Thus far, the requirements reviewed here generally apply to protected health information that relates to treatment, payment, or operations. There is another set of requirements having to do with protected information that is for purposes other than for treatment, payment, or operations -- such as some forms of marketing and research. These require the patient to sign an authorization form -- see the sample in the Tools section of www.PhysiciansPractice.com.

For example, if you are using health information for research purposes, you will generally need authorization to do so. The final rule goes into the requirements for research at some length, so be sure to review them if it applies to your practice.

While the HIPAA definition of marketing is a little vague, it includes any promotion of products or services related to a person's medical condition that falls outside case management or care coordination. A reminder to the patient to call the office to schedule a Pap test isn't marketing. However, selling the names and addresses of all your patients with diabetes to a pharmaceutical company with a new insulin drug is, and will definitely get you in trouble.

"Most small practices aren't going to be doing a lot of things that require authorizations," says Goldstein, "but anytime you are requesting or releasing information that is out of the ordinary, go to your privacy official and ask if it falls outside of treatment, payment, or healthcare operations."

Account for disclosures

A very few disclosures of protected health information may fall outside the "free" zone of treatment, payment, and operations but may still not require authorization from the patient -- for example, disclosures required by law or made to public health officials. Providers are required to keep track of any such disclosures and be prepared to give patients an accounting of them, if the patient asks.

Your accounting would have to include:

  • the date of disclosure;
  • who received the information, including the recipient's address when applicable;
  • a description of what was disclosed; and
  • a statement of purpose of the disclosure or a copy of the individual's authorization.

Practices are required to provide one such accounting per year per patient for free. After that, it's OK to charge a cost-based fee. Although it sounds like a terrible burden, in fact, releases made without the patient's authorization that fall outside the area of treatment, payment, or operations and are not made to the patient themselves won't come up often in the majority of practices. Most disclosures don't need to be tracked.

Draft business associate agreements

While a practice primarily controls the protected health information it accumulates, many practices also give other companies who are assisting them access to medical information. HIPAA calls these outside entities "business associates," and requires practices to have a signed agreement with each one. The agreements essentially require the associate to maintain patient privacy. You can find a sample in the Tools area of www.PhysiciansPractice.com.

Luckily, physicians are not held liable if a business associate violates that agreement, and the final revision offers some leniency in complying for practices that will be renewing or updating contracts with identified business associates during 2003. If you will be renewing a contract during the year, but after the April deadline for HIPAA compliance, you can put off complying with this one piece until your usual contract renewal time -- as long as it's done by April 2004.

But before putting these agreements in place, identify who counts as a business associate. "Even a small practice has a lot of folks they contract with," notes Coleman. A business associate is defined as someone who works on behalf of a practice -- but isn't an employee -- and who has access to protected health information. Examples make it easier to understand: billing companies, attorneys protecting a physician in a malpractice suit, consultants reviewing coding practices. Excluded from the list are payers, hospitals, and people like janitors or florists who don't have access to health information.

Give patients access

The vast majority of HIPAA's Privacy Rule focuses on protecting patients' privacy. But there is a second important element: giving patients access to their own medical records. Right now, rules concerning patient access -- whether and how physicians must provide it and whether they can charge for it -- have been set at the state level. HIPAA would set a federal standard as of April 2003.

In essence, all patients have a right to their medical record, excluding:

  • psychotherapy notes;
  • information compiled for civil, criminal, or administrative proceedings; or
  • some other exceptions such as concerns for confidentiality or self-harm.

Practices can require patients to provide a written request for access as long as they let patients know about that requirement in advance (include this in your Notice of Privacy Practices); you must respond to a request within 30 days, or take a one-time 30-day extension. Denying access is a possibility, but you'd have to back it up by meeting one of the exceptions listed above.

In granting patients access to their records, you can:

  • provide inspection of the original or a copy, but you have to follow the patient's wishes in this regard;
  • provide just a summary -- again, if the patient agrees to it;
  • charge a reasonable, cost-based fee, including your costs for copying, postage, or preparing a summary.

Also, patients have the right to request an amendment to the record, and physicians have lenient rights to deny the request if it will hurt the patient or someone else, or if an amendment would make the record incorrect.

If these rules and rights conjure up a vision of hordes of patients clamoring for expensive, time-consuming reviews and changes, don't worry, it's not likely.

"In a lot of states now, patients can get a look at [their medical record], but you don't see a flood there," Coleman notes.

Williams agrees: "I don't think there will be a lot of people asking [for access]. I don't think a lot of people are aware of [HIPAA]." Still, it's important to manage the process for those patients who do want to see their record. Put one person in charge of satisfying requests, Williams suggests, and be strict about requiring written requests. That way, staff can set a schedule for arranging admission instead of being constantly interrupted.

She also points out a possible problem: What happens when patients can't read their physician's handwriting? Have a process in place for physicians to provide dictation or analysis. Above all, do not have employees interpreting clinical information for patients. You can't afford any errors.

Coleman advises practices to encourage patients to look only at copies of the record, not the original. If the patient insists, "keep some oversight. Don't just put them in a room and let them have at it. ... Watch them." Even though all of these regulations are ultimately designed to protect patients' privacy and right to access their own health information, patients should not have carte blanche with important medical records.

All in all, the HIPAA Privacy Rule should not cost the average solo or small group practice physician much money or effort. It may seem like another aimless attempt on the part of the federal government to make the lives of physicians miserable, but the objective of protecting patients is fundamentally good. Commit some time to understanding the requirements and implementation shouldn't cause too many sleepless nights.

Pamela L. Moore can be reached at pmoore@physicianspractice.com.

This article originally appeared in the October 2002 issue of Physicians Practice.