“Final” modifications of HIPAA privacy rules released

Issue: November 2002

ByCharles B. Brownlow, OD

I hope that you’ll all note an important word in the title above. “Final” is in quotation marks for a reason. I don’t believe these are the final modifications, by any means. The details of the Health Insurance Portability and Accountability Act (HIPAA) have been under the gun for months, actually years. Consider that Congress passed this bill in 1996, and its first policies will be in force no earlier than April 2003.

The HIPAA rules for electronic transmission of patients’ health information were to have gone into effect in October 2002, but providers gained a 1-year extension, to Oct. 15, 2003, just by asking for it. Now, the HIPAA rules regarding privacy have been changed dramatically, with 6 months to go before implementation. Don’t be surprised if more changes follow with respect to these and other parts of HIPAA.

The American Optometric Association (AOA) has done a great job on this issue. They were proactive in commenting on the rules well before any were amended or enacted. They have done an excellent job of providing notices and explanations of the HIPAA program and its details for the past few years. The AOA has even created compliance materials for its members to use and has periodically revised those materials to match the rules du jour. The AOA uses its AOA News and Optometry (the journal of the AOA) to keep its members informed. Hats off to the AOA volunteers and staff for tirelessly pursuing HIPAA’s moving targets and for consistently exercising all communication vehicles to keep members informed.

I have often said that one of the biggest challenges is communication. But the AOA and publications such as Primary Care Optometry News are doing everything possible to help.

So where are we with HIPAA? The two sections that affect doctors of optometry are the Electronic Transaction Standards and the Privacy Protection Rule.

Electronic Transactions Standards

Prior to Oct. 15, 2002, each of you should have applied for a 1-year extension to the deadline for compliance. This will give you 12 extra months to figure out whether you have to make any changes in the way you handle fax or computerized transmissions of patient information to other health care providers.

The application for the extension and the details for what you have to do to comply with the standards prior to October 2003 may all be found on the Web site for the Centers for Medicare and Medicaid Services (CMS). For the extension form and for the details of the compliance plan, go to www.cms.hhs.gov/hipaa. If you are not online, contact your state association, the AOA or me for copies. For now, at the very least, someone in your office should be reading these standards and should be starting to develop a plan for how your office will comply.

The Privacy Protection Rule

The original rules would have required each office to have each patient complete a consent form prior to releasing any health care information, even information that would be used only in the provision of health care services. The requirement for consent forms has now been eliminated.

Instead, each office must develop a plan for informing every patient about the office’s policies for protecting the privacy of patient records. That form, a notice of privacy practices, must be given to every patient, and each patient must be asked to acknowledge receipt of the notice. For example, the notice may have a tear off section that the patient would initial and return to the office.

By mailing the notice of privacy practices to each patient and by asking patients to acknowledge receipt of the notice, your office will comply with this section of the Privacy Protection Rule. The notices must be given once to each patient during or before his or her first visit to your office after April 23, 2003.

Always remember that the privacy provisions of HIPAA do not set aside any state laws that govern your handling of medical records. As a general rule, every office must know and abide by state and federal rules and laws pertaining to patients’ medical records.

Stay informed

Life as a health care provider gets more complicated all the time. There will be more rules and regulations and more changes in HIPAA over the coming months and years. It is important that you and your staff stay as informed as possible, reading articles in the professional press and carefully studying any official-looking notices you receive from Medicare, Medicaid and other governmental agencies. It’s not easy, but the alternatives are not pleasant.

I think it is important to know and understand the stimulus for legislation such as HIPAA, too, and to do all you can within your office to address privacy concerns proactively. Think about ways that your personal health care providers handle you and your family members. Which policies are pleasant and respectful of your privacy and which are offensive and disrespectful? Then, go back to your office and make an objective analysis of how your patients and their privacy are protected.

If you see problem areas, address them immediately. Your patients will appreciate it, and you and your staff will get a renewed respect for the special bond and cooperation that exists between health care providers and their patients.

For Your Information:

The Centers for Medicare and Medicaid Services can be reached at www.cms.hhs.gov/hipaa.

The American Optometric Association can be reached at (800) 365-2219; Web site: aoanet.org.

The AOA’s journal, Optometry, featured a detailed HIPAA update in the October 2002 issue. This should provide an excellent reference for doctors and staff.

Charles B. Brownlow, OD, FAAO, is executive vice president of the Wisconsin Optometric Association and a consultant for Schenck Health Services Solutions. He may be contacted at Schenck Health Services, P.O. Box 10, Weyauwega, WI 54983-0010; (920) 867-3005); fax: (920) 867-3065; e-mail: brownlowod@aol.com.