Medical Privacy Rules Extend Beyond Doctor's Office"What is this HIPAA and how does it affect my firm?" lamented the sales representative for an area communications firm. "We sell communications systems, but when I proposed a project to an area health care institution, they said we have to be HIPAA compliant." This frustrated sales representative was referring to the Health Insurance Portability and Accountability Act of 1996, a law that requires the establishment of new privacy protections for health information. At first glance, one would think that government regulations on the privacy of health information would focus primarily on the doctors office.
But the reach of this law and the regulations implemented by the US Health and Human Services Department extend much farther. HIPAA is like a hippo, waiting submerged in a tropical river only showing its nostrils and eyes appearing as a stepping stone; the reality is a large animal beneath the surface, much more than what meets the eye. The medical privacy regulations define certain covered entities to include health plans, health care clearing houses and health care providers. Health plans are those individuals or organizations that provide or pay the cost of medical care. This includes insured and self-insured plans. A health care clearinghouse is an entity that processes health information from standard to non-standard formats or back again, part of the growing trend for electronic processing health care and insurance claim information rather than traditional paper processing of records. A health care provider is a person or organization who provides health services or products and who transmits health information in an electronic form. For example, self insured employers receiving medical information and paying employee health claims, or paying an administrative service for claims processing may qualify as a health plan subject to the rule. The regulations also apply to a category of entities referred to as a business associate. A business associate is an individual or organization who performs a function or activity involving use or disclosure of health information, such as claims processing, administration, billing, benefit management or other similar function. Also considered as business associates are individuals or organizations that provide legal, accounting, actuarial, consulting, financial, administrative or other professional services for an entity covered by the regulation. The communications project proposed by the sales representative described above involved access to protected health information. As a result, the communications firm qualified as a business associate subject to certain medical privacy requirements. Covered organizations are responsible to designate a privacy officer, define privacy policies including a privacy notice and complaint procedure, and provide training to employees. Business associates are responsible to agree to implement safeguards to protect records privacy, permit individual access, and arrange for return or destruction of private data upon termination of their business associate role. The compliance deadline for these activities is April 14, 2003. A free HIPAA compliance checklist is available in response to a faxed request to 630-513-8237. Further information is available from www.HHS.gov and www.medicalprivacy.info. About the Author . . . . . . William S. Hubbartt is president of Hubbartt & Associates, a St. Charles, IL consulting firm specializing in employee compensation, employee handbooks, personnel policies and supervisory training. (www.Hubbartt.com) Mr. Hubbartt is author "The Medical Privacy Rule - A Guide for Employers and Health Care Providers." |
February 2000 © KANE COUNTY CHRONICLE
Reprinted with
permission
