Wednesday, June 29, 2011

Protecting Your Patient's Privacy

Congress enacted the Health Insurance Portability and Accountability Act (HIPAA) in 1996.  Title I protects health care coverage for employees when they lose or change their jobs.  Title II, known as Administrative Simplification (AS), requires the establishment of national standards for electronic claims submission, national identifier numbers for providers, and the security and privacy of all health data.

The HIPAA Privacy Rule took effect in April of 2003, with a compliance date for most entities of April 21, 2005.  Patients' medical records are referred to as Private Health Information, or PHI, and all covered entities that provide medical services are compelled by law to protect patient confidentiality and communication.

Any patient who feels that the Privacy Rule is not being upheld can file a complaint with the Department of Health and Human Services Office for Civil Rights (OCR).


Policy:  All covered entities are required to adopt a written set of procedures to ensure patient confidentiality.  A privacy officer should be designated to develop and implement these procedures and to clearly document security controls.  If any practice business is assigned to a third party, the practice must ensure that this party is also in compliance with the required safeguards.

For example:  Medical records must be kept in a secure location that can be locked at the end of the day.  In addition, the practice should clearly identify those individuals who are allowed access to these records.  Any and all conversations regarding PHI must be held in a secure area.

Copy and fax machines, as well as outgoing mail, must be located away from patient access.  Employees should double-check all machines each day to make sure originals are not left behind.  Only authorized staff should have access to incoming mail.  E-mail systems must also be protected to ensure HIPAA compliance.

You are required to implement a HIPAA training program for your facility, and employees are required to have a good understanding of your office's compliance policies.  They must sign off after training is complete and records of their signatures must be kept on file.

An emergency plan must be in place for computer data backup and recovery.

Equipment and Records:  Medical records must be disposed of properly to make sure that PHI is never compromised.  Shredders must be available to destroy old documents.  In addition, equipment such as fax and copy machines must be located away from the patient waiting area and exam rooms, and your office workstations must be organized so that charts are not viewable by patients or visitors to your facility.  Daily sign-in sheets are now available so that, after the patient signs in, the name can be peeled off and placed on a secure daily data sheet not viewable by other patients.

Technical Support:  Computer software should be password protected, and the entity should ensure that these passwords are not shared with or accessible to non-authorized personnel.  Most of the better software packages offer security settings that allow management to restrict or deny access to any information not related to an employee's tasks, in keeping with that employee's job description.  Configuration and authentication of software, passwords, and office equipment are the responsibility of the practice's security officer, who monitors access to data.  A quarterly audit of all equipment and security measures should be completed to make sure the practice remains compliant.

Your HIPAA Patient Statement:  All new patients should be given a HIPAA statement when they check in for their visit.  This statement should state that the practice is committed to adherence to all HIPAA policies, and it should also ask the patient a number of questions about their preferences in matters of confidentiality.  These may include:
May we share your medical records with other practitioners that are providing concurrent care?
Can confirmation calls be left on your phone answering machine?
May we call you at work with test results or appointment reminders?
Do you currently have a health care proxy that is allowed to make decisions for you, should you be unable to make these decisions yourself?   Who is this person and what is their relationship to you?
Do you have any specific requests regarding your PHI?

The answer sheet for these questions should be filed in the patient chart.  Any specific request should be noted on the chart so that you can abide by your patient's wishes.

Use common sense when implementing HIPAA procedures in your office.  If your exam rooms have outside chart holders, you may want to place the chart backwards so that the patient name is not visible.  You can purchase bins to store charts pulled for the day or week.  Chart preparation and filing of patient records should be done in your file storage area, where a small table may be a useful addition.

Physicians often continue conversations with their patients as they leave the exam room and do not realize that this may compromise their patient's confidentiality.  Doctors should complete their consultations and write any scripts inside the exam room.

Tomorrow:  Your Office
