By: BRIAR A. ANDRESEN
The HIPAA privacy regulations have been out in "final" form since late 2000, and since that time, covered entities have been trying to determine how to get in compliance by April 14, 2003. In doing so, they have been faced with myriad sources of sometimes conflicting information, which has understandably resulted in a good deal of confusion about what is required for HIPAA compliance. This article describes some of the most common HIPAA misconceptions.
MYTH: Health care providers must have a business associate agreement with everyone they do business with, including janitorial services and consulting physicians.
FACT: A covered entity needs to have business associate agreements only with those who perform services on the covered entity's behalf, and who use protected health information to perform those services. Janitorial services do not use protected health information to perform their services and therefore are not business associates. (It is not a bad idea to sign a confidentiality agreement with your janitorial service, but that is not a business associate agreement.) Entities performing treatment-related services, on the other hand, do use protected health information, but uses of information for treatment purposes have been deemed to be provided on behalf of the patient, not on behalf of the covered entity. In determining who your business associates are, figure out who performs services for your benefit and whether they use PHI to do so.
MYTH: HIPAA requires my clinic to keep medical records under lock and key.
FACT: The Privacy Rules do not have specific requirements for storage of medical records. Covered entities are required to use reasonable safeguards to protect patient information, but the government has provided no required specifics. The standards are meant to be flexible, so take the steps to keep information protected that make sense - both financially and practically - for your organization.
MYTH: My clinic will no longer be able to use a sign-in sheet.
FACT: Sign-in sheets, along with other common clinic practices such as calling out patient names in the waiting room, will still be permissible under HIPAA. These "incidental disclosures" are permitted so long as the clinic uses reasonable efforts to keep disclosures to a minimum. So, for example, sign-in sheets should not require or reveal medical information, such as diagnosis or reason for visit, but typical office practices can continue as long as they reveal only the information necessary to accomplish the clinic's patient care goals.
MYTH: After two sets of proposed rules, two sets of final rules, and formal government-issued guidance, the HIPAA Privacy Rules are finally settled!
FACT: Though the newest set of final rules did clarify some outstanding questions and provider obligations, there are still many areas where confusion remains. In fact, in the preamble to the final rules, the government promised "further guidance" in at least eight areas. Until that further guidance is published (probably in the form of a Q&A on the CMS website), covered entities should work towards compliance while keeping in mind that for some questions, there are still no final answers.