By Scott B. Elkind, Esq.
The new Health Insurance Portability and Accountability Act (HIPAA) regulations go into effect on April 14. These new HIPAA regulations include measures to ensure patient privacy.
As you have noticed over the course of the last year, every insurer or credit issuer has sent you a Privacy Act Notice in order to conform with their associated privacy rules. Well, formal privacy rules are not just for financiers anymore and these new ones affect your medical practice directly.
Under the new HIPAA regulations, patients have the following rights:
- To inspect, obtain a copy of, and request correction of errors in their medical records
- To ask doctors and health plans to disclose who else has seen the patient’s records
- To request certain restrictions of the disclosure of medical data
- To ask that information be delivered to a location other than the address of record
- To bar hospitals from releasing information about inpatients to the public, including friends and family members
In rendering access to files, you may charge for copying of the records in accordance with your local rules. Also, you may require correction requests to be made in writing. Please be advised that you cannot refuse a patient the right to review or receive copies of treatment records due to unpaid bills.
So, you ask, what do I have to do to comply with these regulations and keep myself out of trouble? Well, here is a short list of initial steps to assist:
- Adopt your own privacy statement stating that all information collected will remain confidential and will only be released to authorized medical sources and other persons
- Make sure your personnel maintain strict compliance with this statement and do the following:
  - Do not authorize medical information to be sent to another person or entity without written authorization by the patient
  - Do not give information over the phone to a patient’s friends or relatives unless specifically authorized
  - Do not leave patient records in public areas in which others may view their contents either purposefully or inadvertently. This includes hanging charts on examination room doors and moving computer screens below eye level in the reception area.
  - Cease the practice of requesting the purpose of a patient’s appointment as part of a sign-in procedure
  - When leaving messages for a patient by phone, you can only use cryptic language such as “the test results are normal” or “you need to contact us concerning your test results”
You may include additional information on your privacy statement stating that the patient’s information will not be utilized for marketing purposes and will only be used for furtherance of their treatment. You may also remind patients of their rights and the new safeguards put into operation to preserve their privacy rights. You may also reserve the right to request written authorization to release information to unfamiliar sources.
When releasing information to authorized parties, you may wish to include a cover page stating that the information has been released in accordance with a lawful request, but that the information contained cannot be transmitted to others without similar express authorization or for any purpose other than the treatment of the subject patient.
Of course, should you wish to ignore this column and continue to practice as you always have, I should remind you that violations are subject to a $50,000.00 fine and a year in prison for intentional disclosures and $250,000.00 and 10 years in prison for disclosure of information with the intent to sell it. I hope this will serve as an incentive for regulation conformity.
Scott B. Elkind is a principal at Elkind & Shea in Silver Spring, Maryland. His practice focuses on disability and medical issues.