What's considered private by HIPAA?

Wednesday, July 31, 2002

At the present time, here on the HIPAA
trail, we have reached the trail marker named Privacy Safeguards. HIPAA has established privacy standards that covered entities - healthcare providers and payers - must meet. What is considered private by HIPAA? Glad you asked.

The HIPAA privacy regulations, as we learned a few trail markers back, are called the Privacy Rules. Knowing the governments love for acronyms I imagine this rule will become known as the PR, then simply R, followed by a moaning sound. This Privacy Rule specifically states that healthcare providers must protect any and all information concerning a patient's health information.

This patient's health information, also called protected health information or PHI for short (moaning sound), is any individually identifiable health information maintained or transmitted via electronic media or any other form of medium. Electronic media includes the Internet, private networks, leased lines, phone and fax lines and those transmissions that are physically moved from one location to another, i.e. magnetic tape, disk or CD-ROM. In other words, all PHI, whether in spoken, written, or electronic format, is to be protected by the provider.

Healthcare providers are to protect, the PHI by having written privacy protection policies and procedures in place prior to April 14, 2003. I guess the government believes you can hold these written policies up in front of your face when you're discussing the patient's PHI. You could also place these written procedures over your computer screen or fax machine so no one can see what's on them. If someone is trying to gain access to the PHI without authorization, you can throw these policies at his head. Now that would be protecting the PHI the way it should be protected.

Actually, HIPAA requires you to have these policies and procedures written so that you can, one, prove you are in compliance with the Privacy Rule, and two, have detailed guidelines that all your employees should follow in protecting the patient's PHI. In general, providers must have written privacy procedures that address the following:

- Patient's rights and responsibilities.

- Obtaining patient consent and authorization regarding healthcare treatment and payment.

- The uses and disclosures of the PHI during treatment of the patient.

- Policies regarding uses and disclosures of the PHI to business associates, i.e. billing services and manufacturers' representatives.

- Policies regarding the education and training of a provider's HIPPA Privacy Officer and all employees.

The Privacy Rule does not dictate how the provider is to develop these policies and procedures. Yet the Rule does lay down some guidelines that need to be addressed in those procedures. On the HIPAA trail ahead we will meet these guidelines and I'll tell you how to deal with them in a fast and efficient manner. We will make short work of these guidelines and make them easily understood by everyone. Just like the government's acronyms. Moan.

Randy Schluter is president and COO of Dragonfly Technologies, L.L.C. and also serves as a business consultant to Arrow Professional Enterprises in matters pertaining to HIPAA. Randy can be reached at Dragonfly at 1-888-430-6919 or via e-mail at rschluter@refere-z.com. Also, a schedule of Arrows' HIPAA: Homecare Action Items Programs may be obtained via www.arrowprof.com.