Who needs to pay attention?

Friday, May 31, 2002

Last month I left you standing at the head of the HIPAA trail. As I said before, the HIPAA trail is a bureaucratic trail so you will need to pay close attention to all the trail markers. I will explain the markers to you in terms working hikers can understand, rather than in the legal and bureaucratic language of the Department of Health and Human Services, (DHSS), which is known for saying things like "The HIPAA regulations will be done on schedule or some time afterward."

The first trail marker indicates that in order to reach the destination of becoming HIPAA compliant, healthcare providers need to know the key players addressed in the Privacy Rule. As required by HIPAA, the Privacy Rule covers health plans, healthcare clearinghouses, and healthcare providers who conduct financial and administrative transactions electronically. The Rule calls these businesses covered entities. The regulation does not apply to healthcare entities if they engage in paper-only transactions. Yet, if at anytime a provider uses an electronic format, i.e. fax, e-mail, Internet, etc. to communicate and/or distribute medical information, regardless of current paper billing or record keeping procedures, then HIPAA privacy regulations apply to them as well.

In addition, the Privacy Rule has regulations dealing with the business associates of these covered entities but we'll deal with that part of the trail when we come to it. Or, as the bureaucrat might say, "Don't count your fish before they fry."

The second trail marker deals with rules and regulations set forth in the Privacy Rule pertaining to patient's rights and the control of their health information. It does so by setting boundaries on the use and release of medical records by covered entities; it establishes safeguards that healthcare providers must use in order to protect the privacy of health information. It also states that patients have the right to find out how their medical information is being used and what disclosures of that information have been made.

In addition, the Privacy Rule limits the release of health information to the minimum reasonably needed for the treatment of the patient and it gives patients the right to examine and obtain a copy of their health records and request changes.

As always, when government regulations are concerned, the rule holds violators accountable, with civil and criminal penalties that can be imposed if they violate the patient's privacy rights.

In the current marketplace healthcare providers already take precautions to ensure the privacy of their patient's medical records. The implementation of HIPAA merely sets forth official government standards regarding the patient's right to privacy in regards to their personal health information.

As you can see, the HIPAA trail may twist and turn, but it can be followed. So rest assured that where HIPAA compliance is concerned, there is light at the end of the rainbow.

- Randy Schluter is president and COO of Dragonfly Technologies and also serves as a business consultant to Arrow Professional Enterprises in matters pertaining to HIPAA. HME