HIPAA In The Small Practice – Figuring Out The Minimum Requirements Small practices are struggling to find ways to comply with HIPAA regulations without restructuring their current procedures. One benefit of being a small practice is that if your office has less then 10 full time employees, you may be excluded from the standardization of electronic claims. Be aware, though, that as of October 16, 2003, all providers will be required to submit claims electronically to Medicare. At that point, being a “paper only” facility will not help the small physician office dodge the rules and regulations of HIPAA. Privacy standards are unavoidable no matter if you are a single practitioner or work with a group of 20 physicians. HIPAA requires covered entities to make reasonable efforts to minimize the release of protected health information (PHI). In other words, use only the patient data necessary to accomplish the task at hand. Which health information falls under the Privacy Standard you ask? Anything that contains data that can identify an individual. Medical records, insurance information and billing records are all examples of where confidential information can be found. Please keep in mind that all PHI can be communicated in written, oral or electronic form. Physician offices must make a conscious effort to avoid unnecessary PHI exposure. This means no paperwork containing PHI can be left on desks, fax machines, counter tops or copiers. There must be written policies and procedures in place regarding how information is going to be protected and who has the right to view certain data. One way in which employers can proceed with this is by dividing employees into categories. Two examples of this would be as follows: 1.) Data entry personnel need to see demographic information but do not need to view the actual medical records. 2.) Patient account representatives also need to have access to demographic information, but at the same time may need to view the medical records in order send them to entities requesting them for payment purposes. One of the most insecure items in an office is the fax machine. The following are some suggestions on protecting faxed information: · Implement a confidential fax cover sheet with the heading of the cover sheet stating “Confidential Health Information Enclosed”. Follow up by using astatement that indicates that unauthorized disclosure is prohibited by law. · Designate a fax machine in a low traffic area for receiving PHI. · Fax only urgent PHI and limit the transmittal of routine incidents. · Be sure that PHI has a proper release on file before transmitting. · Designate an authorized employee to routinely check the fax machine for incoming faxes and to deliver this information in a secure manner. · Develop policies and procedures on facsimile use and provide continuous training for all new employees. Every small entity must post a notice regarding privacy practices. This must explain to a patient how their protected health information may be used and how they can gain access to this information. A patient must also sign a form acknowledging that they received this information. If you would like further information on the privacy notice, please visit www.nchica.org/hipaa/sampledocuments.asp. As the clock continues to tick closer to HIPAA implementation, the staff here at Applied Medical Systems, Inc. will do our best to keep you informed with our articles. Keep your eyes open for future editorials. This article is reprinted with permission from the March 2002 issue of M.D. News magazine. This article is copyright © 2002 Applied Medical Systems, Inc.