Advanced Search

Health Information Compliance Alert

HIPAA Privacy:

SAFETY FIRST FOR DOC GROUP HIPAA COMPLIANCE

Published on Wed May 01, 2002 Print Friendly and PDF PDF

The war cry for privacy officers everywhere should be "better safe than sorry," and at least one expert says getting best practices in place even before the rule is finalized could be the best bet in the long run.

The final version of the Health Information Portability and Accountability Act's consent requirement is still under review, but there are still a few practical issues medical groups and physicians' practices can chalk down to ensure they're in the clear with the act's privacy standards.

The notice of proposed rulemaking issued in March by the Department of Health and Human Services would essentially remove the HIPAA consent requirements but it's still not clear whether Congress will step in and force consent provisions to be restored. In the meantime, there are a number of practical issues physician practices should consider when it comes to consent:

  • When should you get it? Questions that arise with respect to consent often revolve around whether the practice should start obtaining consents from patients now or whether they should wait until the rules are finalized. While this is mainly a judgment call that should be made on a practice-to-practice basis, "it makes good sense to start obtaining these documents now" before the compliance deadline, says Scott Edelstein with the Los Angeles office of McDermott, Will & Emery.

    Additionally, there's the question of whether consent should be obtained from the patient early in the process or whether the provider should wait until the patient is receiving some kind of treatment, posed Edelstein in a May 7 teleconference seminar, "Issues and Answers for the Physician Practice." In most cases the best bet is to get the patient's consent as soon as the patient presents himself at the reception area or registers for treatment, notes Edelstein.

  • How many forms must be completed? Another question raised by physicians is whether or not different consent forms need to be provided for each physician in the practice. The answer is generally "No." Since each physician is part of one covered entity, the group practice, consequently only one consent form would be required to cover all the physicians in that practice, Edelstein explains.

  • To treat or not to treat It's not such a difficult question. A practice can lawfully discharge or refuse to treat a patient who does not sign a consent agreement. Not only can the practice do that, it should do that, Edelstein recommends. "I think a practitioner should not treat an individual unless it's an emergency, of course, unless they have consent."

    If a provider uses PHI or discloses it without a consent form from the patient, he might be in violation of HIPAA, and the patient could file a complaint with HHS , which could lead to penalties. Erring on the side of caution, Edelstein tells Eli providers should always obtain the patient's consent prior to using any PHI or disclosing it for treatment, payment, or health care operations.

  • Consents for camp or school? Would an executed consent form be sufficient to release a camp form to a camp, or an immunization record to a school? Generally, the answer is "No," since these types of releases are not in connection with treatment, payment, or health care operations, and consequently aren't covered by consent, but rather by an authorization form.

    And as a practical matter, these types of documents should probably be given to the patient instead of directly to the camp or school, advises Edelstein, since by doing so, one wouldn't have to obtain the patient's authorization "one less administrative hurdle to overcome," he points out.

    • Other Articles in this issue of

    Health Information Compliance Alert

    View All