Eli's Rehab Report

Published on Wed May 04, 2016 PDF

Prepare for a fresh round of audits too.

You hand every new patient a “HIPAA form” to sign, but have you ever stopped to review if it lines up with what you’re supposed to be doing? Settle these basics … then, set your focus on bigger security issues — and auditors — knocking at your door.

Nail Your First Visit Paperwork Requirements

On the patient’s first visit, and no later, you (the covered entity) must provide the patient with a notice of your privacy practices. You can find a sample notice at http://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html. Because it can be a lengthy document, some patients choose not to take a copy home, but you must at least offer it to them.

You must also post the notice prominently in your facility and make it available on any website that you maintain to provide information to consumers, says Kennedy Hawkins, MBA, JD, LLM, president & general manager of PT Northwest in Salem, OR, and past president of the National Association of Rehabilitation Agencies & Providers. 

Good to know: You are also required to provide a notice of privacy practices “to anyone who asks for it,” Hawkins says. 

Offering and displaying the notice is only half the job. Next, you must ask the patient sign a written acknowledgement that they received your notice of privacy practices. Some providers go the extra mile and have the patient sign two copies — one for the clinic file and one to send home with the patient.

“HIPAA regulations require all covered entities to make a good faith effort to obtain a signed ‘Acknowledgement of Receipt of the Privacy Notice’ when the Privacy Notice is provided to a patient,” says Mary Daulong, PT, CHC, CHP, president & CEO of Business & Clinical Management Services, Inc., in Spring, TX.

If for some reason you can’t get a signed acknowledgement from the patient, you must make a notation in the patient’s record, Daulong says. Also, “treatment cannot be contingent upon obtaining a signature, nor does the lack of it limit the covered entity from using and disclosing the patient’s PHI as permitted by HIPAA.”

Clarification: The patient’s signature on the Acknowledgment form does not mean they agree to any special uses or disclosures of their protected health information (PHI). That’s where the HIPAA Release Form comes in.

Acknowledgement Form vs. Release Form

Healthcare providers (and patients) commonly confuse the Privacy Notice Acknowledgement with an Authorization for the Release of PHI. The former deals specifically with the patient’s receipt of the Privacy Notice, while an Authorization for the Release of PHI is a voluntary authorization, often initiated by the patient, Daulong explains.

“Unless utilized for treatment, payment, or health care operations that are defined in the regulation, the privacy rule generally prohibits a covered entity from using or disclosing PHI unless authorized by a patient,” Hawkins explains. “This is where the HIPAA release comes into play.”

The HIPAA release form gives you the patient’s permission to release their protected health information for another purpose, indicates what information will be disclosed, and to whom.   

Unlike the Privacy Acknowledgement form, federal law does not require a HIPAA release form on the first visit. However, state laws may have their own say.

“Minnesota, unlike any other state, does require a consent (authorization) prior to treatment,” Daulong points out. “While Acknowledgement Forms have no specific content and can be included in other release documents, the Authorization has very specific content requirements set forth by HIPAA and/or state law, if more stringent. An example is that California’s Privacy Notice must be printed in 14-point font.” 

Did you know? Several other HIPAA forms exist besides the Acknowledgement and the PHI release, Hawkins says. Examples include: 

• Request for an accounting of disclosures (the patient can request an accounting of the disclosure of their PHI made by the covered entity).
• Request for an amendment to their record or PHI (the patient may make a request to amend information with which they disagree).
• Request for restriction of use and disclosure of their PHI. 

Beware These Glaring Security Issues 

Paperwork aside, therapy facilities consistently walk a thin line in several security areas, according to Hawkins:

• Inadvertent disclosures or impermissible uses and disclosure: e.g., conversations within the facility and at registration.
• Mobile device usage and security (laptops, flash drives, portable hard drives), loss and/or theft.
• Computer and network access and security: up-to-date software upgrades and definitions, virus monitoring, firewall protections.
• Thorough risk assessments with appropriate mitigation through technical, administrative, and physical safeguards.

Must do: Performing a risk assessment for your privacy and security vulnerabilities is of utmost importance. However, most healthcare professionals in outpatient practices have failed to do this, Daulong says. “I also think that these same professionals feel much more comfortable with privacy compliance, but due to the technological nature of the Security Rule, are amiss in mitigating their security risk through sound implementation of the Security Standards.”

IT Consultants a Must — Yet Now Under HIPAA Watch Too

With all the security risks with the electronic age, an IT consultant is critical, “especially for small and medium group practices that don’t have an IT department for support,” Daulong says. 

But hiring this help could be a double-edged sword if you’re not careful. The IT professional would need to be in full compliance, too.

Why: The HIPAA police have just been dispatched for a fresh round of audits in 2016, and they won’t just be scrutinizing you and your employees, but also “business associates” that come in contact with patient data. For more information on these audits, see http://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/index.html.