HIPAA countdown for physicians

By Katherine M. Keefe, Esq.

With summer now over and the regulatory compliance dates under the Health Insurance Portability and Accountability Act (HIPAA) fast approaching, physicians who have not yet done so need to address their HIPAA obligations.

The level of HIPAA awareness among physicians varies, and many physicians have not yet taken steps to ensure that their practices will be HIPAA compliant by the required dates. While HIPAA poses a compliance challenge for physicians, recent modifications to HIPAA’s privacy requirements provide some clarification to assist in compliance efforts. This article briefly recaps the status of the regulations, describes a couple of the recent privacy modifications that may be helpful to physicians, and suggests some compliance priorities.


Briefly, HIPAA requires “covered entities” to adhere to several sets of administrative simplification regulations designed to standardize electronic health care transactions and protect the privacy and security of individually identifiable health information. In addition to health plans (including those offered by employers) and health care clearinghouses, which convert data from nonstandard to standard formats and vice versa (such as billing or repricing companies), physicians and other health care providers are covered entities and subject to the HIPAA regulations if they transmit information electronically in connection with a health care transaction regulated by HIPAA. Physicians who submit claims for payment only via paper processes would not be covered under HIPAA. However, even some of these physicians may become subject to HIPAA due to the statutory requirement that after October 16, 2003, except for physicians with fewer than 10 full-time employees, Medicare will make payment only for electronically submitted claims.

The HIPAA administrative simplification regulations and their compliance deadlines include the following.

• The standard transaction and code set rule (Standard Transaction Rule) requires that certain health care transactions, such as claims submissions and claims payments, be conducted using standard content and data formats. Compliance is required by October 16, 2002, or by October 16, 2003 if a covered entity files a compliance plan with the federal Department of Health and Human Services (HHS).

• The final privacy rule (Privacy Rule), as modified on August 14, 2002, essentially imposes federal controls on the use and disclosure of individually identifiable health information maintained in any form and provides individuals with certain rights of access to and amendment of their own health information. Compliance with the Privacy Rule is required by April 14, 2003.

• Security regulations, issued in proposed form in August 1998, will set standards for safeguarding the security of electronically stored and transmitted individually identifiable health information. Compliance will be required 24 months from the effective date of a final security rule.

Final Privacy Modifications

Consent Out/Written Acknowledgement In. A significant change to the Privacy Rule made through regulatory modifications issued on August 14, 2002 eliminates the written consent requirement. Under the Privacy Rule as originally issued, prior to treating a patient, a physician (or other health care provider) would have had to obtain the patient’s written consent for the physician to use or disclose the patient’s protected health information (PHI) for purposes of treatment, payment or health care operations (TPO).

The government agreed with health care providers’ concerns that the written consent requirement could potentially interfere with the treatment of the patient. Physicians may now use and disclose PHI for TPO without a HIPAA consent form. HIPAA continues to require specific written authorizations for certain uses and disclosures of PHI for purposes other than for TPO, such as marketing, fundraising and research.

However, while the Privacy Rule modifications remove the consent requirement, the modifications impose a new requirement: a physician with a direct treatment relationship with a patient must make a good faith effort to obtain the patient’s written acknowledgement of receipt of the physician’s notice of privacy practices. Covered health care providers are obligated under the Privacy Rule to provide individuals with a notice of privacy practices that describes the covered provider’s use and disclosure of PHI and the individual’s rights with respect to the PHI. Like the requirement to provide the notice, the new requirement to make a good faith effort to obtain the patient’s written acknowledgement of the receipt of the notice must occur no later than the date of the first service delivery.

If a patient fails or refuses to give written acknowledgement, a physician will be required to document the good faith effort and the reason the acknowledgement was not obtained. Physicians with indirect treatment relationships, e.g., radiologists who report results directly to the treating physician, are not required to obtain acknowledgements, but they remain obligated to have a notice of privacy practices and to furnish the notice to individuals upon request.

The written acknowledgement requirement is eased but not eliminated in emergency treatment situations. Physicians are permitted to provide the notice and to make the good faith effort to obtain the written acknowledgement at such time as is reasonable after the emergency.

TPO of Others. The Privacy Rule modifications clarify when physicians may use or disclose PHI beyond their own TPO purposes without the patient’s written authorization. Under the Privacy Rule as originally issued, a physician is permitted to use and disclose PHI for purposes of treatment by another health care provider. The modifications clarify that a physician may disclose PHI to another covered entity or to any health care provider (regardless of whether the provider is covered under HIPAA) for the payment activities of the entity or the provider that receives the information.

Additionally, a physician may disclose PHI to another covered entity for the health care operations activities of the covered entity receiving the PHI as long as certain conditions are met. The receiving entity must have or have had a relationship with the subject of the information and the disclosure must be for one of the following purposes: health care fraud and abuse detection or compliance, QA/QI activities, population-based activities relating to improving health or reducing costs, case management and care coordination, training, accreditation, licensing or credentialing.

The Privacy Rule and its modifications address other topics as well, including policies and procedures for PHI use and disclosure, the content of notices of privacy practices and authorizations, limitations on marketing, research, and many other requirements.

HIPAA Compliance Priorities

HIPAA’s compliance requirements are extensive and the compliance dates are nearly here. Some priorities for physicians to consider include the following.

Standard transactions. Is your practice ready to conduct standard electronic HIPAA transactions this year or next? Has a compliance plan been submitted to HHS in order to obtain an additional year–until October 16, 2003–to comply? Physician practices should immediately discuss Standard Transaction Rule compliance with their billing companies and should also be aware of the compliance timelines of their third party payers. Compliance plans can be submitted electronically; information regarding the compliance plan submission process can be obtained at www.cms.hhs.gov/hipaa.

Forms, policies and procedures. Has your practice begun to review existing confidentiality and privacy forms, policies and procedures against HIPAA’s privacy requirements? Among other policies and procedures, physician practices will have to develop new processes for obtaining written acknowledgements and for accounting for certain disclosures of PHI. Template privacy forms and certain policies and procedures may be available through professional associations, including medical societies, and are a good starting point.

Training. Have you considered how your staff will be trained on new HIPAA-required policies and procedures? HIPAA requires that by April 14, 2003 a covered provider’s workforce be trained in the provider’s HIPAA policies and procedures. Large covered providers may want to consider on-line training programs; smaller practices will at least want to ensure and document that all staff, including physicians, have thoroughly reviewed all HIPAA policies and procedures.

Business associates. Have you identified those vendors that perform services or functions on behalf of your practice and have access to PHI? HIPAA calls such vendors “business associates” and requires covered providers to enter into written business associate agreements containing specific privacy provisions. HHS published sample business associate contract provisions with the Privacy Rule modifications, and template business associate agreements are available through many sources.

Katherine M. Keefe, Esq. heads Reed Smith’s health information and managed care practices within the firm’s national Health Care Group. Ms. Keefe is located in Reed Smith’s Philadelphia office.