Articles page     HIPAA page    

First HIPAA Guidelines Released

The Department of Health and Human Services, Office for Civil Rights, has released its first guidance material for the Health Insurance Portability and Accountability Act privacy rule. The guidance is supportive and helpful, but the message is still clear: comply with the regulations by April 12, 2003. Highlights include:

Initially, many individuals were concerned that the consent requirements of the privacy rule would have interfered with the common medical office and physician practice of calling in prescriptions to pharmacies without the prior consent of their patients. Phoned-in prescriptions will be allowed. In addition, friends and family may pickup prescriptions for patients. As long as pharmacists do not keep written records, they may give advice regarding over-the-counter medications without first obtaining a patient’s consent.

The need to obtain patient consent will be relaxed until after a patient referral has been made to a direct treatment provider for purposes of scheduling appointments, surgery or other procedures.

Oral communications will not be curtailed if they will interfere with a patient’s well being. For example, nurses or other health care professionals will still be able to discuss a patient’s condition over the telephone with patients, other healthcare providers and family members. However, the regulations are clear that oral communications must be reasonably safeguarded. Nevertheless, there is no expectation that providers will guarantee the privacy of protected health information from any and all potential risks. The balancing act in determining whether a provider has provided reasonable safeguards will involve a broad perspective including the potential effects on patient care and the financial and administrative burden of any safeguards. For example, it is reasonable and will be expected that personnel use caution when discussing a patient’s condition while avoiding saying the patient’s name out-loud when in public areas. This means that providers may discuss the coordination of a patient’s care as well as the patient’s condition at nursing stations. Even a patient’s condition and lab test results may be discussed with a patient or other provider in a joint treatment area if personnel are cautious about the manner in which the discussions are conducted.

Signed consents are valid for the use and disclosure of protected health information until revoked by the patient. A healthcare provider will be permitted to rely upon his/her professional judgment to determine whether obtaining a prior consent would interfere with the timely delivery of necessary health care when faced with an emergency treatment situation in which protected health information must be used for treatment, payment or other healthcare operations. If, on the other hand, consent can be obtained prior to providing the emergency care, the provider is under the obligation to first obtain such consent.

Patients must be notified, in the consent form, that they have the opportunity to review the healthcare provider’s notice of privacy practices before signing the consent. Whether the patient reads the privacy practices is up to the patient. In addition, the provider need not laboriously explain the notice of privacy practices to the patient before the patient signs the consent form.

Under the minimum necessary standard, healthcare providers "need not limit information uses and disclosures to those that are absolutely needed to serve the purpose. Rather, the reasonableness standard calls for an approach consistent with the best practices and guidelines already used by many providers today to limit the unnecessary sharing of medical information."

The provider is permitted to develop policies and procedures that determine who in the organization will be allowed access to patient information, including the entire medical record, for treatment purposes.

Certain adjustments may be needed to minimize access to protected health information, such as isolating and locking file cabinets or records rooms, or providing additional security, such as passwords, on computers maintaining personal information.

Healthcare providers can still use sign-in sheets.

PULLQUOTE:

The regulations are clear that oral communications must be reasonably safeguarded. Nevertheless, there is no expectation that providers will guarantee the privacy of protected health information from any and all potential risks.

For more information, please Call or E-mail