Don’t let HIPAA myths derail compliance efforts
Preliminary results from the Chicago-based Healthcare Financial Management Association’s (HFMA) membership survey on HIPAA readiness indicate that an alarming number of entities have done little to implement some of the Health Information Portability and Accountability Act (HIPAA) compliance requirements. Worse yet, new myths and misunderstandings constantly are cropping up.
The best way to sort through the HIPAA facts versus the fiction is to review the rules, assert Gail Sausser, a health care attorney with the Washington, DC-based Vinson and Elkins and Tom Sadauskas, an information systems technologist with Northrop Grumman Information Technology, Health Solutions, and Services, both members of HFMA’s HIPAA External Task Force.
Here are six myths surrounding business office and information system functions they say hospitals must guard against:
- Myth: Providers won’t be able to call patients with appointment reminders.
Sausser says contacting patients with appointment reminders, information about treatment alternatives, or other health-related benefits is permissible as long as the provider first discloses its intentions to communicate with the patient. A separate statement disclosing these intentions must be included in the required Notice of Privacy Practices that is given to each patient upon his or her initial visit, she adds.
- Myth: Providers will need a new consent every time a patient comes in for treatment.
Sadauskas says the privacy guidance clarifies that "a health care provider needs to obtain consent from a patient only one time." It also adds the following: "This is true regardless of whether there is a connected course of treatment or treatment for unrelated conditions. A provider will need to obtain a new consent from a patient only if the patient has revoked the consent between treatments."
- Myth: Providers won’t be able to bill if a patient revokes consent.
"Some providers have been alarmed by the privacy rule provision that permits a patient to revoke his or her written consent to use and disclose personal health information," says Sadauskas. "This raises the specter of patients revoking their consent immediately after treatment but before payment."
However, he notes that the privacy rule also states that such revocation is not effective with respect to actions taken in reliance on the consent. In other words, the provider has not violated the rule if it made a permitted good-faith use or disclosure of personal health information before becoming aware of the patient’s revocation.
The privacy guidance further clarifies that, after a patient has revoked consent, providers still may bill for services that were provided before the revocation, he adds.
- Myth: Physicians won’t be able to sell their practices.
According to Sausser, some physicians have worried that HIPAA will hinder them if they seek to sell their practices because they must share a certain amount of protected health information with the potential buyer. But she says the privacy rule includes an exception for such due-diligence activities.
"Permitted disclosures that are considered part of health care operations include the disclosure of personal health information for due diligence to a covered entity that is a potential successor-in-interest," she says.
- Myth: HIPAA technology is the information technology department’s responsibility.
Although information technology plays an integral role throughout the HIPAA regulations, HIPAA is more an administrative compliance function than anything else, Sadauskas says. Even the security rule contains a substantial number of administrative requirements.
"Unfortunately, because policies, procedures, and risk assessments take a great deal of time and effort to develop, many providers are jumping to purchase technical tools instead of first concentrating on developing sound policies and procedures based upon their own unique circumstances and relationships," he says.
- Myth: HIPAA requires encryption and biometrics.
According to Sausser, some people believe that to ensure security, all health information will have to be encrypted. In fact, only health information sent over an open electronic network needs to be encrypted, she says.
Sausser says a related myth is that all staff will need to carry smart cards or have biometric access to computer files. "In reality, the proposed security rule is both scalable and technology-neutral," she says. "Biometrics are put forth in the regulation only as an example of a form of authentication that a covered entity may choose to use."
To read common myths that people have used to delay their implementation activities and addressed treatment-related issues, go to www.hfma.org/publications.
You have reached your article limit for the month. Subscribe now to access this article plus other member-only content.
- Award-winning Medical Content
- Latest Advances & Development in Medicine
- Unbiased Content