Nine key components of the HIPAA privacy rule
February 1, 2001
Here are some bread-and-butter issues
Here is a synopsis of what the new HIPAA privacy rules mandate:
1. Physician practices must maintain physical security of all health care information. This includes limiting access to computer terminals and physical access to other documents. Records should be kept under lock and key, with limited access. For instance, your reception staff no longer will be able to keep patient files sitting out unless they are in a closed and locked area. Sign-in sheets should ask for minimal information.
"What HIPAA requires is that a physician practice be extremely careful as to where files are located. For instance, patients should not be able to look over the shoulder of a nurse or physician and see someone else’s patient record on the screen," says Peter Adler, JD, a health care attorney with Foley & Lardner’s Washington, DC office.
2. Access to individually identifiable health information is restricted to a "need to know basis." You must develop criteria setting out which of your employees needs to see identifiable health information and identify the people or groups of people who will review the requests of disclosure.
For instance, the billing people shouldn’t have access to the clinical notes and the clinical people don’t need to know the patient’s financial information, according to Janice Cunningham, JD, an attorney with The Health Care Group, a Plymouth Meeting, PA, health care consulting firm. If the front desk is doing just scheduling and registration, they don’t need access to either the financial or the clinical information, she adds.
3. You can disclose only the "minimum information necessary." For most disclosures, the regulations require you to disclose the minimum information needed for the purpose of the disclosure. For instance, if you are asked to release information to process a workers’ compensation claim, you must restrict the information disclosed to the minimum necessary amount. However, the final rule does not apply to the transfer of medical records for treatment. The new regulations give providers full discretion to determine what information to include when you send patients to other providers for treatment.
4. Patients have significant new rights of control over their health information. The new law gives patients access to their individual health information that is in your files. This means that you will have to make the records open to a patient any time he or she wants to see them. They will be able to request a correction or amendment to any information which is incorrect or with which they disagree. The regulations give patients the right to a "disclosure history," which lists entities that receive the information.
5. You have to provide your patients a written notification of their rights. You will be required to give patients a clear, written, detailed explanation of how you use, keep, and disclose their health information. Patients also have the right to request restrictions on the use and disclosure of their health care information. Your consent forms must state these rights. The law states that the individual has the right to review your privacy notice before signing the consent. This will make it difficult if you later decide to change your privacy practices. Adler suggests that you state in your consent form that you reserve the right to change your privacy practices.
6. Patients must give written consent before you share their information. The final provisions require physicians to obtain written consent from patients whenever payment, treatment, or operations result in disclosure of health information. You must obtain a patient’s written authorization to use or disclose health information for treatment, payment, or health care operations, including use within your own organization. The consent form needs to be written clearly and should clearly identify what kind of consent is being given.
You must get the authorization at the onset of care, with the exception of emergency care and legal requirements, such as treatment in an emergency room. Consent documentation must be kept for six years. If you have been using a blanket consent form for release of records, it probably will no longer be adequate. Under the new HIPAA regulations, physicians will have to obtain very specific patient consent any time they release identifiable health information. The consent form must state exactly to whom the information is going and for what purpose.
For instance, if you are referring a patient to a specialist, you can’t give the specialist any diagnostics, background notes, or written or oral information about the patient unless you get specific written consent from the patient. "There has to be a new consent form every time a physician releases patient information. If there is a patient with multiple problems who is referred to several specialists, there will have to be a separate form for each specialist," Cunningham says.
Patients also must sign a consent form if you are sending their health information to a third-party billing company or payer. A one-time consent form is okay in this case. The regulations allow disclosure without patient consent for some activities including quality assurance, public health, judicial or administrative procedures, limited law enforcement activities, emergency circumstances, identification of a deceased person or cause of death, and activities related to national defense and security.
The physician can refuse treatment if the patient refuses to sign the consent form. If there is an emergency or it’s a case where the law requires you to give treatment, you may treat the patient without the consent form. The new regulations also require providers to obtain specific consent for non-routine uses of information and for most non-health care purposes, such as releasing the information to financial institutions determining mortgages or selling mailing lists to interested parties. Providers and health plans cannot condition treatment on a patient’s agreement to disclose health information for non-routine uses.
7. All entities covered by the rule must have a privacy officer. This person is responsible for ensuring that the records in your office are handled in accordance with the privacy regulations. If a patient has a complaint about how his or her records are handled, the privacy officer would handle it.
8. Staff must receive training on your privacy policies and procedures every three years. "The organization will have to provide documentation that training has been given," Adler says. The training should cover all aspects of how and why you are protecting health information and should be in conjunction with security training, which will be mandated in the yet-to-be-released security regulations. Your staff must be re-trained and re-certified every three years.
9. You must make sure that anyone with whom you share confidential patient information follows the HIPAA privacy regulations. The Department of Health and Human Services puts the onus on providers to make sure that anyone with whom they share individually identifiable patient information follows the HIPAA privacy regulations. "If physicians share confidential patient information with other entities, they must bind their business associates to adhere to the same regulations as the practice," Cunningham says.
"Business associates," referred to as "business partners" in the regulation, are people who perform or assist in the performance of a function or activity or perform legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. The new regulations have softened the burden of requiring physician practices to police their business partners. However, if you know there has been a violation of the HIPAA privacy regulations, you have to push for immediate corrective action.