HHS lightens HIPAA's load

Saturday, August 31, 2002

It just got easier to take this walk on the
HIPAA trial. The Department of Health and Human Services (DHHS), now referred to by the foes of competitive bidding as The Destroyer of Homecare Health Services (DHHS written in dark, sinister letters), has made some modifications to the HIPAA Privacy Rule.

As mentioned in last month's article, the published rule requires healthcare providers to keep patients advised on how their health information, or protected health information (PHI), is being used. The rule states that health- care providers, called covered entities (CE), are to:

- Supply patients with a clear written explanation of how the CE uses and discloses the PHI.

- Provide patients with access to copies of their medical and pertinent financial records upon request.

- Provide patients with an accounting — via a written or electronic log — of how the provider has used or disclosed the patient's PHI

When providers "use" PHI it refers to how they employ, utilize, examine or analyze the PHI. In other words, providers "use" the PHI in order to determine the proper treatment regimen.

Providers "disclose" the patient's PHI when they release, transfer or divulge the patient's health information to another source other then the treating provider. For example, physicians "disclose" a patient's PHI to the respiratory provider so the patient may receive the correct oxygen therapy.

In addition, the rule originally required covered entities to obtain patient consent, in writing, before the provider could treat that patient. Yet in the final modifications to the rule, published Aug. 14, 2002, DHHS has removed this requirement for a signed consent form. Beginning April 14, 2003, providers will only be required to provide their patients with a Notice of Health Information Practices, or Privacy Notice. This notice meets the rule's requirement that healthcare providers inform patients on how they intend to use and disclose the patient's PHI.

The modified privacy rule asks that providers make a good faith effort to obtain the patient's written acknowledgement of this notice. The DHHS wants providers to make a good faith effort? This is from the people who want to again invoke Inherent Reasonableness? Aren't these the same people who tell the HME providers they respect them today more then they will tomorrow? Enough said.

The Privacy Notice is to be the provider's public document regarding all uses and disclosures of the patient's PHI. Since this notice is the provider's public statement on how they are complying with the HIPAA privacy rule, this notice better be a good one.

The next trail marker should have information on what healthcare providers should include in their Privacy Notice. Walk this way.

— Randy Schluter is president and COO of Dragonfly Technologies, L.L.C. and also serves as a business consultant to Arrow Professional Enterprises in matters pertaining to HIPAA. Randy can be reached at Dragonfly at 1-888-430-6919 or via e-mail at rschluter@refere-z.com. Also, a schedule of Arrows' HIPAA: Homecare Action Items Programs may be obtained via www.arrowprof.com.