HIPAA delayed? Not really

Monday, September 30, 2002

It's not over! The HIPAA Trail goes on. Contrary to what many providers may believe, the Health Insurance Portability and Accountability Act (HIPAA) has not been delayed. If you have heard about a delay concerning HIPAA, you're partly right.

The Privacy Rule isn't delayed. What is delayed is the requirement for covered entities to be compliant with the HIPAA Electronic Health Care Transaction Code Sets originally scheduled for implementation on Oct. 16, 2002. If you, as a covered entity, will not be compliant with these codes and transaction sets you must file a compliance plan form prior to Oct. 16. You can find this form at the government Web site http://www.cms.gov/hipaa/hipaa2/ASCAForm.pdf.

By the time you read this article, I hope you have filed for a delay, if necessary. By requesting the delay your company will not have to be compliant with the codes and transaction sets until Oct. 16, 2003. If it is after Oct. 16 when you read this, and you have not filed the form, you're too late - HIPAA police are probably at your door right now arresting your staff and setting fire to any loose privacy stuff laying around.

If you are compliant, or have filed for the delay, then you can proceed on up the HIPAA Trail towards the Privacy Notice. The Privacy Notice is one of the most important chunks of the HIPAA Trail - HIPAA requires a covered entity to provide all patients with a Privacy Notice.

The Privacy Notice is the homecare provider's public document regarding all uses and disclosures of the patient's protected health information (PHI) and the patient's rights with respect to that information. HIPAA states that any public person, except prison inmates, can ask to see a copy of your Privacy Notice. Even your mom can ask to see it. So, you'd better write a good Privacy Notice because it could end up on your parents' refrigerator door.

HIPAA doesn't tell providers exactly how a Privacy Notice is to be written, but they do require it address the following:

- Provide detailed information regarding the provider's uses and disclosures of PHI.

- Explain the patient's rights to inspect, copy, and amend information contained in their PHI, and how to file a complaint with DHHS.

- Define the provider's responsibilities under HIPAA.

- Make every effort to provide the Notice in a language understood by patients and provide the information to any blind or illiterate patients as well.

- Make the Privacy Notice available to patients in hardcopy, or electronically if the patient agrees to that format.

As we have progressed down the HIPAA Trail, providers have been told they need to develop written privacy policies and procedures and establish safeguards for protecting the PHI, as well as produce a Privacy Notice that encapsulates all this material. The task sounds so hard, it's too bad we can't make prison inmates write this stuff.

Who is going to write these policies and the Privacy Notice? The answer lies ahead on the HIPAA Trail.

Randy Schluter is President and COO of Dragonfly Technologies, L.L.C. and also serves as a business consultant to Arrow Professional Enterprises in matters pertaining to HIPAA. Randy can be reached at Dragonfly at 1-888-430-6919 or via e-mail at rschluter@refere-z.com. Also, a schedule of Arrows' HIPAA: Homecare Action Items Programs may be obtained via www.arrowprof.com.