Progressive Focus© Newsletter
Volume 3, Number 1, Spring 2002
Helping You Manage the Expectations of Managed Vision Care
In This Issue:
The sky is falling, the sky is falling.
It is characteristic of wisdom not to do desperate things.
Henry David Thoreau, Walden
When thinking about and planning for HIPAA, where do optometric practices typically fall on the Chicken Little--Henry David Thoreau "response continuum"? Regrettably, it appears that a considerable number may be edged slightly over toward the Chicken Little side.
Perhaps nothing the Federal Government has done in the healthcare arena over the past two or three years has generated as much rumor, confusion, uncertainty, and fear as HIPAA (the Health Insurance Portability and Accountability Act). The healthcare press is full of ominous news about new, mandatory confidentiality and security regulations that will come into force starting in April 2003. And the dire warnings about large financial penalties are enough to make anyone shudder.
No one knows how things will play out since some of the regulations are still undergoing revision. Still, everyone knows that HIPAA will bring new administrative burdens and implementation costs that optometric practices must deal with in any case.
Every third party payer and administrative entity – HMO, PPO, vision plan, hospital, etc. -- is now getting its ducks in a row, preparing staffs and systems. Without doubt their provider agreements will be amended to assure your compliance with the HIPAA mandates imposed on these payers and administrators.
Therefore, the time to start your preparation is now. Even though there still are many unknowns, enough of the elements are defined to a point that you can begin building the infrastructure necessary to allow an orderly and efficient transition -- moving in a manner consistent with Thoreau's side of the response continuum. (Note: before initiating any changes for HIPAA you should always check with an experienced attorney or advisor.)
In this edition of Progressive Focus© I'll briefly touch on some of the key issues you'll want to start addressing immediately.
Inaction breeds doubt and fear. Action breeds confidence and courage. If you want to conquer fear, do not sit home and think about it. Go out and get busy.
You'll need to begin by creating a document that becomes the foundation of your practice's HIPAA compliance program. This is the Notice of Privacy Practices. An experienced attorney can help you prepare it.
The Notice will describe your practice's privacy protocols. It will also inform the patient of her rights vis-a-vis how you'll use and disclose protected health information (PHI) under a variety of healthcare delivery and "business" related circumstances. You must present this document to each patient upon their first presentation on or after April 14, 2003. You are required to use best efforts to obtain from each patient a signed acknowledgment of receipt of the Notice. You should fully document any unsuccessful efforts in the patient chart.
The HIPAA regulations do not spell out the form of the Notice -- only that it must be in writing. However, the content of the Notice is described in the regulations.
Note that on March 21, 2002 the Department of Health and Human Services (DHHS) issued a proposed change to the HIPAA regulations that eliminated the previously mandatory and incredibly burdensome Patient Consent Form. That form would have required providers to get a signed release from each patient authorizing the use and sharing of protected health information with others -- even for use in many of the normal courses of business. This easing of the regulations could change if DHHS receives enough adverse input during the 30 day comment period.
Though you won't have to obtain a signed consent form from each patient before sharing PHI with others for healthcare delivery or business related purposes (e.g., claims processing or utilization management), you will have to get a signed release before sharing the data for marketing purposes. Thus, without specific, signed authorization you're not to release PHI to any company that would use it for targeted marketing -- to encourage the use or purchase of specific products or services. Note that case management and care coordination are excepted.
With certain exceptions HIPAA does require you notify your patient when you release PHI, the purpose of the release, and to whom the PHI was given.
Communications with patients
HIPAA will require your staff to interact differently with patients both in and out of your office. It's no longer business as usual, especially when it comes to confidentiality. And what your staff says and to whom they say it will be crucial concerns under HIPAA.
For example, you might consider asking the patient to sign an authorization allowing your staff to contact him at home and/or at work. And when leaving a message you must be concerned that nothing confidential is revealed to the person taking the message. (Certain exceptions apply -- for example you can discuss a minor's PHI with a parent or guardian unless there is state law in place that allows a minor to consent to treatment and exclude the parent or guardian from access to the PHI).
Even leaving a message on an answering machine can have HIPAA confidentiality concerns since the person who picks up the message may not be the one for whom it was intended.
Another concern: Doctors and staff should be careful not to conduct conversations with or about patients that could be heard by others not privy to the conversation. This means you should guard discussions in common areas (e.g., hallways, elevators, lobbies, etc.).
This does not mean that you can't conduct discussions where there is any possibility that you might be overheard. Rather, you must make reasonable effort not to be overheard.
Here are some more new patient communication "wrinkles" that you'll want to investigate as you write your office's formal HIPAA compliance plan:
- Can staff call your patients at work or at home to confirm appointments, and what exactly can they say/should they not say?
- Can you use any of the contact numbers or addresses in the office database to reach a patient?
- Can you use sign-in sheets at the reception desk, and what information should/should not be asked?
- Can staff call patients by name into the exam room?
Communications with other healthcare entities
This is another area where everyone must be careful. What you and the staff have done out of habit in the past might now run afoul of HIPAA regulations. Here are a few suggested changes for "matter of fact" activities:
- If staff faxes PHI it's imperative to confirm the recipient's fax number prior to transmission and to then confirm receipt immediately afterward. (This means faxing should be done only during business hours.)
- Staff and doctors should not use speakerphones during business hours if a conversation might be overheard in common areas.
- Be careful that you have permission to take a copy of your patient's medical record to the surgical center if you co-manage and are present when she has surgery.
Computer system and Internet security
Since so much medical data is now being transmitted electronically, you'll have some new concerns with the implementation of HIPAA. You'll need to take steps to secure your computer system and the PHI from unauthorized, outside intrusion. HIPAA will also require you to implement protocols preventing inadvertent or intentional compromise of PHI from inside the office. All of this must be considered in your written computer security plan.
Here are just a few suggestions on ways to secure your computer network and prepare the office for HIPAA:
- Protect your office computer network from unauthorized inbound transmissions by using both a firewall and a password-protected router/hub/modem. And if you have a high-speed ("always on") DSL connection it's a good idea to configure the system for "dial on demand" so that your system's ports are not left continuously exposed and vulnerable to hackers using port scanners. (Note that a high quality firewall can also protect the system from unauthorized, outbound transmissions -- for example if a hacker got to your system and planted a program on the hard drive that tried to "call home" and transfer your data to the hacker's computer.)
- If you're hosting the office website you obviously want to invite outsiders to reach the website server. But in doing that you don't want to create a portal for hackers to find your medical and business records. Therefore, it's essential that you break any connection between the office's medical and business records and your website. Put the data on different servers.
- Limit staff access to PHI. Use "network permissions" as a means to limit staff access to files on an "as needed" basis. For example, there's no reason that temporary accounting help needs access to the confidential medical records. So those files should be locked electronically and accessible only with specific permission.
- Create password (log-in) policies for anyone with access to the computer. Protocols should specify password format and how often they must be changed.
- Limit remote access. Be very careful authorizing anyone to access the system from offsite (e.g., work from home). At a minimum your system should log all remote access, identifying the user and recording from where that access was initiated. Remember, however, while access limits and logs are helpful they only offer limited protection. A smart hacker will cover his tracks and erase any evidence of intrusion.
- No computer terminal should be accessible to the public, certainly none that has access to PHI. Monitors should be positioned so that screens are not visible to the public, and keyboards should be locked when not in use.
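The remote-access suggestion above says the system should log every offsite login with the user and the originating location, but a log is only useful if someone reads it. The script below is an added example (not part of this newsletter or any product it mentions) of the kind of routine review a small office could run over such a log. It assumes a simple constructed line format of "timestamp user source-address result", a hypothetical list of which users are approved for offsite access and from which addresses, and office hours of 07:00 to 19:00; the sample log lines are constructed for the example. It reports successful logins by unapproved users, from unapproved addresses, outside office hours, or immediately following repeated failed attempts.

```python
"""Review constructed remote-access log lines against a hypothetical office policy.

Added example for illustration; the log format, the policy table and the
sample lines are all assumptions made for this script.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample log lines (not captured from any real system).
# Format assumed: "<ISO timestamp> <user> <source IP> <success|failure>"
SAMPLE_LOG = """\
2002-04-15T08:02:11 drjones 203.0.113.40 success
2002-04-15T12:45:03 temp_acct 198.51.100.7 success
2002-04-15T23:17:52 drjones 192.0.2.99 success
2002-04-16T03:10:44 admin 198.51.100.7 failure
2002-04-16T03:10:51 admin 198.51.100.7 failure
2002-04-16T03:11:02 admin 198.51.100.7 success
"""

# Hypothetical policy: users approved for offsite access and the addresses
# they are approved to connect from. Anyone else is reported for review.
APPROVED_REMOTE = {
    "drjones": {ipaddress.ip_address("203.0.113.40")},
}
OFFICE_HOURS = (7, 19)        # 07:00 to 19:00 local time
FAILURE_THRESHOLD = 2         # failed attempts before a success is flagged


def parse_line(line):
    """Split one log line into its fields; raises ValueError on a malformed line."""
    timestamp, user, source, result = line.split()
    if result not in ("success", "failure"):
        raise ValueError("unknown result field: %r" % result)
    return {
        "time": datetime.fromisoformat(timestamp),
        "user": user,
        "source": ipaddress.ip_address(source),
        "result": result,
    }


def review(log_text):
    """Return a list of (timestamp, user, source, reason) findings for review."""
    findings = []
    failures = defaultdict(int)   # (user, source) -> consecutive failed attempts
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        key = (entry["user"], entry["source"])
        if entry["result"] == "failure":
            failures[key] += 1
            continue

        def flag(reason):
            findings.append((entry["time"].isoformat(), entry["user"],
                             str(entry["source"]), reason))

        approved_sources = APPROVED_REMOTE.get(entry["user"])
        if approved_sources is None:
            flag("user not approved for remote access")
        elif entry["source"] not in approved_sources:
            flag("login from unapproved address")
        if not OFFICE_HOURS[0] <= entry["time"].hour < OFFICE_HOURS[1]:
            flag("login outside office hours")
        if failures[key] >= FAILURE_THRESHOLD:
            flag("success after %d failed attempts" % failures[key])
        failures[key] = 0   # a success resets the failure count for that pair
    return findings


if __name__ == "__main__":
    for when, user, source, reason in review(SAMPLE_LOG):
        print("%s  %-10s %-15s %s" % (when, user, source, reason))
```

Every successful login that does not match the policy is listed, so the Privacy Officer reviewing the report sees the who, the from-where and the why for each item. The script deliberately does not try to decide whether an entry is an intrusion; as the newsletter notes, logs offer limited protection on their own, and the point here is to make the review routine rather than to replace it.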
Keeping HIPAA in perspective
Don't worry about the world coming to an end today. It's already tomorrow in Australia.
Charles M. Schulz
(creator of "Peanuts")
You may be concerned that HIPAA will place impossible administrative burdens on an already overburdened staff. True, you will have to jump through some hoops -- it won't be easy. And, obviously, the relative "ouch" of the changes will vary practice to practice.
But it's not the end of the world. And this is not the time to do a Chicken Little.
The HIPAA regulations do recognize that size does matter. The issues and constraints that major players (HMOs, hospitals, etc.) need to address are more involved and detailed than most of those you will have to face.
As such, you'll want to be wary of any documentation sent to you (such as amendments to provider agreements or provider manuals) that would impose an unreasonable and/or inappropriate burden on your practice. For example, an HMO may send you language changes supposedly to bring your practice into HIPAA compliance. But changes that may be mandatory for an HMO may be totally inappropriate for practitioners, and you should not have to comply with such changes if they are not part of HIPAA's intent. Again, seek guidance from experts.
Some points to consider:
- Every office will need to designate a Privacy Officer who will be responsible for developing, implementing, and monitoring compliance protocols, and for educating the doctors and staff. Most practices will delegate this responsibility to the practice administrator or office manager. The Privacy Officer in small practices does not need to be a full time position.
- Larger practices probably will want to designate a Privacy Committee to work with the Privacy Officer (who might, indeed, be full-time). The committee typically will include some or all of the doctors, the practice administrator, and, perhaps, another staffer or two who have specific areas of responsibility significantly impacted by HIPAA. Thus, you might find it helpful to staff the Privacy Committee with those persons responsible for medical records or computers, but you'd probably benefit somewhat less if, instead, you included an employee from your optical lab.
Vision Plan Profile
Health Net® Vision
Health Net® Vision is one of the largest providers of network-based vision care in California and Arizona. The program was founded in 1986 as AVP Vision Plans and was acquired in 1992 by Foundation Health Plan (a major California HMO). Foundation then became Health Net® in 2000.
Vision ranks as one of the most popular ancillary healthcare benefits offered by Health Net® to its employer-clients. The network provides care to nearly one million Health Net® Members.
Vision benefits are available to employers via several product lines including HMO and PPO, as well as traditional indemnity. For information on becoming a Health Net® Vision provider:
Health Net® Vision
PO Box 57074
Irvine, CA 92619-7074
For summary requirements in the Notice of Privacy Practices see:
PRIVACY Please! in Optometric Management, February 2002
For useful information on HIPAA security and confidentiality issues see:
For a primer on firewalls see:
Firewalls for Beginners: <http://www.securityfocus.com/infocus/1182>
For a primer on network connections and Internet security see:
Copyright © 2003-2007, Gil Weber, MBA. No part of this newsletter may be reproduced or distributed in any form whatsoever without the author’s prior written authorization.
These materials are intended to provide useful information about the subject matter covered. The author believes that the information is as authoritative and accurate as is reasonably possible and that the sources of information used in preparation of the materials are reliable, but no assurance or warranty of completeness or accuracy is intended or given, and all warranties of any type are disclaimed.
The materials are not intended as legal advice, nor is the author engaged in rendering legal services. The materials are not intended as a replacement for individual legal or professional advice. Information contained herein is presented only for illustrative purposes, and it should not be used to establish any fees or fee schedules, nor is it intended and it should not be construed as encouraging any user of the materials to take any actions that would violate any state or federal antitrust laws, tax laws, or Medicare or Medicaid laws.