Clearing up confusion to assist with your HIPAA annual training
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) had its first compliance date in 2003. The Act has two main arms: a Privacy Rule and a Security Rule. Even after 20 years in effect, areas of confusion remain about how medical practices can best comply with the Privacy Rule.
Since the Privacy Rule requires practices to “adopt privacy procedures and train employees to follow them,”[1] we review below some common areas of concern that you may want to use for your periodic training requirement (which most practices perform annually).
Q: Do patients have to sign our HIPAA acknowledgment every year?
A: No. The Privacy notice must be provided on the first visit and only again if material changes are made to the practice’s policy. The last material update to the HIPAA Privacy Rule that required re-signing was in 2013.
Q: Do patients have the right not to use their insurance, choose to be self-pay, and restrict their information from going to their insurance when we are contracted with their insurance?
A: Yes. The provider must restrict disclosure of protected health information (PHI) to a health plan when the health plan did not pay for the healthcare service or item. The requirement was added in 2013 “to restrict the disclosure of PHI about the individual to a health plan, upon request, if the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law … provided the patient has paid in full themselves for the healthcare item or service.”[2]
Q: Where do we have to post our HIPAA Privacy Summary Notice?
A: Practices must “have the notice available at the service delivery site for individuals to request to take with them” and “post the notice in a clear and prominent location where it is reasonable to expect [patients] to be able to read the notice.” The practice “that maintains a web site… must prominently post its notice on the web site and make the notice available electronically through the web site.”[3]
Q: Must we release other providers’ records in our charts under HIPAA?
A: Yes. Whatever is included in your chart is now part of your medical records and must be released if the patient requests their complete medical record.[4]
Q: When must we account for PHI disclosures?
A: Per the US Department of Health and Human Services: “The Privacy Rule does not require accounting for disclosures: (a) for treatment, payment, or healthcare operations; (b) to the individual or the individual’s personal representative; (c) for notification of or to persons involved in an individual’s health care or payment for health care, for disaster relief, or for facility directories; (d) pursuant to an authorization; (e) of a limited data set; (f) for national security or intelligence purposes; (g) to correctional institutions or law enforcement officials for certain purposes regarding inmates or individuals in lawful custody; or (h) incident to otherwise permitted or required uses or disclosures.”[5]
Any other disclosures need to be accounted for in a log that can be made available to the patient: “Disclosures that are subject to the accounting for disclosures requirement include disclosures made by a covered entity that is not a party to the litigation or proceeding and that are made as required by law, for a proceeding before a health oversight agency, or in response to a subpoena, discovery request, or other lawful process.”[6]
Summary
Addressing commonly asked questions is a useful tool for updating your annual compliance training. Practice management has innumerable compliance requirements, and staying abreast of them is a challenge that can be made easier by addressing common concerns on any compliance topic.
For references, see the online version of this article.