Frequently Asked Questions
These questions are from attendees of our HIPAA compliance presentations.
- The rules apply to any provider who transmits health information electronically. This means that dentists and other healthcare providers who bill electronically are covered under the regulations.
- The rules do not require a Chain of Trust Agreement between you and another entity if the data exchanged concerns providing treatment to a patient. Obtaining prior results, documentation, or materials would be considered providing treatment for the patient.
- In general, due to CLIA regulations, the laboratory would be exempt from the requirement to allow patients to review their medical record or to request changes. However, in this case, since the patient is the person who orders the test, and the results are provided to the patient, it is our opinion that you would need to establish policies and procedures for patient access and correction requests.
- The privacy rules will be in effect on April 14th, 2003. At that point you must begin to track health information disclosures. HIPAA does not apply to disclosures of health information that occurred before that date.
- HIPAA does not override state privacy rules in cases where the state rule is more stringent than the federal regulation. HIPAA will prevail where the state rule is less stringent.
- No. The allowance for small health plans caused some confusion, and many people thought that it also included small provider organizations. This is not the case. The three-year compliance timeframe only applies to small health plans.
- In general, employers are not covered under HIPAA's requirements. However, a self-insured employer that is managing its own health plan is considered a health plan and will be required to comply with HIPAA.
- Covered entities must develop a procedure for reviewing a patient's request for correction. The procedure must include a notice to the patient stating whether the covered entity agrees with the correction. There is no requirement for the covered entity to actually make a correction that it deems inaccurate.
- If you maintain a locked area where only your organization has access to the medical records, then you probably don't need an agreement with your storage company. If your records are stored in an open area (such as a large open warehouse) that is shared by other organizations, or if the employees of the storage company have access to the records, you will need to establish a Business Associate Agreement or find a more secure location.
- You would have no recourse but to deny the business associate access to your protected health information. When negotiating new contracts with companies that will have access to protected health information, you should include a Chain of Trust Agreement as part of the contract.
- The short answer is no. The physicians are presumably only accessing systems for the purpose of patient care and thus would be covered under healthcare operations. However, there are some issues to consider. First, the connection that the physician uses to access your system must be secure; this may mean that you need to change the method a physician uses to dial into your system. Second, the physician will need to establish some security on the remote computer. For example, if other family members or guests use the computer, then the physician must enable security features that ensure health information from your organization is protected. Finally, your Policy on Workstation Use and Security Policies should contain language governing the use of a personal computer at home.
- If the janitorial staff has access to protected health information, the answer is yes. In most cases you will not be able to lock up all protected health information each night before you leave. Faxes may arrive after hours, or patient charts may be left on a physician's or nurse's desk after hours. If the janitorial staff has access to this information, then you will need to have a Chain of Trust Agreement with them.
- Since these outside organizations are not part of healthcare operations, you will need to establish a Chain of Trust Agreement with them if they are able to see protected health information.
- There are several issues that surround the protection of oral and written information. Obviously it is not possible to track who has access to oral information or who has possibly seen written information, but there are some steps you must take to protect this information. For example, if your receptionist or front desk personnel are on the phone with patients in an area where they can be overheard, you may have a problem. Second, if the same front desk personnel have patient records or even an appointment book on the desk, and visitors or patients in the clinic can see these items, you will need to change your workflow.
  Also, if patients can see charts in the hall or faxes that haven't been picked up, you will have to review your work areas and redesign them so that oral communications and written information do not occur in an area where they may be seen or overheard.
- The privacy officer's job, put simply, is to ensure compliance with the HIPAA privacy and security rules. For a small organization such as a doctor's office, the privacy officer may be the office manager. For a larger organization, the privacy officer may be part of the CIO's staff or an executive who reports to the CEO. The American Health Information Management Association has published a model job description that can be found here.
- The Office for Civil Rights within the Department of Health and Human Services is responsible for enforcement of HIPAA. The Office will receive and process patient complaints and be responsible for periodic inspections of covered entities. Criminal activity will be investigated by the Department of Justice.
- Originally, parents were restricted from seeing their children's protected health information, but that was changed in the April 14th, 2001 release of the Privacy Rules. Now parents have access to their children's health information just as they do their own.