| HIPAAdvisory > HIPAAction > HIPAAnotes > Archives |  |
|
HIPAAnotes Volume One, Number 22No. 22 (4/4/01) HIPAAdetail: Keeping TrackWho has seen a patient's record? Under HIPAA, covered entities are required to keep track of all disclosures of individually identifiable health information. Additionally, a patient has the right to see an accounting of disclosures. Sound overwhelming? Possibly, if not for some very important exceptions. Disclosures made for the purposes of treatment, payment and health care operations are excepted. For most organizations, this exception covers the vast majority of information sharing. For example, a hospital would not have to keep track of health information sent to outside doctors providing follow-up care to patients. Further, "disclosure" is defined as information going outside your organization. HIPAA therefore does not require covered entities to track who within the organization has had access to protected information. For more information, go to: No. 23 (4/11/01) HIPAAdetail: Posting the Virtual Privacy NoticeIt's not uncommon to find a privacy policy posted on web sites. But is it the policy only for the web site -- or for theorganization sponsoring the site? HIPAA requires a notice ofthe organization's privacy policies on web sites provided by "covered entities." Many web sites collect personal user information in the form of cookies or forms. Since wary users are concerned about improper or intrusive use of their information, sites have developed and posted privacy policies to explain how their information will be protected. Under HIPAA, if you are a covered entity, your web site will have to post a notice of the organization's privacy policies. The notice must be "prominently" posted. Don't shred all that paper yet. Individuals maintain the right to a paper notice, even if they receive an electronic version. If your web site doesn't provide information about your customer services or benefits, then the notice is not required by HIPAA. Of course, you -- and your users -- would have to wonder what your web site does offer. For more information, go to: No. 24 (04/22/01): HIPAAreg: When Is A Final Regulation Final?If you thought the final HIPAA Privacy regulation was published back in December, you were right. BUT - how final was it? What has happened since then? The Bush Administration announced last week that the HIPAA Privacy rule would become effective on April 14. If you've been following the news, along with HIPAAlert and HIPAAlive, perhaps you were confused - or amused -- by the ever-changing status of the final HIPAA Privacy regulation since its publication. Although the final rule was published on December 28, 2000, the Washington bureaucracy played its role in slowing down the effective date. First Congress "got into the act" (pun intended) after being left out of certain required notifications that would have signaled the onset of a required two-month Congressional review period. As a result, the original effective date of the rule, February 28, 2001, was extended to April 14 to allow the full review period. The rule came under further scrutiny at the Executive level when Bush moved into the White House and Tommy Thompson into the Department of Health and Human Services as its new Secretary. The Administration decided to re-open the public comment period during the extended Congressional review period. This renewed comment period was described as an opportunity to acknowledge public concerns about the final rule's complexities and feasibility. This renewed scrutiny and delay led to much industry speculation
that "HIPAA is dead" or "Congress will kill the rule
under the Congressional Review Act" or "HIPAA will be
delayed indefinitely." But with last week's reaffirmation of
the rule's April 14th The deadline for implementation of the HIPAA Privacy rule is April 2003, two years from the effective date of the rule. If you haven't already started, you and your organization need to begin your HIPAA assessments and implementation plans.
|
