HIPAAnotes Volume Three, March 2003
No. 10 The Compliance Date for Security Isn't Until 2005, So Can I Take a Break?
The good news is that the Security Rule has been finalized. The
security standards were published as a final rule in the February
20, 2003 Federal Register with an effective date of April 21, 2003.
Most covered entities will have two full years -- until April 21,
2005 -- to comply with the standards; small health plans will have
an additional year to comply, as HIPAA requires.
The burning question is: If the compliance date is not until April
21, 2005, will covered entities have time to take a breath after
implementing privacy before they start on security? The answer is maybe
a few quick breaths but not much more.
Keep in mind that the Privacy Rule has its own embedded security
components in section 45 CFR 164.530(c) and requires the implementation
of "appropriate administrative, technical and physical safeguards"
for protected health information in all forms, non-electronic and
electronic. Most covered entities realize that ensuring patient
information remains private and confidential requires proper security
measures to be in effect. It is difficult to imagine convincing
a patient that his or her information will be safeguarded if the
covered entity cannot demonstrate that proper physical security
policies and procedures are implemented.
The bottom line is that HIPAA Privacy and Security Rules are designed
to complement each other and to work in tandem. So do not sit back
and relax too long before focusing on security -- be proactive and
start planning your security program now!
Read a summary analysis of the Final Security Rule.
View the final rule.
Henry Driller, Director
Phoenix Health Systems
No. 11 Are the HIPAA Police Really Going To Be Out There Watching for Privacy Violations?
Most healthcare organizations wonder how the enforcement of the
HIPAA Privacy Rule is possible. This is especially true in the case
of the small covered entity that believes it is impossible to police
all healthcare organizations for potential violations of the HIPAA
Privacy Rule. Clearly, the Office of Civil Rights cannot oversee
compliance of all covered entities. Some feel the federal government
is too busy to be concerned with the "little guys." Many
are asking, "How is anyone going to find out if we violate
a HIPAA Privacy regulation?" The answer is that enforcement
of the HIPAA Privacy regulations may come from another source --
one that many covered entities have not considered -- the patient!
To date, there have been several court cases that affirmed the
right of the patient to not have their PHI sold to a third-party
entity without their written permission. One case involved the unsolicited
mailing of prescription samples accompanied by a marketing letter
to a Florida resident. In another example, a major pharmacy chain
settled a case in Florida in which customers' signatures were used
for third-party marketing without proper customer notification.
The bottom line is clear - don't just worry about whether the government
will sanction you for HIPAA violations. Of course, you should be
concerned about violating patients' rights. You may be surprised
to find that you are also being policed by better-informed patients.
The next time a patient walks into your healthcare organization,
make sure you understand that he may be well aware of his rights,
one of which is filing a complaint with HHS about the privacy violations
that you commit.
Henry Driller, Director
Phoenix Health Systems
No. 12 Preemption of State Laws: Do Not Forget to Update Policies/Procedures
Let's eavesdrop on the thinking of a very busy Privacy Officer
at the local hospital...
"I am up to my ears in all sorts of last-minute activities
to be ready for the HIPAA Privacy compliance date. What if we aren't
ready? What did we forget? The process of implementing our organization's
HIPAA Privacy policies and procedures is taking even more time than
I thought it would. It's less than four weeks until April 14!"
"At least my long 'to do' list is getting shorter. Stop for
one minute! Did we remember to identify impacts to the HIPAA Privacy
Rule based on state law preemption? Not really. I better go back
and review our strategies for addressing our state's privacy laws
in the new policies being put into place for HIPAA compliance."
"Let's take a second look at each of the HIPAA Privacy policies
we are implementing to be sure they don't conflict with the state
laws for patient privacy:
- Are the state laws more or less stringent than the federal
HIPAA Privacy Rule?
- If my state laws are more "stringent," my Privacy
policies and procedures must be developed following state
provisions. I have to remember that the HIPAA concept of "more
stringent" applies to state laws that provide any of
the following:
- Greater rights of access and amendment of PHI
- Greater privacy protection for the patient or individual
- Longer retention duration and/or more information for
record keeping of accounting of disclosures
- Greater restrictions on uses and disclosures of PHI
- Increased privacy protections or a more narrow scope
of duration for authorization forms
- Is the Privacy policy or procedure related to reporting of
disease or injury, child abuse, birth or death, public health
surveillance, management of financial audits, program monitoring
and evaluation, or licensure or certification, etc.? If the answer
to any of these is yes, then I must follow state law.
- Does the Privacy policy or procedure relate to unemancipated
minors? If the answer is yes, then state law must prevail.
- Do the state provisions actually impede my organization's ability
to achieve the "full purposes and objectives" of HIPAA?
If the answer is yes, then the Privacy policy or procedure must
follow federal HIPAA Privacy guidelines."
...Just one more day in the life of a Privacy Officer!
For more on state laws and preemption, go to HIPAAdvisory.com.
Henry Driller, Director
Phoenix Health Systems
No. 13 Do You Know About the Office of Civil Rights (OCR)... Are You Aware of All They Do?
The Department of Health and Human Services' (HHS) Secretary Tommy
Thompson recently appointed Richard M. Campanelli as the Director
for OCR. In his new position, Mr. Campanelli is tasked with enforcing
and monitoring covered entities' compliance with the HIPAA regulations.
This is no small endeavor.
One of the most important tasks OCR has is to address any patient-related
complaints through a thorough review and audit process, and if required,
make recommendations for criminal prosecution. Clearly, part of
the challenge is providing education and awareness programs for health
care organizations that want to know what HIPAA requires of them.
In order to better educate the health care community, OCR offers
a series of national seminars to help covered entities learn about
applying the HIPAA regulations to their organizations. In addition,
the OCR web site publishes links to the latest announcements
by HHS' Centers for Medicare and Medicaid Services (CMS) for adopting
the new security standards for protecting identifiable health information
and the final modifications to the transaction standards.
More from OCR
- TODAY, OCR, in conjunction with CMS, is conducting a
HIPAA Privacy Implementation Roundtable conference call from 2:00
- 3:30 PM ET. On the agenda are a brief presentation about compliance/enforcement
of the HIPAA Privacy Rule followed by a question-and-answer period.
The call-in number is 1-877-381-6315. The conference identification
number is 8691541. No registration is required, but participants
should call in at least fifteen minutes before the start of the
meeting.
- HHS publishes Notice of Addresses for Submission of HIPAA Health
Information Privacy Complaints in Federal Register:
http://www.hipaadvisory.com/regs/032003ocr.htm
- HHS publishes Notice of Address for Submission of Requests
for Preemption Exception Determinations:
http://www.hipaadvisory.com/regs/0312ocr.htm
There is no question that OCR has been busy and can be a valuable
resource in your HIPAA implementation activities. When you have
a chance, visit their web site and learn more about the impact of
HIPAA regulations on your health care organization: http://www.hhs.gov/ocr/hipaa/.
Henry Driller, Director
Phoenix Health Systems