The Wonderful World of HIPAA

February is a month of great celebration. In addition to honoring the birthdays of two presidents (George Washington and Abraham Lincoln) and Valentine's Day, this February is even more special in that we also celebrate the start of Chinese New Year - the Year of the Sheep.

I wonder if any people born in the Year of the Sheep have given much thought to HIPAA. I have, and I'm here to tell you our profession has only a few months - April 14, 2003, to be exact - to become HIPAA-compliant.

The "I" in HIPAA stands for insurance. (The full name of the legislation is the Health Insurance Portability and Accountability Act.) In the U.S., few acupuncturists operate practices that treat patients through insurance, and even fewer bill insurance electronically. Naturally, therefore, many acupuncturists think HIPAA has little (or nothing) to do with them, and that they won't have to change their office procedures much, if at all, to remain in compliance with the law.

Nothing could be further from the truth. In fact, less than six months ago, in August 2002, the Department of Health and Human Services issued the final set of privacy regulations related to HIPAA. These privacy rules impose significant responsibilities on acupuncturists and doctors of Oriental medicine, and will apply to all health care providers regarding the protection of patient health information. In the acupuncture profession, there is a tendency to delay or avoid compliance efforts in the hopes that they will get by or go unnoticed by regulators. When it comes to the HIPAA privacy rules, non-compliance could be costly - very costly.

Have you noticed how many companies have sent you notices or updates about their privacy policies as they pertain to your vital information? Well, just think how much personal and private health information your office has at its disposal. You might have the records of dozens, even hundreds, of people on file. You and your office must take proactive steps to secure that information, and to protect the privacy of your patients.

What does HIPAA require of you?

• You must develop policies and procedures that address privacy requirements via a privacy manual. This manual can be a "standalone" document, or it can be inserted into your existing office policies and procedures manual.
• You (the acupuncturist), along with all current and future office personnel and employees, must be trained on HIPAA policies and procedures.
• Each office must appoint a privacy officer to oversee the practice's compliance. If you have no employees, you will have to be responsible for all privacy compliance.
• Each office must develop a notice of privacy practices to be given to all patients so they understand what your office is doing to ensure the privacy of their information.
• You must include copies of business associate contracts. (A business associate is a party that receives protected information in connection with providing a service to the acupuncturist.) In a typical acupuncture practice, this would include a patient's medical and treatment records; lab records; consultation reports; X-ray records; and demographic information.
• A "chain of trust" is a concept that mandates that every organization with which you share patient information is HIPAA-compliant in the area of privacy.
• If you send, receive, request or confirm any patient information electronically, either through a billing service or directly from your office, you must be HIPAA-compliant. This includes handling patient claims; checking or verifying patient insurance coverage or eligibility; checking the status of insurance paper work and/or payments; verifying referral authorizations; or communications with an insurance company.
• The deadline for privacy compliance is April 14, 2003.
• The "payer testing deadline for electronic filing standards" is April 16, 2003.

The privacy of patient health information has become a key point of contention for consumer rights organizations, patients and legislators. Traditionally, privacy is an issue of concern relating to large health care facilities, but these issues are finding their way into the offices of small groups and solo practitioners. As the adoption of the HIPAA privacy rules becomes a reality, patients have a way to complain - and the government has a way to seek penalties - from a health care provider for failing to protect patient-specific health information.

As the health-care industry moves forward, the HIPAA standards will likely be viewed as the benchmark relating to the privacy of patient records and the right of patients to access their medical information. This will also include the rights of patients to request an amendment to their records, and to request an accounting of the information and disclosures made by acupuncturists. Acupuncturists who comply with HIPAA will be able to use their compliance efforts to demonstrate good faith when approaching patients and the patient's individual right to privacy.

Does all of this sound confusing? You're not alone. Many offices are already doing much to insure privacy for their patients and patient records. There are still areas for compliance. An important part of the process is demonstrating that you and your staff are moving toward compliance.

HIPAA is just another phase in the changing health care arena. It will cost both time and money, but once the process of insuring patient privacy and protection is complete, you will be able to go back to what you do best - helping people reach a new level of health.