Q Am I required to put HIPAA privacy policies in writing for my staff?
A Yes. Among the areas you need to address in your policies and procedures manual are: release of medical records, patient access to records, patients' right to amend their records, faxing medical information, permitted uses and disclosures of protected information, and complying with the "minimum necessary" standard, which generally limits the information doctors may disclose to the minimum necessary to accomplish a specific purpose.
Employees aren't the only ones who need to see your HIPAA policies in writing. Your policies also should be outlined in a Notice of Privacy Practices, which you probably distributed to all patients last April, and which you should give to all new patients. You should also make a good faith effort to have established patients sign an acknowledgment form, indicating that they've seen the notice. If there's a complaint, be prepared to share your policies with the Office for Civil Rights, US Department of Health and Human Services.
Q Where can I find out more about how to prepare a HIPAA policy manual and a Notice of Privacy Practices?
A Besides the federal government itself (http://www.hhs.gov/ocr/hipaa), many state medical societies make this material available on their Web sites or in hard-copy form. In many cases, you can customize these sample manuals and notices to suit your practice. Also consult your hospital (you can adapt its policies to your own practice) and an attorney familiar with HIPAA.
Q Does HIPAA require a certain kind of staff training?
A Yes. Any staff member who handles, or comes into contact with, medical information must be trained to understand both the general privacy requirements and the specific ways they're implemented in your practice. How you reach this goal, if you haven't reached it already, is up to you. For example, you could buy a HIPAA compliance guide (many state and county medical societies make these available) and ask your staff to read it, along with your own policies and procedures manual. You could also send staff members to HIPAA seminars. Whatever method you employ, be sure to document all steps you take to train staff members.
Q Once these elements are in place, what other steps do I need to take to be HIPAA compliant?
A The administrative requirements discussed above only address HIPAA's privacy regulations. On October 16, 2003, another set of standards, which regulate the transmission of electronic claims and other transactions, also took effect. Fortunately, the Centers for Medicare and Medicaid Services has devised a temporary contingency plan for accepting noncompliant transactions. If you show you're working toward compliance, you can continue to use existing formats. How long this de facto extension will last is anyone's guess, so you need to move toward compliance. Beginning in 2005, you will also need to comply with HIPAA's Security Standards, which define the administrative, physical, technical, and other steps practices must adopt to maintain patient privacy and confidentiality.
HIPAA Consult. Contemporary Ob/Gyn Mar. 1, 2004;49:124.