This information is provided as guidance only. Providers should always consult with their privacy and security officer(s) or an attorney when considering their privacy and security policies.
All HIPAA-covered entities and business associates of covered entities must comply with the Privacy Rule requirements. Find out if you are a covered entity.
The Privacy Rule applies to all forms of protected health information, including oral, paper, and electronic.
Protected health information, or PHI, is any information that may reasonably allow someone to identify the individual. It is anything that is created or received by a health care provider, health plan, employer, or health care clearinghouse. PHI includes such things as:
In addition, any information about the person's health status, treatments, prognosis, and payment should be protected. Whenever information is shared, only the minimum information needed to meet the request should be included. The minimum necessary standard specifies that covered entities must "make reasonable efforts to limit the use or disclosure of, and requests for, protected information to the minimum necessary to accomplish the intended purpose" (45 CFR Parts 160 and 164 [PDF], Final Rule, page 53195).
There are specific instances in which a covered entity can release PHI without patient authorization or consent. These instances include:
In addition, PHI may be used or disclosed without patient authorization for reasons such as suspected abuse or neglect, marketing, as requested by law enforcement or the courts, for workman's compensation, and more.
Covered entities must appoint a privacy officer, develop privacy policies and procedures, train staff, and draft appropriate paperwork.
In addition to the policies and procedures mentioned above, covered entities must have a privacy notice that is shared with all new patients at the first visit or as soon as possible in cases of emergencies. This notice must also be posted in a prominent place in the office or facility. The notice can also be posted on the web and any updates must be provided to patients upon request.
Patients must sign a form acknowledging that they have received the privacy notice. Providers must make a good faith effort to get this signature and, if unsuccessful, must document the effort and reason why acknowledgement was not obtained.
Patients must also sign an authorization form if information is to be used in any way outside of the allowable reasons under the HIPAA regulations. Providers must keep a list of when a patient's information was used or disclosed, called an accounting of disclosures.
If the audiologist or SLP works with a business associate (billing agency, contractors, etc.), a business associate agreement is necessary.
To summarize, the following paperwork is required:
Additional forms and documents may be required, depending upon your circumstance. You should review the privacy regulations closely to determine your needs.
The logical progression of HIPAA preparation activities includes:
Risk assessment and gap analysis
A gap analysis is an assessment of how your office's/facility's current practices measure up to the new federal requirements. A gap analysis could include an evaluation of current compliance with medical privacy laws, a review of existing procedures for the use and disclosure of protected health information, and a review of the facility and ways information is accessed.
Every covered entity must have documentation to show how it intends to comply with the privacy rule. These documents must be retained to show compliance. The documentation may include the designation of the privacy officer; the development of a training program for employees; methods of implementing safeguards to protect health information from intentional or accidental misuse; a means for individuals to lodge complaints about an entity's information practices; and a system of sanctions for employees and business associates who violate the entity's policies and procedures for compliance. In addition, the covered entity must have an authorization form and notice of privacy statement available for the patient's signature.
It is important to note that the privacy rule allows for flexibility in the complexity of the compliance documents. For example, a small private practice may have different compliance practices than a hospital or skilled nursing facility.
Sample HIPAA forms
This list is not exhaustive and inclusion does not imply endorsement from ASHA or a guarantee of the quality of the contents.
Additional samples can be found through an Internet search. Software programs are available that include HIPAA forms.
Your patients have a number of specific rights under the Privacy Rule. They can:
You do not necessarily have to agree to all of these requests. This information must be clearly explained in your privacy notice.
The Workgroup for Electronic Data Interchange (WEDi) published the Small Practice Implementation White Paper [PDF], which outlines special considerations for small practices that may not be able to afford HIPAA consultants. The intent is to provide a simple, straightforward description of the basics of HIPAA, as well as resources and links to additional information.
The privacy notice is to be written in plain language so that patients and families can clearly understand their rights. To assist providers, a guide to writing HIPAA privacy notices is available on the US Department of Health and Human Services website.
On November 25, 2008, the U.S. Department of Health and Human Services and the U.S. Department of Education released joint guidance explaining the relationship between the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). See HHS/ED Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) and HIPAA to Student Health Records [PDF].
Yes, HIPAA rules are designed to allow for the natural provision of health care. Providers should still take precautions to allow only the minimum necessary information to be exchanged. More information is available from the Office for Civil Rights.
HIPAA regulations do not prohibit e-mail communication between provider and patient or between providers. Information contained in e-mails should be kept to the minimum necessary, and a risk analysis should be done to identify the privacy risks and address them. More information about e-mail is available in the Security Rule FAQs.