Bulkley, Richardson and Gellinas

April 2003
Health Law Newsletter

Three Basic Documents for HIPAA Privacy Regulation Compliance
by Elizabeth H Sillin, Esq.

Most health care providers are aware that they must be ready to comply with HIPAA’s privacy regulations. HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a sweeping federal law that addresses a number of issues relating to individuals’ health insurance. The so-called “privacy regulations” are among a number of regulations, promulgated as a result of HIPAA, that address the standardization of electronic communications for health insurance transactions. The privacy regulations, effective April 14, 2003, create national standards aimed at protecting the privacy of patients’ health information. Most doctors, dentists, nurse practitioners, mental health providers, and other individual and institutional health care providers will need to comply.

Health care providers already have an obligation to protect patient privacy under state law and professional codes of ethics. Thus, most health care providers already have office procedures that maintain patient confidentiality, and may generally be in compliance already with many provisions of the privacy regulations. However, be aware that the privacy regulations have specific new compliance requirements. For example, there are three essential documents that form the foundation of compliance with the privacy regulations.

1. Notice of Privacy Practices

By April 14, 2003, every patient coming into a health care provider’s office must be presented with the provider’s Notice of Privacy Practices, a copy of which must also be posted. The Notice of Privacy Practices must contain certain required language and must inform patients: (1) how the health care provider may use or disclose a patient’s health information; (2) when a patient must specifically authorize, or have an opportunity to object to, the use or disclosure of protected health information; (3) what a patient’s legal rights are with respect to restricting the use of, inspecting, amending and accounting for the uses and disclosures of protected health information; and (4) how and to whom a patient may complain about the provider’s privacy practices. Health care providers must document their good faith efforts to provide the Notice of Privacy Practices to each patient.

2. Authorization Form

The privacy regulations require that health care providers obtain written patient authorization before they disclose patient health information under certain circumstances. The Authorization Form, which must be signed by the patient, must specifically state: (1) who may receive the information; (2) who may use the information once it has been disclosed; (3) the purpose of the disclosure; and (4) an expiration date for the authorization. Health care providers should be mindful of state laws that mandate additional requirements for disclosure of AIDS/HIV testing or other protected information.

3. Business Associate Agreement

Anyone who receives from a health care provider a patient’s health information in order to perform a service for or on behalf of the health care provider must sign a contract agreeing to properly protect that health information. Thus, billing companies, management services, accreditation agencies, software maintenance companies, accountants, lawyers, or any other entity receiving health information from and performing a function for a health care provider must sign a “Business Associate Agreement,” in most cases by April 14, 2003 (but in some cases, by April 14, 2004). The Business Associate Agreement must outline the business associate’s obligations with respect to the health information, which include: (1) maintaining its confidentiality; (2) obligating others to whom it is disclosed to keep it confidential; (3) keeping track of the persons to whom it is properly disclosed; (4) making it available to the provider if the patient seeks accountings of disclosures, amendment or inspection; and (5) returning or destroying the information once the business associate no longer needs it to perform the services for the health care provider.

With these three documents in place, a health care provider will be on its way toward compliance with the HIPAA privacy regulations.

If you would like assistance in preparing or reviewing your Notice of Privacy Practices, Authorization Forms, or Business Associate Agreements, or in identifying HIPAA compliance obligations and integrating them into your health care operations, please contact Kelly A. McCarthy, Esq., Coordinator of the BR&G Health Law Practice Group, at (413) 272-6306.

Liz Sillin is an associate in the firm’s Health Law Practice Group. She can be reached at (413) 272-6296.
