Monday, 8 October 2012

Vendor guarantees HIPAA compliance. (HIPAA Update).(Blue Ridge Networks)(Brief Article) - Health Management Technology

Healthcare providers who seek HIPAA help from their IT vendors as compliance dates draw near might check out Blue Ridge Networks' HIPAAGUARD. The provider of virtual private network (VPN) solutions guarantees HIPAA compliance when transmitting protected health information over their networks, including the pledge to pay penalties or fines that result from the failure of their secure transaction network.

Sunday, 7 October 2012

Syracuse businesses adjust to HIPAA regulations - The Business Journal - Central New York

LIVERPOOL - Privacy regulations that are part of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 went into effect April 14. While HIPAA mostly affects healthcare providers and healthcare 'clearinghouses' that manage billing services for health plans, employers need to comply with the regulations as well.

Jeff Andrews, vice president of Aon Consulting and manager of the company's upstate New York office in Liverpool, has been working with local businesses to ensure HIPAA compliance. According to Aon, there are 23 companies (employing more than 23,000 people) in Syracuse that must comply with the new privacy requirements.

'In this day of electronic information, there's a substantial amount of information floating around ... the Internet - [from] credit-card companies and everywhere... on individuals,' Andrews says. 'It's important that it should be private information; therefore, health plans need to take steps to protect [that] information.'

Andrews urges every employee to look for a privacy statement from his employer that shows the organization is in compliance with HIPAA.

'The most important thing is for the employer, as sponsor of a health plan, to sit down - it does not take a lot of time - and examine the issues and take an organizational approach to compliance and implement that approach,' he says. 'There are a lot of tools out there that make it a pretty easy process.'

Health-care companies with annual receipts of more than $5 million were required to comply with HIPAA on April 14 of this year. Companies with receipts less than $5 million need to comply by April 14, 2004.

One of the main focuses of HIPAA is the privacy of 'protected health information,' or PHI. The United States Department of Health and Human Services defines PHI as 'individually identifiable health information transmitted or maintained in any form or medium, which is held by a covered entity or its business associate.'

According to Andrews, a health plan cannot use or disclose PHI other than for treatment of a medical condition or payment of a claim through the operation of the health plan.

'You could have a very small employer or a very large employer, [but the focus is on] how the health plan is financed and how it is administered,' Andrews says. 'That will determine how they comply.'

Andrews says that employers are going to have different compliance strategies depending on what kind of health plan they use. Fully insured plans, where the employer only needs to send information to the insurance company about who is covered and the employee's eligibility, have a very different strategy than self-insured plans - where the employer is involved in the day-to-day administration of the plan, Andrews says.

'What employer[s] need to do is to look at how they use PHI and how they interact with the [health-plan] administrator, so that they minimize the use of protected health information,' Andrews says. 'They need to understand PHI and have the documents in place, but the reality is that they're probably not in a position where they could be in violation [of the HIPAA regulations].'

Andrews has outlined a nine-step program for compliance: designate a privacy officer and make sure the information is protected; establish a compliance team to implement the procedures; inventory and identify how and where PHI resides in the organization; work to limit access and disclosure; adopt privacy policy and procedures; identify business associates who might have access to PHI; train staff who might be working with PHI; talk to your health-care provider that deals with PHI and confirm compliance; and develop an employee-communication program that lets employees know that you're taking steps to protect the information.

Additionally, Aon has created an online assessment that companies can use to ensure compliance. It is located at www.aon-hipaa.com. Aon also has a PowerPoint presentation that is designed to educate senior management about HIPAA, a do-it-yourself privacy kit that addresses all of the key issues and comes with a compact disk full of the required documents, and a module that helps companies train their employees about the regulations.

New HIPAA And HITECH Regulations Are Coming.(Health Insurance Portability and Accountability Act)(Health Information Technology for Economic and Clinical Health Act)(Brief article) - Mondaq Business Briefing

Staff at the U.S. Department of Health and Human Services' ('HHS') Office of Civil Rights, Health Information Privacy Division, stated to Duane Morris that 'comprehensive HITECH regulations' will be published in the next several weeks, following final agency approval. The Health Information Technology for Economic and Clinical Health Act (the 'HITECH Act,' Title XIII of the American Recovery and Reinvestment Act of 2009) amended the Health Insurance Portability and Accountability Act ('HIPAA') to improve and expand current federal privacy and security protections for protected health information ('PHI'). The HITECH Act requires the Secretary of HHS to interpret key provisions through regulations. Since most of the HITECH Act's HIPAA amendments are effective on February 17, 2010, providers, group health plans, business associates and others have been awaiting these regulations in order to make any necessary changes to their HIPAA programs by the compliance deadline. Based on the act, the regulations are likely to address:

The expansion of the definition of business associates and the extension of HIPAA's Security Rule and parts of the Privacy Rule to business associates;

New definitions of the 'minimum necessary' amount of PHI that may be used or disclosed;

Disclosure requirements for electronic health records;

Limitations and exceptions to the prohibition on the sale of PHI;

The definition of 'reasonable in amount' with regard to restrictions on marketing of PHI; and

The modification of HIPAA Privacy Rule's provisions regarding fundraising.

The HITECH Act also creates an infrastructure for the development of a national electronic health records ('EHR') system by the end of 2014. The act sets forth requirements for EHRs, provides funding under Medicare and other programs to help providers pay for EHRs, and requires the Secretary of HHS to issue regulations on EHRs by the end of 2009. The upcoming HITECH Act regulations are expected to include:

Specific standards and requirements for 'meaningful users' of EHRs (only meaningful users qualify for EHR funding under the HITECH Act);

Specific standards and requirements for 'certified EHR technology'; and

Technologies that protect privacy and promote security in a qualified EHR.

These regulations are likely to be significant for providers and other entities that are developing EHRs, particularly if they intend to seek assistance funding.

Duane Morris will continue to monitor developments under the HITECH Act.

If you have any questions regarding this Alert or would like more information on the anticipated changes to HIPAA or the new EHR requirements, please contact Lisa W. Clark, Erin M. Duffy, any member of the Healthcare Information Technology Practice Group, or the attorney in the firm with whom you are regularly in contact.

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, a full-service law firm with more than 700 attorneys in 24 offices in the United States and internationally, offers innovative solutions to the legal and business challenges presented by today's evolving global markets.

Ms Lisa Clark
Duane Morris LLP
30 South 17th Street
Philadelphia 19103-4196
UNITED STATES
Tel: 2159791000
Fax: 2159791020
E-mail: solutions@duanemorris.com
URL: www.duanemorris.com


Saturday, 6 October 2012

HIPAA-cracy.(at law)(Health Insurance Portability and Accountability) - The Hastings Center Report

The Department of Health and Human Services has recently been exercising its authority under the (wittily named) 'administrative simplification' part of the Health Insurance Portability and Accountability Act to regulate the confidentiality of medical records. I love the goal; I loathe the means. The benefits are obscure; the costs are onerous. Putatively, the regulations protect my autonomy; practically, they ensnarl me in red tape and hijack my money for services I dislike.

HIPAA (a misnomer--HIPAA is the statute, not the regulations) is too lengthy, labile, complex, confused, unfinished, and unclear to be summarized intelligibly or reliably. (Brevis esse laboro, obscurus fio.) However, a covered entity is any health plan or 'health care provider' that 'transmits any health information in electronic form.' If HIPAA has a general rule, it is that (1) a 'covered entity may not use or disclose protected health information except as permitted,' (2) the entity must 'make reasonable efforts to limit protected health information to the minimum necessary,' and (3) the covered entity must require its 'business associates' to 'appropriately safeguard the information.' With plentiful exceptions and restrictions, entities may use or disclose information 'for treatment, payment, or health care operations.'

There is much more. For instance: (1) Information may usually be disclosed for 'marketing' only with the patient's elaborately detailed authorization. (2) An entity may reveal a patient's name, room, and general condition to 'persons who ask for the individual by name' but 'must inform an individual of the protected health information that it may include in a directory and the persons to whom it may disclose such information ... and provide the individual with the opportunity to restrict' the disclosures. (3) Entities may release information with the patient's consent. If a patient cannot give consent, the 'entity may, in the exercise of its professional judgment, determine whether ... disclosure [to a person taking care of the patient] is in the best interests of the individual and, if so, disclose only the ... information that is directly relevant to the person's involvement with the individual's health care.'

Almost every part of HIPAA instructs the entity to loose rivers of information upon the patient. Entities may do many things without consent, but they must specify these things at punishing length. One example: the notice must describe each purpose 'for which the covered entity is permitted or required ... to use or disclose protected health information without the individual's written authorization.' This 'description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.' Entities may do many things only with consent, which must be solicited through another grueling barrage of disclosures.

Why HIPAA? Medical privacy was multiply protected--by ethical codes, state and federal statutes and administrative regulations, tort law (which, unlike HIPAA, give patients remedies), accrediting organizations, hospital policies, even the market--long before HIPAA gleamed in a bureaucrat's eye. As Richard Epstein notes, before HIPAA we saw no 'explosion of improper disclosures of sensitive information, and no systematic unwillingness to deal with the problems that do arise by private organizations or even by more limited and focused regulatory responses.'

So why HIPAA? HHS presented and justified its basic rules in 400 large pages of small print. First: 'Privacy is a fundamental right.... [I]t speaks to our individual and collective freedom.' This makes me reach for my Burke. He could not praise 'anything which relates to human actions ... on a simple view of the object ... in all the nakedness and solitude of metaphysical abstraction. Circumstances (which with some gentlemen pass for nothing) give in reality to every political principle its distinguishing color and discriminating effect.'

'Privacy' means everything and nothing. In law, 'privacy' is so protean that it is meaningless without modification. Privacy as 'fundamental right' is an idea from constitutional law, but it refers to freedom of choice, not confidentiality of information. The Constitution protects physical privacy only sporadically; for example, only some searches are prohibited. More broadly, I doubt that the interests protected by 'privacy' are distinctive or illuminating enough to make up an independent moral category.

And fundamental? Complete privacy is impossible even for a hermit and unhealthy for anyone. Every day we trade privacy for the many things we value more. Privacy itself has costs for individuals and society, as when it makes illness embarrassing. Finally, many invasions of medical privacy are unfortunate and wrong but not greatly damaging. When they are damaging, it is often the misuse of the information by a third party, not the breach of privacy itself, that causes the harm.

HHS's rationale for HIPAA quickly descends from the loftily vague to the absurdly narrow: 'The health insurance claims forms of thousands of patients blew out of a truck on its way to a recycling center....' 'An employee of the Tampa, Florida health department took a computer disk containing the names of 4,000 people who had tested positive for HIV....' Sad stories, but HIPAA cannot prevent winds from blowing nor employees from stealing, and state law already provides sanctions for negligence and theft.

HHS concedes that the 'costs and benefits of a regulation must, of course, be considered as a means of identifying and weighing options.' Does HHS believe this? In the same paragraph it warns cryptically that because privacy is a 'fundamental right ... it must be viewed differently from any ordinary economic good.'

However 'fundamental' privacy may be, HIPAA is otiose if it promotes it ineffectively. Some privacy is unattainable; HIPAA can do little to reduce the number of people who need to see medical records. Other kinds of privacy cannot be achieved with HIPAA's tools. Consider HIPAA's incessant disclosure requirements. My hospital distributes seven pages of disclosures in print so small I can't read them with my glasses on. One analysis placed these forms at a college reading level. Like this:

    Examples of these activities include obtaining accreditation from independent organizations like the Joint Commission for the Accreditation of Healthcare Organizations, the National Committee for Quality Assurance and others, outcomes evaluation and development of clinical guidelines, operation of preventive health, early detection and disease management programs, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives, and related functions; evaluations of health care providers (credentialing and peer review activities) and health plans; operation of educational programs; underwriting, premium rating and other activities relating to the creation, renewal or replacement of health benefits contracts; obtaining reinsurance, stop-loss and excess loss insurance; conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs; business planning and development; and business management and general administrative activities, including data and information systems management, customer service, resolution of internal grievances, and sales, mergers, transfers, or consolidations with other providers or health plans or prospective providers or health plans.

But what does the language matter, since no one reads the forms? One 'covered entity' told me that in three years I was the second patient to ask for a copy of his HIPAA disclosure form.

Nor is any benefit to confidentiality worth any cost. Consider HIPAA's record-keeping requirements. One compels entities to offer patients 'an accounting of disclosures of protected health information made ... in the six years prior' to the request. The accounting must include the disclosure's date, the disclosee's name and address, a description of information disclosed, and the reason for the disclosure. The cost of keeping so many records in such detail for so long cannot be small; the people who will request, receive, and benefit from the information must be few. Have we no better uses for resources?

Not only does HIPAA impose extravagant costs for exiguous benefits. HIPAA's sour assumptions about human nature work positive harm. For instance, HIPAA assumes people (1) want to keep information from their families and (2) do not want to participate in research, even medical records research whose benefits can be great and whose threat to privacy tiny. HIPAA's rules are structured to serve patients who fit those assumptions.

HIPAA's assumptions are wrong. Most people want their families involved in their medical care. And in one study, 96 percent of the Mayo Clinic patients approached consented to medical records research. Instead of having the few patients who fit HIPAA's assumptions opt in to restrictive privacy rules, HHS requires the huge majority of patients who don't fit the assumptions to opt out of them. This burdens patients. Worse, most patients won't realize they need to act, and few will get around to it.

Most patients, then, will at least be harassed, and their preferences will regularly be thwarted. Patients who would cheerfully have acceded to medical records research may not suffer, but a crucial kind of research will (to say nothing of HIPAA's effect on research generally, a disturbing problem I lack space to consider). Patients who want families involved in their care may directly be harmed, for families are often denied information patients want them to have. Thus prudent patients are saddled with one more chore--having a lawyer draft a HIPAA release form.

The best defense of HIPAA I hear is that, favorably interpreted, it might not require entities to make overlong disclosures, deny families information, or thwart research. But pity the entities. HIPAA speaks in sweeping, vague, and menacing language. Terms like 'reasonable,' 'minimum necessary,' 'professional judgment,' and 'best interest' litter it. It deploys civil and criminal penalties. Recall the unspeakable sentence I quoted. You might speak unspeakably too in order to provide descriptions with 'sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law.' Surely cautious entities will tell patients too much, and everyone else too little.

Friday, 5 October 2012

Looking ahead by looking back: healthcare organizations can partially assess where their future HIPAA efforts lie by evaluating how they handled HIPAA requirements and mandates of the past year.(HIPAA)(Health Insurance Portability and Accountability Act of 1996) - Health Management Technology

The first two weeks of April 2003 will be remembered by many in healthcare as the last days of a mad dash toward compliance with HIPAA's privacy regulations. Copiers churned out Notices of Privacy Practices. Privacy policies and procedures were drafted and edited at a furious pace. Business associate agreements were negotiated and signed in droves. And April 14, 2003, came and went.

But unlike Y2K, HIPAA privacy is here to stay. Consequently, now is a good time to take stock of HIPAA privacy implementation efforts to date and to analyze issues and problems that are common among covered entities.

HIPAA Paralysis

There are plenty of recent examples in which covered entities have been slow to disclose or refused to disclose protected health information (PHI) even though disclosure may be permissible under HIPAA. The initial reaction of many covered entities to a request for PHI is, 'Sorry, I can't give it to you.'

Unfortunately, this approach can lead to frustrated customers, unflattering media coverage or, worst of all, injury to a patient. There have been well-publicized incidents of covered entities failing to disclose for purposes of treating a patient (when such disclosure is expressly permitted under HIPAA). For example, some 911 dispatchers refused to give emergency personnel the name of an individual in need of treatment, when the name would have helped the emergency personnel locate the individual.

HIPAA decision-makers must fight the initial urge to refuse to disclose PHI and examine the facts, considering both the practical and the HIPAA implications. HIPAA's privacy regulations allow for use or disclosure of PHI without an individual's authorization in a number of circumstances, including for treatment, payment and 'health care operations' purposes.

Common sense should play a role in the decision-making process for at least three reasons. First, although voluminous, the privacy regulations do not cover every situation, and common sense is a good guide for making determinations in the 'gray areas.' Secondly, part of the common-sense analysis should be the risk that the individual would object to the use or disclosure of his/her PHI, which may even impact disclosures that are permitted under HIPAA. For instance, it may be permissible under HIPAA for a hospital to disclose PHI to an unrelated counselor for follow-up treatment, but if it is treatment of a sensitive nature (e.g., family planning, venereal disease), an individual may be upset that a disclosure of PHI was made even though permitted under HIPAA.

Finally, the Office for Civil Rights of the Department of Health and Human Services (OCR) has indicated that its enforcement approach is largely complaint-driven and that it would rather help a covered entity become compliant through outreach and education than to levy fines. In this type of enforcement climate, covered entities (with their counsel, as necessary) can use common sense and reasonable judgment in interpreting the privacy regulations. As long as the covered entity takes a reasonable position and contemporaneously documents its reasoning, it seems unlikely that the OCR would be interested in pursuing fines and penalties, at least at this point in time.

Deceased Individuals' Records

The privacy regulations clearly state that a deceased person's PHI must be given the same level of protection as a living person's PHI. The tricky part of handling a deceased person's PHI is determining who will control the use and disclosure of the deceased person's PHI. The privacy regulations give an individual's 'personal representative' the same power over the use and disclosure that the individual would have. The privacy regulations state that if, under state law, an executor, administrator or other person has the power to act on behalf of the deceased's estate, the covered entity should treat that person as the deceased's personal representative.

If the deceased were alive, a covered entity could disclose PHI to a family member if the covered entity determined that it was in the best interest of the individual to do so. This flexibility is not available for a deceased individual. This dichotomy can put a covered entity in a difficult situation. For example, if an adult child is involved in the healthcare of his/her parent, a covered entity could disclose PHI to the child while the patient is living, but cannot disclose the same PHI to the child if that child is not the executor (or otherwise determined to be personal representative) for the deceased.

Handling PHI of deceased persons is best addressed through policies and procedures that require the person claiming to be a personal representative of the deceased to provide proof that he/she is legally entitled to control the use and disclosure of the deceased's PHI. Also, proper communication with the person who requests PHI is critical, especially in an emotionally charged atmosphere such as the recent death of a family member.

Business Associate Agreements

One of the most burdensome requirements of HIPAA's privacy regulations is the requirement that covered entities have written contracts with all of their business associates. These written contracts must have specific contractual obligations related to the handling of PHI. At great effort and expense, most covered entities have undertaken a campaign to enter into contracts with their business associates. Often, however, in the quest to obtain business associate agreements (or to include business-associate language in post-April 14 agreements), covered entities have lost sight of the nuances of a business associate relationship.

In some cases, covered entities have entered into business associate contracts with all vendors. While this practice is not necessarily harmful, it is important to note that requiring compliance with the business associate standards does not permit the disclosure of PHI unless that disclosure is otherwise permitted by HIPAA. For example, if a covered entity has a contract with a consultant, it cannot disclose PHI to that consultant simply because there are HIPAA-compliant business associate provisions in the contract. The covered entity must analyze whether the services provided by the consultant are 'business associate-type' services and the consultant needs PHI to provide the services.

A covered entity cannot simply rely upon the business associate provisions to allow a haphazard approach to disclosures to the business associate. Disclosure to business associates must meet the minimum necessary standard of the privacy regulations. For example, if a covered entity uses a collection agency, it is appropriate for the covered entity to give information necessary to identify the claim (e.g., name and address of the patient, dates of service), but not other portions of PHI in the covered entity's possession (e.g., diagnosis, treatment).

How IT Can Help

Information technology can and should be part of the HIPAA privacy compliance solution. For example, technology can be applied to training and compliance monitoring.

IT can assist in training, not only by providing traditional online HIPAA programs describing HIPAA's privacy regulations and quizzes that test employees' knowledge of the covered entity's privacy policies and procedures but also through HIPAA informational e-mails, bulletin boards and FAQ pages. Consistent reinforcement of privacy obligations will help keep the issue of protecting PHI in the forefront of the minds of covered entities' employees.

Many covered entities that operate on a large scale have found that similar HIPAA privacy compliance questions arise across their enterprise. By creating and, more importantly, maintaining a readily accessible FAQ page, personnel can save time and resources by not requiring that every HIPAA privacy question be directed to the privacy officer or the legal department. In this time of shrinking HIPAA budgets and personnel resources, wisely applied information technology can be used to stretch thinning HIPAA resources.

Many covered entities have successfully applied information technology to assist them in complying with specific requirements under HIPAA's privacy regulations. For example, HIPAA's privacy rule requires that covered entities provide individuals with an accounting of certain disclosures of the individual's PHI. Many entities have automated the process of accounting.

IT can also be used to monitor and track compliance. Compliance monitoring and tracking can take the form of electronic monitoring of access to and disclosures of medical records, establishing a method for anonymously reporting suspected HIPAA violations, tracking and documenting training efforts, and monitoring vendor contracts to ensure business associate agreements are in place.

Covered entities can use IT to document their commitments to HIPAA compliance efforts. The OCR has indicated it will look for bad actors when bringing enforcement actions. Therefore, if a covered entity can respond to an OCR inquiry with specific information about how a particular disclosure was handled, and provide evidence of its training efforts, handling of prior complaints and mitigation efforts, that covered entity will be in a better position to deal with the OCR. By showing its good-faith compliance effort, a covered entity can paint a more favorable and accurate picture of its commitment to protecting the PHI of its patients or enrollees.

Since April 14, 2003, covered entities have learned that although the focus on HIPAA privacy compliance may have diminished, HIPAA privacy will not go away. That has been a lesson for all of us.

Thursday, 4 October 2012

Providers rush to lock patient records as HIPAA deadlines loom - Northeast Pennsylvania Business Journal

With less than a year remaining until the first in a series of new federal healthcare information standards takes effect, a survey of healthcare professionals nationwide shows that only about half of those affected will be ready.

The survey, taken in the first weeks of 2002 by Phoenix Health Systems, a healthcare information technology and outsourcing firm, polled the industry on its readiness to conform to new industry-wide standards for the protection of confidentiality and security of personal healthcare information and for the improved efficiency of healthcare information exchange via electronic data interchange (EDI) mandated under the Health Insurance Portability and Accountability Act (HIPAA).

Darlene Kauffman, associate director of medical economics for the Pennsylvania Medical Association and dubbed the 'HIPAA guru' by her colleagues, says the compliance readiness numbers are probably about the same locally as nationally.

Before HIPAA, healthcare providers protected patients' confidentiality following a patchwork of state laws that often left gaps in the protection of patients' privacy and confidentiality.

Personal health information could be distributed - without either notice or consent - for reasons having nothing to do with the patient's medical treatment or healthcare reimbursement, according to the Department of Health and Human Services (DHHS) Office for Civil Rights (OCR).

Currently, patient information held by a health plan may be passed on to a lender who may use it to deny the patient's application for a home mortgage or credit card, or to an employer who may use it in personnel decisions.

The HIPAA Privacy Rule establishes a federal floor of safeguards to protect the confidentiality of medical information. State laws which provide stronger privacy protections will take precedence over the new federal standards.

Pennsylvania has strong privacy laws in place, according to Kauffman. Determining which law to follow is under study by a task force of the E-PA Alliance, a nonprofit volunteer organization of technology users which is involved in improving Pennsylvania's economic competitiveness and quality of life.

'We are determining, almost phrase by phrase, where state law will pre-empt HIPAA laws,' explains Kauffman, who co-chairs the E-PA Alliance Education and Communications Working Committee. The DHHS, which drafted the new regulations, is in the process of tweaking the new standards based on public input received after the final rule took effect in April 2001.

Kauffman warns that waiting for possible changes or clarifications to begin working on compliance is not a good strategy.

'To implement this 1,500 page law, everyone is going to need a lot of education,' Kauffman says.

To meet the April 2003 privacy standards implementation deadline, healthcare providers should be in the process of, or have completed, an analysis of their current privacy policies, Kauffman adds.

'They need to go through every procedure in their practice, everything that involves patient information, document how they do it now, evaluate how it has to change, and how they're going to make that change,' Kauffman explains.

Each organization is required to appoint a privacy officer. In smaller organizations, these duties may be assigned to an existing employee, such as office manager. Larger and more complex organizations may need to establish a new position with support staff to ensure compliance.

Necessary changes may be as simple as keeping patient sign-in sheets out of view from the general public. Front-desk personnel will need to watch that discussions of patients' private information can't be overheard by others.

Richard English, M.D., director of the Family Practice Residency Program for the Wyoming Valley Health Care System (WVHCS), says his office will be moving computer screens away from the public eye, eliminating such simple things as sign-in sheets and protecting fax machines from casual observers.

In general, English says physicians usually have policies on privacy and disclosure for their employees in place, so not much will change.

'This whole issue is not new,' explains James Rakshys, director of advanced technology and newly appointed chief of privacy and security for WVHCS, 'but the intensity is going to change.'

While hospitals won't be required to provide each patient with a private room, doctors and nurses will be expected to do what they can to keep bedside consultations private.

Conversations at the nurses' station will need to be kept as private as possible. Michelle Cibio, administrator of Health South Diagnostic Center, Camp Hill, expects very few changes at her facility.

'We're accredited by the Joint Commission on Accreditation of Healthcare Organizations (JCAHO), so we already have a written policy in place,' Cibio explains. Cibio points out that the new law requires that 'reasonable' changes be made to protect patients' privacy. For example, the Center will not be required to put privacy glass around the receptionist's desk to protect information at the desk, but it will be expected to take common-sense steps to keep information private.

They will eliminate the sign-in sheet that was left on the desk and included a patient's name, the referring doctor, and reason for the diagnostic study.

HealthSouth has also written a policy that determines who has access to patient information, that person's job description, and what information they need to complete their job. Only the minimum amount of healthcare information necessary to perform a task may be disclosed from a patient's file.

Employees must be educated about the company's privacy policy. This may be as simple as providing each employee with a copy of the privacy policy, or may include extensive training seminars. The size and complexity of an organization will most likely determine the method of education.

A patient must be provided with an organization's privacy policy up front, and told how their information can be used.

A record of who has received patient information must be kept in writing and available to the patient.

Adherence to the new privacy standards will be backed up with severe civil and criminal penalties for non-compliance.

The fines go as high as $25,000 for multiple violations of the same standard in a calendar year, and fines of up to $250,000 and/or imprisonment for up to 10 years for knowing misuse of individually identifiable health information. DHHS has delegated enforcement responsibilities to the DHHS Office for Civil Rights.

The cost of implementing the new privacy standards is difficult to determine, according to Kauffman. An organization's size and the amount of change necessary to become compliant will determine how much they spend.

Some respondents to the Phoenix Health Systems survey, which included hospitals, physician practices of varying size, insurance companies and vendors, estimated that their organizations will spend upwards of $1 million to become compliant; most, however, expect to spend less than $100,000.

Much of this funding will go to meeting the new electronic requirements of HIPAA. Originally scheduled to take effect in October 2002, the electronic health transaction standards now have a compliance date of October 2003. A plan for attaining these standards must still be in place by October of this year.

The new standards are designed to establish one national electronic format for processing health claims, health plan eligibility, enrollment and disenrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions.

Up until now, health providers and plans have used many different electronic formats, each requiring its own software. Kauffman says this software was often quite expensive. The various formats were also unable to communicate with each other, slowing down the healthcare claims process.

The new rules require the use of specific electronic formats developed by the American National Standards Institute (ANSI) for most transactions.

Virtually all health plans will have to adopt these standards, even if a transaction is on paper or by phone or fax.

Standard code sets will be developed to be used in all transactions. For example, the coding systems that describe diseases, injuries and other health problems, as well as their causes, symptoms and actions taken, must become uniform. All parties to a particular transaction will have to use and accept the same coding.

These standards are intended to reduce mistakes, duplication of effort and costs.

Wednesday, October 3, 2012

What frontline staff need to know about HIPAA: a "plain English" version of some of the highlights. (Cover Story).(Health Insurance Portability and Accountability Act) - Behavioral Health Management

The Privacy Rule of the Health Insurance Portability and Accountability Act (HIPAA) goes into effect on April 14, 2003. One of its many stipulations is that all staff in a 'covered healthcare entity' must receive training on HIPAA. Do frontline workers need to know all the legal aspects of HIPAA? No, they do not. Do they need to know the intent of HIPAA? Yes, they do.

Why? On one hand, the maintenance of privacy and security of patient/client/consumer data is one of the primary ways that we, in healthcare, build a relationship of trust with our clients. On the other hand, the failure to adhere to HIPAA requirements carries the possibility of both civil fines ($100 fine for each violation up to $25,000 a calendar year) and criminal prosecution, with a possible prison sentence of up to 10 years and a $250,000 fine--good reasons for frontline staff to understand, with as much clarity as possible, just what they're getting into with HIPAA. This is a complex law, with many ramifications, and you should by all means seek professional counsel to guide your organization's particular response to it. The basic requirements, though, can be expressed in fairly straightforward language--my intent with this article.

It's conceivable that you've already engaged in some HIPAA-related activity pertaining to the Privacy Rule. Someone in your organization has probably already determined by now that your agency/practice is a covered entity. Someone has probably already been named as your organization's HIPAA privacy officer. Someone has probably analyzed your agency's policies and practices regarding HIPAA and has revised existing or written new required policies. Someone has probably written the privacy notices that must be clearly displayed in your practice by April 14, 2003, and given to all patients/clients/consumers.

Furthermore, someone has probably written and/or obtained business associate agreements with any other businesses your agency/practice has relationships with, as appropriate. Someone has probably created a mechanism to track information releases that do not require authorization (e.g., coroner's requests). Someone has probably modified or created a HIPAA-compliant authorization (the HIPAA term for the signatory form that allows the release of protected health information [PHI]).

What exactly is PHI? It is denoted by a specific set of personal identifiers that any healthcare operation has or will ever have on a patient/client/consumer, for example: name, address, names of relatives, name of employer(s), birth date, telephone or fax number, e-mail address, Social Security number, health plan beneficiary number, vehicle or other device serial number, finger or voice prints, photographs, and any other unique identifying number, characteristic, or code.

If PHI is requested by the individual receiving treatment (and the right of the individual to his or her own treatment information is acknowledged by HIPAA) or by those involved in that treatment or related operations, an authorization is not required. For other releases of PHI, a signed authorization is required. This is really nothing new for frontline staff in behavioral healthcare organizations--state laws have long required this. Moreover, a stricter state rule always takes precedence over the HIPAA rules. Authorizations, however, might be unfamiliar territory for new employees just entering the field, and they must be brought up to speed quickly. The following example may help new staffers to understand the concept:

If Mary Jones calls the practice, clinic, or hospital to inquire about her neighbor Sally Smith's diagnosis, it is reasonable to expect that a receptionist, secretary, or healthcare professional would not release the information without an authorization. HIPAA, however, takes this further: If Mary Jones calls the practice to inquire if her neighbor, Sally Smith, is present at the office, this information also could not be given without ensuring that Sally Smith has signed an authorization for release of PHI to Mary Jones. Or, a more likely scenario: If a pharmaceutical company requests names and addresses of everyone receiving a certain prescription, authorizations for the release of these names and addresses would have to be obtained beforehand.

If, on the other hand, a radiologist's office calls and seeks Mary Jones's address for billing purposes after her x-ray has been read, an authorization is not required. Similarly, if the radiologist calls and wants to discuss the reading of the x-ray with Mary Jones's personal physician, an authorization is not required, nor is it required if the practice calls the radiologist to schedule an appointment for Mary Jones. However, if the radiologist's office calls a behavioral healthcare practice and wants to discuss Mary Jones's prognosis, state laws (which, as mentioned, tend to be stricter than HIPAA) will most likely require an authorization.

It is important to note that educational records and student health records are excluded as PHI.

Reception staff and telephone operators, as well as practitioners, must be very careful to ensure that authorizations have been completed before any information is released, other than for treatment or treatment-related purposes. Neglecting to do so invites fines and imprisonment.

Who Are 'Personal Representatives'?

Of particular interest to many behavioral healthcare providers might be the fact that HIPAA has a special set of regulations that relates to parents, referred to in HIPAA language as 'personal representatives.' (This term also applies to other adults who might have a caretaker relationship with a client/patient/consumer, and includes consumers who are developmentally disabled or otherwise incapacitated.) Generally, parents do have the right to receive PHI regarding their children, but there are exceptions, e.g., to prevent serious harm or threats to a child. Furthermore, professional staff may elect not to treat a parent (or spouse) as a personal representative if there is a reasonable belief that abuse, domestic violence, or neglect is taking place and might ensue with release of PHI. Again, as with a system for authorizations, some mechanism should be developed whereby frontline reception staff is quickly notified if any of these hazardous situations exist so they can respond appropriately and quickly to requests for PHI.

Emergencies and 'Accidents'

HIPAA continues to permit the release of PHI during emergencies or in cases of imminent threat to a person or to the public at large.

What about 'accidental sightings' of PHI on case records, physician's notes, etc.? Would these be considered violations of the HIPAA Privacy Rule? Although this is not explained in HIPAA regulations as clearly as one might like, we should consider it a best practice, in any event, to prevent this kind of accidental disclosure to the extent possible. Many practices are adopting the 'facing the wall/face down on the desk' rule to avoid this type of accidental disclosure. Simply put, any notes, bills, or other papers containing PHI should be left face down on the desk. All charts, if left in door or hallway containers, should face the wall. In this manner, one adheres to the spirit, if not necessarily the letter, of the law.

This gets back to the initial point made in this article: Adhering to the spirit of HIPAA is of overriding concern.

Tuesday, October 2, 2012

HHS issues new HIPAA rule.(HEALTH RECORDS) - Information Management Journal

The Department of Health and Human Services (HHS) recently issued a proposed rule that modifies the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule's standard for the accounting of disclosures of protected health information (PHI).

This proposed rule addresses changes mandated by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which requires HIPAA-covered entities and business associates to account for PHI disclosures made through an electronic health record for the purpose of treatment, payment, and healthcare operations.


The proposed rule divides the accounting rights into two distinct individual rights. The first follows the long-standing accounting of disclosure rules, modifying the existing rule to require an accounting for three years before an individual's request instead of the current six years. The second offers individuals a new right to receive a written 'access report' that describes uses and disclosures of their PHI made through an 'electronic designated record set.'

This report would include information on a covered entity's workforce members who have accessed information and would apply to information in an electronic designated record set, not only information in an electronic health record, as required by HITECH.
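An added example (not code from the article or from HHS) of how a covered entity that already keeps a per-access audit log can produce both reports from it: the accounting of disclosures over a window counted back from the request date, and the access report naming the workforce members who used or disclosed the record across every system in the designated record set, not only the EHR. The log layout, the role and system names and the sample entries are constructed for this example; the proposed rule's exact content requirements for each report are not reproduced here.

```go
// Added example: producing an accounting of disclosures and an access report
// from an audit log. Record layout, roles, systems and sample data are assumed.
package main

import (
	"fmt"
	"sort"
	"time"
)

// Kind distinguishes an internal use of PHI from a disclosure to an outside party.
type Kind int

const (
	Use        Kind = iota // a workforce member viewed or used the record internally
	Disclosure             // PHI was released to a recipient outside the entity
)

// Entry is one audit-log record (layout assumed for this example).
type Entry struct {
	When      time.Time
	PatientID string
	Actor     string // workforce member's user id
	Role      string
	System    string // "ehr", "billing", "scheduling": all part of the designated record set
	Kind      Kind
	Recipient string // outside recipient, for disclosures
	Purpose   string // treatment, payment, operations, or other
}

func inWindow(t, from, to time.Time) bool {
	return !t.Before(from) && !t.After(to)
}

func sortByTime(es []Entry) {
	sort.Slice(es, func(i, j int) bool { return es[i].When.Before(es[j].When) })
}

// AccountingOfDisclosures returns the disclosures of one patient's PHI made in
// the `years` years before requestDate (six under the existing rule, three
// under the proposed one), oldest first.
func AccountingOfDisclosures(log []Entry, patientID string, requestDate time.Time, years int) []Entry {
	start := requestDate.AddDate(-years, 0, 0)
	var out []Entry
	for _, e := range log {
		if e.PatientID == patientID && e.Kind == Disclosure && inWindow(e.When, start, requestDate) {
			out = append(out, e)
		}
	}
	sortByTime(out)
	return out
}

// AccessReport returns every use or disclosure of the patient's PHI across all
// systems of the electronic designated record set within [from, to], so the
// patient can see which workforce members touched the record and why.
func AccessReport(log []Entry, patientID string, from, to time.Time) []Entry {
	var out []Entry
	for _, e := range log {
		if e.PatientID == patientID && inWindow(e.When, from, to) {
			out = append(out, e)
		}
	}
	sortByTime(out)
	return out
}

// WhoAccessed summarises an access report as workforce member -> number of accesses.
func WhoAccessed(report []Entry) map[string]int {
	counts := make(map[string]int)
	for _, e := range report {
		counts[e.Actor]++
	}
	return counts
}

func day(y int, m time.Month, d int) time.Time { return time.Date(y, m, d, 0, 0, 0, 0, time.UTC) }

// SampleLog is a constructed audit log for the example; ids and names are fictitious.
var SampleLog = []Entry{
	{day(2007, 3, 10), "P-001", "u-bill", "billing", "billing", Disclosure, "County Health Dept", "other"},
	{day(2009, 6, 1), "P-001", "u-bill", "billing", "billing", Disclosure, "Example Insurance Co", "payment"},
	{day(2010, 2, 14), "P-001", "u-nurse1", "nurse", "ehr", Use, "", "treatment"},
	{day(2011, 9, 30), "P-001", "u-front", "reception", "scheduling", Use, "", "operations"},
	{day(2011, 11, 5), "P-001", "u-doc1", "physician", "ehr", Disclosure, "Referral Clinic", "treatment"},
	{day(2011, 12, 1), "P-002", "u-nurse1", "nurse", "ehr", Use, "", "treatment"},
	{day(2011, 12, 20), "P-001", "u-nurse1", "nurse", "ehr", Use, "", "treatment"},
}

func main() {
	request := day(2012, 1, 15)
	for _, years := range []int{6, 3} {
		acct := AccountingOfDisclosures(SampleLog, "P-001", request, years)
		fmt.Printf("accounting (%d years): %d disclosures\n", years, len(acct))
		for _, e := range acct {
			fmt.Printf("  %s to %q for %s by %s\n", e.When.Format("2006-01-02"), e.Recipient, e.Purpose, e.Actor)
		}
	}
	report := AccessReport(SampleLog, "P-001", request.AddDate(-3, 0, 0), request)
	fmt.Printf("access report: %d entries, by workforce member: %v\n", len(report), WhoAccessed(report))
}
```

The point of logging uses as well as disclosures, and tagging each record with the system it came from, is that the access report cannot be produced after the fact from an EHR-only audit trail: billing and scheduling systems that hold PHI have to feed the same log.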

Monday, October 1, 2012

HIPAA Notice of Health Information Breaches Must be Submitted by February 29, 2012.(Health Insurance Portability and Accountability Act of 1996)(Brief article) - Mondaq Business Briefing

Healthcare providers and other HIPAA covered entities have until Wednesday, February 29, 2012 to submit notice of breaches of unsecured Protected Health Information which affected fewer than 500 individuals during 2011. Notice must be submitted electronically to the Secretary of Health & Human Services, and separate forms are required for each data breach occurring in the course of the calendar year. This action is mandated by the Interim Final Rule for Breach Notification for Unsecured Protected Health Information which became effective on September 23, 2009. A breach is defined under federal law as the unauthorized acquisition, access, use, or disclosure of Protected Health Information (PHI) in a manner that violates the HIPAA Privacy rule and compromises the privacy or security of the PHI. Determining whether a breach has occurred, however, requires the analysis of a number of additional factors. Under the Interim Final Rule, breaches affecting fewer than 500 individuals must be reported to the Secretary within 60 days of calendar year end. Covered entities must document data breaches affecting fewer than 500 individuals in their breach logs when the breaches occur throughout the year, but they are not required to publicly report these breaches until 60 days after the end of the calendar year.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Mr Stephen Page

Waller Lansden Dortch & Davis


Sunday, September 30, 2012

HIPAA enforcement 'limited'.(Policy & Practice)(Health Insurance Portability and Accountability Act of 1996)(Brief article) - Family Practice News

The Centers for Medicare and Medicaid Services has not provided effective oversight and has taken only 'limited actions' to ensure that covered entities adequately implement the security regulations for electronic patient health information contained in the Health Insurance Portability and Accountability Act of 1996, according to a report from the Health and Human Services Department's Office of Inspector General. The OIG found that the CMS had not conducted any compliance reviews of covered entities, and instead relied on complaints to target investigations. However, the CMS has received very few complaints about violations, the report said. 'As a result, the CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA security rule' or that electronic health information was being adequately protected, the report concluded. CMS has taken steps to begin conducting compliance reviews in an effort to identify security problems and vulnerabilities under HIPAA, the OIG said.

Saturday, September 29, 2012

HIPAA enforcement 'limited'.(POLICY & PRACTICE)(Health Insurance Portability and Accountability Act )(Report)(Brief article) - Internal Medicine News

The Centers for Medicare and Medicaid Services has not provided effective oversight and has taken only 'limited actions' to ensure that covered entities adequately implement the security regulations for electronic patient health information contained in the Health Insurance Portability and Accountability Act of 1996, according to a report from the Health and Human Services Department's Office of Inspector General. The OIG found that the CMS had not conducted any compliance reviews of covered entities, and instead relied on complaints to target investigations. However, the CMS has received very few complaints about violations, the report said. 'As a result, the CMS had no effective mechanism to ensure that covered entities were complying with the HIPAA security rule' or that electronic health information was being adequately protected, the report concluded. CMS has taken steps to begin conducting compliance reviews in an effort to identify security problems and vulnerabilities under HIPAA, the OIG said.

Friday, September 28, 2012

Encryption for HIPAA not necessarily a given: change in final rule eliminates blanket requirement.(Health Insurance Portability and Accountability Act of 1996) - Rehab Continuum Report

Medical Banking Project founder John Casillas says one of the changes in the final Health Insurance Portability and Accountability Act of 1996 (HIPAA) security rule eliminated any requirement to encrypt electronically transmitted protected health information, even over the Internet or other open networks. Encryption is now an 'addressable' implementation specification, which means a provider or payer organization must determine whether it is appropriate to use the technology. Encryption was one of many required procedures or technologies in the proposed rule that now are addressable as the Department of Health and Human Services seeks to make the final rule more scalable for health organizations of all types and sizes.

Casillas says many providers implementing the security rule likely will decide encryption is a reasonable and appropriate way to protect data, but their trading partners may not agree. One area providers will have to consider is the electronic transmission of payment information, including protected health information, between providers, payers, and financial institutions.

Encryption still a good idea

For instance, an insurer may electronically transmit to its bank a payment file containing payment instructions for a batch of claims from multiple providers. The bank will transmit the file to the banking industry's automated clearinghouse network, which transmits the payments to the appropriate banks serving the providers listed in the payment file. The individual banks then will transmit electronic remittance advices that contain protected health information to their provider customers.
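The flow above hands a file containing protected health information to several parties in turn, any of which may treat encryption as an 'addressable' specification and decline it. The following is an added example, not code from the article or from the Medical Banking Project, showing how the sender can protect the file at the application layer with AES-256-GCM so that each intermediary forwards opaque bytes and any modification in transit is rejected by the receiver. The blob layout (nonce followed by ciphertext and tag), the fixed demo key, the header fields and the sample remittance line are assumptions made for the example; how the insurer and the provider share the key is out of scope.

```go
// Added example: application-layer encryption of a remittance advice so that
// PHI stays unreadable at every hop (insurer -> bank -> clearinghouse ->
// provider's bank -> provider) whether or not each link is itself encrypted.
// The file layout, demo key and sample data are assumptions for this example.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Blob layout (assumed): 12-byte GCM nonce || ciphertext || 16-byte tag.
const nonceSize = 12

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRemittance encrypts plaintext with AES-256-GCM. header is authenticated
// but not encrypted, so routing metadata (sender, trace number) stays readable
// to the banks while any change to it is detected when the file is opened.
func SealRemittance(key, header, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { // fresh nonce per file
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce, yielding nonce||ciphertext||tag.
	return aead.Seal(nonce, nonce, plaintext, header), nil
}

// OpenRemittance reverses SealRemittance; it fails if the blob, the header or
// the key differ from what was sealed.
func OpenRemittance(key, header, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < nonceSize+aead.Overhead() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := blob[:nonceSize], blob[nonceSize:]
	return aead.Open(nil, nonce, ct, header)
}

// Relay models an intermediary (bank, clearinghouse) that forwards the file
// byte for byte; it never needs the key.
func Relay(blob []byte) []byte {
	return append([]byte(nil), blob...)
}

// DemoKey is a constructed, fixed key used only so the example runs offline.
// Real trading partners would share keys out of band.
var DemoKey = bytes.Repeat([]byte{0x42}, 32)

// SampleHeader and SampleRemittance are constructed inputs; the remittance
// line stands in for an 835 that contains PHI.
var SampleHeader = []byte("sender=ExamplePayer;trace=000123")
var SampleRemittance = []byte("835|PAYEE=Example Clinic|PATIENT=Jane Doe|AMT=120.00")

func main() {
	blob, err := SealRemittance(DemoKey, SampleHeader, SampleRemittance)
	if err != nil {
		panic(err)
	}
	forwarded := Relay(Relay(blob)) // two hops, neither able to read the file
	fmt.Printf("intermediaries see %d opaque bytes\n", len(forwarded))

	pt, err := OpenRemittance(DemoKey, SampleHeader, forwarded)
	fmt.Printf("provider opened: %q err=%v\n", pt, err)

	forwarded[len(forwarded)-1] ^= 1 // one byte altered in transit
	_, err = OpenRemittance(DemoKey, SampleHeader, forwarded)
	fmt.Println("tampered file rejected:", err != nil)
}
```

Authenticating the header rather than encrypting it keeps routing metadata usable by the banks while binding it to the payload: a file that has been re-addressed, altered, or opened with the wrong key fails on open instead of yielding plausible garbage.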

Thursday, September 27, 2012

CMS implementing a grace period for HIPAA deadline. - Medical Device Daily


By KEVIN NEW

Medical Device Daily Washington Editor

WASHINGTON - Officials who run the nation's Medicare program assured providers not prepared for a looming regulatory deadline that cash flow would not be interrupted.

The Centers for Medicare & Medicaid Services (CMS; Baltimore, Maryland) said earlier this week that it would implement a contingency plan to accept non-compliant electronic transactions after Oct. 16 of this year, the deadline date for complying with the regulations of the Health Insurance Portability & Accountability Act (HIPAA).

The contingency plan will ensure that claims will continue to be processed for what CMS estimates to be thousands of providers not able to meet the deadline, it said. Otherwise, the claims would be rejected.

'Implementing this contingency plan moves us toward the dual goals of achieving HIPAA compliance while not disrupting providers' cash flow and operations, so that beneficiaries can continue to get the healthcare services they need,' said CMS administrator Tom Scully.

The decision to establish a contingency plan was made due to statistics showing unacceptably low numbers of compliant claims being submitted, CMS said. CMS gained the authority to implement the contingency plan based on guidance it received from the U.S. Department of Health and Human Services (HHS; Washington) in late July.

The grace period will allow providers additional time to complete testing processes for new systems. CMS will regularly reassess the readiness levels of providers to determine how long to keep the contingency plan in effect, according to Tom Grissom, CMS's director of the Center for Medicare Management, the division responsible for administering reimbursement.

'Medicare is able to process HIPAA-compliant transactions,' Grissom said, 'but we need to work with our trading partners to increase the percentage of claims in production.'

Because transactions often involve the participation of two covered entities, non-compliance from one could put the other party in a difficult position, CMS said. And covered entities making a good-faith effort to comply with HIPAA standards can implement their own contingency plans to maintain operations and cash flow, according to the HHS guidance document.

'We encourage other plans to assess the readiness of their trading partners and implement contingency plans if appropriate,' Grissom advised.

Device manufacturers are affected by HIPAA regulations only if they conduct standard transactions, John Bentivoglio, a partner at the Washington office of Arnold & Porter, told Medical Device Daily. Bentivoglio represents several medical device manufacturers and noted that his clients' biggest concerns deal with research and marketing regulations in HIPAA.

Only the biggest device companies that interact directly with patients would be considered a covered entity, he said.

HHS clarified its definitions of standard transactions and healthcare in its HIPAA preamble from December 2000, Bentivoglio noted. Standard transactions are financial and administrative in nature, relating to claims and billing matters, and most device manufacturers don't interact directly with patients, he explained.

Covered entities may use or disclose protected health information for research purposes without authorization under very limited circumstances, Bentivoglio added. Device manufacturers involved in research should work with institutional review boards to ensure that authorizations for disclosing information are included in an informed consent form, he said.

Wednesday, September 26, 2012

Recruiting patients with breast cancer and their families to behavioral research in the post-HIPAA period.(Health Insurance Portability and Accountability Act)(Clinical report) - Oncology Nursing Forum

Recruiting patients from clinical settings into cancer clinical trials is a difficult but essential element of the success of the National Cancer Institute's efforts to reduce cancer mortality. Overall, less than 50% of patients with cancer participate in treatment trials nationwide (Beskow, Sandler, & Weinberger, 2006; Elting et al., 2006; Gotay, 1991; Heiney et al., 2006). Even institutions with appropriate trials available that are dedicated to recruiting patients for clinical and behavioral trials often reported that recruitment rates are modest, varying from 19%-53% (of clinically eligible patients older than age 35) (Hunter et al., 1987; Lee, Marks, & Simpson, 1980; Spiro, Gowera, Evans, Facchini, & Rudd, 2000). Low recruitment yields into clinical trials commonly are reported among patients with cancer (Ashing-Giwa, 2005; Ashing-Giwa, Padilla, Tejero, & Kim, 2004; Hunter et al.; Hutchins, Unger, Crowley, Coltmant, & Albain, 1999; Sears et al., 2003). Recruitment yields in those studies have ranged from 16%-36%. Modest rates of recruitment occur for several reasons. Key barriers to patient participation in clinical trials often are provider-related, including the time commitment involved, obtainment of informed consent, and intrusion of the study on the physician-patient relationship (Benson et al., 1991; Lovato, Hill, Hertert, Hunninghake, & Probstfield, 1997; Newcomb, Love, Phillips, & Buckmaster, 1990; Taylor, Margolese, & Soskoline, 1984).

Furthermore, clinical data now are more difficult to incorporate into research activities. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 described how clinical entities can use or disclose protected health information, including for research purposes. The regulations affect how researchers interact with participants and hospitals, physicians, and other organizations that provide access to participants and their data. Covered entities can disclose protected health information to researchers only if the study has obtained direct consent from patients, signed HIPAA authorization forms from patients, or a waiver of authorization from an institutional review board (IRB). Study recruitment materials and consent forms also must provide clear information to participants about who will have access to their medical information and how it will be used (HIPAAdvisory, 2003; Sands, 2003; U.S. Department of Health and Human Services, 2003). In November 1999, the U.S. Department of Health and Human Services published proposed regulations to guarantee patients new rights and protections against the misuse or disclosure of their health records. After extensive comments from thousands of individuals and organizations, the revised rules took effect on April 14, 2001.

The new rules resulted in confusion and concern at most academic research facilities. Ambiguities in interpretation and appropriate implementation left researchers unable to use standard procedures and forms for informed consent. Similarly, clinical facilities had to interpret the new laws and adjust approved procedures for providing researchers access to patients for research purposes.

Behavioral intervention research for patients with cancer and their family members includes psychosocial interventions to improve coping (Andersen, 1992; Baum & Andersen, 2001; Sears et al., 2003) and dietary and exercise changes as methods of preventing recurrence or improving physical functioning and quality of life (Chlebowski et al., 1993; McTiernan et al., 1998; Pierce et al., 1997). Behavioral research with patients and families also involves interventions to improve the health and coping of caregivers of patients with cancer (Donnelly et al., 2000). Obtaining high response rates is important in such studies because psychological and behavioral differences between responders and nonresponders limit generalizability.

Concerns were raised that complications of the HIPAA regulations would result in low response rates (Wolf & Bennett, 2006) or costly recruitment procedures (Friedman, 2006). Other investigators proposed that implementing HIPAA-based procedures would make recruitment of patients and families more confusing to potential study participants (Shalowitz & Wendler, 2006). As a result, a plan was created for approaching patients with breast cancer and their family members for research using rules based on implementation of the HIPAA regulations; the plan was implemented to determine eligibility and interest for future intervention research. The aim of this article is to assess the potential recruitment yields for patients and family members into behavioral research using a planned approach. Specifically, the article reports on the eligibility of patients with breast cancer and their family members to enter a set of behavioral intervention trials, their interest in participating in the trials, and the willingness of patients to provide contact information of spouses or partners and female first-degree relatives for entry into separate research projects.

Recruitment Process

Participants in the present study were recruited from the Seattle Cancer Care Alliance in Washington, a multi-institution National Cancer Institute-designated comprehensive cancer center that includes the Fred Hutchinson Cancer Research Center, the University of Washington Medical Center, and the Children's Hospital and Regional Medical Center of Seattle. The Seattle Cancer Care Alliance's Breast Center offers various clinical, diagnostic, and treatment services to patients in a multidisciplinary setting. Patients, their spouses or partners, and their female first-degree relatives were to be recruited for separate randomized trials to reduce risk of recurrence (patient) or first primary cancer (others). The research received human subjects review approval from the Fred Hutchinson Cancer Research Center IRB.

The Seattle Cancer Care Alliance maintains a computerized database that tracks patient information, including age, gender, name, address, phone number, cancer diagnosis, and dates of clinic visits. Using the database, the Seattle Cancer Care Alliance Breast Center staff generated a list of the 100 patients with breast cancer most recently seen for treatment by a practicing oncologist in the year prior to initial study contact. After removal of duplicate or invalid contact information, 91 patients were available for contact. All participating patients were recruited from the contact list with a passive consent letter for initial contact. Eligible patients were at least 18 years old, diagnosed only with primary breast cancer, and (for one study) reporting high levels of depressive symptoms.

Recruiting male spouses or partners and female first-degree relatives to participate in studies of health behavior change and risk reduction also was attempted. Eligible spouse or partner participants were male and living with previously recruited patients. Eligible female first-degree relative participants were at least 18 years old and never diagnosed with breast cancer. Payment was not offered to participants as an incentive for completing the study survey or for agreeing to participate in future research.

Recruiting Procedures in a Specific Clinical Setting

One of the major barriers to recruitment is moving contact information from a clinical setting to a research setting in a legal and ethical way. Figure 1 presents the flow chart for study recruitment. HIPAA regulations focus on protecting participant privacy at several points of contact but do not specify the means of protection. The present study was performed shortly after the regulations were in effect, so procedures had to be defined to ensure the protection of participant privacy. Specifically, research teams could no longer access patient information and obtain initial consent from patients to be contacted about a potential research project. Therefore, a clinical contact step was included to allow patients to opt out of the recruitment process. Once patients had a chance to refuse participation, contact information could flow to the research team, who directly contacted nonrefusing patients to describe the study, collect eligibility and initial interest data, and invite participants for more intensive consent and data collection activities. Participants could refuse to participate further at each step of the process.

[FIGURE 1 OMITTED]

The research team worked closely with clinical staff to implement the new recruitment procedures. Clinical staff sent the initial-approach passive consent letter, which described the survey and was signed by the principal investigator of the study and the patient's treating oncologist, to the 91 patients identified as potential study participants. The letter requested patients' permission to contact them via the telephone and provided a toll-free study telephone number to call if they did not wish to be contacted. During the subsequent survey, the interviewers asked each patient if she had a male spouse or partner or living female first-degree relative(s). If the patient reported a male spouse or partner or living female first-degree relative(s), the interviewer asked whether the patient would be willing to allow the researcher to contact her spouse or partner or female relative(s) to participate in a survey about possible future research studies. Patients were not asked to call the relatives to obtain separate consent.

Seven days after initial consent, research interviewers called the nonrefusing patients and asked them to complete a 30-minute telephone survey covering questions about their health history, depression, sensitive psychosocial history, height and weight history, age, relatives' cancer history, and interest in potential research studies. If patients provided their consent to contact relatives, they were asked to supply the contact information for those family members.

Spouses or partners and female first-degree relative(s) for whom patients provided contact information were approached first by a letter stating that permission had been obtained from the patient to get in touch with them about the study and that they would be called to provide more information and were under no obligation to participate in the study. A telephone number was provided in the letter that family members could call if they did not wish to be contacted via telephone.

Six months later, data were collected on the spouses or partners and female first-degree relatives of the patients. The wait period was six months to minimize interaction between research staff and families during their loved ones' acute therapeutic period. Research interviewers contacted nonrefusing family members to explain the study further, obtain verbal consent, and complete the survey if they chose to participate.

Table 1 shows the recruitment yields for patients, spouses or partners, and female first-degree relatives in the present study. Seventy-seven percent of patients, 95% of spouses or partners, and 88% of female first-degree relatives provided survey data. The proportion of participants lost because of the researchers' inability to locate them was low; 10% of patients and no spouses or partners or female first-degree relatives were unable to be contacted, and fewer had nonworking phone numbers. Only 7% of patients, 2% of spouses or partners, and 2% of female first-degree relatives personally refused the survey offer.

Table 1. Survey Approach Results for Patients and Relatives

Survey Approach             Patients  Yield (%)  Spouses and Partners  Yield (%)  First-Degree Female Relatives  Yield (%)
Approach letters mailed           91          -                    41          -                             85          -
Letters remailed                   1          1                     2          5                              2          2
Incorrect address                  -          -                     -          -                              -          -
Call records fielded              91        100                    41        100                             85        100
Unable to contact                  9         10                     -          -                              -          -
Nonworking phone number            4          4                     -          -                              -          -
Refused personally                 6          7                     1          2                              2          2
Refused via family member          2          2                     -          -                              3          4
Deceased                           -          -                     -          -                              -          -
Unable to speak with               -          -                     1          2                              5          6
Total completed surveys           70         77                    39         95                             75         88

Patient Consent to Contact Relatives

At first contact, patients were asked about their willingness to allow researchers to contact their spouses or partners and female first-degree relatives regarding future research studies. At recontact, patients gave consent by confirming their initial willingness to allow the interviewer to contact a spouse or partner or female first-degree relative(s). Consenting patients also provided the contact information.

Most of the patients were willing to allow the interviewer to contact spouses or partners and female first-degree relatives and to provide the necessary contact information. At first contact, 55 and 68 patients reported the existence of a living spouse or partner and a living and eligible female first-degree relative, respectively. A total of 52 (95%) of the patients with spouses or partners stated that they would allow the interviewer to contact their spouses or partners, and 61 (87%) allowed the interviewer to contact female first-degree relatives. At recontact, 49 of the patients initially allowing spouse or partner contact were contacted. Forty-three (88%) of those patients provided consent and contact information for their spouses or partners. Fifty-eight patients who initially allowed at least one female first-degree relative to be contacted were reached; 48 (83%) provided consent and contact information for at least one female first-degree relative.

Eligibility for Future Studies

Age and self-reported height and weight were obtained from patients and first-degree female relatives. In addition, because one of the planned future studies required the recruitment of depressed patients with breast cancer, the nine-item depression scale found in the Patient Health Questionnaire (PHQ) was administered (Kroenke, Spitzer, & Williams, 2001; Spitzer, Kroenke, & Williams, 1999). Items include questions about the presence of different symptoms of depression.

Relatives' Assistance Needs

Spouses, partners, and female first-degree relatives were asked about their need for information about nine specific breast cancer topics (risk factors, risk in relatives, screening, treatment, healthful foods and exercise behaviors for prevention, coping with feelings, hearing others' experiences, and ways to talk with healthcare providers). For each topic, spouses and partners were asked about how much assistance in receiving information on that topic they would like in dealing with their wives' or partners' breast cancer. Female relatives were asked about how much assistance in receiving information on that topic that they would like for themselves. Answer choices were 'not at all,' 'a little bit,' 'some,' and 'very much.' Participants who responded 'very much' were considered as reporting a high need for information. Table 2 presents data on the specific needs reported by spouses and partners and female relatives. The most frequently self-reported needs in both groups were learning about cancer treatments, healthful foods, exercise, and breast cancer risk factors. No apparent differences existed in frequency of responding between the two groups.

Table 2. Assistance Needs of Relatives of Patients With Breast Cancer

                                                    High Need (%)
Assistance Need                        Spouses and Partners  Female First-Degree Relatives
Breast cancer risk factor information                    46                             37
Information on risk in relatives                         33                             47
Information on screening                                 36                             53
Learning about cancer treatments                         67                             48
Learning about healthful foods                           64                             63
Learning about exercise                                  64                             52
Coping with feelings about cancer                        33                             39
Hearing others' experiences                              18                             27
Help with talking to providers                           41                             36

Interest in Participating in Future Studies

Patients were asked about their interest in participating in (a) a research project on the possible benefits of exercise for patients in recovery from initial cancer treatment, (b) a research project involving possible benefits of social support, relaxation, and other psychosocial coping skills during recovery from initial treatment, and (c) a clinical trial of the antidepressant sertraline as a treatment for depression in patients with breast cancer. Spouses and partners were asked whether they would be interested in hearing more about a study in which they would learn ways to help their wives or partners with breast cancer. They also were asked whether they would be interested in participating in such a study. Spouses and partners were asked whether specific appointment schedules for the research would be manageable. To assess female first-degree relatives' interest in research, researchers asked them whether they would like to participate in a study designed to help female family members of patients with breast cancer understand their own breast cancer risk and learn ways to cope with their risk.

Interest in the research studies was high among all three groups. A total of 57 of 69 responding patients (83%) reported interest in participating in an exercise intervention study. Even if participation meant being assigned to a group not receiving an exercise intervention, 49 patients (70%) still reported that they would be interested in such a study. Of 69 responding patients, 53 (76%) reported interest in participating in a coping skills training study. If participation included the possibility of being assigned to a group without special coping skills training, 56 patients (81%) agreed to participate. Patient interest in a trial to test the efficacy of an antidepressant medication also was high, with 47 of 66 (71%) respondents reporting interest in participation. Fourteen patient participants (20%) had a probable presence of moderate depression based on the data from the PHQ depression screening, indicating eligibility for a behavioral study to treat depression in patients with cancer. Those participants reported particularly high rates of interest in the relevant research studies compared to nondepressed participants. Eleven of the 14 (79%) participants with moderate depression reported interest in the antidepressant clinical trial. In comparison, 36 participants (69%) who were not likely depressed reported interest.

Among the spouse and partner participants, 37 (95%) reported interest in hearing more about a study to help their wives or partners with breast cancer, and 34 (87%) reported interest in actually participating. In addition, 30 (77%) spouses or partners reported that a six-month, biweekly research clinic appointment schedule was manageable and 32 (82%) spouses or partners reported that a three-appointment and two-telephone session schedule was manageable. Among female relatives, 64 (85%) reported willingness to be contacted about a study to help family members understand their risk for breast cancer, and 49 (65%) reported actual interest in participating.

Discussion

The data indicate that procedures to contact, recruit, and obtain consent from patients and family members for behavioral research activities complementary to their primary cancer treatment can be implemented successfully in the era of new stringent privacy regulations, even during the acute diagnosis and treatment period. Research staff working together with clinical staff to plan and conduct the initial consent resulted in very few refusers at the initial contact point. Several strategies were identified for making the relationship functional; the strategies have received support from similar studies (Albert & Levine, 2005; Wolf & Bennett, 2006). In the present study, strategies that reduced cost while improving yield included discussions between clinical staff and research staff, financial support of clinical staff by the research team, and the addition of the clinical director to the key personnel of research grants. This IRB-approved process will serve as a model for the recruitment of participants for future studies.

Researchers screened 100% of eligible participants via telephone, making calculating the overall yield on a population basis easier. The screening results differ from the percentage of eligible participants identified in previous research (Sears et al., 2003). The initial positive response to the approach via telephone likely would be replaced by lower yields when participants are faced with actually attending a visit to determine eligibility and obtain consent, although increasing the burden on participants by scheduling a visit would be a good strategy to establish which participants actually would adhere to the study protocol.

The interest rates of spouses or partners and female first-degree relatives were approximately equal, and a relatively large proportion of patients provided contact information for both. Getting a high yield of intact families, then, is possible, provided that the initial interest leads to actual participation. In another study of family recruitment (Helmes, Bowen, Bowden, & Bengel, 2000), initial interest clearly was related to participation in study activities; therefore, contacting potential participants to gauge interest most likely will assist with overall recruitment yield.

In addition to assessing interest over the telephone, researchers were able to estimate eligibility for certain characteristics (e.g., body mass index) in the survey. The approach may not be the most accurate way to assess eligibility criteria but certainly provided a prevalence estimate for important variables. Confirming eligibility during an in-person data collection session would be necessary to obtain the accuracy required for an intensive intervention study. Using a computerized database to identify potential patients and to perform much of the initial screening for eligibility can reduce the amount of time physicians need to spend on research study activities to allow their patients to participate (Newcomb et al., 1990). Similarly, having research staff instead of clinical personnel handle informed consent for studies in which such procedures would be appropriate also reduces the amount of time physicians need to spend on study enrollment. This allows patients to participate in research while continuing their usual medical care with their physicians uninterrupted, thus minimizing interference with the physician-patient relationship.

Little has been published about the health promotion or physical needs of family members of patients with cancer. The reported needs of potential family participants in the present study were diverse, but most wanted to learn about cancer and cancer treatments, dietary change, and exercise behavior change. The interest in prevention activities was exciting because of the new options for testing prevention and survivorship interventions. Participants interested in prevention would be eligible for many behavioral studies designed to change cancer risk. Risk reduction strategies often require hundreds of thousands of participants to achieve adequate power to identify differences in endpoints. Strategies developed in the present study would be helpful in recruiting the large samples needed for risk reduction studies.

Complaints about obtaining proxy consents or family contact information to the IRB or to clinical or research staff were not received from patients, their relatives, or their healthcare providers during this study. Modifying procedures to meet the current regulations was a straightforward process. The exercise improved clinical and research staff relationships because the roles of each were clearly delineated. Collaboration between overburdened clinical staff and eager research team members to modify and pilot procedures worked well in the present study. Procedures were designed by clinical investigators and staff, and the clinic procedures already in practice were considered in how best to organize the large amount of material for contact, mailing, and consent. When possible, the research staff shouldered any burden; otherwise, procedures were developed as a team that were easy to follow and did not deviate considerably from regular clinic procedures. Implementing a joint strategy to meet current guidelines and new ones as they come into play will be necessary.

References

Albert, S.M., & Levine, C. (2005). Family caregiver research and the HIPAA factor. Gerontologist, 45, 432-437.

Andersen, B.L. (1992). Psychological interventions for cancer patients to enhance the quality of life. Journal of Consulting and Clinical Psychology, 60, 552-568.

Ashing-Giwa, K.T. (2005). Can a culturally responsive model for research design bring us closer to addressing participation disparities? Lessons learned from cancer survivorship studies. Ethnicity and Disease, 15, 130-137.

Ashing-Giwa, K.T., Padilla, G.V., Tejero, J.S., & Kim, J. (2004). Breast cancer survivorship in a multiethnic sample: Challenges in recruitment and measurement. Cancer, 101, 450-465.

Baum, A., & Andersen, B.L. (2001). Psychosocial interventions for cancer. Washington, DC: American Psychological Association.

Beskow, L.M., Sandler, R.S., & Weinberger, M. (2006). Research recruitment through US central cancer registries: Balancing privacy and scientific issues. American Journal of Public Health, 96, 1920-1926.

Benson, A.B., Pregler, J.P., Bean, J.A., Rademaker, A.W., Eshler, B., & Anderson, K. (1991). Oncologists' reluctance to accrue patients onto clinical trials: An Illinois cancer center study. Journal of Clinical Oncology, 9, 2067-2075.

Chlebowski, R.T., Blackburn, G.L., Buzzard, I.M., Rose, D.P., Martino, S., Khandekar, J.D., et al. (1993). Adherence to a dietary fat intake reduction program in postmenopausal women receiving therapy for early breast cancer. The women's intervention nutrition study. Journal of Clinical Oncology, 11, 2072-2080.

Donnelly, J.M., Kornblith, A.B., Fleishman, S., Zuckerman, E., Raptis, G., Hudis, C.A., et al. (2000). A pilot study of interpersonal psychotherapy by telephone with cancer patients and their partners. Psycho-Oncology, 9, 44-56.

Elting, L.S., Cooksley, C., Bekele, B.N., Frumovitz, M., Avritscher, E.B., Sun, C., et al. (2006). Generalizability of cancer clinical trial results: Prognostic differences between participants and nonparticipants. Cancer, 106, 2452-2458.

Friedman, D.S. (2006). HIPAA and research: How have the first two years gone? American Journal of Ophthalmology, 141, 543-546.

Gotay, C.C. (1991). Accrual to cancer clinical trials: Directions from the research literature. Social Science and Medicine, 33, 569-577.

Heiney, S.P., Adams, S.A., Cunningham, J.E., McKenzie, W., Harmon, B., Hebert, J.R., et al. (2006). Subject recruitment for cancer control studies in an adverse environment. Cancer Nursing, 29, 291-299.

Helmes, A.W., Bowen, D.J., Bowden, R., & Bengel, J. (2000). Predictors of participation in genetic research in a primary care physician network. Cancer Epidemiology, Biomarkers and Prevention, 9, 1377-1379.

HIPAAdvisory. (2003). HIPAA primer. Retrieved November 20, 2003, from http://www.hipaadvisory.com/regs/HIPAAprimer.htm

Hunter, C.P., Frelick, R.W., Feldman, A.R., Bavier, A.R., Dunlap, W.H., Ford, L., et al. (1987). Selection factors in clinical trials: Results from the Community Clinical Oncology Program Physician's Patient Log. Cancer Treatment Reports, 71, 559-565.

Hutchins, L.F., Unger, J.M., Crowley, J.J., Coltman, C.A., & Albain, K.S. (1999). Underrepresentation of patients 65 years of age or older in cancer treatment trials. New England Journal of Medicine, 341, 2061-2067.

Kroenke, K., Spitzer, R.L., & Williams, J.B. (2001). The PHQ-9: Validity of a brief depression severity measure. Journal of General Internal Medicine, 16, 606-613.

Lee, J., Marks, J., & Simpson, J. (1980). Recruitment of patients to cooperative group clinical trials. Cancer Clinical Trials, 3, 381-384.

Lovato, L.C., Hill, K., Hertert, S., Hunninghake, D.B., & Probstfield, J.L. (1997). Recruitment for controlled clinical trials: Literature summary and annotated bibliography. Controlled Clinical Trials, 18, 328-352.

McTiernan, A., Ulrich, C., Kumai, C., Bean, D., Schwartz, R., Mahloch, J., et al. (1998). Anthropometric and hormone effects of an eight-week exercise-diet intervention in breast cancer patients: Results of a pilot study. Cancer Epidemiology, Biomarkers and Prevention, 7, 477-481.

Newcomb, P.A., Love, R.R., Phillips, J.L., & Buckmaster, B.J. (1990). Using a population-based cancer registry for recruitment in a pilot cancer control study. Preventive Medicine, 19, 61-65.

Pierce, J.P., Faerber, S., Wright, F.A., Newman, V., Flatt, S.W., Kealey, S., et al. (1997). Feasibility of a randomized trial of a high-vegetable diet to prevent breast cancer recurrence. Nutrition and Cancer, 28, 282-288.

Sands, G. (2003, January 24). Welcome to privacy and security policies. Retrieved November 20, 2003, from http://www.fhcrc.org/admin/planning/hipaa

Sears, S.R., Stanton, A.L., Kwan, L., Krupnick, J.L., Rowland, J.H., Meyerowitz, B.E., et al. (2003). Recruitment and retention challenges in breast cancer survivorship research: Results from a multisite, randomized intervention trial in women with early stage breast cancer. Cancer Epidemiology, Biomarkers and Prevention, 12, 1087-1090.

Shalowitz, D., & Wendler, D. (2006). Informed consent for research and authorization under the Health Insurance Portability and Accountability Act privacy rule: An integrated approach. Annals of Internal Medicine, 144, 685-688.

Spiro, S.G., Gower, N.H., Evans, M.T., Facchini, F.M., & Rudd, R.M. (2000). Recruitment of patients with lung cancer into a randomised clinical trial: Experience at two centres. On behalf of the Big Lung Trial Steering Committee. Thorax, 55, 463-465.

Spitzer, R.L., Kroenke, K., & Williams, J.B. (1999). Validation and utility of a self-report version of PRIME-MD: The PHQ primary care study. Primary care evaluation of mental disorders. Patient Health Questionnaire. JAMA, 282, 1737-1744.

Taylor, K.M., Margolese, R.G., & Soskolne, C.L. (1984). Physicians' reasons for not entering eligible patients in a randomized clinical trial of surgery for breast cancer. New England Journal of Medicine, 310, 1363-1367.

U.S. Department of Health and Human Services. (2003, November 10). HIPAA privacy rule information for researchers. Retrieved November 20, 2003, from http://privacyruleandresearch.nih.gov/pr_08.asp

Wolf, M.S., & Bennett, C.L. (2006). Local perspective of the impact of the HIPAA privacy rule on research. Cancer, 106, 474-479.

Deborah J. Bowen, PhD, Jesse R. Fann, MD, MPH, M. Robyn Andersen, PhD, Isaac C. Rhew, MPH, Julie R. Gralow, MD, Frances M. Lewis, PhD, RN, Julie R. Hunt, PhD, Melanie Palomares, MD, MS, Carol M. Moinpour, PhD, and Donna P. Ankerst, PhD

Deborah J. Bowen, PhD, is a joint member at the Fred Hutchinson Cancer Research Center in Seattle, WA; Jesse R. Fann, MD, MPH, is an associate professor in the School of Medicine at the University of Washington (UW) in Seattle; M. Robyn Andersen, PhD, is an assistant member of the division of Public Health Sciences at the Fred Hutchinson Cancer Research Center; Isaac C. Rhew, MPH, is a predoctorate research associate in the Department of Epidemiology at UW in Seattle; Julie R. Gralow, MD, is an associate professor in the School of Medicine at UW in Seattle; Frances M. Lewis, PhD, RN, is a professor in the School of Nursing at UW in Seattle; Julie R. Hunt, PhD, is a senior staff scientist in the Division of Public Health Sciences at the Fred Hutchinson Cancer Research Center; Melanie Palomares, MD, MS, is an assistant professor in medical oncology in the Division of Population Sciences, a staff physician for the Cancer Screening and Prevention Program, and a member of the Comprehensive Cancer Center at the City of Hope in Duarte, CA; Carol M. Moinpour, PhD, is an associate member of the Fred Hutchinson Cancer Research Center; and Donna P. Ankerst, PhD, is an associate research professor in the Health Science Center at the University of Texas in San Antonio and a research scientist at the University of Munich in Germany. This research was supported by a grant (CA82894) from the National Cancer Institute and by Fred Hutchinson Cancer Research Center developmental research funds. (Submitted March 2007. Accepted for publication April 3, 2007.)

Digital Object Identifier: 10.1188/07.ONF.1049-1054

Tuesday, September 25, 2012

Understanding new HIPAA privacy standards for hospitals and other providers.(HIPAA) - Healthcare Strategic Management

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted by Congress in an attempt to bring 'administrative simplification' to the health care industry. One aspect of HIPAA is the privacy rule, issued by the Department of Health and Human Services (HHS) in December of 2000. The intent of this privacy rule is to protect patients' privacy rights with respect to certain of their health care information while also improving the efficiency and effectiveness of electronic transmissions of this information. The privacy rule states that covered health care providers may not use or disclose certain health information unless such use or disclosure is specifically permitted or required by the rule. This rule is predicted to have a major, widespread effect on the use and disclosure of information throughout the health care industry. With that in mind, this article will attempt to familiarize covered providers with the rule and set forth several important points to consider as providers work towards HIPAA compliance.

Who is covered by the HIPAA privacy rule?

* Health care clearinghouses (including billing services, other health care information management entities)

* All health care providers (including private physicians) who electronically transmit certain health care information (including claims and other encounter information, payment information, health plan enrollment information, health plan eligibility, health plan premiums, referral authorization and related information, first report of injury, health claims attachments, etc.)

* All providers who use billing services, clearinghouses, hospitals, or any other person or entity to electronically transmit such claims and other information on the provider's behalf

* Health plans (including HMOs, most group plans, health insurance issuers, employee welfare benefit plans, etc.).

What information is covered by the HIPAA privacy rule?

Protected health information includes information (oral, written and electronic) which identifies, or reasonably could be used to identify, a patient and which relates to the patient's past, present or future physical or mental health or condition; history of health care treatments received; and past, present or future payment for the provision of health care.

Key points to consider

These are just a few of the important considerations covered providers will face as they attempt to become HIPAA compliant. All covered providers must review the privacy rule carefully, preferably in consultation with legal counsel, to ensure compliance.

Know the compliance deadline and the penalties for non-compliance

Most health care providers covered by the privacy rule must be compliant by April 14, 2003 (April 14, 2004, for small health plans or providers). Violations of the HIPAA privacy rule may carry hefty penalties. Violators may face civil fines of up to $25,000 per person per violation per calendar year, and criminal penalties including a fine of up to $50,000, $100,000 or even $250,000 for certain violations, and possibly even imprisonment of up to 10 years. In addition, non-compliance with the privacy rule may expose covered providers to negligence claims.

Draft written policies and procedures

Covered providers must draft written policies and procedures regarding the use and disclosure of protected health care information. Examples of items to be included in a well-drafted policy statement include:

* Allowing patients access to their health records (with some exceptions), and providing patients with a six-year accounting of most health information disclosures.

* Allowing patients to amend their health information (with some exceptions).

* Allowing patients to request that the health provider use alternate communication means for protected health information (for example, sending specified information to a patient's alternate address). Also allowing patients to request that the provider restrict disclosure of certain information.

Provide notice to all patients

All covered health care providers must provide to patients written, plain language notice (during office visits, through postings at premises and on Web sites, etc.) of the provider's procedures on the use and disclosure of patient health information and a description of the patient's rights and the provider's legal duties under the privacy rule.

The covered provider must designate and train a 'privacy official' to implement its policy, and a responsible person to receive and process inquiries and complaints in accordance with the rule. These persons must provide HHS with compliance reports and copies of certain records upon request to demonstrate compliance.

Train personnel

Training a covered provider's workforce as to how to store, use and disclose protected health information is crucially important, not only to ensure that the covered provider's policies and procedures are understood and followed, but also because HHS requires that covered providers document such training and produce such documentation upon request.

Obtain patient consents and authorizations (and understand the difference)

Covered providers must understand when patient 'consent' is required (for health care providers, for the use and disclosure of protected health information specifically for purposes of treatment, payment and health care operations) and when specific patient 'authorization' is required (for all other covered providers and for all other disclosures of protected health information). Also, physicians must understand that certain authorizations are required to use information about research subjects. Covered providers must carefully draft such consents and authorizations to ensure they are in compliance with the privacy rule. (Covered providers must also understand the rule's restrictions on whether they may condition treatment on getting a consent or authorization, and whether they may administer certain health care treatments without prior consent or authorization.)

Understand business associate liability

A covered provider may allow a 'business associate' to gain access to protected health information, but the provider must first receive 'satisfactory assurance' (in the form of a 'business associate contract') that the business associate will protect the information in accordance with the privacy rule (and that the business associate will require the same compliance from its subcontractors and agents). A business associate's violation of HIPAA's privacy rule may expose a covered provider to liability as well, so covered providers must understand this aspect of the rule. In general terms, a 'business associate' is a person or entity who either:

* Receives protected health information from the covered provider in the performance of its service (legal, actuarial, accounting, consulting, data aggregation, management, administration, financial services, etc.), or

* Performs a function or service involving the use or disclosure of protected health information on the behalf of the covered provider (a clearinghouse, hospital, etc.).

Understand the 'minimum necessary' rule

The privacy rule requires covered providers to use and disclose protected health information only to the 'minimum necessary' to accomplish the purpose of such use or disclosure (with exceptions).

Modify use of e-mail

Covered providers must pay particular attention to their use of e-mail in transmitting protected health information to patients and to others to ensure they do not violate the privacy rule.

The privacy rule affects the ways in which covered providers may use patient protected health information to engage in fundraising and marketing efforts. Providers must understand what types of patient consents and authorizations are needed for them to engage in such efforts, and in what ways such efforts must be modified to ensure compliance.

Understand how this rule interacts with state and federal laws

The HIPAA privacy rule is complicated and wide-reaching. This rule will change the way certain health information is stored, used and disclosed throughout the health care industry. Even though most covered health care providers are given until April of 2003 to comply with the rule, providers should commence their efforts to become compliant, because their task is potentially a large one. Providers must determine what information may be disclosed, how it may be disclosed, and to whom it may be disclosed. They must draft policies, procedures, patient notices, consents, authorizations and business associate contracts. They also must begin training their personnel. These are large undertakings and must be done correctly--and preferably in consultation with experienced legal counsel to guide such providers through the rule.
