HIPAA Training

"No, it's not a female
Hippopotamus, anyone else
know?"
"You have 300 e-mails on
HIPAA compliance questions.
And you could use a haircut."
"I haven't heard of HIPAA,
but I can hip hop."
Training is Required!
All employees and members of your
work force who have access to
protected health information need
HIPAA training! This PowerPoint
presentation – and the many other
features and information available on
this web site – will assist you in
satisfying the training requirement!
The format…
We’ll try to present the
information in an easy to
understand (and sometimes
humorous) manner!
So….
Let’s Get Started!
By Now, You All Know what
HIPAA is…right?
Healthcare
In
Pain
And
Agony (again)
The Big Picture
HIPAA implementation of the
standards does not have to be any type
of major burden on the average
HME/Re-hab provider, especially not
an economic burden.
You’ll be OK!
The Privacy compliance date is now
effective (April 14, 2003). Many
providers are not yet compliant.
You’ll be OK. There is, effectively,
no enforcement (*). But, some of you
may need to get moving NOW.
(*) At this time, any OCR actions have been “patient complaint driven”, i.e., there is no
formal HIPAA auditing procedure. There have been a relatively small number of
patient-initiated complaints (about 700 nationwide as of 7/17/03), most regarding a)
patient denied access to his or her medical records, b) no notice of privacy practices
provided to patients, and c) inadequate privacy safeguards in place in treatment settings.
Although health care organizations
had more than 24 months to
implement HIPAA…
Much confusion and
misunderstanding persists…
Without doubt, there may be some
real barriers and glitches in the law…
But, at this stage it is important to
clear up the glaring misconceptions!!
To get us “warmed up” let’s
look at a few common
examples regarding “Myths”
and the facts about what the
law actually says. (We’ll
have more examples later.)
Myth
One provider cannot send
medical records of a patient to
another provider without that
patient's consent.
Fact:
No consent is necessary for one
provider to transfer a patient's medical
records to another provider's office for
treatment purposes. The Privacy
Regulation specifically states that a
provider “is permitted to use or
disclose protected health information”
for “treatment, payment, or health care
operations,” without patient consent.
Myth
A provider is prohibited from sharing
information with the patient's
family without the patient's express
consent.
Fact:
 Under the Privacy Rule, a provider
may “disclose to a family member, other
relative, or a close personal friend of the
individual, or any other person identified by
the individual,” the medical information
directly relevant to such person's
involvement with the patient's care or
payment related to the patient's care. If the
patient is present, the provider may disclose
medical information to such people if the
patient does not object.
Myth
A patient's family member can no
longer pick up supplies from an HME
provider or prescriptions from a
pharmacy for the patient.
Fact:
Under the Regulation, a family
member or other individual may act
on the patient's behalf “to pick up
filled prescriptions, medical supplies,
X-rays, or other similar forms of
protected health information.” The
Regulation permits the provider to
reasonably infer that doing so is in the
patient's best interest and in
accordance with professional
judgment and common practice.
Myth
Patients will sue health care providers
for not complying with the HIPAA
Privacy Regulation.
Fact:
Even if a person is the victim of an
egregious violation of the HIPAA
Privacy Regulation, the law does not
give people the right to sue. An
individual's only federal recourse is to
file a written complaint with the
Office of Civil Rights, and it is then
within the Secretary's discretion to
investigate the complaint.
(continued)
 And, according to the final rule, HHS
“intends to seek and promote voluntary
compliance” and “will seek to resolve
matters by informal means.” Therefore
enforcement “will be primarily complaint
driven,” and civil penalties will only be
imposed if the violation was willful, with
the standard being even higher for imposing
criminal penalties, so there is not a
likelihood of strict enforcement or severe
penalties.
Myth
Patients' medical records can no
longer be used for marketing.
Fact:
Use or disclosure of medical
information continues to be permitted
for health related marketing. The
2000 version of the Privacy Rule
required that patients be notified if the
health care provider was paid to
communicate about a health related
product, be given the opportunity to
opt out of future communications, and
be informed of the identity of the
source of the communication. The
Bush Administration eliminated all of
these requirements from the
Regulation.
Marketing, continued
 Currently, the only disclosure of medical
information for marketing that requires
prior authorization by the patient under the
Privacy Rule is that in which the provider is
paid to recommend a product or service that
is not related to health. The Privacy
Regulation prohibits “marketing”; however,
marketing is narrowly defined so that any
communication about health related
products or treatment is permitted even if
the health care provider is paid to encourage
the patient to use the product or service.
???
The HIPAA Privacy Rule remains as
a source of great confusion among
providers and others within the health
care community.
We’ll review some of the more
confusing issues in a minute!
For governmental
information on HIPAA……
 e-mail your questions to
[email protected]
 Call the CMS HIPAA HOTLINE 1-866-627-7748
 Log onto the CMS HIPAA web site:
http://www.cms.hhs.gov/hipaa
 For Privacy inquiries only:
 Check out:
http://www.hhs.gov/ocr/hipaa
 Call: 1-866-627-7748
Let’s go back a little:
What Do I Really Have To
Do Now?
At a minimum (if you haven’t
done so yet!):
1. Appoint a Privacy Officer
(a person responsible for seeing that the privacy policies and
procedures are developed, adopted and followed)
2. Post a Notice of Privacy
Practices and provide a copy to the patients
about their privacy rights and how their
information can be used and how it will be
protected.
And…
 3. Create, adopt and implement your
policies and procedures for your facility.
 4. Train employees so they understand the
new privacy procedures (Use the VGM PPT
presentation!)
 5. Secure patient records that contain
protected health information so that they are
not readily available to those who don't
need them but are to those that do.
And, remember the Transaction
and Code Set Compliance date
is coming up!
You should now have begun testing
your updated software internally (or
make sure your clearinghouse or third
party biller is doing so) to ensure your
systems will be able to transmit
standardized transactions correctly
starting October 16, 2003.
October 13, 2003
“All covered entities must be ready to
transmit and receive the covered
transactions they conduct
electronically in the new standardized
HIPAA format. The law also requires
all Medicare claims be submitted
electronically in the HIPAA standard
format starting October 16, 2003
(with the exception of those from small
providers and under certain limited
circumstances.)”
Test, test and test.
Test your systems early and often.
Call your payers and determine when
they will be ready to test with you (or
your billing service or clearinghouse.)
Continually monitor their progress
until you are satisfied that you are
compliant with the standards. Changes
to your software may also affect your
internal office procedures. Test your
office systems and be certain to train
your staff on any changes.
Quick Review of the Basics!
HIPAA Applies to Covered
Entities (you all knew that, right??)
 Health Plans
 Health care Clearinghouses
 Health care Providers
“TPO”
“TPO” = Treatment,
payment and certain health
care operations
The definition covers more
than you might expect!
Treatment
 “The provision, coordination, or
management of health care and related
services by one or more health care
providers, including the coordination or
management of health care by a health care
provider with a third party; consultation
between health care providers relating to a
patient; or the referral of a patient for health
care from one health care provider to
another."
Payment
 For health plans, to obtain premiums or to
provide reimbursement to providers of
health care services
 For health care providers, to obtain
reimbursement for such services.
 Includes billing, claims management,
collection activities, review of health care
services with respect to medical necessity,
coverage under a health plan,
appropriateness of care, or justification of
charges;
and also…
 utilization review activities, including
precertification and reauthorization of
services, concurrent and retrospective
review of services; and disclosure to
consumer reporting agencies of any of the
following protected health information
relating to collection of premiums or
reimbursement: name and address, date of
birth, social security number, payment
history, account number(s), and name(s)
and address(es) of health care provider(s)
and/or health plan(s).
Health care operations
HIPAA bundles a large number of
functions into the term "health care
operations." This expansive list is
important for many reasons, most
notably because HIPAA requires no
permission from patients for uses
Health care operations include:
 contacting of health care providers or
patients with information about treatment
alternatives
 case management and care coordination
 conducting quality assessment and
improvement activities, including
outcomes evaluation and development of
clinical guidelines or protocols (but NOT
general research)
 activities relating to improving public
health or reducing health care costs
and…
 reviewing the competence or qualifications
of health care professionals
 evaluating practitioner and provider
performance
 evaluating health plan performance
 conducting training programs for students,
trainees, or practitioners (health or non-health)
 accreditation, certification, licensing, or
credentialing activities
and…
 conducting or arranging for medical review,
legal services, auditing functions or other
compliance programs
 business planning and development, cost-management and planning-related analyses
 development or improvement of methods of
payment or coverage policies
 business management and general
administrative activities of the entity
 business activities relating to compliance
with HIPAA
Wow! That Includes a Lot!
It sure does! So, you see that in most
cases in dealing with your patients you
do NOT need to worry about
obtaining any consent.
But…… Information uses and
disclosures not falling within the TPO
trio, and not otherwise exempted by
other parts of the privacy regulations,
require a supplemental authorization.
Authorization
For some "extra" activities, the
patient must provide an
authorization. There are four areas
where authorizations are likely to
come into use.
The Four Areas
The first is for psychotherapy notes,
but these are probably not applicable
to most HME/Re-hab providers!
The second important area is research.
HIPAA defines research as any
"systematic investigation, including
research development, testing, and
evaluation, designed to develop or
contribute to generalizable
knowledge."
Authorizations, cont’d
 The third major area for authorizations is a
marketing activity that fails to meet certain
criteria for exception.
 Under HIPAA regulations, marketing is
defined as "making a communication about
a product or service that encourages the
recipients of the communication to purchase
or use the product or service."
Authorizations, cont’d
The fourth area is in general requests
for, and release of, protected health
information, such as information
required as part of an insurance
coverage application.
For HME/Re-hab providers, this area is
the most likely in which you will need
to obtain the authorization.
Some Better News About
Authorizations
The final Privacy Rule eliminates the
requirements to have separate and
different authorization forms. A
single authorization form is to be used
for all authorization purposes.
Other Important Features
of the Final Privacy Rule
Notice of Privacy
Practices
Must be presented at “time of first
service” (usually for treatment)
This does NOT mean providers have to
mail the NPP to their entire patient data
base (more discussion will follow…)
 Model Forms are readily available for
specific HME, Home Care & Hospice
applications!
Tips on the NPP
 Use dual “layered” Notices (post a shorter
version that briefly summarizes the
individual's rights, as well as other
information)
 “Revised” Notices must be redistributed to
patients (Web site posting is OK!)
 Direct treatment providers must still hand
out the full notice (with or without a
summary) and obtain an acknowledgement
of receipt in writing or make a good faith
effort to obtain one.
What about this NPP
acknowledgement?
HIPAA does NOT specify a format
nor content to the Acknowledgement
of the NPP, except that the document
is "a written acknowledgement of
receipt" or "documentation of good
faith efforts to obtain such written
acknowledgment".
More NPP & Acknowledgment
If the good faith effort fails to
obtain an acknowledgment (e.g., the
patient refuses to sign), the reason(s)
why should also be documented in
writing.
A health care provider whose first
treatment encounter with a patient is
over the phone satisfies the
requirements by mailing the notice to
the individual no later than the day of
that service delivery.
More NPP & Acknowledgment
Providers may include a tear-off sheet
or other document with the notice that
requests the acknowledgment be
mailed back to the provider.
In some cases, “electronic” (e.g.
email) delivery is OK.
Questions about the NPP?
Pharmacy & NPP ?
We just added DME to our pharmacy.
Is our pharmacist permitted to have
customers acknowledge receipt of the
notice by signing or initialing the log
book that they already sign when they
pick up prescriptions??
 Yes, provided that the individual is clearly
informed on the log book of what they are
acknowledging and the acknowledgment is
not also used as a waiver or permission for
something else that also appears on the log
book (such as a waiver to consult with the
pharmacist). The HIPAA Privacy Rule
provides covered health care providers with
discretion to design an acknowledgment
process that works best for their businesses.
Consent
 (Remember….now optional)
• Providers may obtain patient consent
prior to using or disclosing PHI for
treatment, payment or healthcare
operations
Individual (Patient) Rights,
Training and Use &
Disclosure
Many providers don’t realize there
is much more to the Privacy Rule
than the NPP and Business
Associate regs. You should be
aware of (at least) these issues.
Let’s review some of them!
Individual (Patient) Rights
 Right to request restrictions on
certain uses and disclosures
 Right to receive confidential
communications of PHI
 Right to review and copy PHI
Individual (Patient) Rights
 Right to amend and correct PHI
 Right to receive an accounting
of how PHI has been used or
disclosed
 Right to receive written notice
of how PHI will be used and
disclosed
Training


The regs require that you “provide
training to members of the work
force”
This does NOT necessarily mean
you have to expend many $$ for the
many “tools” now on the market.
Training
Rather, the guidance states, it depends
on the size and complexity of your
operation.
In many cases, the training can be
simply having your staff read the
appropriate sections of your
compliance materials, and sign that
they understand your policies and
procedures (!)
A Few Training Details
On-going training is required
New staff, volunteers and temporary
hires are required to have HIPAA
training
Business Associates are an option
 For larger organizations, make
training a part of orientation and re-orientation
Common Use & Disclosure
Questions/Topics
 Use & Disclosure regulations
are quite long (and some think
very boring!) So, we’ll use some
common Q&As and a few real-life situations to keep you a little
more interested…Deal?
Use & Disclosure
Patient Medical Record: We have a
patient's medical record that contains
older portions of a medical record that
were created by another/previous
provider (such as a physician). Will
the HIPAA Privacy Rule permit us to
disclose a complete medical record
even though portions of the record
were created by other providers?
Answer…
Yes, the Privacy Rule permits a
provider to disclose a complete
medical record including portions that
were created by another provider,
assuming that the disclosure is for a
purpose permitted by the Privacy
Rule, such as treatment.
Use & Disclosure, cont’d
Do patients have the right to access
and/or amend their records that
were created prior to the effective date of
the Privacy Rule (4/14/03)?
Use & Disclosure
YES!
Use & Disclosure, cont’d
Would an authorization be necessary
for a patient to take records, for
treatment reasons, to another
provider? And/or, can a family
member pick-up records for the
patient for the same reason?
 Authorization is not required under
HIPAA but it may be required under your
state law.
 Consider obtaining an authorization from
the patient even if your state law does not
require it. It is your proof that you allowed
access to those records and your proof that
you verified the identity of the person
making the request for copies of the record.
You could document all that information,
which is time consuming, or you could have
the patient complete an authorization and
use that for your documentation.
Use & Disclosure, cont’d
(Actual VGM Question): “I HAD A
PHONE CALL FROM ANOTHER
DME SUPPLIER ASKING ABOUT
A COMMON PATIENT. HOW DO I
HANDLE SUCH A REQUEST AS IT
PERTAINS TO HIPAA AND PHI
DISCLOSURE? THANK YOU”
 The final Privacy Rule (August 2002
amendments) eased many of the privacy
regulations, including TPO Disclosures:
 “Clarifies disclosures from one provider to
other providers for treatment are permitted,
and the CE can disclose PHI to another CE
to facilitate the recipient’s Payment and
aspects of Health Care Operations, i.e.,
quality assurance, population based health
activities, case management, training,
accreditation, certification, licensing, or
credentialing.”
Use & Disclosure, cont’d
 If my patient suggests that I am not
complying with the Use and
Disclosure regulations, and/or that
his privacy rights have been
violated, where would he submit a
complaint?
 The Office of Civil Rights. However, CEs
have until April 14, 2003, to comply with
the HIPAA Privacy Rule. Activities
occurring before April 14, 2003, are not
subject to OCR enforcement actions. After
that date, a person who believes a CE is not
complying with a requirement of the
Privacy Rule may file with OCR a written
complaint, either on paper or electronically.
This complaint must be filed within 180
days of when the complainant knew or
should have known that the act had
occurred.
Use & Disclosure, cont’d
If patients request copies of their
medical records as permitted by the
Privacy Rule, are they required to pay
for the copies?
The Privacy Rule permits you to
charge reasonable, cost-based fees.
The fee may include only the cost of
copying (including supplies and labor)
and postage, if the patient requests
that the copy be mailed. If the patient
has agreed to receive a summary or
explanation of his or her PHI, then you
may also charge a fee for preparation
of the summary or explanation. The
fee may not include costs associated
with searching for and retrieving the
requested information.
Use & Disclosure, cont’d
Can I FAX patient medical
information to another provider’s
office (such as the primary care
physician)?
 Yes.
Providers can disclose PHI to another health
care provider for treatment purposes. This can be
done by fax or by other means. You must have in
place reasonable and appropriate administrative,
technical, and physical safeguards to protect the
privacy of PHI that is disclosed using a fax
machine.
Examples of measures that could be reasonable
and appropriate in such a situation include the
sender confirming that the fax number to be used is
in fact the correct one for the other provider’s
office, and placing the fax machine in a secure
location to prevent unauthorized access to the
information.
Use & Disclosure, cont’d
 The section concerning "Amendment
of Health Information" gives no
examples of what types of
information a patient may want to
amend in his/her PHI. What is this all
about? I can see someone needing to
change insurance information or
similar items, but surely the actual
medical condition or circumstances of
the event cannot be changed!
The government's intent with the Amendment rule is
to make sure the record is complete and accurate.
The Amendment rule limits those items to be
amended to those in the designated record set,
which is determined by the provider, usually the
medical and billing record.
It is not, however, meant for any correction to be
made as medical records are legal documents. It is
also not meant to be an administrative burden on
the provider. So by checking and making sure
records are complete and accurate, a provider can
minimize the amount of "amending" needed to be
done.
The provider is also not responsible for records not
originating within his office. The patient should be
directed to the source of the record for those
amendments.
Use & Disclosure, cont’d
I read that “incidental” use and
disclosure is OK. I presume that
means things like if I’m overheard
discussing patient treatment with
another therapist. What’s the actual
definition?
 Customary communications and practices play an
important and essential role in ensuring that
patients receive prompt and effective health care.
Due to the nature of the communications and the
various environments, the potential exists for a
patient’s PHI to be disclosed incidentally. HIPAA
does not intend to impede these communications
and practices and does not require that all risk of
incidental use or disclosure be eliminated to satisfy
the standards.
 Incidental uses and disclosures are permitted if they
occur as a by-product of another permissible use or
disclosure, as long as the CE has applied
reasonable safeguards and implemented the
minimum necessary standard.
Use & Disclosure, cont’d
How about collection agencies?
Disclosure of PHI to a collection
agency used by CEs is acceptable
under HIPAA as a Business Associate
arrangement. Under HIPAA rules the
CE may disclose protected health
information as necessary to obtain
payment for health care, and does not
limit to whom such a disclosure may
be made.
SECURITY
(If this doesn’t confuse you,
nothing will!)
Security Rule: FYI!
The Security Rules were recently
finalized and published in the Federal
Register on February 21.
Rules will be effective April 21, 2005.
Security and Privacy Rules intertwine.
Even with a 2005 compliance date, the
time to prepare is now!
What? There is “security” in
the “Privacy Rule” ?
 Yes. There is a "mini-security rule" (in section 164.530 for
any HIPAA-nerds) that requires
providers and their business associates
to implement "appropriate
administrative, technical and physical
safeguards" for PHI in all forms, non-electronic and electronic…requiring
compliance by April 14, 2003
The Final Security Rule
The final standards are defined in
rather generic terms that emphasize being
“scalable, flexible, and generally
addressable through various
approaches or technologies”. So, the
final rule is essentially a model for
information security, with less specific
guidance on how to implement it.
What about some model
forms like we have for the
Privacy Rules???
Good question! HHS has promised
more specifics in the future and to
provide model guidance documents.
As the compliance date is not until
2005, we have some time.
OK, in the meantime, what’s
in this final Security Rule???
The new rules, just like the Privacy
rules, have "standards" - what must be
done; and "implementation
specifications" - how to do it. The
standards are separated into three
groups - Administrative Safeguards,
Physical Safeguards and Technical
Safeguards.
“Implementation Specifications”
Most of the standards have
“implementation specifications”, that
describe the actions that should be
taken to ensure compliance with the
standards. However, only 13 of these
implementation specifications are
required; the majority of the
specifications are termed
"addressable."
HHS introduced this concept of
"addressable implementation
specifications" (AIS) to provide
you “additional flexibility with
respect to compliance with the
security standards.”
“Addressable”??
“Addressable specifications” are
variable approaches to meeting
specific standards, any of which may
not be relevant to you. For example,
the Rule requires training on security
issues for the workforce, but identifies
training in passwords only as an
"addressable" specification.
So, “addressable” gives us a
little wiggle room, huh?
You might say that. But you
still must be reasonable!
What is reasonable?
The decision about the “reasonable
and appropriate” nature of these
“addressable specifications” is up to
you, the provider! It should be based
on your overall technical environment
and security framework. This
decision may rely on many things,
including the measures you already
have in place, and the cost of
implementing new measures.
What’s “Required”
“Required implementation” is just
what it says - the provider will need to
implement this specification to be in
compliance.
 The list includes many workstation
use and security procedures.
Give me an example of some
“required” workstation procedures!
OK!: “Implement policies and
procedures that specify the proper
functions to be performed, the manner
in which those functions are to be
performed, and the physical attributes
of the surroundings of a specific
workstation or class of workstation
that can access electronic protected
health information.”
That’s HIPAA-Babble and pretty
vague, isn’t it?
 Yes, I agree. Again, we’ll be seeing
plenty of “how to” security
compliance manuals and tips.
Remember the procedures will be
scalable to the size and complexity of
your provider organization. In the
meantime, just try to understand the
concepts!
Let’s Be Reasonable: Flexible
and Scalable Security
Most important: Use common sense
and reason in securing your data,
systems, facility and personnel!
 Many of the requirements are
probably already in place (e.g., locks
on the doors, fire and theft alarms for
the facility…you get the idea, right?)
Summary of the HIPAA Security Rules
 Establish and document policies and
procedures relating to information
security
 Establish physical safeguards of computer
systems, equipment and buildings
 Technical security to protect the
confidentiality and integrity of
information and control and monitor
access
 Safeguard systems against external threats
The Bottom Line:
Remember!
“Scalability – the Privacy and Security
rules are the same no matter what size
the entity”…however implementation
requirements for small providers are
much less than what is expected from
large providers
Important!
You should not panic and think
Security is going to cost you a
fortune. Think before you buy and
let common sense and reason be
your other guide!
Fact or Fiction?
Fact or Fiction?
 Patient: My respiratory therapist needs to
discuss my treatment with other doctors.
But the Privacy Rule prohibits doctors and
other providers from discussing private
health information if there is a possibility
that someone will overhear. What if my
therapist needs to discuss my condition with
a doctor, or with me over the phone from
someplace other than a private office? The
privacy rule prevents these discussions!
Fiction!
False! The Privacy Rule is not
intended to prohibit providers from
talking to each other and to their
patients. HHS has developed new
regulatory language to clarify this
issue.
Fact or Fiction?
Patient: The privacy rule will create a
government database with all of my
personal health information (including
data from my home health care
providers).
Fiction!
False! The rule does not require a
provider or any other CE to send
medical information to the
government for a government
database or similar operation.
Fact or Fiction?
Patient: My HME also has a
pharmacy. But, the privacy rule
prevents the pharmacist from filling
my prescription before I show up and
sign that consent. Now, instead of
having the prescription waiting for
me, I’ll have to come to the pharmacy,
sign a consent, and then wait around
while the prescription is filled.
Fiction!
False! The Privacy Rule permits
CEs, including HMEs and
pharmacists, to use identifiable health
information for treatment, payment, or
health care operations without prior
patient consent. HHS developed new
regulatory language to fix this
potential problem.
Fact or Fiction?
HME or Re-hab Provider: The
privacy rule requires me to monitor
the activities of my business
associates.
Fiction!
False! CEs are not required to monitor
or oversee the means by which the
business associate carries out
safeguards or the extent to which the
business associate abides by the
requirements of the contract.
Fact or Fiction?
The Privacy Rule will require me to
redesign my office.
Fiction!
False! The Privacy Rule does not
require these types of structural
changes be made to facilities. Under
the proposed Security Rules, however,
covered entities must have in place
appropriate administrative, technical,
and physical safeguards to protect the
privacy of PHI.
Fact or Fiction?
All Providers: The privacy rule
allows HME staff, therapists,
practitioners, and others to review a
patient’s entire medical record if they
think they need it to do their jobs.
Fact!
True! The Privacy Rule does not
prohibit use or disclosure of, or
requests for an entire medical record.
The CE must document in its policies
and procedures that the entire medical
record is the amount reasonably
necessary for certain identified
purposes.
Fact or Fiction?
HME/Re-hab Provider: The privacy
rule requires covered entities to
purchase expensive computer
equipment.
Fiction!
False! The Privacy Rule requirements
do not require any particular
technologies or types of technologies.
They are flexible and scalable to the
CE’s information needs and
information systems.
Fact or Fiction?
Billing Service, Clearinghouse or
Payer: How are we supposed to do
business under this Rule? It would
prohibit providers from faxing
information to us, or to each other, or
to their patients.
Fiction!
False! The Rule does not prohibit
faxing of individually identifiable
health information. Covered entities
must have in place appropriate
administrative, technical, and physical
safeguards to protect the privacy of
PHI.
Fact or Fiction?
The Privacy Rule is delayed by the
Administrative Simplification
Compliance Act (ASCA) that was
passed in December 2001 and allowed
for an extension to October of 2003 by
submitting a compliance plan.
Fiction!
False! This law delays compliance
with the Transaction and Code Set
standards for covered entities that file
a compliance plan. This law does not
apply to the Privacy Rule. The
compliance date for the Privacy Rule
is still April 14, 2003.
Fact or Fiction?
Patient: When my family member
comes to pick me up from my Re-hab
facility, they will still be able to
explain my condition and tell him
what to expect when I return home.
Right?
Fact!
True! The Rule permits providers to
discuss a patient’s condition with
family or friends involved in the
person’s care, unless the patient
objects.
References
Mark J. Higley, MBA
Vice President - Development
The VGM Group