HIPAA Introduction (Part 1)
By John Henry Xu

About the Author

John Henry Xu is a technical manager, business and database analyst. His expertise includes Project Management Methodologies, Business architect analysis and design, Internet and Database technologies.

1 What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) demands change in health care provider-payer transactions and privacy. HIPAA standardizes the transactions between providers and payers and encourages them to be electronic; one could call this part of HIPAA the electronic commerce or ecommerce part. The Privacy Rule affects the way health care professionals communicate and the rights of patients.

HIPAA applies to health care providers large and small, but this manual addresses the small provider.

The compliant entity will be rewarded with:

- Monetary gain through faster, cleaner electronic claims and
- Increased patient satisfaction through demonstration of the practice's respect for the confidentiality of the patient's record.

Non-standard claims may not be paid and may generate fines, and violating confidentiality can result in fines and prison terms. Compliance efforts should be underway.

2 The Compliance Life Cycle



Compliance involves these essential steps:

- Awareness,
- Implementation, and
- Maintenance.

Budget reforms and legal minefields challenge the practice of medicine. The latest challenge comes in the form of HIPAA's Administrative Simplification provisions.

These transactions cover eligibility inquiries, claims, claims attachments, remittance advice, and more. Standardization of these transactions should mean that doctors get fewer inquiries from payers about what was meant and that the time from a claim to a remittance should reduce.

Patients should acknowledge receipt of a Notice of Privacy Practices. The Notice explains that anyone involved in treatment, payment, or healthcare operations may benefit from the medical record relatively unencumbered. Authorization from the patient is typically required if any disclosure is to be made for other than health care reasons.

The Minimum Necessary portion of the Privacy Rule asks that a staff person try not to read information about a patient when that information has no impact on the staff person's ability to serve the patient. In integrated delivery networks, 'Minimum Necessary' could mean that the receptionist working from a computer terminal is not supposed to see the patient's online lab results. However, the government recognizes that the small practice is based on paper records, and that the entire patient record goes from desk to desk. In the small practice all employees may handle the entire record because nothing else is practical to do.

The Privacy Rule strengthens patient rights. The patient has a right to a copy of the patient record, and the clinic can only charge the cost of providing the copy. The patient may request to add an amendment to the record. If the doctor refuses, then among other things the doctor must note in the record that an amendment was requested but refused. Finally, for those cases where disclosures are permissible and are made without explicit patient authorization, the clinic must keep track of those disclosures, and if the patient requests an accounting of those disclosures, the clinic must provide such an accounting. All these things can be practically accomplished with the paper record and straightforward procedures.

The Privacy Rule is not asking for anything beyond what some would consider common sense. Most practices already do most of the things requested by the Privacy Rule. However, through the pressures of everyday practice, executives may have made decisions in the name of expedient, quality care that now need to be further tempered with concern for privacy.

In a small practice, the office manager should

1. study the manual's entire content,
2. tailor the Notice of Privacy Practices, authorization form, staff training essay, and employee confidentiality form to the particular practice, and
3. call a meeting of the office staff.

At the staff meeting the staff training essay is read. Then staff are asked to read and sign the employee confidentiality form. The form is subsequently included in the employee's personnel record. The record of training progress is updated to note that staff at the meeting have been trained.

The office manager creates a folder in the front office and places the Privacy Notice and authorization forms there. The receptionist is told to check for each registering patient whether or not the patient has acknowledged receipt of the Notice of Privacy Practices. If not, then the patient should be given the Notice of Privacy Practices and asked to sign an acknowledgement form. The signed acknowledgement form is placed in the medical record beside the patient's insurance information.

The fax policy is posted beside the fax machine. Anyone engaged in email with protected health information is given the email policy. When issues of authorizations, access, amendment, accounting, or restrictions arise, the office manager is contacted.

The office manager will complete the table "Entities Receiving Protected Health Information" to record all entities that receive protected health information. Vendors that are used for legal, actuarial, accounting, consulting, management, administrative, accreditation, data aggregation, transcription, or financial services can be given individually identifiable health information if those vendors sign business associate contracts with the practice. Otherwise, the practice needs to get authorization to release the information to the vendor. The office manager will negotiate the business associate contracts with the vendors. Completed contracts are noted in the table of business associate contracts.

For the ecommerce portion of HIPAA, the office manager should have applied by October 16, 2002 for an extension to the compliance deadline. The enclosed letter to clearinghouse or vendors should be addressed and sent.

Every quarter the Office Manager should review the status of compliance. A spot check of medical records should be done to confirm that any new patients seen in the quarter have acknowledged receipt of the Notice of Privacy Practices. The various tables recording authorizations and patient rights are reviewed for timeliness. If any new staff have appeared in the quarter, then they should be trained. The table of entities receiving protected health information is compared with the table of business associate contracts, and any discrepancies are resolved. This documentation of performance must be continually maintained.

The implementation phase involves:

- Week 1: Chief reads Chief Awareness Essay, passes manual to Office Manager, and appoints Office Manager as Privacy Officer - time 1 hour.
- Week 2: Office Manager studies manual and tailors forms and writes to clearinghouse/vendors - time 4 hours.
- Week 3: Office Manager convenes 1 hour meeting of staff - 2 hours of Office Manager and 1 hour of everyone else.
- Week 4: Forms and policies placed in various folders in the practice and staff specifically trained on responsibility vis-à-vis the forms and policies - 2 hours of Office Manager and half hour of everyone else.
- Week 5: Contracts with external entities are collected and assessed as to whether protected health information is involved and whether or not business associate contracts are required - 2 hours of Office Manager.
- Week 6: Amend contracts that require business associate clauses - 3 hours.

Total time invested in first 6 weeks:

- Chief: 1 hour
- Office Manager: 13 hours
- Assistants: 1.5 hours

For an entity with 2 senior providers (such as physicians) and 4 assistants, this would mean a total time commitment of (2 * 1) + 13 + (4 * 1.5) hours = 21 hours.

After implementation, the maintenance effort for privacy compliance depends largely on the frequency with which patients request special actions. Experts agree that patients are unlikely to take advantage of the opportunities presented them under the Privacy Rule. If a small entity has 1,000 patients, then one might speculate that 10 will ask for a copy of their record in one year and only 1 will request an amendment or an accounting of disclosures. The need to create new or different business associate contracts or train new employees should happen infrequently. The training of new employees can be a few minutes of the new employee orientation. In total, one hour per quarter may suffice for maintenance of privacy compliance. Thus, in the first year the 21 hours for implementation and the 3 hours of maintenance lead to a total in the first year of 24 hours. In subsequent years, maintenance of compliance would take 4 hours per year.

3 Privacy

Compliance with the Privacy Rule is basically a matter of policy and procedures which are appropriately implemented through time to protect health information. The critical concepts are:

- Covered Entity: A healthcare provider, a health plan, or a clearinghouse is a covered entity. HIPAA compliance is required of covered entities.
- Individually identifiable health information: Any health information about a patient that includes the name, phone number, address, social security number, or other such identifier is considered 'individually identifiable health information'.
- Protected health information: 'Individually identifiable health information' in a covered entity that has at any time had any such information in electronic form in a HIPAA transaction (such as a claim or eligibility inquiry).
- Uses and Disclosures: 'Use' occurs when a person within a covered entity shares protected health information with another person inside the same covered entity, whereas 'disclosure' occurs when the information goes from one entity to another.

The following subsections provide the forms, policies, and procedures to support a privacy compliance program and can be seen from the perspective of a privacy gap analysis.

Privacy Gap Analysis

Do you have?                         Yes    No

Patient Rights
  Authorization Form                 ___    ___
  Notice of Privacy Practices        ___    ___
  Access and Amend Policy            ___    ___
  Account and Restrict Policy        ___    ___

Communication
  Phone, Email, Fax Policy           ___    ___
  Medical Record Use Guidelines      ___    ___

Administration
  Privacy Officer                    ___    ___
  Business Associate Contract        ___    ___
  Documenting Behavior               ___    ___

Safeguards
  Staff Training                     ___    ___

3.1 Patient Rights

Editorial Note: Forms and policies, such as presented here, are mandatory under the Privacy Rule.

Patients should be given a 'Notice of Privacy Practices' and should acknowledge receipt of same. Authorization forms should be completed for non-routine use of protected health information.

Patients have the right to

- Access their health record,
- Request an amendment of their record,
- Receive an accounting of certain disclosures made of their record, and
- Request restriction on use and on method of communicating.

Forms and policies to support the aforesaid are next.

3.1.1 Notice of Privacy Practices

Editorial Note: Each entity must provide a notice of HIPAA privacy practices to its patients. The entity is required to demonstrate a good faith effort to get the patient's signed acknowledgement of receiving the Notice.

PROVIDER NOTICE OF PRIVACY PRACTICES

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

Key Issues

Uses and Disclosures: We use health information about you for treatment, to obtain payment for treatment, for administrative purposes, and to evaluate the quality of care that you receive. Continuity of care is part of treatment and your records may be shared with other providers to whom you are referred. We may use or disclose identifiable health information about you without your authorization in several situations, but beyond those situations, we will ask for your written authorization before using or disclosing any identifiable health information about you.

Your rights: In most cases, you have the right to look at or get a copy of health information about you. If you request copies, we will charge you only normal photocopy fees. You also have the right to receive a list of certain types of disclosures of your information that we made. If you believe that information in your record is incorrect, you have the right to request that we correct the existing information.

Our legal duty: We are required by law to protect the privacy of your information, provide this notice about our information practices, follow the information practices that are described in this notice, and seek your acknowledgement of receipt of this notice. Before we make a significant change in our policies, we will change our notice and post the new notice in the waiting area. You can also request a copy of our notice at any time. For more information about our privacy practices, contact the person listed below.

Complaints: If you are concerned that we have violated your privacy rights, or you disagree with a decision we made about access to your records, you may contact the person listed below. You also may send a written complaint to the U.S. Department of Health and Human Services. The person listed below can provide you with the appropriate address upon request.

If you have any questions or complaints, please contact:

Office Manager: _________________
Address: _______________________________
Phone: ___________________________

Further Details

1. Uses and Disclosures of Protected Health Information

Following are examples of the types of uses and disclosures of your protected health care information that the provider is permitted to make. These examples are not meant to be exhaustive, but to describe the types of uses and disclosures.

Treatment: We will use and disclose your protected health information to provide, coordinate, or manage your health care and any related services. For example, your protected health information may be provided to a doctor to whom you have been referred to ensure that the doctor has the necessary information to diagnose or treat you.

Payment: Your protected health information will be used, as needed, in activities related to obtaining payment for your health care services. For example, obtaining approval for a hospital stay may require that your relevant protected health information be disclosed to your health insurance company or governmental plan to obtain approval for the hospital admission.

Healthcare Operations: We may use or disclose, as needed, your protected health information in order to support our business activities. For example, when we review employee performance, we may need to look at what an employee has documented in your medical record.

Business Associates: We may share your protected health information with a third party 'business associate' that performs various activities (e.g., billing, transcription services). Whenever an arrangement between us and a business associate involves the use or disclosure of your protected health information, we will have a written contract that contains terms that will protect the privacy of your protected health information.

Marketing: We may use or disclose certain health information in the course of providing you with information about treatment alternatives, health-related services, or fund-raising. You may contact us to request that these materials not be sent to you.

Written Authorization

Other uses and disclosures of your protected health information will be made only with your written authorization, unless otherwise permitted or required by law as described below. You may revoke your authorization, at any time, in writing.

Opportunity to Object

We may use and disclose your protected health information in the following instances. You have the opportunity to object. If you are not present or able to object, then your provider may, using professional judgment, determine whether the disclosure is in your best interest.

Facility Directories: Unless you object, we will use and disclose in our facility directory your name, the location at which you are receiving care, your condition (in general terms), and your religious affiliation. All of this information, except religious affiliation, will be disclosed to people that ask for you by name. Members of the clergy will be told your religious affiliation.

Others Involved in Your Healthcare: Unless you object, we may disclose to a member of your family, a relative, a close friend or any other person you identify, your protected health information that directly relates to that person's involvement in your health care.

Emergencies: In an emergency treatment situation, we will provide you a Notice of Privacy Practices as soon as reasonably practicable after the delivery of treatment.

Communication Barriers: We may use and disclose your protected health information if we have attempted to obtain acknowledgement from you of our Notice of Privacy Practices but have been unable to do so due to substantial communication barriers and we determine, using professional judgment, that you would agree.

Without Opportunity to Object

We may use or disclose your protected health information in the following situations without your authorization or opportunity to object:

Public Health: for public health purposes to a public health authority or to a person who is at risk of contracting or spreading your disease.

Health Oversight: to a health oversight agency for activities authorized by law, such as audits, investigations, and inspections.

Abuse or Neglect: to an appropriate authority to report child abuse or neglect, if we believe that you have been a victim of abuse, neglect, or domestic violence.

Food and Drug Administration: as required by the Food and Drug Administration to track products.

Legal Proceedings: in the course of legal proceedings.

Law Enforcement: for law enforcement purposes, such as pertaining to victims of a crime or to prevent a crime.

Coroners, Funeral Directors, and Organ Donation: for the coroner, medical examiner, or funeral director to perform duties authorized by law and for organ donation purposes.

Research: to researchers when their research has been approved by an Institutional Review Board or Privacy Board.

Soldiers, Inmates, and National Security: to military supervisors of Armed Forces personnel or to custodians of inmates, as necessary. Preserving national security may also necessitate disclosure of protected health information.

Workers' Compensation: to comply with workers' compensation laws.

Compliance: to the Department of Health and Human Services to investigate our compliance.

In general, we may use or disclose your protected health information as required by law and limited to the relevant requirements of the law.

2. Your Rights

You have the right to:

- inspect and copy your protected health information. However, we may refuse to provide access to certain psychotherapy notes or information for a civil or criminal proceeding.
- request a restriction of your protected health information. You may ask us not to use or disclose certain parts of your protected health information for treatment, payment or healthcare operations. You may also request that information not be disclosed to family members or friends who may be involved in your care. Your request must state the specific restriction requested and to whom you want the restriction to apply. We are not required to agree to a restriction that you may request, but if we do agree, then we must act accordingly.
- request to receive confidential communications from us by alternative means or at an alternative location. We will accommodate reasonable requests. We may also condition this accommodation by asking you for information as to how payment will be handled or specification of an alternative address or other method of contact. We will not request an explanation from you as to the basis for the request.
- ask us to amend your protected health information. You may request an amendment of protected health information about you. If we deny your request for amendment, you have the right to file a statement of disagreement with us, and your medical record will note the disputed information.
- receive an accounting of certain disclosures we may have made. This right applies to disclosures for purposes other than treatment, payment or healthcare operations. It excludes disclosures we may have made to you, for a facility directory, to family members or friends involved in your care, or for notification purposes. You have the right to receive specific information regarding these disclosures. The right to receive this information is subject to certain exceptions, restrictions and limitations.
- obtain a paper copy of this notice from us, upon request, even if you have agreed to accept this notice electronically.

END of Notice of Privacy Practices

.....................................................................................................................

Acknowledgement of receipt of Notice of Privacy Practices:

Please sign your name and print your name and date on this acknowledgement form. Then detach the form from the Notice along the dotted line and return your signed acknowledgement to the receptionist.

Signature: _______________________
Printed name: _______________________
Date: _____________________

3.1.2 Authorization Form

AUTHORIZATION for RELEASE of INFORMATION

I hereby authorize the use or disclosure of my individually identifiable health information as described below. I understand that this authorization is voluntary. I understand that if the organization authorized to receive the information is not a health plan or healthcare provider, then the released information may no longer be protected by federal privacy regulations.

Patient name: __________________
ID number: _______________
Persons/organizations providing the information: ____________________
Persons/organizations receiving the information: ____________________
Specific description of information (includes dates): ___________________
What is the purpose of the use or disclosure? _________________________________

I understand that my healthcare and the payment for my healthcare will not be affected by my signing this form.

I understand that I may see and copy the information described on this form if I ask for it, and that I get a copy of this form after I sign it.

I understand that this authorization will expire on __/__/__ (DD/MM/YR)

I understand that I may revoke this authorization at any time by notifying the providing organization in writing, but if I do, it won't have any effect on any actions they took before they received the revocation.

Signature of patient or patient's representative: ___________________
Date: ________________
Printed name of patient's representative: _________________
Relationship to the patient: __________________

You may refuse to sign this authorization.

END of AUTHORIZATION

3.1.3 Access and Amendment Policy

Editorial Note: This policy and procedure would be part of the entity's documentation. Some of the choices made in the following are not mandatory. For instance, the entity could require that requests be only in writing. The intent here is to be as accommodating to the patient as practical.

Access Right

We give patients access to their health information whether we or our business associates hold that information and whether or not we were the source of the information. Exceptions to this access occur rarely, such as when disclosure of the information to the individual is deemed dangerous. If we feel we need to deny access, we provide an explanation. Sometimes the patient can contest this denial, and then we will have a third party review the situation.

The patient may request access in person or in writing, and we will record the request in a log book. We typically have 30 days in which to provide the information. We will charge the patient the cost of photocopying.

Amendment Right

The patient may request in person or in writing that we amend our records about the patient. We will log the patient request and reply within 60 days. We may deny the patient request if we were not the originators of the information or we believe the information is accurate.

When we make an amendment, we add a note to the record to indicate the change but do not delete the original information. If we deny the patient request, then we provide an explanation to the patient and in the record. The patient may contest our denial and among other things we will document the patient concerns in the record.

3.1.4 Accounting and Restrictions Policy

Editorial Note: Again, the Privacy Rule provides options not all detailed here. For instance, under 'disclosures' the policy here allows the patient to request in writing or verbally, but the Privacy Rule would allow the entity to require that all requests are in writing.

Accounting of Disclosures

The patient has a right to receive an accounting of certain disclosures of the patient's protected health information. The patient's request must be in writing. We have 60 days to respond. Our accounting to the patient will:

- Be in writing,
- Include the dates of disclosure and to whom the information was sent,
- Describe what information was sent, and
- State the purpose of the disclosure.

Not subject to the accounting requirement are disclosures:

- made to the individual,
- for treatment, payment, or health care operations,
- made with patient authorization,
- covered by a business associate agreement,
- for national security or intelligence purposes, or
- to correctional institutions or law enforcement officials.

Disclosures remaining in the 'Notice of Privacy Practices' under the heading 'Without Opportunity to Object' need to be tracked, and those are disclosures for Public Health, Health Oversight, Abuse or Neglect, Food and Drug Administration, Legal Proceedings, Coroners, Research, Workers' Compensation, or Compliance. In any given 12-month period, we will provide one accounting at no cost. The accounting only covers disclosures since Privacy Rule Compliance was required.
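
The record keeping this policy describes, written out as an added example that is not part of the original manual: it separates tracked from exempt disclosure purposes, produces the four required fields, computes the 60-day response date and applies the one-free-accounting-per-12-months rule. The purpose labels, the sample log, the compliance start date and the reading of "12-month period" as the 365 days before the request are assumptions made here.

```python
"""Accounting-of-disclosures record keeping for a small practice.

Added example, not code from the original manual. It implements the policy
above: tracked vs exempt purposes, the four fields of a written accounting,
the 60-day response window and one free accounting per 12 months. Category
labels, the sample log and all dates are constructed here.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Purposes the policy says must be tracked (the 'Without Opportunity to
# Object' disclosures in the Notice of Privacy Practices).
TRACKED = {
    "public health", "health oversight", "abuse or neglect",
    "food and drug administration", "legal proceedings", "coroners",
    "research", "workers' compensation", "compliance",
}
# Purposes the policy exempts from the accounting requirement.
EXEMPT = {
    "to the individual", "treatment", "payment", "health care operations",
    "patient authorization", "business associate", "national security",
    "correctional or law enforcement",
}
# Assumption: replace with the date from which the practice had to comply;
# the accounting covers nothing disclosed before it.
COMPLIANCE_START = date(2003, 1, 1)  # placeholder, not the real deadline


@dataclass(frozen=True)
class Disclosure:
    disclosed_on: date
    recipient: str     # to whom the information was sent
    description: str   # what information was sent
    purpose: str       # why it was sent; matched against TRACKED / EXEMPT


def classify_purpose(purpose: str) -> str:
    """'tracked', 'exempt' or 'review'; an unlisted purpose is never silently
    dropped, the Privacy Officer classifies it by hand."""
    key = purpose.strip().lower()
    if key in TRACKED:
        return "tracked"
    if key in EXEMPT:
        return "exempt"
    return "review"


def build_accounting(log, compliance_start=COMPLIANCE_START):
    """Return (rows, needs_review): one row with the four required fields per
    tracked disclosure since compliance_start, in date order."""
    rows, needs_review = [], []
    for d in sorted(log, key=lambda x: x.disclosed_on):
        if d.disclosed_on < compliance_start:
            continue
        kind = classify_purpose(d.purpose)
        if kind == "tracked":
            rows.append({"date": d.disclosed_on.isoformat(), "to": d.recipient,
                         "what": d.description, "purpose": d.purpose})
        elif kind == "review":
            needs_review.append(d)
    return rows, needs_review


def response_due(requested_on: date) -> date:
    """The policy gives the practice 60 days to respond to a written request."""
    return requested_on + timedelta(days=60)


def is_free_of_charge(requested_on: date, prior_accountings) -> bool:
    """One accounting at no cost in any 12-month period; assumption: the
    period is read as the 365 days before the request."""
    window_start = requested_on - timedelta(days=365)
    return not any(window_start < given <= requested_on for given in prior_accountings)


# Constructed sample log; recipients, contents and dates are invented.
SAMPLE_LOG = [
    Disclosure(date(2002, 11, 3), "State health dept", "TB test result", "public health"),
    Disclosure(date(2003, 2, 10), "Acme Health Plan", "claim for office visit", "payment"),
    Disclosure(date(2003, 3, 5), "County health dept", "immunization record", "public health"),
    Disclosure(date(2003, 6, 18), "District court", "dates of visits", "legal proceedings"),
    Disclosure(date(2003, 8, 9), "Unknown caller", "appointment time", "phone inquiry"),
]


def demo(requested_on=date(2003, 9, 1)):
    """Answer a written request received on requested_on against SAMPLE_LOG."""
    rows, review = build_accounting(SAMPLE_LOG)
    prior = [date(2003, 4, 20)]  # an accounting already given this year
    return {
        "rows": rows,
        "needs_review": [d.purpose for d in review],
        "due": response_due(requested_on).isoformat(),
        "free_now": is_free_of_charge(requested_on, prior),
        "free_next_year": is_free_of_charge(requested_on + timedelta(days=365), prior),
    }


if __name__ == "__main__":
    print(demo())
```

The pre-compliance disclosure is dropped, the exempt payment disclosure is not listed, and the unlisted "phone inquiry" purpose lands in the review list rather than disappearing.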



Restrictions on Use and Disclosure

The patient may request restrictions on our use or disclosure of the patient's protected health information beyond those restrictions already imposed by the government. We may elect to accept the restriction or not. However, if we accept the request, then we must abide by it and could only reverse our position after notifying the patient appropriately first.

Restrictions on Communication Method

We will accommodate a request that we communicate with the patient by alternative means, if we can reasonably and practically implement such an alternative. The patient is not required to explain why he or she wants such an alternative means of communication. Our agreement with the patient for an alternative communication channel will be documented and included in the patient's medical record.

3.2 Communication

Editorial Note: The policies suggested here are NOT mandatory. The Privacy Rule requires that an entity handle communication carefully and document that care. The communication policies in this subsection are simply illustrative.

The Privacy Rule requires a policy on dealing with protected health information but is not specific. An entity might have policy on how it handles correspondence in email, fax, phone, or face-to-face mode. The medical record is an important medium of communication, and 'minimum necessary' sharing should occur.

3.2.1 Phone and Face-to-Face

When patients are brought into the consulting room to see the doctor or nurse, their consultation is private -- behind closed doors. However, in the reception area the patient is in the presence of others who do not have a need to know the patient's private details. Staff should not give information about a patient to another person without the patient's permission. The same principle applies to the phone. When staff contact the patient for reminders about appointments, they should take reasonable steps to avoid conveying protected health information to any individual other than the patient or patient guardian.

3.2.2 Email Policy (Optional)

Editorial Note: An email policy is not required by the Privacy Rule. This draft policy indicates what an email policy could be. For an entity that does not use email, having an email policy is of course NOT necessary.

Ownership and User Privacy of E-Mail

Use of electronic mail is a part of business processes. All e-mail originating within or received into ______________ is the property of ______________.

Confidentiality of Electronic Mail

When e-mail is used for communication of individually identifiable health information:

- A notation referring to the confidential nature of the information should be made in the subject line.
- The information is to be distributed only to those with a legitimate need to know.

Retention of Electronic Mail

Often, e-mail messages are non-vital and may be discarded routinely. However, some e-mail may be considered a formal record and should be retained. For instance, all clinically relevant e-mail messages, including the full text of a patient's query, as well as the reply, should be stored in the patient's medical record.

Provider/Patient Use of E-mail

The patient should acknowledge these conditions for email use:

- E-mail communication is a convenience and not appropriate for emergencies or time-sensitive issues.
- No one can guarantee the privacy of e-mail messages. Employers generally have the right to access any e-mail received or sent by a person at work.