Develop privacy policies and procedures. As I’ve already mentioned, you’ll need to identify someone to serve as your privacy officer. The privacy officer will need to learn about HIPAA, develop privacy policies and procedures for the practice, educate staff, and make sure the privacy policies and procedures are being followed. HIPAA also requires that you have a process in place for staff to register complaints about your practice’s policies and procedures as well as sanctions for staff who violate the privacy rule.
Identify business associates. You should also think about all the ways you use and disclose PHI to determine who meets the definition of a business associate. These people and organizations will need to sign business associate agreements.
Develop a privacy notice. Once you have thought about how you use PHI, you will need to develop a privacy notice informing patients of your policies and procedures. You may want to obtain some examples from other practices to guide you, but don’t simply copy someone else’s notice without carefully analyzing how it applies to you. If you think you need to, have a lawyer or consultant help you refine a notice so that it reflects the specifics of your practice. In the last analysis, though, only your practice will know all the ways in which it uses PHI.
Decide how you will give notice. Will the receptionist provide the notice to the patient when he or she checks in for an office visit? Will the acknowledgement that the patient received notice be signed then? And will the receptionist be equipped to answer questions the patient may have? These are just some of the things to consider.
Determine authorization needs. Does your practice use PHI for any purpose (e.g., marketing) that will require patients to sign a special authorization form? The privacy regulation gives patients the right to revoke or limit the authorization. You will need to determine how your practice will document these revocations or limitations.
Decide how you will handle requests for PHI. You will need to develop basic policies regarding the disclosure of PHI. For example, who will review denied requests for access? It’s likely that as you begin to think about these issues your staff will have many questions that can help you determine how to proceed. For example, what information can be provided to a caller who asserts he or she is a family member or to a caller who says he or she represents a provider or health plan? What information can be faxed and to whom? What types of messages can be left on patients’ answering machines? How should billing information containing PHI be handled? Should clinical information be handled the same way? Who will be allowed to access the medical record?
Develop a system for managing restrictions on PHI. Think about how you will handle PHI when patients restrict its use and disclosure. How will you proceed if you don’t agree to the patient’s request for restrictions? For example, suppose a patient says, “Don’t tell my husband anything about me.” If you agree to the patient’s request, you will have to make sure you abide by it. How will your staff know the restriction exists? Where will you document it? One solution may be to color-code charts that have restrictions associated with them so everyone is aware they should receive special handling.
Develop a procedure for logging disclosures. Under the privacy rule, you must be able to provide an accounting of disclosures (other than for TPO) to patients who request it. You will also have to decide how you will allow patients access to their information and establish a procedure for patients to request amendments to their records. If you refuse to provide a patient access to his or her PHI for the very limited and specific reasons identified in the regulation or refuse to make the amendment to the record, how will you handle the appeal process? When you agree to amend a patient’s record, you’ll also have to notify anyone else who has the information. This is a real dilemma.