Emergency Medicine Practices and the HIPAA Privacy Standards

by Ralph L. Glover II, Esq.

On December 20, 2000, the United States Department of Health and Human Services released its Standards for Privacy of Individually Identifiable Health Information (the "Privacy Standards"). The Privacy Standards apply to health plans, health care clearinghouses and those health care providers that transmit health information, in connection with certain standard transactions,[1] in electronic format (collectively defined in the Privacy Standards as "Covered Entities"). Physician practices are included within the definition of Covered Entities. The Privacy Standards protect all individually identifiable health information in any form that is held or transmitted by a Covered Entity, including individually identifiable health information that is transmitted in paper or electronic format or through oral communication ("protected health information").

All health care providers, including physician practices, that are covered under the Privacy Standards ("Providers") must be in compliance with the Privacy Standards by April 14, 2003. Significant civil and criminal penalties can be imposed on anyone who violates the Privacy Standards. Because of the potential need for computer systems upgrades, revisions to policies and procedures, staff education and preparation of new documents and contracts, all physician practices should begin the compliance process as soon as possible.

The most significant documentation changes will be the requirement that Providers prepare and utilize four specific documents in accordance with criteria set forth in the Privacy Standards: the "Consent", the "Authorization", the notice of privacy practices (the "Notice") and the "Business Associate Agreement". In addition to documentation changes, each Provider will have to revisit its policies and procedures with regard to the use and disclosure of protected health information about its patients. Providers will have to determine what limits to place on the amount of protected health information they disseminate and on whom they disseminate it to. This may include imposing limitations on employee access to patients' protected health information.

Consent and Authorization
The Privacy Standards provide two categories of permission, consent and authorization, which a Provider may have to obtain from a patient before the Provider can use or disclose protected health information about the patient. A "Consent" may only be sought for uses and disclosures of protected health information by a Provider for treatment, payment and health care operations purposes. With few exceptions, Providers must obtain a Consent before the Provider can use or disclose protected health information about a patient for such purposes. Providers, however, must seek an "Authorization" for uses and disclosures of protected health information that the Provider is not otherwise permitted or required to make without such Authorization.

Notice of Privacy Practices
Pursuant to the Privacy Standards, patients have the right to receive adequate notice of how Providers use and disclose protected health information about the patient. The purpose of the Notice is to inform patients about their rights and how protected health information collected about them may be used or disclosed. Providers are required to describe all uses and disclosures of protected health information that they are permitted or required to make without the individual's Authorization. In addition, the description must include those uses and disclosures of protected health information about the patient to carry out treatment, payment and healthcare operations for which the individual's Consent may be necessary, and at least one example of the types of such uses and disclosures. Providers must separately describe each purpose for which they are permitted to use or disclose protected health information under this rule without Authorization in sufficient detail to place the patient on notice of such uses and disclosures.

Providers are required to provide such Notice on the request of any person regardless of whether the person is a current patient. Additionally, Providers must provide the Notice to all patients as of the first service delivery after the effective date of the Privacy Standards.

In addition, Providers that wish to contact patients for the following activities must list such activities in the Notice: provide appointment reminders, describe or recommend treatment alternatives, provide information about health-related benefits and services that may be of interest to the patient, or solicit funds to benefit the Provider. If such activities are not included in the Notice, the Provider is prohibited from using or disclosing an individual's protected health information for such purposes without obtaining an Authorization.

Minimum Necessary Information
Providers, when using or disclosing protected health information or when requesting protected health information from another Provider, must make reasonable efforts to limit the use or disclosure of protected health information to the minimum amount necessary to accomplish the intended purpose of the use, disclosure or request. This "minimum necessary" standard does NOT apply to (a) disclosures to or requests by a health care provider for treatment purposes, (b) uses or disclosures made to the patient requesting his/her own information, or (c) disclosures made to the Secretary of the Department of Health and Human Services in accordance with the Privacy Standards.

Common Questions and Answers
Q: If the emergency physician cannot use or disclose protected health information for treatment or for seeking payment for services provided without first obtaining a signed Consent, are there procedures for emergency situations when the patient is unable to sign a Consent?

A: There are a couple of possible exceptions in this situation. Under 45 CFR § 164.506(a)(3), a physician may use or disclose protected health information without a patient's Consent for treatment, payment or health care operations purposes (i) in emergency treatment situations, if the covered health care provider attempts to obtain such Consent as soon as reasonably possible after delivery of such treatment; or (ii) when the physician is required by law to treat the patient, and the physician attempts to obtain such Consent but is unable to obtain such Consent.

Q: How will a Provider know when the situation is an "emergency treatment situation" and, therefore, is exempt from the Privacy Standards' prior Consent requirement?

A: Providers must exercise their professional judgment to determine whether obtaining a Consent would interfere with the timely delivery of necessary health care. If, based on professional judgment, a Provider reasonably believes at the time the patient presents for treatment that a delay involved in obtaining the patient's Consent to use or disclose information would compromise the patient's care, the Provider may use or disclose protected health information that was obtained during the emergency treatment, without prior Consent, to carry out treatment, payment or health care operations. The Provider must attempt to obtain Consent as soon as reasonably practicable after the provision of treatment. If the Provider is able to obtain the patient's Consent to use or disclose information before providing care, without compromising the patient's care, the Privacy Standards require the Provider to do so.

Q: If hospitals and emergency physicians are separate Providers, must the hospital and emergency physician have patients sign separate Consents?

A: Not necessarily. Hospitals and medical staff physicians can be considered participants in an Organized Health Care Arrangement ("OHCA") under the Privacy Standards. The OHCA was designed to take into account relationships such as that between physicians and hospitals, where the Provider participants are separate entities but are clinically integrated and need to share health information about patients not only for treatment purposes, but also for the benefit of their joint operations. OHCAs must have joint Consents and joint Notices in accordance with the Privacy Standards. Therefore, the patient need only sign one Consent, which will cover all of the participants in an OHCA.

Q: Can emergency physicians disclose protected health information to consulting or other physicians?

A: Health care providers can disclose protected health information, for treatment, payment or health care operations purposes, once a Consent has been signed or if one of the exceptions applies.

Q: Do the minimum necessary standards prohibit Providers from maintaining patient medical charts at bedside, require that Providers shred empty prescription vials, or require that X-ray light boards be isolated?

A: No. The minimum necessary standards do not require that Providers take any of these specific measures. Providers must, in accordance with other provisions of the Privacy Standards, take reasonable precautions to prevent inadvertent or unnecessary disclosures. For example, while the Privacy Standards do not require that X-ray boards be totally isolated from all other functions, they do require Providers to take reasonable precautions to protect X-rays from being accessible to the public.

Q: If Providers engage in confidential conversations with other Providers or with patients, have they violated the rule if there is a possibility that they could be overheard?

A: The Privacy Standards are not intended to prohibit Providers from talking to each other and to their patients. There are provisions of the Privacy Standards that require Providers to implement reasonable safeguards that reflect their particular circumstances. These requirements are intended to ensure that Providers' primary consideration is the appropriate treatment of their patients. In a busy emergency room, it may be necessary for Providers to speak loudly in order to ensure appropriate treatment. The Privacy Standards are not intended to prevent this appropriate behavior.

Q: Does a physician have to get a Consent from a patient every time the patient visits the emergency department?

A: No. A Provider need only get one signed Consent from a patient for the current and future uses and disclosures of protected health information for treatment, payment and health care operations purposes, unless the patient at some point revokes the Consent in accordance with the Privacy Standards. If a patient revokes a Consent, then, except to the extent the Provider has already relied on the Consent before it was revoked, a new Consent must be signed before the Provider can make any subsequent use or disclosure of protected health information.

Q: Will the Privacy Standards affect communications between emergency physicians and ambulance providers?

A: Yes. However, in many cases hospitals and ambulance providers will be considered part of an Organized Health Care Arrangement, particularly if the hospital and ambulance provider are members of a coordinated emergency medical services (EMS) system. As discussed above, participants in an OHCA may share protected health information for purposes of treatment, payment or health care operations once the joint Consent is signed. The emergency situation exception also applies here if the Consent cannot be signed by the patient.

Q: Must emergency physicians enter into a Business Associate Agreement with the hospital with which they have staff privileges?

A: Physicians on a hospital's medical staff are not considered business associates and therefore do not need to execute business associate agreements.

Q: Are there any additional requirements placed on physicians that contract with practice management companies or third party billing companies?

A: Most likely yes. If the management or billing company meets the business associate definition, in that the company performs services on behalf of the physician practice or provides specific services to the physician practice involving the use, disclosure or creation of protected health information, then a business associate agreement must be executed between the parties or existing agreements must be modified.

Q: What are the penalties for violating the Privacy Standards?

A: Significant civil and criminal penalties may be imposed on a person for violating the Privacy Standards. A person who violates the Privacy Standards may be assessed a fine of up to $100 per violation, not to exceed $25,000 in a calendar year for violations by any one person of any single provision of the Privacy Standards.

Additional penalties include: a fine of up to $50,000 and up to one year in prison for a knowing misuse of a unique health identifier or obtaining or disclosing individually identifiable health information; a fine of up to $100,000 and up to 5 years in prison for offenses committed under false pretenses; and a fine of up to $250,000 and/or up to 10 years in prison if the offense is committed with the intent to use individually identifiable health information for commercial advantage.

Q: Can patients bring private lawsuits against physicians for violating the Privacy Standards?

A: No. At this point, only the Government can enforce the Privacy Standards and impose penalties for violations. In addition, there are no qui tam provisions in the Privacy Standards.

For additional guidance and definitions of some of the above terms, see the comprehensive memorandum on the Privacy Standards prepared by Mr. Glover at the following web address: www.chuhak.com/hipaa

In addition, the memorandum can be accessed from AAEM's website at www.aaem.org

[1] The standard transactions include 1) health claims or equivalent encounter information, 2) health claims attachments, 3) enrollment and disenrollment in a health plan, 4) eligibility for a health plan, 5) health care payment and remittance advice, 6) health plan premium payments, 7) first report of injury, 8) health claim status, and 9) referral certification and authorization.

© 1997-2008 American Academy of Emergency Medicine. All rights reserved.