Q. I am a psychiatrist with a small private practice and have heard that there are new federal privacy regulations that will affect my practice. Should I be doing anything right now?
A. Yes. Although the regulations addressing the privacy portion of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) do not require compliance by providers until April 2003, you should be taking several steps now to ensure that you will be “HIPAA compliant” in time. You will be subject to the privacy regulations if you transmit any protected health information in electronic form.
The first step is to familiarize yourself (and your colleagues and employees in the office, if any) with HIPAA’s specific requirements. For your assistance, you may find a “Summary of the Final Privacy Regulations Under HIPAA” on the Web at www.crowell.com/health by clicking on the heading “Publications and Resources.” Additional information is available from the federal government at www.hhs.gov/ocr/hipaa.
Second, you should appoint a privacy officer. You may designate your office manager or yourself as the privacy officer. Larger group practices may also form a privacy task force to handle a number of tasks in the coming months. These tasks will include review of existing policies and procedures on release of information and patient access to records, as well as updating “consents” and “authorizations,” which are different terms with different requirements and uses under the HIPAA regulations. The privacy officer will need time to become fully educated on privacy requirements and to assess current practices, so it is crucial that you designate someone to handle this task now.
Third, you or your designated privacy officer should review all existing contracts with your “business associates” with whom you share protected health information. These contracts will include those made with outside vendors such as billing service companies, legal and accounting professionals, practice management consultants, and quality assurance or utilization review entities. You may need to amend such contracts to specify how each business associate will protect certain health care information, as well as limit certain uses and disclosures. This is especially important since you, the provider, may be subject to criminal or civil penalties under HIPAA for releasing information to a business associate without first obtaining the necessary assurances that the business associate will protect the health care information.
Fourth, you will need to compare relevant state laws governing confidentiality, privilege, privacy, and records access with the HIPAA statute and regulations. HIPAA does not totally preempt, or supersede, state law in all cases. If a state law is more stringent or more protective of patients’ rights and patients’ privacy, the state law will apply. For example, the District of Columbia’s Mental Health Information Act allows access to “personal notes” to be limited to the mental health professional. “Personal notes” are narrowly defined to include information disclosed to mental health professionals in confidence by other persons on condition that such information not be disclosed to the patient or other persons; the definition also includes the mental health professional’s speculations. The HIPAA regulations allow “psychotherapy notes” to be released to third parties if an “authorization,” as defined by the regulations, is signed by the patient. These psychotherapy notes are defined in a somewhat broader fashion than the “personal notes” as defined by D.C. law. Therefore, psychiatrists in the District of Columbia will need to compare the D.C. and federal requirements and ascertain how they will keep notes of psychotherapy sessions. Similar analyses will apply in other states.
Finally, you should talk with colleagues, your local district branch, and HIPAA experts to ascertain how others are beginning to tackle the requirements of HIPAA. Where direct conflicts between state and federal law exist, state organizations may wish to call upon the governor or his or her designee to request a “preemption exception” from the secretary of Health and Human Services.
Although we may see some modifications to the HIPAA regulations in the future, it appears certain that the regulations are here to stay. The time to begin the compliance process is now.
This information was prepared by Anne Marie “Nancy” Wheeler, J.D., an attorney with the Washington, D.C., law firm of Crowell and Moring LLP. Wheeler is the coordinator of the APA Legal Consultation Plan. APA members who would like further help with HIPAA privacy compliance, or other legal issues pertaining to the practice of psychiatry, may request an application for the 2002 APA Legal Consultation Plan by calling (202) 508-8721 or sending a request by e-mail to [email protected]. ▪