Risk Management

Practical Application of HIPAA Privacy Rules (Part 1)

Kimberly Wittchow, JD, OMIC Staff Attorney

Digest, Winter, 2003

The April 14, 2003 deadline to comply with the HIPAA Privacy Rules is fast approaching. OMIC enumerated the many components of compliance in its Guide to Implementation of the HIPAA Privacy Standards sent to insureds in November 2002. OMIC has since fielded many questions from insureds about the practical application of the Privacy Rules to their practices. The following is a sample of the questions we continue to address.

Q  Can I avoid being a Covered Entity under HIPAA if I contract with a billing service to transmit all electronic claims submitted on my behalf?

A  No. Submitting even one electronic claim after April 14, 2003, whether directly or through a contracted service, will trigger application of the Privacy Standards to you.

Q  Do I have to comply with HIPAA if I am a physician in a small, rural practice?

A  Your practice size and location generally do not affect your status under HIPAA. However, you are not a Covered Entity if you maintain either paper or electronic files but do not transmit PHI electronically and have not volunteered to be a Covered Entity by contract or certification. You should be aware, though, that as of October 16, 2003, Medicare will require practices with 10 or more employees to file claims electronically.

Q  Can I post a one-page summary of my Notice of Privacy Practices in my office?

A  Yes. But in addition, you must post your entire Notice in a clear and prominent location in your office and make it available on your web site. If you make changes, you must post the amended Notice in your office and on your web site, but you do not need to redistribute it to your patients unless they ask for a copy.

Q  Can my office staff contact patients before we give them our Notice of Privacy Practices?

A  Yes. You must provide the Notice to each patient no later than the date of first service delivery or as soon as practicable in emergencies. Where you contact the patient by telephone to schedule an appointment or collect information in anticipation of a procedure, you can wait to provide the Notice until the patient comes into your office. When you do provide the Notice, you must make a good faith effort to obtain the individual’s written acknowledgment of receipt of the Notice or document your efforts to obtain the acknowledgment and the reason it was not obtained.

Q  Can I ask patients to sign a blanket HIPAA Authorization form for any use or disclosure of their PHI?

A  No. A HIPAA Authorization is required for certain specific, non-routine uses or disclosures of PHI. Its required use is best defined by the exceptions. You do not need Authorization to disclose PHI to the subject of the PHI, the Department of Health and Human Services, or to people in the patient’s “circle of care.” You also do not need Authorization to use or disclose PHI for payment, treatment, health care operations, as required by law, or for many public health-related activities. In most other situations, Authorization is required. For example, you need Authorization to disclose PHI if you want to sell cataract/IOL outcome data that includes patient identifiable information to IOL manufacturers. You also need Authorization to disclose PHI if the patient is applying for disability insurance and the insurer requests the patient’s medical record to make an underwriting decision.

Q  Do I have to enter into Business Associate Agreements with janitorial or other service providers?

A  No. Your Business Associates are persons or entities that perform certain functions or activities on your behalf or provide services to you that involve the use or disclosure of PHI. Certain service providers, such as janitors, electricians, and couriers of information, are not Business Associates because their services do not involve the use or disclosure of PHI.

Q  Are my patients’ health plan insurers my Business Associates?

A  No. When you submit a claim for payment to a health plan and it assesses and pays the claim, you are each acting on your own behalf as Covered Entities and not as Business Associates of one another.

Q  How do I find out if my state privacy laws are stricter than HIPAA’s?

A  Your state ophthalmic or medical society may have undertaken such an analysis for its members. You also may want to engage legal counsel to advise you on your specific responsibilities under both state and federal privacy laws.

The primary resource for this article was the OCR Guidance Explaining Significant Aspects of the Privacy Rule – Dec. 4, 2002.

