In this month’s interview, Dr. Brendel does a wonderful job explaining what psychiatrists need to know in order to become HIPAA-compliant. In this article, TCR really gets down and dirty with HIPAA, taking you by the hand to tell you exactly what to do, what forms to use, and where to get them. The only thing we won’t do is to actually come to your office to post notices – but we can give you the number of Staples if you need to order some scotch tape!
Are you a “covered entity”?
Many psychiatrists do not have to comply with HIPAA at all because they are not HIPAA-defined “covered entities.” The test is simple: if you transmit any patient information electronically in connection with a standard transaction (most commonly filing an insurance claim), you are a HIPAA provider; otherwise, you’re not.
The following psychiatrists are not HIPAA providers:
• Psychiatrists who don’t accept any insurance.
• Psychiatrists who accept insurance but file all their claims by old-fashioned paper mail.
• Psychiatrists who use their computer or Palm Pilot for various aspects of their practice (like storing patient information, writing notes, or doing Medline searches) but who never use the computer to communicate with insurance companies about anything.
• Psychiatrists in solo practice who see Medicare patients but, by special arrangement with Medicare, file paper claims rather than electronic ones.
There’s a fairly understandable flowchart from the government to help you decide if you’re a covered entity at http://www.hipaanews.org/Flowcharts.pdf.
What do you absolutely have to do under HIPAA?
Assuming that you are a covered entity, there’s a relatively short list of things you are absolutely required to do by law:
1. Create and post a Privacy Notice in your office.
2. Make a good faith effort to have your patients sign an acknowledgment that they have read it.
3. Obtain and sign a special HIPAA Business Associate Agreement with any company or individual you do business with who must see patient information as part of their work (e.g., a billing company).
4. Add a confidentiality statement to all faxes and emails.
5. You were supposed to have done all these things by April 14, 2003!
The Privacy Notice
How do you go about creating a privacy notice? Most of us will simply copy a colleague’s notice or download one of the innumerable samples available for free on the internet. You should be aware, however, that the government requires that notices be written in “plain language,” and that most of the samples you see (including the APA’s sample at http://www.psych.org in the members’ area) fail miserably in this regard.
In fact, in a study conducted by the Privacy Rights Clearinghouse, a nonprofit consumer group, six HIPAA privacy notice samples and 31 actual HIPAA privacy notices were downloaded and analyzed using readability software. They were all scored at the “difficult” reading level, with complicated vocabulary and grammar (http://www.privacyrights.org/ar/HIPAA-Readability.htm), and they were judged to be non-compliant with HIPAA because they failed the plain-language standard.
The other problem with most samples is that they include a lot of stuff that is not applicable to the typical small psychiatric practice, like statements that patient information might be used for marketing, fundraising, research, patient directories, etc., all of which is relevant mostly to hospitals and other large organizations. It’s overkill for solo practitioners, and you don’t have to include it in your own notice.
Because TCR was not able to find anything appropriate for most psychiatrists on the web, we wrote up our own sample, which you can access and download for free from our website (www.TheCarlatReport.com). Feel free to alter it as you see fit.
The Acknowledgment Form
This is an easy one, being simply a one-pager saying something like, “I acknowledge that I have read Dr. X’s Privacy Notice,” with a place for a signature. You can download a sample at TCR’s website. If a patient declines to sign, simply note the date and the refusal in the chart; the rule requires only a documented good-faith effort to obtain the acknowledgment, not the signature itself.
The Business Associate Agreement
If you contract with an outside company or individual to help you with your practice in such a way that they must see some patient information (for example, someone who does your billing), you both have to sign an official Business Associate Agreement. This just says that your billing company, or transcriptionist, or whoever, promises to keep patient information confidential. These contracts don’t have to be written in plain language (unlike the Privacy Notice), and a suitably legalistic sample is available for free at a continuing legal education site: http://contracts.onecle.com/exult/prudential.svc4.2003.04.14.shtml. Keep a signed copy on file for each business associate.
Regular employees, like your secretary or other regular office staff, don’t have to sign this form, but you do have to document in their employment files that you’ve given them formal training in privacy practices.
Faxes and Emails
You can easily cut and paste a standard confidentiality disclaimer from a colleague’s email or download this language from TCR’s website. Again, this can be as legalistic-sounding as you can stomach. Bear in mind that the disclaimer protects nothing by itself: confirm the fax number before you send, and keep identifying patient details out of ordinary unencrypted email wherever you can.
You’re very late, but don’t worry, you won’t get arrested – just get it done!