HIPAA compliance requires facilities to have privacy policy: with HIPAA's compliance date for the privacy standard on April 14, 2003, each facility must have a detailed privacy policy. A preparation guide - Feature Article - Health Insurance Portability and Accountability Act compliance calls for facilities to have privacy policy

Nursing Homes, March, 2003 by Sandra K. Battaglia

The Health Insurance Portability and Accountability Act (HIPAA) requires that all covered entities (most nursing facilities meet the definition of covered entity) provide a notice to patients (or residents) detailing the ways in which the covered entity will use or disclose the patient's protected healthcare information (PHI). PHI is defined as individually identifiable health information that relates to the past, present, or future physical or mental health of, or the provision of healthcare to, a patient or resident.

With the arrival of HIPAA's compliance date for the privacy standard on April IA, 2003, each facility must have a detailed privacy policy in place. This article describes the elements of the privacy policy and discusses how facilities should prepare such policies so a final product is available for use on the compliance date.

Beginning April 14, a notice of the facility's policy with respect to PHI is required to be presented to the resident on or before the first time services are delivered to that resident. For a nursing facility, that generally would be at the time of admission. The receipt of the privacy notice must be acknowledged in writing, but the facility does not have to explain the notice or otherwise elaborate on its contents. Facilities also must post a copy of the privacy notice in a prominent location where it is reasonable to expect that the residents will see it. Copies of the notice also must be provided to anyone who requests one; the notice must be posted and available on the facility's Web site, if the facility has one.

If there is a material change to any part of the privacy policy, the notice must be revised, the new version posted, and information provided to residents that the new notice is available upon request. Facilities must provide the revised notice to the residents, but do not need to have residents who received an earlier version of the privacy policy acknowledge the receipt of the revised notice.

For record-keeping purposes, the facility must put a copy of the current notice in every resident's file and maintain a copy of each version of the notice in the facility's business files.

To assist in preparing the privacy policy, the regulations provide an outline to follow. Following is a list of the elements required by the HIPAA privacy regulations, along with commentary on each element.

* A statement as a header and prominently displayed must declare: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."

This requirement is easily followed, but note that the statement must be in all caps and worded exactly as set forth above.

* A facility's privacy policy must include information relating to the uses and disclosures of the individual's PHI, including a description and one example for each of the types of uses and disclosures that the facility is permitted to make for the purposes of treatment, payment, and healthcare operations; a description of each of the other purposes that the facility is permitted or required to perform without consent, such as public health, governmental health oversight, judicial and administrative proceedings, law enforcement, and work-related illness or injury; and enough detail to clarify the uses and disclosures that are permitted or required by the Privacy Rule or other applicable laws.

This section may be lengthy because it will list the multiple ways that PHI is used and disseminated. You may want to consider for inclusion in the privacy policy: treatment purposes including creation of the healthcare records at the facility and for referrals to other healthcare providers, payment purposes, or healthcare operations such as quality improvement, business associates, facility directory, notifications to family members, marketing, fundraising, public health requirements, law enforcement requirements, and reports required by health oversight agencies, including your survey and certification office.

* Information that other disclosures and uses will be made only with the resident's written authorization and that he or she may revoke this authorization.

This information can be placed anywhere in the document and can state that revocation is possible, and the request for revocation must be in writing.

* Statement that describes the resident's rights concerning his or her PHI and how those rights maybe exercised, such as (i) to request restrictions concerning certain uses and disclosures of PHI, (ii) to receive confidential communications of PHI, (iii) to inspect and copy PHI, (iv) to amend PHI, (v) to receive an accounting of disclosures of PHI, and (vi) to obtain a paper copy of the privacy notice on request even if the individual has agreed to receive the notice electronically.

Again, this provision will result in a lengthy disclosure. Under section i, the facility wants to make clear that while the resident can request that PHI not be disclosed, the facility is under no obligation to grant the request. Medicare and Medicaid facilities can state that there are times when the request cannot be honored-including emergencies, if the resident is being transferred to another healthcare facility, or the disclosure is required by law. Under section iii, remember to indicate that if the resident wants copies of his/her medical record, HIPAA allows the facility to charge a reasonable copying fee. Section iv indicates that amending PHI is allowed, and requests for amendment should be made in writing with information to support the requested change. The accounting provisions listed under section v should be conditioned, and the policy should state that an accounting can only go back six years, and that no accounting will be given for disclosures for reason of treatment, payment, or healthcare operations; for disclosures made to the resident, the resident's legal representative, or any other individual involved in the resident's care; for disclosures to law enforcement officials; or for disclosures for national security purposes.