HIPAA, Schmippa !

Mike Pulaski, FACMPE

Physicians Practice, The Business Journal for Physicians, Fall 2002, Vol. 12 No. 7, p. 60.

Over the past year, I have received a flurry of mailings from “consultants” who want me to pay to hear their latest insights on the HIPAA monster, which is due to begin wreaking its havoc on clinic medicine next April.  Some of the headings on these mailings look as if the same people who write for grocery store tabloids wrote them.

This cult of consultants seems to be quite competitive, trying to out-scream each other while hocking their wares.  The more they employ scare tactics in the name of creating business for themselves, the more these consultants seem to have created their own havoc among us working-stiff administrators.

Today’s medical business environment demands the administrator’s fulltime attentions to such matters as controlling overhead, managed care contract analyses, receivables management, customer service, and ensuring physician and non-physician personnel have all the proper tools to perform maximally.  Traditionally, we have relied on outside consultants to give us the “Readers’ Digest” version of various legislative initiatives so that we could in turn implement necessary changes in clinic procedures without having to go to law school.  That is not happening anymore.

Remember all the hubbub surrounding Stark I and Stark II?  There were so many changes and interpretations regarding this legislation, compounded by the half-cocked presentations of “consultants” that a significant number of groups around the country found themselves frozen with inertia when attempting to change compensation formulae, forge alliances, or purchase ancillary service equipment.

Well, it’s déjà vu all over again.

It has been six years since Congress mandated the protection of patient medical information, and we still do not have the final version of the law.  It seems that every month HHS publishes changes to original facets of the developing law due to “unintended consequences” or “clarification” issues.  Meanwhile, at each turn of the law-making process, the cult of consultants picks up pieces of information that may or may not make it into the final version of the law, then turns around and criss-crosses the country, telling their paying audiences of the “latest” HIPAA changes we need to incorporate into our daily working lives or suffer intolerable consequences.

Here’s what I think I’ll do for a cheap and easy way toward compliance:  I’ll have a stack of brown paper shopping bags outside the door to our reception areas.  Each bag will be serially numbered and have cutouts for eyes and mouth.  Then each patient will be required to put a bag over his or her head before proceeding into the reception area.  Voila!  Half our HIPAA compliance woes are solved.

OK.  Let’s get serious and now use some common sense.

First, don’t panic, as the cultists would have you do.

Now examine a few of the simple and inexpensive ways that get you on the pathway toward compliance in the absence of a final version of the law, keeping in mind that the foremost tenet of the law is preserving the patient’s confidentiality.

1. Most all suppliers of computer billing packages have already developed the necessary encryption software, so that when installed, the insurance forms that are sent electronically are sufficiently protected.  Make sure you have this software installed on your system and make sure you receive a written statement from your vendor that the software is HIPAA compliant.

2. Ensure that all employees and vendors (who are given access to the clinic areas) of your group have signed a confidentiality statement that has been specifically developed for HIPAA purposes.  Your attorney should be able to furnish you a “boilerplate” copy of one.  File these signed statements in the employee’s personnel file or vendor file.

3. Edit your new patient demographic questionnaire to include the solicitation of which phone numbers your office is permitted to use when attempting to contact the patient.

4. Employ the use of new two part sign-in sheets that provide tearing off the strip that the patient uses to sign in.  The bottom sheet (protected on top by a blank sheet) will serve as a record of all who had visits that particular day.

5. Take it upon yourself to continually emphasize to your staff and vendors the importance of keeping patient information confidential.

There are a number of inexpensive avenues to acquire practical information regarding HIPAA compliance.  Most law firms have developed brochures for their healthcare clients that are devoted to compliance issues and they are free.  If your law firm doesn’t have one, then ask around among your colleagues.  Your malpractice carrier most likely has developed written compliance information.  Ask for it.   And don’t forget HHS’ website: www.hhs.gov .  You will be surprised to find a number of condensed articles regarding compliance.

Please remember this:  if you demonstrate that your group has an on-going genuine effort to be compliant, then in reality, you will be compliant.  By this I mean that in the low probability event of a compliance audit, if you demonstrate to the auditors your diligence toward compliance, the only consequence you will suffer is that you will be given a certain time period to “cure” those items in which you are found to be deficient.

So do not fall prey to the doom and gloom cultists.  Use your common sense, and realize that HIPAA is a good thing for us all as patients, and really doesn’t have to be the administrative monster, as some would have you believe.