Legal Alert: HIPAA Privacy Standards Deadline: April 14, 2003
DATE: JANUARY 27, 2003
TO: CLIENTS & FRIENDS
FROM: MARK A. COEL, ESQ., TRANSACTIONAL AND REGULATORY DIVISION
RE: HIPAA PRIVACY STANDARDS DEADLINE: APRIL 14, 2003
The deadline for complying
with the Privacy Standards set forth in the Health
Insurance Portability and Accountability Act ("HIPAA")
is fast approaching. By April 14, 2003, health care
providers must be compliant with the Standards for
Privacy of Individually Identifiable Health
Information or risk civil and potentially criminal
penalties. Health plans have been given until April
14 of the following year to comply.
The following are among the
issues that must be considered and addressed prior
to the April 14 deadline:
1. Designate Your
Compliance Committee. Depending on the size of your
practice or association, you must designate a
privacy officer to oversee compliance with HIPAA. If
you have a larger organization, a committee may be
more appropriate to oversee the implementation of
new policies regarding HIPAA.
2. Evaluate Your Privacy
Policy Documentation. Evaluate existing consents,
privacy policies, and procedures to determine
compliance with the Privacy Standards.
3. Notice of Privacy
Practices. The Privacy Standards require preparation
of a Notice of Privacy Practices. These are designed
to communicate policies and procedures regarding the
use and disclosure of Protected Health Information
of patients. Covered entities must make a good faith
effort to obtain written acknowledgment of patient
receipt of this notice.
4. Examine Your Business
Associate Contracts. Any Business Associate that
will have access to PHI must execute a Business
Associates Contract. A Business Associate is defined
as a "person or entity that performs certain
functions or activities that involve the use or
disclosure of protected health information on behalf
of, or provides services to, a covered entity."
5. Policies and Procedures
Staff Training. Policies and procedures should be
adopted and implemented with regard to the
maintenance and disclosure of PHI. Employees should
be informed of the privacy practices that will be
adopted under the new HIPAA compliant guidelines.
The "Minimum Necessary Requirement" should be
addressed in each type of request so that you have a
standard policy for disclosure of medical records
information. Specific training based on divisions
and job designation may be appropriate depending on
the size of your organization.