Marketplace

Ready, Set, HIPAA!

IF YOU READ my March column, you should have a better sense of what the Health Insurance Portability and Accountability Act means -- and should know that home medical equipment providers are indeed covered by the Health Care Financing Administration's final HIPAA privacy regulations.

Now, it is time to develop a plan to comply with these rules.

The rules are long and complex, but they are manageable if you map out a plan to prepare for compliance. And the first step in the plan: Conduct a "readiness assessment."

One Step at a Time

The following checklist will help you evaluate how close your organization currently is to compliance. It can also help guide your thought process as you work to accommodate the different operational demands of the final privacy rules.

1. List your business associates, starting with your accounting department. Review the prior year's accounts payable to identify all contractors you have used, from consultants to auditors and attorneys.

2. Sort out all the business associates that might have access to protected health information.

3. Note which business associates already have written contracts with you.

4. Identify from whom and in what format your organization receives "protected health information." This can come from physicians, therapists, hospitals, insurance companies, labs and patients themselves. Note: PHI can be written, oral and electronic.

5. Check to see if you currently obtain a written and signed authorization from any and all individuals from whom your organization receives PHI.

6. Figure out how your organization uses PHI. Is it, for example, for treatment? Payment processing? Other internal operations or business functions?

7. Identify how PHI is communicated from one department to another in your organization. This should include movement from one function to another (from customer service to billing, for example) and in what form (via paper or electronically, for example).

8. Establish whether or not your organization currently has the capability to extract or segregate PHI from other information you receive and process.

9. Investigate your current operation to see if and how you limit access to any PHI your organization uses for the "treatment, payment or health care operations."

10. Check to see if and how your organization removes or otherwise makes anonymous the PHI it uses.

11. Identify whether or not your organization has any technology -- such as encryption software or firewalls -- in place to track the use and disclosure of PHI.

12. Identify whether or not your organization has any policies and procedures in place to protect patient confidentiality.

Heading for Compliance

These 12 steps will help you assess the organizational flow of PHI, both internally and externally. They can help you identify who in your organization has access to protected information and how that information is communicated.

This knowledge in hand, you then can assess your current policies and procedures to determine where existing procedures will satisfy the rules -- and where they must be modified to comply with the privacy rules.

Ready? It's time to get going.

********************

Reviewing the Basics

THE PRIVACY regulations drafted by the Health Care Financing Administration to implement the Health Insurance Portability and Accountability Act are extremely broad. They also set forth substantial requirements for all home care providers and payers that retain or transmit "individually identifiable health information."

For example, providers must obtain prior consent to use or disclose "protected health information" for patient treatment, payment or other health care operations. This consent can be combined with other types of legal permission (such as consent to assignment of benefits), but only if it is visually and organizationally separate and is signed separately.

The privacy standards also require authorizations for all uses and disclosures of PHI that are not connected to treatment, payment or health care operations.

To meet these standards, providers will need to develop policies and procedures to determine the "minimum necessary" information needed by each function and department in their organizations. Bottom line: Providers cannot use the entire medical record unless specifically justified.

What's more, the privacy standards require that providers ensure that "business associates" -- such as billing consultants, attorneys or other independent contractors that receive PHI in the course of providing services to a provider -- use appropriate safeguards. Not only must providers have written contracts with these business associates, but the contracts must include a provision that the business associates will maintain the confidentiality of PHI.

Home care providers that have a direct treatment relationship with an individual must provide notice of their privacy practices in "plain language" no later than the date of the first service delivery.

The privacy rules also require providers to implement an administrative structure by the compliance date of April 14, 2003. This includes designating a privacy officer, implementing policies and procedures to maintain the confidentiality of PHI, and training all employees who come in contact with PHI on the appropriate privacy policies.
