Ten Months and Counting

With less than a year left until the April 13, 2003, Health Insurance Portability and Accountability Act compliance deadline, it's time to look at where you and your organization are in preparing for the privacy regulations.

First, a quick quiz: Do you know what the following acronyms and technical terms mean? PHI, contrary laws, notice of privacy practices, disclosures, IIHI, and BA?

The terms above are integral to the Department of Health and Human Services' December 2000 final regulation and HHS' March 27, 2002, proposed rule — both of which detail the new health privacy regulations. When issued in final form later this year, the March 2002 proposed rule will modify the December 2000 final regulation. While some details of the privacy regulation are not yet set in stone, the basic structure of the privacy rules — including the April 14, 2003, compliance deadline — likely will not change.

Below, you'll find definitions of the acronyms and terms from our “quiz.” Use these terms and the following task descriptions to chart your organization's steps toward compliance.

Protected Health Information

Develop policies and procedures governing your organization's treatment of protected health information, or PHI.

First, appoint a privacy officer who will be responsible for ensuring your organization's compliance with the federal privacy regulations. For smaller providers, this person will likely be the president.

Next, design privacy policies and procedures that ensure the confidentiality of PHI. Your organization already may have in place policies that govern the treatment of PHI.

Once your privacy procedures are in place, train your employees on the practices. All employees who deal with PHI in performing their job responsibilities must be trained on your organization's privacy practices.

Contrary Laws

Find out if your state has any “contrary,” or more stringent, health privacy laws or regulations than those required by the federal government. The federal privacy law says that federal law preempts any contrary state law, unless the state law is more stringent. In other words, the federal privacy law is designed to create a national “floor,” or standard, for health privacy requirements, but your organization must comply with any more rigorous state laws governing the privacy of patients' health information.

Notice of Privacy Practices

Develop a “notice of privacy practices,” which fully describes, in plain English, how your organization maintains the privacy of PHI. Your organization will be required to issue this notice to all new patients — including patients who rent equipment after April 14, 2003. You also will be required to make a “good faith” effort to secure each new patient's written acknowledgement of receipt of your notice of privacy practices.

Disclosures

Create a process by which to respond to individuals who request an account of your organization's disclosures of their PHI. The privacy regulation is focused on the rights of the health care consumer. Patients who believe that your organization may have violated their health privacy rights can file a complaint directly with HHS' Office of Civil Rights.

Individually Identifiable Health Information

Secure patients' records with individually identifiable health information, or IIHI. This means each employee with access to computer-maintained PHI will have to have his or her own password; global or shared passwords will no longer be permitted. In addition, paper records must be secured in files that can be locked.

Business Associates

Identify any contractors who must have access to protected health information to perform their responsibilities as business associates, or BA. You're required to have a written agreement with these individuals or entities to ensure they maintain the confidentiality of protected health information. BAs could include such non-employees as accountants, attorneys and consultants.

Bonus Question

Do you know the answer to this question: What happens if I fail to comply with federal or state standards governing HIPAA privacy regulations? Answer: You may be subject to civil and criminal penalties for noncompliance. Civil penalties can range from $100 to $25,000 per person, per violation of a single standard in a calendar year. Criminal penalties incur fines of up to $250,000 and/or prison terms of up to 10 years.

Remember, the new federal privacy regulations are not Medicare or Medicaid issues. These privacy rules apply to your organization regardless of your payor source. As long as you submit at least one electronic claim to any payor, your organization is considered a “covered entity,” and therefore is subject to these federal regulations. And, as home medical equipment providers, you're not being singled out: All health insurance companies and other providers are covered by these federal privacy regulations. The HIPAA privacy rules will impact virtually every organization in the United States health care delivery system.

For more information about HIPAA, go to the federal government's Web site at http://aspe.hhs.gov/admnsimp/index on the Internet.

A specialist in health care legislation, regulations and government relations, Cara C. Bachenheimer is an attorney with the law firm of Epstein, Becker & Green in Washington. Bachenheimer previously worked at the American Association for Homecare and the Health Industry Distributors Association. You can reach her by phone at 202/861-1825 or e-mail at cbachenheimer@ebglaw.com.
