Who's Your CPO?
IT'S FEBRUARY. Have you developed an action plan for your organization to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy regulations yet?
If not (and even if you have), you have about one year to develop policies and procedures specific to the HIPAA privacy rules and to train your employees on those policies and procedures. You also will have to sign contracts with business associates who have access to “protected health information.”
Are you still in denial? If you are a home health care provider — home medical equipment provider, home health agency, retail pharmacy or otherwise — that submits at least one electronic claim to a payer, your organization is required to comply with the federal government's privacy rules. Although the privacy rules were issued in final form in December 2000, the federal government has given the health care industry until April 14, 2003, to comply with the rules. Don't delay. Compliance will take time and resources. Develop an action plan based on this 12-step program.
- KNOW YOUR HIPAA
Familiarize yourself with the final HIPAA privacy regulation and the subsequent guidance documents issued by the Centers for Medicare and Medicaid Services. There are many useful Web sites, but start with the CMS site, www.hcfa.gov, which includes the final rule as well as a series of guidance documents and lots of other useful information.
- SEEK SUPPORT
Enlist the support of your organization's leadership in understanding and complying with the HIPAA privacy rules. As with any corporate policy, from-the-top-down leadership is important to ensure that the entire organization is onboard.
- CEO, CFO AND … CPO?
Appoint a Privacy Officer. Every health care provider must have a top-level employee responsible for the organization's compliance with the privacy rules. This likely will involve adding compliance responsibilities to the job description of an employee already in top management. Privacy rules will impact virtually every employee at a home health care business, so this person should have overall management authority.
- KEEP UPDATED
Track the progression of the privacy rule by reading articles and attending seminars, and check the CMS Web site for updates. It also may be beneficial to research the state laws for the state(s) in which you do business. Many states have privacy laws, which sometimes are more stringent than the federal requirements.
- ASSESS YOUR RISK
Develop a road map of how health information flows from order-intake through delivery, billing and other operational functions. This will help you identify who in your organization currently has access to individual health information, and who must have access to individuals' health information in order to perform a job. Where access is not important to an employee's job function, you may want to limit that employee's access to health information, if doing so would be easier than ensuring that the employee is properly trained on your privacy policies and procedures.
- FROM HERE TO THERE
Evaluate your organization's current information practices, policies and procedures. These should serve as a baseline to develop new policies and procedures for complying with privacy rules.
- THE TRAINING TRACK
Develop training materials for your employees and business associates. All employees who have access to individuals' health information will have to be trained on your new privacy policies and procedures. Business associates also will have to be trained on your policies to ensure that they maintain the confidentiality of patient health information.
- UPDATE, UPDATE, UPDATE
Develop a mechanism for updating your information policies and procedures. The Privacy Officer will be responsible for ensuring that your organization complies at all times.
- PARTNER COMPLIANCE
Review any agreements with business associates or entities with whom you contract to perform certain functions, such as a billing service, attorney or auditor, to see if those entities will have access to your patients' protected health information. If your partners do have access, the privacy rules mandate that, by the compliance deadline, you sign a contract with such entities requiring them to maintain the confidentiality of patients' protected health information.
- TRACKING ACCESSIBILITY
Establish a mechanism to track access to protected health information and allow only qualified individuals to have access to that information.
- CUSTOMER SERVICE
Establish a process to handle customer complaints about your privacy practices, from receipt through resolution.
- HAND IN HAND
The HIPAA security rules will go hand in hand with the privacy rules. Recognize the interplay between these two regulations, and coordinate your privacy activities with your security activities.
A specialist in health care legislation, regulations and government relations, Cara C. Bachenheimer is an attorney with the law firm of Epstein, Becker & Green in Washington. Bachenheimer previously worked at the American Association for Homecare and the Health Industry Distributors Association. You can reach her by phone at 202/861-1825 or e-mail at cbachenheimer@ebglaw.com.
© 2009 Penton Media Inc.







