  Ask the Experts

HIPAA compliance with Scott C. Withrow

Scott C. Withrow is a founding partner of Withrow, McQuade & Olsen, LLP, in Atlanta, Georgia. He has practiced healthcare and corporate law for 15 years, representing clients that include hospitals, home health agencies, physicians and group practices, physician-hospital organizations, and physician practice management companies. He is a member of the American Bar Association's Health Law Section and the Georgia Academy of Healthcare Attorneys, serves on the editorial board of Aspen Publishers' Home Health Care Revenue Report, and has spoken frequently on the topic of healthcare compliance. Mr. Withrow has published articles in The Practical Lawyer, Leader Publications' Health Care Fraud & Abuse Newsletter, and elsewhere. He is also the author of the Health Administration Press books Managing Healthcare Compliance and the new release Managing HIPAA Compliance.

The questions posted for Mr. Withrow, together with his responses, appear below:

davis - 12:39pm Nov 16, 2001
What options are available for identifying patients in patient waiting rooms? Can their name be called out? Is it a violation of the patient's privacy if their name is called out? Can a numbering or color system be used?

  1. Withrow's response - 10:10pm Nov 28, 2001 (#1 of 1)
    Patients can still be called by name in the waiting room, although a numbering or color system would provide enhanced privacy.

    In the spring of 2001, one speaker on the HIPAA lecture circuit demonstrated the possible breadth of the final privacy regulations by suggesting that physicians' offices could no longer call patients by name in the waiting room. While it made for an interesting example, regulators were quick to respond to explain their intent. In July 2001, regulators posted on the Administrative Simplification web site the following answer to general questions concerning oral communications:

    ORAL COMMUNICATIONS [45 CFR §§ 160.103, 164.501]

    Background
    The Privacy Rule applies to individually identifiable health information in all forms, electronic, written, oral, and any other. Coverage of oral (spoken) information ensures that information retains protections when discussed or read aloud from a computer screen or a written document. If oral communications were not covered, any health information could be disclosed to any person, so long as the disclosure was spoken.

    Providers and health plans understand the sensitivity of oral information. For example, many hospitals already have confidentiality policies and concrete procedures for addressing privacy, such as posting signs in elevators that remind employees to protect patient confidentiality.

    We also understand that oral communications must occur freely and quickly in treatment settings, and thus understand the heightened concern that covered entities have about how the rule applies. Therefore, we are taking a two-step approach to clarifying the regulation with respect to these communications. First, we provide some clarification of these issues here, so that covered entities may begin implementing the rule by the compliance date. Second, we will propose appropriate changes to the regulation text to clarify the regulatory basis for the policies discussed below in order to minimize confusion and to increase the confidence of covered entities that they are free to engage in communications as required for quick, effective, and high quality health care. We understand that issues of this importance need to be addressed directly and clearly in the Privacy Rule and that any ambiguities need to be eliminated.

    General Requirements
    Covered entities must reasonably safeguard protected health information (PHI) - including oral information - from any intentional or unintentional use or disclosure that is in violation of the rule (see § 164.530(c)(2)). They must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonably safeguard" means that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. However, we do not expect reasonable safeguards to guarantee the privacy of PHI from any and all potential risks. In determining whether a covered entity has provided reasonable safeguards, the Department will take into account all the circumstances, including the potential effects on patient care and the financial and administrative burden of any safeguards.

    Covered entities must have policies and procedures that reasonably limit access to and use of PHI to the minimum necessary given the job responsibilities of the workforce and the nature of their business (see §§ 164.502(b), 164.514(d)). The minimum necessary standard does not apply to disclosures, including oral disclosures, among providers for treatment purposes. For a more complete discussion of the minimum necessary requirements, see the fact sheet and frequently asked questions titled "Minimum Necessary."

    Many health care providers already make it a practice to ensure reasonable safeguards for oral information - for instance, by speaking quietly when discussing a patient's condition with family members in a waiting room or other public area, and by avoiding using patients' names in public hallways and elevators. Protection of patient confidentiality is an important practice for many health care and health information management professionals; covered entities can build upon those codes of conduct to develop the reasonable safeguards required by the Privacy Rule.

    Frequently Asked Questions
    Q: If health care providers engage in confidential conversations with other providers or with patients, have they violated the rule if there is a possibility that they could be overheard?
    A: The Privacy Rule is not intended to prohibit providers from talking to each other and to their patients. Provisions of this rule requiring covered entities to implement reasonable safeguards that reflect their particular circumstances and exempting treatment disclosures from certain requirements are intended to ensure that providers' primary consideration is the appropriate treatment of their patients. We also understand that overheard communications are unavoidable. For example, in a busy emergency room, it may be necessary for providers to speak loudly in order to ensure appropriate treatment. The Privacy Rule is not intended to prevent this appropriate behavior. We would consider the following practices to be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart):

    Health care staff may orally coordinate services at hospital nursing stations. Nurses or other health care professionals may discuss a patient's condition over the phone with the patient, a provider, or a family member. A health care professional may discuss lab test results with a patient or other provider in a joint treatment area. Health care professionals may discuss a patient's condition during training rounds in an academic or training institution. We will propose regulatory language to reinforce and clarify that these and similar oral communications (such as calling out patient names in a waiting room) are permissible.

    Q: Does the Privacy Rule require hospitals and doctors' offices to be retrofitted, to provide private rooms, and soundproof walls to avoid any possibility that a conversation is overheard?
    A: No, the Privacy Rule does not require these types of structural changes be made to facilities.

    Covered entities must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI. "Reasonable safeguards" mean that covered entities must make reasonable efforts to prevent uses and disclosures not permitted by the rule. The Department does not consider facility restructuring to be a requirement under this standard. In determining what is reasonable, the Department will take into account the concerns of covered entities regarding potential effects on patient care and financial burden.

    For example, the Privacy Rule does not require the following types of structural or systems changes: Private rooms. Soundproofing of rooms. Encryption of wireless or other emergency medical radio communications which can be intercepted by scanners. Encryption of telephone systems. Covered entities must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard. Covered entities must review their own practices and determine what steps are reasonable to safeguard their patient information.

    Examples of the types of adjustments or modifications to facilities or systems that may constitute reasonable safeguards are: Pharmacies could ask waiting customers to stand a few feet back from a counter used for patient counseling. Providers could add curtains or screens to areas where oral communications often occur between doctors and patients or among professionals treating the patient.

Chinn - 08:33am Nov 18, 2001
What will be the expectations for those functioning in home health settings? Since medical record management will be more hard copy than electronic, what types of precautions would be recommended?

  1. Withrow's response - 09:40pm Nov 28, 2001 (#1 of 1)
    Regulators recognize that the appropriate nature of privacy and security procedures will vary with the type of activities that the covered entity undertakes. Appropriate privacy and security procedures will be lessened when the healthcare services are physically delivered in the home, an inherently private setting. However, home health providers will need to adopt equally rigorous procedures for protecting health information in electronic form as other healthcare providers.

    The posting suggests that some home health providers may rely more on paper than electronic records. However, if HIPAA applies at all (i.e. the provider transmits any health information in electronic form), then the provider must comply with all HIPAA requirements even though its electronic volume is small relative to other healthcare providers.

    Required privacy procedures will include patient consent, notice of privacy practices, minimum necessary uses and disclosures, chief privacy officer, complaint process, patient right to access protected health information, and patient right to request amendment of protected health information. See Chapters 7, 8 and 9 of Managing HIPAA Compliance.

Alexander - 06:42am Nov 27, 2001
What are the guidelines for implementing the HIPAA for a private office setting? When will the HIPAA compliance take effect? How should we start preparing to become compliant?

  1. Withrow's response - 08:57pm Nov 28, 2001 (#1 of 1)
    Regulators recognize that the appropriate nature of privacy and security procedures will vary with the size of the covered entity and the type of activities that the covered entity undertakes. For example, a PC-based small physician office may rely on virus checking software furnished on new computers and internal auditing capabilities of its practice management software to satisfy HIPAA's administrative security procedures. It may satisfy workstation security requirements by locating equipment in areas that are generally populated by office staff and have some degree of physical separation from the public, without constructing a separate locked-off area. See Sections 8.8 and 10.3 of Managing HIPAA Compliance.

    The compliance deadlines are presently October 16, 2002 for electronic transaction standards, April 14, 2003 for privacy and early 2004 for security (assuming the final security regulations are issued soon, as promised). Small health plans (<$5 million in annual receipts) get an extra 12 months to comply. The U.S. Senate passed a bill (S. 1684) this week that would delay the deadline for electronic transaction standards by one year, but leave the privacy deadline unchanged. There is no assurance that the House will pass a similar bill, or that the President would sign such a bill. CMS (formerly HCFA) Chief Tom Scully has publicly disapproved of any further delay in implementing HIPAA. Covered entities should begin preparations immediately.

ratledge - 11:46am Nov 20, 2001
Dr. Withrow -- I have been in hospital administration for 18 years. I am now administrator for an outpatient substance abuse counseling organization. This is a 501(c)3 free standing organization--NOT a subsidy of any hospital. We do have "medical records," which are basically therapist's notes. Does HIPAA apply to us? Please advise and thank you.

  1. Withrow's response - 09:17pm Nov 28, 2001 (#1 of 1)
    Yes, an outpatient substance abuse counseling organization is a healthcare provider that would be a covered entity under HIPAA if it transmits any health information in electronic form. See Sections 3.1 and 7.1 of Managing HIPAA Compliance.

    The preamble to the privacy regulations specifically addresses substance abuse counseling:

    "Covered entities subject to these rules are also subject to other federal statutes and regulations. For example, federal programs must comply with the statutes and regulations that govern them. Pursuant to their contracts, Medicare providers must comply with the requirements of the Privacy Act of 1974. Substance abuse treatment facilities are subject to the Substance Abuse Confidentiality provisions of the Public Health Service Act, section 543 and its regulations.

    "The federal confidentiality of substance abuse patient records statute, section 543 of the Public Health Service Act, 42 U.S.C. 290dd-2, and its implementing regulation, 42 CFR Part 2, establish confidentiality requirements for patient records that are maintained in connection with the performance of any federally-assisted specialized alcohol or drug abuse program. Substance abuse programs are generally programs or personnel that provide alcohol or drug abuse treatment, diagnosis, or referral for treatment. The term "federally-assisted" is broadly defined and includes federally conducted or funded programs, federally licensed or certified programs, and programs that are tax exempt. Certain exceptions apply to information held by the Veterans Administration and the Armed Forces.

    "There are a number of health care providers that are subject to both these [HIPAA] rules and the substance abuse statute and regulations. In most cases, a conflict will not exist between these rules. These privacy rules permit a health care provider to disclose information in a number of situations that are not permitted under the substance abuse regulation. For example, disclosures allowed, without patient authorization, under the privacy rule for law enforcement, judicial and administrative proceedings, public health, health oversight, directory assistance, and as required by other laws would generally be prohibited under the substance abuse statute and regulation. However, because these disclosures are permissive and not mandatory, there is no conflict. An entity would not be in violation of the privacy rules for failing to make these disclosures.

    "Similarly, provisions in the substance abuse regulation provide for permissive disclosures in case of medical emergencies, to the FDA, for research activities, for audit and evaluation activities, and in response to certain court orders. Because these are permissive disclosures, programs subject to both the privacy rules and the substance abuse rule are able to comply with both rules even if the privacy rules restrict these types of disclosures. In addition, the privacy rules generally require that an individual be given access to his or her own health information. Under the substance abuse regulation, programs may provide such access, so there is no conflict.

    "The substance abuse regulation requires notice to patients of the substance abuse confidentiality requirements and provides for written consent for disclosure. While the privacy rules have requirements that are somewhat different, the program may use notice and authorization forms that include all the elements required by both regulations. The substance abuse rule provides a sample notice and a sample authorization form and states that the use of these forms would be sufficient. While these forms do not satisfy all of the requirements of the privacy regulation, there is no conflict because the substance abuse regulation does not mandate the use of these forms."
   
 
