Home Health & Hospice Week

HIPAA:

9 Steps To HIPAA Privacy Success

With HIPAA's electronic transaction standard deadline fast approaching, some providers may be neglecting the privacy portion of their HIPAA compliance programs.

That could be a big mistake, especially for durable medical equipment suppliers that have some special Health Insurance Portability and Accountability Act considerations. The Centers for Medicare & Medicaid Services held a HIPAA teleconference aimed specifically at DME suppliers in July.

To ensure HIPAA privacy success, suppliers should follow these nine steps, advised Walter Suarez, executive director for the Midwest Center for HIPAA Education, in the call:

1) Appoint a HIPAA privacy officer. "We all at this point should have identified a person and had that person become very familiar with the regulations," Suarez said. This privacy officer should be the "point person" for HIPAA questions from both staff and patients.

2) Determine your covered entity status. DME suppliers may be standalone entities covered by HIPAA, or part of a larger organization such as a health system, Suarez noted.

3) Develop your privacy notice. "This perhaps is the single most important document in the whole privacy regulation," Suarez claimed. DME suppliers must furnish the notice to patients either the first time they come into the store or the first time the supplier delivers equipment. If the supplier runs a Web site, it must post the notice there too, Suarez directed.

4) Develop policies and procedures on privacy rights implementation. Under HIPAA, patients have a number of privacy rights, ranging from receiving the privacy notice to requesting restrictions on protected health information (PHI) to filing complaints. "We have to create a process and document how consumer patients have the ability" to exercise their HIPAA rights within your organization, Suarez instructed.

5) Develop policies and procedures on uses and disclosures of PHI. One commonly encountered but touchy DME scenario is disclosing PHI to the patient's family, and your policies should document your practices carefully.

6) Develop policies and procedures on minimum necessary uses and disclosures of PHI. "The intent in the regulations was ... to make sure that we only use what is minimally needed," Suarez explained. "We must develop policies and procedures around that" for both internal and external uses and disclosures.

7) Identify HIPAA business associates (BAs) and secure agreements with them. Be clear about who qualifies as a BA: billing services generally are BAs, while other providers aren't, Suarez detailed.

8) Train employees on HIPAA. "This is an ongoing requirement," Suarez stressed. "Keep them informed about changes that we do in our policies and procedures related to privacy."

9) Establish safeguards. HIPAA requires "reasonable and appropriate administrative, physical and technical safeguards," Suarez pointed out. "Here is where the privacy regulations meet the security regulations."

But the privacy regs are much broader in scope and apply to all PHI, whether it is in electronic format or not, he noted.