Practice Management Alert

HIPAA Cheat Sheet for Billing Offices

For your practice to meet HIPAA compliance, each employee has to pull her share of the work. Billers have their own tasks for meeting compliance.

Teena George, a certified HIPAA specialist and owner of Humboldt Medical Solutions, provides the checkpoints on this cheat sheet for billing-office managers and billers who need to meet HIPAA privacy and security compliance.

  • Lock your offices.
  • Lock your filing cabinets.
  • Lock your faxes in authorized offices and use privacy statement fax cover pages.
  • On your computer monitors, keep a security screen saver, accessible only by a password that a few select members in the office know, and put a timer on it so it will deactivate in 1 to 3 minutes.
  • Turn your computers away from heavily trafficked areas.
  • Inform your staff members of HIPAA.
  • Sign your business-associate contracts (see article 6).
  • Reduce the number of people who look at patient files. Make sure the cleaning crew can't access the files. Specify office positions that do and don't deal with patient files in a meeting with employees. Instruct physicians to look only at files of the patients with whom they're consulting, assisting or providing patient care.
  • Refrain from speaking about patient information to people who don't need it to do their jobs. Everyone in the office is on a "need-to-know basis only," she states.

    To find out more about how your office can reach HIPAA compliance, check out this Web site: http://pages.prodigy.net/hummed/index.html.

    Privacy Policy for Patients, Employees

    You want patients to know you're taking care of HIPAA when you transfer patient information to payers. Create a policy to guarantee them that mum's the word: their information isn't going to anyone who is not supposed to see it.

    George's staff gives patients a form that outlines their privacy. The easy-to-understand one-page letter lets patients know that:

  • personal patient information is being shared on a need-to-know basis only.
  • personal patient information is shared only if medical staff need the information to do their jobs or if a medically or legally serious situation arises.
  • a full copy of the entire office privacy policy is available on demand if patients want more information.

    Make sure your patients sign the privacy form, says Stacy Burnett, at Medical Practice Management P.C. in Beaverton, Ore. And make a copy for the patient. (Store the original in your patient's file, George adds.)

    You should also retain the patient-signed form in the patient's medical chart, Burnett says. To do this, you can make the privacy notice a two-part copy, with the yellow copy underneath as proof the patient received and signed the notice, Burnett says. "It's a little more expensive, but the peace of mind is worth it."

    Update the form, and have the patient re-sign it every six months or if the patient changes insurance or personal information, George says. To see a sample introduction for a privacy notice, turn to the back of this issue.

    In addition to a patient privacy form, Burnett's office has created a master log for all PHI disclosures that require recording and installed software that will mark patients who have requested restrictions on the release of their PHI.

    Also, make sure you check your state privacy laws. HIPAA is the bare-minimum regulation. State laws supersede HIPAA laws, so if your state has the specific requirement to lock your cabinets, and HIPAA doesn't, you must lock your cabinets, she says.