Posts Tagged Protected health information


Introducing a New HIPAA Privacy Notice for Patients and Practices

September 23, 2013 is the date that medical practices and other covered healthcare entities will roll out a new Notice of Privacy Practices to patients to be compliant with the HIPAA Omnibus rule enacted in March 2013.

What Does This Mean For Patients?

Patients should be aware that after September 23rd, their healthcare providers will have a new Notice of Privacy Practices (NPP) available. The new NPP should be posted in each office, on the website if one exists, and should be available as a handout for any patient requesting it.

The new notice will include:

    • Reasons that your Protected Health Information (PHI) can and cannot be disclosed to others.
    • Information for opting out of communication related to fundraising activities, if your healthcare provider does any fundraising.
    • The ability to restrict your PHI from payer disclosure when you pay in cash instead of having the charges filed with your insurance plan.
    • Information about being contacted if there is a breach of your PHI due to unsecured records.

What Does This Mean For Practices?

    • A new Notice of Privacy Practices that is specialized to your practice must be developed.
    • The new NPP must be posted in your practice, on your website and available as a handout for any established patients who request it.
    • All new patients must be offered a copy of the new NPP and must sign an acknowledgement that they received it. (They may turn a copy of the NPP down, however.)
    • Policies that address the disclosure of information/records and notification of a breach, should one occur, must be developed.
    • Old and new versions of the NPP should be on file in the practice, and patient acknowledgements should also be kept as long as the medical record is retained.

What else is required for compliance with HIPAA Omnibus?

One of our good friends, Steve Spearman at Health Security Solutions has posted great information on his site about the other requirements of the HIPAA Omnibus rule. His excellent posts help readers understand and comply with the new HIPAA guidelines in the following areas:

    • Business Associates Agreement (BAA) Update
    • Downstream Subcontractors Needing BAAs
    • New Breach Notification and Reporting Protocol
    • School Immunization Records Protocol
    • Electronic Fulfillment of PHI Request
    • Medical Record Protocols for Cash Payments

At Manage My Practice, we’re offering a free sample Notice of Privacy Practices for your practice use. Please read the sample notice carefully, make changes specific to your practice and add your practice name. Note that language related to fundraising is NOT included, as it will not apply to most private practices. Insert fundraising language as follows if appropriate for your practice.

Fundraising Activities: We may use PHI to contact you to raise money. If you wish to opt out of these contacts, or if you wish to opt back in to these contacts, please contact our Privacy Officer.

Likewise, if your practice has a research function, insert relevant language:

Research: We may use and share your health information for certain kinds of research; however, all research projects are subject to a special approval process.

Check your state laws.

Your state law may require authorizations for certain uses and disclosures of PHI beyond those outlined in the sample notice. Be sure to amend your NPP to reflect any state-specific laws (resource here) related to release of medical records. Remember to post your new NPP on your website and in your practice, and begin giving it to new patients September 23, 2013.

The new Notice of Privacy Practices is not required until September 23rd, but you can start using it as soon as you have yours ready.

For more on HIPAA, read my post “Three Big HIPAA Myths.”

Clearing Up the Confusion Between Security, Privacy, HIPAA and HITECH: An Interview With Steve Spearman

Mary Pat: Your business is called “Health Security Solutions.” People often confuse privacy with security. Can you clear up the confusion for us?

Steve: The Privacy rules refer to the broad requirements to protect the confidentiality of Protected Health Information (PHI) in all its forms. So for example, a physician talking loudly on the phone in the lobby of a restaurant about a patient by name is a violation of the privacy rules. PHI on paper records is covered under the privacy rules.

The security rules are specifically concerned about protecting the confidentiality (i.e. privacy), integrity and availability of electronic PHI, or PHI that exists in a digital form. So once you are dealing with electronic health records and information systems, violations tend to fall under the security rules.

50 Places Your Rejuvenated Practice Brochure Should Be and Yes! You Still Need a Practice Brochure

I admit to being a great fan of electronic media for healthcare. My fandom, however, does not mean that I believe all paper and ink informational and marketing mediums are dead.

Because most practices have some portion of their patient population depending on paper for information and may also market to that population (whether patients or referrers), my opinion is that the practice brochure remains a viable and important piece of paper. You might want to give yours an update, though, to make it more usable and meaningful to everyone.

Using your brochure for your patients – new, established and future


  • ABOUT – a brief sentence or two making it clear what ages, genders and types of problems your practice works with. You might also want to note if you do not see your patients in the hospital.  A Mission Statement is a waste here – the reader wants facts. A history of the practice is also a waste here – save this for your website. You don’t even really need to itemize your providers here.  Think of someone who knows nothing at all about you. Their first question is “Is this a practice I need and want?”

Your ABOUT could even be on the front of the brochure, so the patient doesn’t have to spend time reading the entire brochure if they are not a fit for your practice.  Here’s an About Example: Main Street Urology helps men and women ages 18 and older with problems such as urinary infections, kidney stones and prostate problems. We see patients in our two offices, as well as at XXX and XXX hospitals.


  • NEW & ESTABLISHED PATIENTS – Answer the second most common question next, which is “How do I get services?” Try to make this brochure as applicable to as many people as possible, so do not assume that the person reading the brochure has already signed on as a new patient. Consider the person that knows nothing about you and briefly describe all ways people can contact you to become a patient.
    • Your website – do people complete their registration electronically and you call them to set the appointment or do they request an appointment and you email a response? How is it done?
    • Your phone number – hopefully you are in step with the modern world and know that people don’t always think about establishing or following up on medical care during office hours. Do you have a way besides your website for patients to request appointments that are not urgent? Can they call and leave a message or do they get your answering service asking them to call back during office hours?
    • Stop by the office – largely discouraged by most offices, patients in the rural communities I’ve worked in know that stopping by the office is the quickest way to get service. Do you welcome that “interruption”?
    • Walk-in hours, work-ins, or same-day sick visits – what is appropriate for a same-day visit? When should patients go to the emergency room or call 911?


  • PRESCRIPTIONS – The third most-common question is about getting new prescriptions and refills. With most people hoping to get a prescription without an office visit charge (who doesn’t want to save that co-pay?), requests for prescriptions are one of the primary reasons most specialties are struggling to keep the phones answered (read my post on phones here.) If you are not going to prescribe a new medication without an office visit, put it in writing. If all refills are obtained by calling the pharmacy, say so, and state how long it typically takes to get an existing prescription refilled.  If you require a visit every 6 months for chronic illness medications, and a visit every month for chronic pain medications, say so. For practices with large numbers of chronic pain patients, spell out your terms including pain medication contracts and periodic laboratory tests.


  • PAYMENTS – Now is a good time to state your payment policy. What is due at time of service? What kinds of payments do you accept? Do you require a credit card on file? Do you collect deductibles and co-insurance? Surgery or procedure deposit? Fee for no-shows? Fee for forms completion? Fee for NSF checks? Do you give discounts for self-pay patients? Do you have a sliding scale for financial need patients? Do you send statements? One of my big management philosophies is: Don’t Surprise The Patient. Don’t think it indelicate to discuss money before the visit. It is a business transaction and it is only fair to let the one paying the bill know and understand your policy upfront before the service has been rendered. Read my post on developing your financial policy here.


  • COMMUNICATION – This is where most misunderstandings take place. How can you provide as many straightforward means of communication between the practice and the patient as efficiently and productively as possible?
    • Main practice number – should get the patient to a real person during office hours and give an alternative after hours. Malpractice companies will tell you that patients should not be able to leave a message on the main practice number as they may assume it is monitored and your practice may have liability. For routine questions, let your answering service take a message to be passed along on the next business day, or have a voice mail box for the answering service to utilize.
    • Automated attendant number – some patients will prefer the automated attendant, especially if your options are published on the website or in the practice brochure and patients can call any time to leave a message.
    • Website – should have detailed information about contacting the practice during and after office hours. If you allow or encourage non-medical emails from patients, let the writer know how and when a response will come. Make clear what types of questions are appropriate in non-encrypted email and use a secure portal or encrypted email for emails with protected health information (PHI).

More tips for your brochure

  • To be as inclusive as possible, do not use medical terminology, abbreviations or jargon and aim for a readability level of 6th grade. Use the active voice and simple, short declarative sentences, a font of 12 or more and use as few multi-syllabic words as possible. If you wonder how your brochure readability stacks up, you can paste your text here for a free analysis. Microsoft Word 2007 and newer has a function you can turn on for a readability score at the conclusion of your spelling and grammar check.
  • Use as little paragraph text and as many headings and bullets as possible.
  • Don’t cram the brochure with every little detail you can think of – keep it simple with plenty of white space.
  • A map is always a good idea.
  • Your practice name, website, phone numbers and office hours should appear at least twice – maybe on the inside and the outside. Having the basics on both sides is helpful to patients who place your brochure on their refrigerator or tape it inside the kitchen cupboard for easy reference.
  • This article assumes a tri-fold brochure, but your brochure could be bigger or smaller. A tri-fold is not only easy to fold in half and stick in a pocket or a purse, it is also feasible to produce yourself.
  • A digital copy should be available on your website for patients to print out, either in the tri-fold style, or on standard 8 1/2″ x 11″.

Using your brochure as a marketing tool

Make your practice brochures do double duty by providing them to:

  1. The Welcome Wagon
  2. The Chamber of Commerce
  3. Real Estate offices
  4. Rental Agency offices
  5. Hotels
  6. Any location with a display of brochures of local events and services
  7. Libraries and Museums
  8. Hospitals
  9. Urgent Cares
  10. Campgrounds, RV sites, theme parks
  11. Sporting event locations
  12. Spas
  13. Hairdressers and nail salons
  14. Malls and shopping centers
  15. Daycares
  16. Continuing Care Communities
  17. School nurses
  18. Gyms and sports clubs
  19. Parish Nurses
  20. Churches
  21. Any place you give a talk or program
  22. Correspondence you send welcoming a new business to the area
  23. Chiropractors
  24. Complementary Care Practitioners (acupuncture, meditation, etc.)
  25. Convention Centers
  26. The Health Department
  27. Employers
  28. The State Welcome Center
  29. State Rest Stops
  30. Service Clubs (Rotary, Kiwanis, Jaycees)
  31. Medical office programs in local schools (high schools, technical schools, vocational schools, community colleges)
  32. Nursing programs
  33. Other medical offices in your building or medical park
  34. Medical employment agencies
  35. Home Health agencies
  36. The Red Cross
  37. Durable Medical Equipment and Supply Stores
  38. Dentists
  39. Community Centers
  40. Afterschool programs
  41. Pharmacists and Pharmacy Technicians
  42. Physical Therapists
  43. Massage Therapists
  44. Parks and Recreation Centers
  45. Airports
  46. Train stations
  47. Bus stations
  48. Rental car agencies
  49. Any business or individual you buy goods or services from
  50. Radio and television stations

Bonus #51: Give them to your new staff so they understand the fundamentals about your practice very quickly.

CMS Releases Record Retention Guidelines

An updated post on record retention with a simple record retention schedule can be found here.

State laws generally govern how long medical records are to be retained.

However, the Health Insurance Portability and Accountability Act (HIPAA) of 1996 administrative simplification rules require a covered entity, such as a physician billing Medicare, to retain required documentation for six years from the date of its creation or the date when it last was in effect, whichever is later. HIPAA requirements preempt State laws if they require shorter periods. Your State may require a longer retention period.

While the HIPAA Privacy Rule does not include medical record retention requirements, it does require that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of medical records and other protected health information (PHI) for whatever period such information is maintained by a covered entity, including through disposal.

The Centers for Medicare & Medicaid Services (CMS) requires records of providers submitting cost reports to be retained in their original or legally reproduced form for a period of at least 5 years after the closure of the cost report.

CMS requires Medicare managed care program providers to retain records for 10 years.

Additional information:

  1. Providers/suppliers should maintain a medical record for each Medicare beneficiary that is their patient.
  2. Medical records must be accurately written, promptly completed, accessible, properly filed and retained.
  3. Using a system of author identification and record maintenance that ensures the integrity of the authentication and protects the security of all record entries is a good practice.
  4. The Medicare program does not have requirements for the media formats for medical records. However, the medical record needs to be in its original form or in a legally reproduced form, which may be electronic, so that medical records may be reviewed and audited by authorized entities.
  5. Providers must have a medical record system that ensures that the record may be accessed and retrieved promptly.
  6. Providers may want to obtain legal advice concerning record retention after CMS-required time periods.