If you visited your doctor or another health care provider recently, you probably were given a HIPAA form that you had not seen before and which explained your privacy rights. For some people, this form may come across as just one more piece of paper that must be signed before they get the medical services they seek. It is doubtful that most people will take the time necessary to carefully read and understand all of the technical jargon and legal nuances. But the new federal rights described in this HIPAA form are substantial and represent years of regulatory work. For your pregnancy center, the new rules regarding patient privacy must be reviewed to determine their applicability to your practices.
The federal Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996 to ensure that people with special medical needs would not lose their health insurance when they changed jobs. With this new law, Congress also directed the Department of Health and Human Services to develop national standards for electronic health care transactions, including new federal rules to protect the privacy rights of patients.
The Department of Health and Human Services spent several years developing these privacy rules. In April 2003 the new HIPAA privacy rules went into effect. Key provisions of the new privacy standards include:
Adoption of internal privacy procedures: Covered health care providers are required to appoint a designated privacy officer to implement appropriate internal procedures relating to maintaining patient privacy and to offer training to all employees about patient privacy rights.
Notice of privacy practices: Covered health care providers must provide written notice to patients about how they as health care providers may use medical information and about the rights of patients.
Access to medical records: Patients have the right to see and obtain copies of medical records and to request corrections if they identify errors or mistakes.
Limitations on the use of personal medical information: Health care providers generally still may share health information as may be necessary to provide treatment. When sharing personal medical information in connection with providing health care, health care providers may only share the minimal amount of information as may be reasonably needed for the particular purpose. A patient must sign a written consent to authorize the release of medical information to outside parties for purposes unrelated to his health care.
HIPAA's relation to state laws: The new provisions do not affect state laws that offer additional privacy rights to patients. Rather, these rules set a national "floor" of privacy standards to protect all Americans.
The good news for pregnancy centers is that most are not covered by these new federal requirements. If your pregnancy center is not a health care provider, the new HIPAA privacy rules should have no application to your procedures and practices. Moreover, even if your center offers limited medical services such as ultrasounds or STD testing, it may be exempt from the requirements of HIPAA so long as it does not engage in electronic transactions related to insurance claims and payments.
Under the new HIPAA privacy rules, only health care providers that engage in "standard electronic transactions" are covered. The relevant statute defines these to include such transactions as computer-to-computer transmissions relating to healthcare claims, payment and remittance information, and information relating to eligibility for a health plan. Therefore, if your center is offering free medical services to patients without engaging in any electronic transmissions relating to health insurance claims, health insurance payments, or eligibility for health plans, it may not be subject to the new HIPAA privacy requirements.
If your center is a health care provider and is processing Medicaid claims for clients, it is most likely covered by the new HIPAA requirements. Whether your center's patients pay for these medical services is not the controlling factor. Rather, what is relevant is whether your center is engaging in "standard electronic transactions." The new regulations define such transactions to include: "a request to obtain payment, and necessary accompanying information, from a health care provider to a health plan, for health care."
Even if your center is not a covered health care provider, there are several reasons that warrant voluntary compliance with at least some of the requirements in the new HIPAA rules. Affording patients privacy protection and adopting sound internal procedures to ensure these protections should be a goal of every pregnancy center without regard to specific legal requirements. Moreover, as patients become accustomed to being notified about their HIPAA rights from other health care providers, pregnancy centers that offer limited medical services will enhance their professional image by offering similar notifications. Finally, moving in the direction of voluntary compliance will ease the burden of transition that will be required if changes in either the law or the center's practices make compliance mandatory.
Care Net has adopted a sample Privacy of Patient Health Information policy and a sample Notice of Privacy Practices that may be used by centers for voluntary compliance with HIPAA. These forms can be found within the Care Net Forms Manual. Free copies of these two forms may be obtained from Care Net by calling 703-478-5661, ext 37.
If you have additional questions about the new HIPAA privacy rules and their application, the Department of Health and Human Services has created a special web site to address these issues (www.hhs.gov/ocr/hipaa).
Kurt Entsminger, an attorney, is president of Care Net and has been a leader in promoting standards of excellence for all pregnancy centers and in drafting proposed legislation to make ultrasounds more accessible to pregnancy center clients. Kurt previously served as a U.S. Attorney during the Reagan and Bush administrations.