"Update on Health Care Privacy Regulations"

By: Roni Glaser rglaser@mlg.com

The U.S. Department of Health and Human Services has issued regulations, effective on April 14, 2001, which are designed to protect the privacy of patients' medical information. Health care providers who are covered by these new privacy regulations--hospitals, nursing homes, home care agencies and others, if they transmit health information electronically--now have two years to come into compliance with the extensive requirements of the privacy regulations concerning the use and disclosure of medical information which they obtain in the course of rendering health care services to patients.

How will these regulations affect the small business health care provider? The regulations require specific language in your consent forms for the release of health care information. Even greater detail is required if you intend to disclose the information for purposes other than treatment, payment or health care operations, e.g. if you will use the patient's information for marketing, fund raising, etc. Providers should compare their existing consent forms with the new regulatory requirements, and modify their forms as needed.

Also, the regulations introduce a new requirement, that patients must be provided with notice of the uses and disclosures of health information, of their rights and of the provider's duties with respect to the privacy of this information. This notice must contain specific language prescribed by regulation, and providers will need to draft such a notice.

Providers should also begin to look at their policies and procedures, as well as their employee handbooks to ensure that they cover all aspects of patient privacy required by the regulations. A privacy official must be designated, whose responsibility it is to develop and implement privacy policies and procedures of the provider. A person must also be designated who will serve as a contact person for receiving complaints and who can provide further information about privacy matters. All employees will need to be trained as to their responsibilities under the regulations. Compliance with all of these requirements must be documented according to specific standards outlined in the regulations.

If protected health information is to be given to "business associates"--persons or entities with whom the provider does business--you must have written contracts in which the business associates agree to safeguard the information you release. The contents of these contracts are prescribed by regulation as well. Existing vendor contracts and relationships with attorneys, accountants, etc. should be reviewed and amended as necessary to comply with the privacy regulations.

Providers will also need to consult with their computer experts to ascertain whether they have adequate protections in place to prevent unauthorized access to information stored on or transmitted by their computers.

A good starting point to implement effective strategies for compliance would be to obtain a copy of the regulations and/or experts' analyses of them. Then, develop a plan of action which harnesses the talents and knowledge base of in-house staff as well as outside experts and legal counsel. Some compliance tools are or will become available on the internet. With two years until compliance will be mandated, it is not too early to begin to assess your operations to determine what organizational changes will be required and to begin to make those changes in order to comply with the privacy regulations.

190 Willis Avenue Mineola, NY 11501 Tel: (516)747-0300 Fax: (516)747-0653

© 2001 Meltzer, Lippe Goldstein & Schlissel, LLP