Q. We're confused about HIPAA. What was recently finalized?

A. On August 14, 2002, the Department of Health and Human Services published final modifications to the HIPAA Privacy Rule, effective October 15, 2002. The modifications did not, however, alter the date by which covered entities must be in compliance with the Final Privacy Rule.

All covered entities must be in compliance with the Final Privacy Rule by April 14, 2003. It's impossible in a small space to describe the steps physicians need to take to do so, though there are some critical things your practice should be doing.

You need to formulate an "action plan" to help prepare the practice for the compliance deadline. It's usually best to divide the action plan into phases to make the process more manageable. The first phase of the action plan should be to create a project team comprising a privacy officer and a privacy committee to help with planning and implementation. Be sure the privacy officer and committee members understand the Final Privacy Rule requirements and targets for compliance.

During the second phase of the plan, conduct a privacy risk assessment to determine exactly how your organization's current level of security, privacy, and EDI systems compares to the HIPAA requirements. The risk assessment, combined with a gap analysis, will let the practice know what it needs to do to come into compliance. Also during this phase, evaluate business arrangements to determine which of them will require a written Business Associate Agreement.

During the next phase of the plan, the practice establishes its compliance systems and develops a "privacy plan" that includes its policies and procedures, Notice of Privacy Practices, authorization forms, monitoring and auditing systems, and other relevant forms and documents. The practice must also educate all staff members on the privacy plan.

Q. Is it true that we no longer have to get patient consent?

A. Yes, the final modifications to the Privacy Rule eliminated the mandatory consent requirement and now make it optional for a covered entity to obtain consent for payment, treatment and health care operations. Now, "direct treatment providers" must provide patients with a copy of their Notice of Privacy Practices and make a good faith effort to obtain a patient's written acknowledgment of the receipt of the Notice of Privacy Practices.

Q. What are the penalties for violating the Final Privacy Rule?

A. The lowest penalty is a $100 fine, increasing to $25,000 per year for each patient and standard violated. If the patient information is obtained with the purpose of selling it or harming the individuals, the penalty can be as high as $250,000 plus a 10-year jail sentence. Penalties can be levied against you or a staff member and your practice. In some circumstances, you can even be sanctioned for violations by one of your business associates.

Q. What is considered to be "marketing" under the Final Privacy Rule?

A. Under the rule, covered entities may use protected health information without specific patient authorization in very limited circumstances: 1) in a face-to-face encounter; 2) for products and services that are of nominal value; and 3) for health-related services, provided certain conditions are met. The definition of marketing does not, however, include communications to an individual for treatment, case management or care coordination, or to direct or recommend alternative treatments, therapies, health-care providers or care settings.

A covered entity may also use protected health information to let a patient know about a particular health-related product or service the covered entity provides.

Q. What are the implications of a business associate who is not involved in the actual treatment of a patient (e.g., auditors, billing firms, lawyers, or accreditation organizations) using protected health information in the performance of its services on behalf of a covered entity?

A. The Final Privacy Rule allows a covered entity to disclose protected health information to a business associate who performs a function or activity on behalf of the covered entity as long as the covered entity has a written agreement with the business associate containing specific safeguards.

The final modifications allow a covered entity to continue operating under existing written agreements with business associates for up to one year beyond the April 14, 2003 compliance date. This transition period is available if the covered entity has an existing written contract with a business associate and the written agreement is not renewed or modified between the effective date of the modifications (October 15, 2002) and April 14, 2003. Such a written contract would be deemed to be in compliance with the Privacy Rule until the sooner of (1) the date the contract is renewed or modified after April 14, 2003, or (2) April 14, 2004. The transition period does not, however, extend to oral contracts or new written contracts entered into after April 14, 2003.

Ms. Poindexter is an attorney in the Health Law practice group at Shook, Hardy & Bacon, LLP. She frequently lectures on health-care legal issues.