The Department of Health & Human Services (HHS) implemented federal regulations for the protection of patients' medical records (the Privacy Rule, or HIPAA—Health Insurance Portability and Accountability Act—regulations) on April 14, 2001. The Department issued additional changes to the Privacy Rule on August 14, 2002. All covered entities (health care plans, providers, and clearinghouses) must be in compliance with the regulation by April 14, 2003.
The HHS Office for Civil Rights (OCR) is tasked with monitoring implementation of the Privacy Rule. On December 4, 2002, OCR published guidance on implementation of the rule and announced that it will continue to make informational materials available on its website. OCR has announced that it will be employing a complaint-driven approach to enforcement. This means that it does not plan to initiate investigations unless it receives complaints of violations. OCR has reportedly already received some complaints, so providers should devote resources and staff time to achieving compliance. OCR will provide those subject to a complaint the opportunity to implement corrective action prior to initiation of the penalty phase. Punitive means are described by officials as a last resort.
Under these regulations, physicians need to implement a number of new practices, including:
Developing and posting a Notice of Privacy Practices
Obtaining written acknowledgments from patients for their receipt of the Notice
Training employees
Appointing a "privacy official" responsible for ensuring compliance with the regulations
Providing to patients an accounting of the release of their medical records by the practice
Entering into contracts with "business associates" to ensure adherence to the standards of the Privacy Rule
ASCO has developed a list of frequently asked questions and model documents, forms, and policies to assist its members in complying with the rule. Before using these policies and forms, please note that they were drafted to comply with the federal HIPAA requirements without regard to state law. The policies and forms will need to be modified, on a state-by-state basis, to comply with the provisions of applicable state law that continue to apply. The HIPAA law defers to state privacy laws that are more stringent and not in conflict with the federal requirements. ASCO recommends that members consult counsel to adapt these policies and forms to more stringent state privacy requirements and to comply with the policies of their individual practices.
The policies and forms may also include provisions that are not explicitly required by law or regulation but that enhance the rights of the health care provider or address practical problems likely to arise in implementation. Please address any questions on this issue to publicpolicy@asco.org.