Tools that Will Make You More Skilled and Productive

I will answer questions about HIPAA by email from purchasers. Send me email at Mail@ThreeWishesPress.com

Ginny, a seasoned psychologist and practitioner, has a simple practice and wrote asking how much work she needs to do to comply with HIPAA. Below is her letter in blue with my response in black.
______________________________________________________________________

Hello Ed,
I'm a solo practitioner in NH. I saw your response to Dr. KS. If you don't feel I'm intruding or asking too much, would you respond to my question of what do I need to do to be in compliance? If you answer "please read my book," I'll take no offense and will certainly understand.

Happy to share what I have learned. See my suggestions below [or the top button on the left] for levels of compliance. The feds and lawyers will not tell you that there are different levels of effort possible for compliance but throughout HIPAA you will find qualifying statements like "scalability", "professional judgement," and "cost analysis." In addition, the regulations encourage practitioners to tailor the materials to their clients and practices.

Here's the pertinent information: I do no billing, have no staff, hand write notes during the session and give clients a receipt which, if they choose, they may send into their insurance for reimbursement.

That last is the hook. If they submit a bill to an insurer who is HIPAA Transactions Rule compliant (uses the codes for electronic transactions like billing and verification of coverage, etc.) then you are likely to be hooked into having to make your practice HIPAA compliant. Sorry. But compliance takes only a few hours and so isn't so bad.

Clients pay at each session. Client records---which include their signed consent form, a client questionnaire, all my notes, and a running bookkeeping noting when I saw them, and the charge--

You will have to add to this paperwork at least the Notice of Privacy Practices and a Consent form and some paragraphs to your "Welcome to My Practice" brochure and to your Authorization to Release Records form to be compliant. Also, I would recommend that you keep your financial and clinical records separate.

are all locked either in my desk or a file cabinet right near my desk and the door is always locked.

This is likely to be enough to comply with parts of the Privacy Rule if you do not keep any kinds of electronic records and do not fax. To be better compliant you should start a folder titled "HIPAA" and enter a statement now that you have assessed the risks to the privacy of your records using your current office procedures and decided that the safeguards of two locks are sufficient to guard against unauthorized releases.

Only the property owner has a second key and he knows I'm over-the-top about security and confidentiality. Given the above, what, if you're willing to respond, do you suggest I do for compliance?

(Later) Because of the Security Rule, which took effect in April, 2005, all clinicians should do a more thorough analysis of the exact risks to privacy because of their methods and expand their statements in their HIPAA Policy and Procedures Manual.

Thank you in advance.
Ginny

Ed,
Thank you so much. You have made my day, my week & my month!!! Not to mention making it very easy for me to get into compliance, and most importantly, you have assuaged my anxiety. I am very grateful. You're a Sweetie and a colleague in the best sense of the word.
Ginny

Page revised Dec. 26, 2007