Article Date: 2/1/2002

The new HIPAA privacy regulations won't take effect until 2003, but we have some tips to help you better understand them and make sure you're in compliance.
BY ED GOERGES, San Marcos, Texas

Surely you've heard about the new HIPAA regulations slated for 2003. If this news has you worried, I have some information that I hope will help put your mind at ease. Knowledge is a great weapon. Arm yourselves with what I have to offer in this article, and you'll find the transition manageable.

It's going to happen

I've been reading, researching, and, together with my legal advisors, devising a strategy to help my company and the optometrists I work with on a daily basis comply with the Health Insurance Portability and Accountability Act (HIPAA). Each HIPAA presentation that I make around the country results in what has been called "The Deer in the Headlights" look. The general feeling is one of, "It'll never happen," or, "I'll just retire before April 14, 2003." The former has maybe a 50/50 chance and you shouldn't even consider the latter an option.

Coping with this mountain of regulations begins with a basic understanding of the components of HIPAA -- what is it, and whom does it cover?

HIPAA components

HIPAA regulations are comprised of three basic components:

1. Health Care Transactions and Code Sets (HCTCS)

2. Data security

3. Privacy

These three components apply to all "covered entities." And in case you're wondering what a covered entity is, it's:

Are you a "covered entity?" Every optometrist I've met is.

The privacy rules will probably impact your practice the most, but first a word about the other components.

Health care transactions and code sets

The HCTCS regulations were scheduled to take effect October 2002 and were designed to standardize the formats used for transmission of electronic health data. In late 2001, President Bush signed into law a 1-year extension for the HCTCS requirements of HIPAA for any covered entity that submits to the Secretary of Health and Human Services a plan for how the entity will comply with the requirements by October 16, 2003.

The covered entity must submit the plan by October 15, 2002 and must include the following:

The law also requires that as of this date, all covered entities only submit claims electronically to Medicare.

Data security

This regulation proposes standards for the security of individual health information and electronic signatures that covered entities use. The initial draft of the security standard was published in the summer of 1998. A final draft has been promised by the fall of 2002.

Learning about privacy

The HIPAA privacy rules became binding on April 14, 2001 and all covered entities must comply with them not later than April 14, 2003. The rules take up 500 pages of HIPAA regulations and are quite complex. Here are some cost-effective procedures.

Compliance concerns. How you must comply with the HIPAA privacy rules will depend on how you practice optometry.

Necessary legal documents. Find a law firm that already understands HIPAA and spend between 2 and 4 hours with them. Have the lawyer prepare two documents: a Notice of Privacy Practices and a Patient Consent Form. These are the foundation upon which the privacy rules are built.

Notice of Privacy Practices. This document provides patients with the required notice of the uses and disclosures you'll make of protected health information (PHI), or individually identifiable health information.

The Notice of Privacy Practices spells out the patient's rights and the provider's legal duties with respect to PHI. To satisfy this requirement, you must make a copy of the Notice available to every patient. This Notice will be different for every healthcare provider because each will use the PHI differently. Also, a provider who maintains a Web site that provides information about his customer services or benefits must prominently post his Notice of Privacy Practices on the Web site and make the Notice available electronically through the Web site. Every covered entity must at least include the following in its HIPAA Notice of Privacy Practices:

Patient Consent Form

You're required to obtain a patient's consent before using or disclosing PHI to carry out treatment, payment or healthcare operations. Give the Patient Consent Form to the patient along with access to your Notice of Privacy Practices. If the patient doesn't sign the Patient Consent Form, you're not required to treat her. The following are some of the items that you must include in your Patient Consent Form:

Begin preparations. Have the Patient Consent Form printed on the back side of your new Welcome to the Office form and begin acquiring those signatures as soon as possible. Indicate in your optometric software whether a patient has signed the Consent Form.

You must keep the signed Patient Consent Form on file for at least 6 years. The privacy rule doesn't indicate in what format you must retain the Patient Consent Form. After April 14, 2003 you can't schedule or treat a patient without this signature. Place a copy of the Notice of Privacy Practices at your front desk so patients can read it before signing the Patient Consent Form.

Assign someone to field questions. Select and train a person on staff to handle the public relations aspect of these two documents so that she can easily and consistently answer questions. In addition, select someone, perhaps your "privacy officer" (this is a HIPAA requirement), to oversee your compliance with the law.

Get it in writing. Make sure that each business associate whom you allow to access your patients' PHI has signed a Business Associate Agreement concerning the proper handling of PHI. You must have an agreement with every business associate, or you'll violate the privacy rules. Your HIPAA lawyer can help you with this document.

Learn more. Attend a seminar on HIPAA.

Keep informed

There's no one simple answer to HIPAA compliance. There's so much disinformation floating around in the world today that you must know and understand HIPAA to make the same wise judgements that have allowed you to become the optometric professional that you are.

Ed Goerges is president and co-founder of information, etc. He and his company have, for the past 7 years, provided Patient Recall Services and Web site design hosting to the optometric profession. Visit


Optometric Management, Issue: February 2002