Compliance Alert

Diagnosis: Privacy

Are you HIPAA compliant? That is a question plaguing many health care organizations across the country. At the federal level, information destruction requirements in the health care field are part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although the centerpiece of the act focused on uses and disclosures of health information, parts of the legislation also establish national standards for the privacy, security and electronic transmission of health information.

Insurance companies, hospitals and physician practices are obligated to protect individually identifiable health information, which has been interpreted to mean any records that include a patient’s name, address or Social Security number. The privacy protection portion of HIPAA took effect April 14 of 2003, yet many health care organizations are still struggling to address its requirements. Now health care organizations are facing another challenge on the horizon: Compliance with the April 21, 2005 HIPAA security requirements.

While HIPAA doesn’t dictate how to dispose of information, it reinforces the mandate that covered entities deploy safeguards to prevent improper disclosures of protected health information (PHI). "Examples of appropriate safeguards include requiring that documents containing PHI be shredded prior to disposal," the preamble to the privacy regulation states (65 FR 82562).

So what does this mean to information destruction companies? Simply stated: Opportunity. Physician offices that may have previously shunned the additional expense of information destruction are now budgeting for it. For hospitals it is a necessity.

For information destruction companies, HIPAA creates a new world of opportunities, and if you haven’t incorporated the into your sales and marketing efforts the question is, "Why not?"M. Jason Meyer serves as training specialist for WorkSmart MD, Inc. (www.worksmartmd.com), and is available for training, speaking, and consulting. His background includes consulting with health care providers and as an advocate for administrative simplification of the HIPAA standards.

Fact: An Atlanta area collection agency was the first company fined under a 2002 Georgia law for improper disposal of confidential documents, paying a $5,000 penalty.