Feature Show In most cases, state laws will not be preempted by HIPAA. By JENNIFER DAW HOLLOWAY Monitor Staff January 2003, Vol 34, No. 1 Print version: page 28 4 min read Comment: With the Health Insurance Portability and Accountability Act (HIPAA) privacy rule compliance date--April 14--fast approaching, psychologists must explore how the new federal rules interact with their current state laws. HIPAA's privacy rule governs how health-care providers handle the use or disclosure of protected health information (PHI). In effect, PHI is defined as individually identifiable health information relating to the condition of a patient, the provision of health care or payment for care. All states already have privacy laws that apply to such information. Areas such as patient consent, access to records and subpoena rights, to name a few, are included under HIPAA as well as state laws. So, will HIPAA's rules preempt state laws? "The general standard is that if a state law is more protective of the patient, then it takes precedence over HIPAA," says Doug Walter, legislative and regulatory counsel in APA's Practice Directorate. Conversely, if a state law is less stringent than HIPAA, then HIPAA takes over, he says. The following examples illustrate the interplay between state laws and HIPAA and how that will affect psychologists:
There are myriad examples--aside from the three above--of how state laws may take precedence over HIPAA. The simple rule of thumb is that any provision--in state laws or HIPAA--that gives greater protection to patients' privacy or right to access their own health information takes precedence. The HIPAA privacy rule "won't impair the effectiveness of state laws that are more protective of privacy," says Russ Newman, PhD, JD, APA's executive director for practice. And, he notes, in states where protective laws haven't been enacted, HIPAA will not prevent states from enacting laws that provide greater patient privacy protection. HIPAA assumes that practitioners know the ins and outs of their state laws, but figuring out which law will take precedence involves a complicated analysis of state statutes, regulations and common law decisions. The APA Practice Organization and the APA Insurance Trust are developing comprehensive resources for psychologists that will facilitate compliance with the HIPAA privacy rule. Along with several offerings, a new product, "HIPAA for Psychologists"--which will include the necessary state-specific forms that comply with both the HIPAA privacy rule and relevant state law--will be available for purchase online at the Practice Organization's new practitioner portal. This article is the first in a three-part series on HIPAA topics. The next piece, on HIPAA's psychotherapy notes requirement, will appear in February. Comment: What should be the first step in the security Rule implementation process?The first step toward Security Rule compliance requires the assignment of security responsibility — a Security Officer. The Security Officer can be an individual or an external organization that leads Security Rule efforts and is responsible for ongoing security management within the organiza- tion.
What is a minimum necessary rule?The minimum necessary standard requires covered entities to evaluate their practices and enhance safeguards as needed to limit unnecessary or inappropriate access to and disclosure of protected health information.
What is the HIPAA privacy Rule?The HIPAA Privacy Rule
The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual's authorization.
What practices would you put in place to ensure compliance with HIPAA?Practices should keep all patient paperwork, charts, and records locked away and safe out of the public's view. Never leave patient information out or unattended. Computer programs containing patient information should be closed and logged out of when not in use. Never share passwords between employees.
|