Maureen Weaver, Health Care Department Chair, quoted in Contemporary Long Term Care on HIPAA Compliance.

September 13, 2002
Contemporary Long Term Care, Volume 25; Issue 8, August 2002.

Racing toward the deadline: towards compliance with the Health Insurance Portability and Accountability Act - by Suzanne Bilyeu

From the article:

Maureen Weaver, who chairs the Health Care Department at Wiggin & Dana, a Connecticut-based law firm, says that HHS's own material--including answers to "frequently asked questions" posted online--offer invaluable insights into HIPAA compliance.

"If you're confused or need further interpretation of a particular regulation, you can find that it's also helpful to check the preamble to the final [privacy] rule--HHS's own comments," says Weaver. "It's divided according to topic, so it's fairly easy to search. What the agency is saying about the rule is the best source."

Most skilled nursing facilities electronically transmit claims for payment, and therefore are covered entities under HIPAA. Certain other long term care providers--such as assisted living facilities and CCRCs--may be covered entities as well. Weaver advises that providers with questions concerning their "covered entity" status consult with legal counsel.

"It's possible that in some states, assisted living providers could be billing some government funding authority such as Medicare electronically, and they may be covered under the Privacy Rule," she says. "I think it's going to vary, depending on how those entities are licensed and operated state to state."

Some state laws and some federal regulations--such as OBRA--call for broader or more stringent measures than those outlined in the HIPAA Privacy Rule.

"The approach generally is that if another federal or state law is more protective of residents' rights to privacy and confidentiality of health information, then the more protective rule would remain in place," says Weaver.

2. Find out where you stand. One of the most time-consuming aspects of preparing for HIPAA compliance is the "gap analysis"--a complete inventory of how a provider manages, maintains, uses, and discloses protected health information. This inventory should encompass all current practices, policies, and procedures; software and IT systems; and contractual arrangements with business associates. Findings are then compared against the HIPAA privacy requirements to locate compliance gaps that must be filled. The more thorough the analysis, the more solid the foundation for HIPAA compliance.

Weaver suggests that a provider who has not yet begun a gap analysis might want to move ahead with developing policies and procedures. "Your time would probably be better spent assuming that there's a gap and then filling it," she says.