HIPAA Consult

May 6, 2005

Answers to your questions about...invalid authorizations; computer security; e-prescribing

A No. To be valid, an authorization must contain, at minimum, the following elements: (1) a description of the information to be disclosed; (2) the name of the authorized discloser; (3) the name of the recipient; (4) the purpose of the disclosure (which, in special circumstances, may be satisfied with the phrase, "at the request of the individual"); (5) an expiration date or event (for example, "at the conclusion of the research project"); and (6) the patient's signature and date.

A valid authorization must also make clear the patient's right to revoke the authorization in writing at any time; whether, in special circumstances, any treatment, payment, enrollment, or benefit eligibility is dependent upon the authorization; and the potential for the information to be redisclosed by the recipient and, therefore, no longer protected by HIPAA.

Computer security

Q Are there specific steps I need to take to make my computer system HIPAA compliant?

A Yes. The security rule sets out more than 60 requirements. Here's a partial list: (1) Install and regularly update virus-protection software. (Make sure to protect workstation computers, too, and not just the server.) (2) Set screen savers to come on quickly, with reactivation requiring a password. (3) Be sure PDAs, tablet computers, and laptops are password-protected, just as desktops should be. (4) Position computer monitors so patients can't read what's on the screen. (5) When an employee quits or is fired, eliminate her computer password and be sure she surrenders her office keys. (6) Store backup tapes of files in a safe, offsite location, so that data will be protected in case of fire or flood.

Privacy and e-prescribing

Q What impact will HIPAA have for doctors who elect to e-prescribe?

A That depends. Any doctor who's considered a covered entity must protect the privacy of e-prescribing information (both prescriptions transmitted to a pharmacy and requests for prescription-related information from a patient's drug plan) just as she would any other protected medical information transmitted electronically to a third party.

You're considered a covered entity if you conduct any one of the standard HIPAA transactions electronically (claims filing, insurance eligibility requests, and so forth). Moreover, since e-prescribing information (prescriptions and related data) is considered protected health information, it's also covered by the security rule.

Margaret M. Davino (mdavino@kbrny.com) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City.

This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.