Getting Hip to HIPAA

Existing and upcoming privacy deadlines for medical records keepers are gaining publicity, and paper shredding firms can profit from complying with them. That’s the message of M. Jason Meyer of WorkSmart MD Inc., Ormond Beach, Fla., who spoke to attendees of the National Association for Information Destruction (NAID) conference in Orlando in mid-March.

At the federal level, information destruction requirements in the health care field are part of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Although the centerpiece of the act focused on medical records standardization, parts of the legislation also address maintaining the privacy and security of medical records

Insurance companies, hospitals and physician practices are obligated to protect individually identifiable health information, which has been interpreted to mean any records that include a patient’s name, address or Social Security number. This privacy protection portion of HIPAA took effect April 14 of this year, according to Meyer.

Additional security measures that take effect in 2005 are focused on electronic data transmission, although the standardization of electronic forms has a deadline nearing in the fall of 2003. When these forms become standard, many older, existing records could become obsolete, opening up another avenue of opportunity for information destruction companies.

According to Meyer, many physician practices are still unaware of the looming Oct. 16, 2003 deadline for electronics forms standardization, as well as some of the privacy and security requirements.

Based on a survey conducted by WorkSmart MD, health care companies and paper shredding firms may soon be conducting even more business together. “Based on our research, we think they are really going to be turning to document destruction companies . . . during this two-year window before the security requirements take effect,” said Meyer.

Meyer acknowledged that parts of HIPAA offer very little in the way of guidelines specifically detailing what records must be shredded and which shredding techniques are required. “They are very vague when it comes to specific procedures to destroy this information,” he noted, with the legislation often using terms such as “reasonable and appropriate.”

But facing liability for the unauthorized release of medical information, most hospitals and practices will err on the side of caution. Notifying medical offices about HIPAA is a good way for document destruction firms “to get in the door” in the near future, he remarked.

“You have a large opportunity here,” Meyer told NAID attendees, “because they need you more than ever.”