Roadmap to HIPAA: keeping occupational health nurses on track.

So what does HIPAA require most covered entities to do? At this point, the Privacy Rule compliance date has already passed for all covered entities except small health plans. Most of the requirements under the Privacy Rule dictate the development of appropriate policies and procedures, a notice of privacy practices and other forms, implementation of measures to secure the privacy of PHI, contracting with Business Associates, and training of all involved. For covered entities, testing of the electronic standard transactions to exchange data between participating parties should have begun by April 16, 2003. Although full implementation of the electronic transactions should have taken place by October 16, 2003, the government has allowed covered entities that are still actively working toward compliance to operate under contingency plans. It remains unclear when the use of such plans will be disallowed. After standards are published for claim attachments and first report of injury, these electronic standard transactions will be incorporated by the designated compliance date. Appropriate use of national identifiers will be implemented after final rules and standards are published. For the occupational health nurse who is not a covered entity, the most critical implementation factor is a HIPAA compliant authorization form so the occupational health nurse can continue to obtain necessary PHI. This is essential when attempting to obtain medical information, even for workers' compensation or disability case management. Although these plans are not considered health plans under HIPAA and, therefore, would not require the designation of covered entity, the occupational health nurse frequently needs to obtain PHI to manage these cases. Most providers in the health care community will be covered entities under HIPAA and will not be able to release PHI without a signed HIPAA compliant authorization form. In addition, providers will want a HIPAA compliant authorization form signed when requesting health information from the occupational health nurse. The HIPAA's privacy regulations are considered "the floor" or minimum standard for the protection of PHI. As such, it is likely that these privacy regulations will become the "industry standard" to which all health care professionals will be held. Even though the occupational health nurse may not be a covered entity, implementing appropriate HIPAA procedures is recommended. Knowing that most of HIPAA's privacy rule contains requirements already in place and in practice for most occupational health nurses can take some of the worry out of this complex regulation. Additionally, the nurse interacts with the health care system in a variety of roles. As a health care consumer, occupational health nurses can assert their own patient rights when interacting with covered entities. As the trusted advisor and consultant to many employees, the occupational health nurse can play a vital role in educating employees about HIPAA and assisting employees with navigating an ever-complex health care system. As a health care professional, the occupational health nurse continues to protect and safeguard all PHI while respecting employees' rights and delivering quality care. Staying knowledgeable and up-to-date on the HIPAA regulations as they continue to evolve and change allows occupational health nurses to stay on the right course while mapping their way toward regulatory compliance (see Sidebar for recommended resources).