Who do the HIPAA rules apply to?
HIPAA applies to all health care providers that send or receive patient claims or information by electronic means, including the Internet. Because the rules also apply to insurance companies and claims clearinghouses, a chiropractor may be required to conform to HIPAA even if he/she does not transmit any data electronically.

What does this regulation do?
The HIPAA privacy rule, for the first time, creates national standards to protect individuals’ medical records and other personal health information.
• It gives patients more control over their health information.
• It sets boundaries on the use and release of health records.
• It establishes appropriate safeguards that health care providers and others must achieve to protect the privacy of health information.
• It holds violators accountable, with civil and criminal penalties that can be imposed if they violate patients’ privacy rights.
• It strikes a balance when public responsibility requires disclosure of some forms of data - for example, to protect public health.

Why are these rules necessary?
Health care information does not have the same type of protection as other types of confidential information such as your banking records. As a result, many health care providers, hospitals and insurance companies have revealed their patients’ health care information without obtaining the permission of their patients. These rules are designed to ensure that doctors, hospitals and insurance companies give out patient information only after it has been specifically authorized by the patient. In addition, they will require software changes to ensure privacy when records are transmitted electronically and to restrict staff members who do not have legitimate job responsibilities from having access to patient files or health information.

What is the implementation date for these rules?
The HIPAA privacy rules were effective April 21, 2001. The mandatory compliance date for the electronic transmission provisions is October 16, 2002 and for the administrative provisions April 14, 2003.

If a billing service prepares my billing, will I have to comply with these rules?
Yes. Both the provider and the billing service must comply.

Can I rely on my software vendor to automatically comply with the law?
No. Since software vendors do not have direct access to patient health information, they do not have to comply with the law. That means that some software vendors may find the law cumbersome to deal with. If that is the case, the doctor would have to obtain new software that is compliant with the electronic submission standards set under the law.

Why is the government insisting on these rules?
The government believes that doctors and insurance companies have not done enough to respect the confidentiality of patients’ health care information. These rules now make it the responsibility of all of those involved in the health care industry to bend over backwards to protect a patient’s right to privacy.

I understand what it means to send a claim electronically, but what types of other information is included under this rule?
If a chiropractor, insurance, or managed care company sends any of the following information electronically, they must fully comply with the HIPAA rules.
(1) Health care claims.
(2) Health care records.
(3) Health care payment and remittance advice.
(4) Coordination of benefits.
(5) Health care claim status.
(6) Enrollment and disenrollment in a health plan.
(7) Eligibility for a health plan.
(8) Health plan premium payments.
(9) Referral certification and authorization.
(10) First report of injury.

Our state already has privacy laws. Does HIPAA preempt them?
When the HIPAA rules are stricter than state law, HIPAA preempts state law. In some instances, our state law provides more protection than HIPAA. In those cases, you must follow the state law.

Can we simplify the rules by using a form where the patient gives “blanket permission” to do anything we want with their records?
No. Patients cannot voluntarily surrender their privacy rights.

Are chiropractors that do IMEs for an insurance company or the state covered by these rules?
Yes. All chiropractors involved with quality assurance or the review of claims are covered by the HIPAA rules.

How may doctors or their staff use or disclose the patient’s name, address or other health care information?
Doctors and their staff are only allowed to use protected health information or to disclose the information in the following ways:
1) They may disclose all information to the patient.
2) If they have properly provided a copy of their privacy notice, they may use and disclose protected health information to carry out treatment, to obtain payment, or for their practice operations.
3) They may disclose protected health information to law enforcement officials with proper authorizations.
4) They may use protected health information for advertising and marketing purposes only when the proper special authorizations have been obtained.

Must I put restrictions on the health care information my staff has access to?
Depending on the job responsibilities of a staff person, the answer may be yes. The law requires you to make reasonable efforts to limit a staff person’s access to the minimum health information necessary to do their job. For example, if a chiropractic assistant’s job responsibilities were limited to scheduling patients and moving patients between the waiting room, the dressing room, and the various treatment rooms, you must design ways to limit their access to patients’ clinical records since they have no valid reason to see them. If some of your clinical records are kept on a computer to which all staff members have access, you would be required to work with your software vendor to limit access to some parts of the patient files.
Any staff person that has a legitimate need for patient information must have access to it. However, the determination of who should have access is based on the staff person’s job description. If they work with all parts of the patient’s record, they must have access to it. If their job does not require them to have access to certain types of information, their access to that information must be limited.

I have a CA whose primary job is to answer the telephone and schedule patients. Once a week, however, she files patient records. Do I have to limit her access to our patients’ clinical records on the days of the week when she does not have filing responsibility?
No. If your CAs have a legitimate need to see all of the patient’s health care information as part of their regular job duties, you do not have to take steps to shield them from the patient’s clinical information on days when their work does not require them to have access to this portion of the patient’s records.

Are consent forms required under the HIPAA rules?
While consent forms are no longer mandatory, they are considered to be a “best practice” that can help you avoid problems in a compliance audit and misunderstandings with your patients. Using the consent form developed by the WCA allows your patients to sign a single time acknowledging that they have received both the consent form and your privacy notice.

Once a patient has signed an authorization is it good forever?
No. Authorizations are required to be limited in their duration. The forms drafted by the WCA are good for seven years from the date of last treatment. This corresponds to the state’s records retention requirements. If a patient has not come in for treatment for seven years, new authorizations must be signed.

If I refer a patient to another health care provider, am I limited in the clinical information I can provide to that doctor?
No. You may send all of the clinical information in your file without limitation. The law is not intended to interfere in any way with the treatment of a patient.

The WCA occasionally asks us to provide examples of problems that patients are having with insurance companies. Will we still be allowed to send the WCA this information?
The WCA is also covered by the HIPAA rules. After April 14, 2003, an office that sends the WCA patient EOBs will have to include a copy of the “WCA authorization form”. This authorization specifically allows health care information to be sent to the WCA and for the WCA to forward that information to the insurance commissioner, state and federal agencies and, if necessary, to our attorneys.

How does HIPAA affect contracts that I have with my associate(s)?
As the employer of your associate, the government wants to make sure that you have fully informed the associate of their responsibilities under HIPAA. To ensure that you have done so, there are specific requirements for your associate contracts.
1) Your contract must state the circumstances under which the associate is allowed to release protected patient information.
2) Your contract may not authorize the associate to use patient information in a manner that would violate these rules.
3) The contract may permit the associate to use protected health information for the proper management and administration of the practice.
4) The contract may permit your associate to provide you with the data necessary to run the overall practice.
5) Your associate may not use or further disclose patient information beyond what is allowed by your contract or required by law.
6) Your associate must use appropriate safeguards to prevent the use or disclosure of patient information unless it is specifically allowed in the contract.
7) Your associate must tell you when information is disclosed in an inappropriate manner as soon as he or she becomes aware of it.
8) Your associate must make health care information available to public health or law enforcement authorities when requested to do so in accordance with the rules.
9) Your contract must have specific provisions for the return or destruction of protected patient information at the termination of the contract.
10) Your contract must have a provision that authorizes termination of the contract by you, if you determine that the associate has violated a material term of the contract.
You are personally subject to criminal or civil penalties if you find out that your associate is repeatedly violating these rules and you failed to take reasonable steps to stop the violations or terminate the contract.
The WCA has model business associate agreements available for its members.

When must I provide a patient with a copy of my privacy notice?
You must provide a copy of your privacy notice to a patient no later than the date you first provided care to the patient.

What if there is an emergency and the patient is not capable of giving their consent?
You may treat the individual as long as you provide your privacy notice as soon as reasonably practicable after the treatment.

What must I do to prove that I have complied with the rule that requires me to give a copy of my privacy notice to each patient?
To prove that the patient received a copy of your privacy notice, you may do any of the following:
• The patient may sign the privacy notice. Keep a copy of the last page for your file (you do not need to keep the first 3 pages) or,
• The patient may initial the privacy notice. Keep a copy of the last page for your file (you do not need to keep the first 3 pages) or,
• The patient may sign a separate list with multiple patients on the same page. If you use a list the following statement should appear at the top of each page: “By signing below, I acknowledge that I have received a copy of (your office name) Notice of Privacy Practices.” Retain the lists for at least 6 years.

What if a patient refuses to sign acknowledging they have received a copy of my privacy notice?
If a patient refuses to sign acknowledging that they have received a copy of your privacy notice, you are required to document as part of the patient’s file:
1. What you did to try to obtain the patient’s signature
2. The reason why the patient refused to sign

My patient signed my authorizations then changed his mind a few weeks later. Can he do this?
A patient may withdraw their consent for any authorization as long as they do so in writing. If you have relied on their consent to perform the activity described in the authorization, you have nothing to worry about because the consent cannot be retroactively withdrawn.

I prepared my own policy notice and authorizations and now realize that there are mistakes in the form. What do I do?
Obviously having an invalid policy notice or authorizations leaves you open to the possibility of penalties if you are audited. If you discover an error, you should have it corrected as soon as possible. As soon as it is corrected, each patient should sign a new authorization or be given a copy of the corrected policy notice.
An authorization form is not valid if the document has any of the following defects:
1) The expiration date has passed.
2) The authorization has not been filled out completely with respect to required information.
3) You or your staff know the authorization has been revoked.
4) You or your staff know that any of the material information in the authorization is false.

Are there any situations where I do not need the consent/authorization to release a patient’s health information?
Under the privacy laws, you are permitted or required to use or disclose a patient’s health information without their consent or authorization:
1) To the extent that you are required to do so by applicable federal or state laws.
2) To a public health authority for a wide range of public health activities when the public health authority is authorized to collect or receive health information under state or federal law.
3) To an appropriate government authority if you reasonably believe the patient is the victim of abuse, neglect or domestic violence.
4) For state and federal health oversight activities of the health care system and government benefit programs.
5) In response to a court order or, in response to a subpoena, discovery request, or other lawful purpose.
6) To a law enforcement official as required by laws that require you to report certain types of wounds or physical injuries or, to comply with court orders, a grand jury subpoena, or administrative requests authorized by the law.
7) To an appropriate law enforcement authority if the disclosure is necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public.
8) To a correctional institution if you provide health care services to an inmate.
9) If you provide health care services to a patient in an emergency.
10) If you provide care to a patient that is related to a workplace injury, to the extent necessary to comply with Wisconsin’s worker’s compensation laws.

I would like to do at least one of the following activities:
• Mail recall notices to my patients.
• Use “thank-you for referral” boards in my office.
• Mail birthday cards in which free services are offered.
• Use “birthday boards” in our office to acknowledge upcoming birthdays.
• Mail advertising about products I offer for sale in my office to my patients.
• Use the name of my patients in advertising or marketing materials.
• Keep testimonial books in my office.
• Sell or give the names of my patients to another organization.
• Post artwork or pictures of my patients that are children.
• Advertise “patient appreciation days” to my patients.
• Advertise “open houses” with complimentary services to my patients.
• Participate in a “health fair” or similar activity in which I send clinical information and marketing material to a person on which I performed any type of diagnostic procedure.

If I send a newsletter that includes paid advertising, what does the law require me to do?
In any newsletter or any communication that includes paid advertising you must:
• Clearly identify your practice with its name, address and telephone number.
• Prominently state the fact that you will receive direct or indirect remuneration for running the ad. Direct remuneration is a payment you receive. Indirect remuneration is anything of value such as products, services, discounts, or offsetting advertising you receive in exchange for running the ad.

What type of authorization form must my patient sign?
The government is especially strict with using patient information for any internal or external marketing activity. Your patient must sign a marketing authorization form before they receive any of your marketing information. The penalties for failing to have this signed marketing authorization are severe.

Am I allowed to use a blanket phrase like “all marketing activities” or must I be specific?
Blanket phrases are not allowed. Each of your marketing activities must be listed.

What information must my marketing authorization include?
A valid authorization must contain at least the following elements:
1. A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion.
2. The name or other specific identification of the person(s), or class of persons, authorized to make the requested use or disclosure.
3. The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure.
4. A description of each purpose of the requested use or disclosure. The statement “at the request of the individual” is a sufficient description of the purpose when an individual initiates the authorization and does not, or elects not to, provide a statement of the purpose.
5. An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure. The statement “end of the research study,” “none,” or similar language is sufficient if the authorization is for a use or disclosure of protected health information for research, including for the creation and maintenance of a research database or research repository.
6. Signature of the individual and date. If the authorization is signed by a personal representative of the individual, a description of such representative’s authority to act for the individual must also be provided.
In addition to the above listed elements, the authorization must contain statements adequate to place the individual on notice of all of the following:
1. The individual’s right to revoke the authorization in writing, and either:
a. The exceptions to the right to revoke and a description of how the individual may revoke the authorization; or
b. To the extent that the information in paragraph (c)(2)(i)(A) of this section is included in the notice required by § 164.520, a reference to the covered entity’s notice.
2. The ability or inability to condition treatment, payment, enrollment or eligibility for benefits on the authorization, by stating either:
a. The covered entity may not condition treatment, payment, enrollment or eligibility for benefits on whether the individual signs the authorization when the prohibition on conditioning of authorizations in paragraph (b)(4) of this section applies; or
b. The consequences to the individual of a refusal to sign the authorization when, in accordance with paragraph (b)(4) of this section, the covered entity can condition treatment, enrollment in the health plan, or eligibility for benefits on failure to obtain such authorization.
3. The potential for information disclosed pursuant to the authorization to be subject to re-disclosure by the recipient and no longer be protected by this subpart.
All authorizations must be written in plain language.

What must I do when a patient complains about any of my policies or procedures?
You must provide a process for your patients to make complaints concerning your policies and/or procedures or to complain that you are not following your policies and/or procedures. You must document every complaint that you receive and how you responded to the complaint. The law does not require you to take any specific action on the complaint, merely that you respond in some way. If you are audited for compliance with this law, your complaint file will be subpoenaed as evidence.

What must I do to make sure that the person requesting protected health information is entitled to receive it?
Prior to sending or revealing protected health information, you are required to verify the identity of a person requesting the information and that the person has the authority to make the request if you do not know the individual. This portion of the law would seem to eliminate a verbal request for records except when you have had a prior working relationship with the individual. Written requests for records should have the insurance company name, address, and telephone number as part of the request. In addition, the request should have the job title of the person making the request for patient records. As long as there is nothing unusual about the request, you are not required to further investigate the credentials of the person making the request.

Must our patients be given a copy of the marketing authorization form after it is signed?
Yes. Patients must receive copies of all authorization forms after they are signed.
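Pulling together the four defects listed earlier (expired, incomplete, known to be revoked, material information known to be false), the required elements above, and the WCA rule that a form runs seven years from the last treatment date, here is an added Python check; it is not code from the FAQ or the WCA, and the field names and sample form are assumed.

```python
"""Validity check for a patient authorization form (added example, not WCA code).

It encodes the four defects the FAQ lists (expiration passed, required
information incomplete, authorization known to be revoked, material
information known to be false), the required elements of a valid
authorization, and the WCA form rule that an authorization runs seven years
from the date of last treatment. Field names and the sample form are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace
from datetime import date

# Elements 1-4 and 6 from the FAQ's list. Element 5 (expiration) is checked
# separately because it may be a date, an event, or derived from treatment.
REQUIRED_TEXT_ELEMENTS = (
    "information_described",  # 1. what information is used or disclosed
    "authorized_persons",     # 2. who may make the use or disclosure
    "recipients",             # 3. to whom it may be made
    "purpose",                # 4. each purpose of the use or disclosure
    "signature",              # 6. signature of the individual ...
    "signed_on",              # ... and the date signed
)
AUTHORIZATION_YEARS = 7  # WCA forms: good for seven years from last treatment


@dataclass
class Authorization:
    fields: dict[str, str] = field(default_factory=dict)
    expiration_date: date | None = None   # element 5 as a date, or
    expiration_event: str | None = None   # element 5 as an event ("none" is allowed)
    last_treatment: date | None = None    # drives the WCA seven-year expiration
    revoked: bool = False                 # office knows a written revocation exists
    known_false: bool = False             # staff know material information is false


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years, mapping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def effective_expiration(auth: Authorization) -> date | None:
    """Date on which the authorization lapses, or None when it is event-based."""
    if auth.expiration_date is not None:
        return auth.expiration_date
    if auth.last_treatment is not None:
        return add_years(auth.last_treatment, AUTHORIZATION_YEARS)
    return None


def defects(auth: Authorization, today: date) -> list[str]:
    """Every defect that makes the form invalid; an empty list means valid."""
    problems: list[str] = []
    # Defect 2: not filled out completely with respect to required information.
    missing = [k for k in REQUIRED_TEXT_ELEMENTS if not auth.fields.get(k, "").strip()]
    if (auth.expiration_date is None and auth.expiration_event is None
            and auth.last_treatment is None):
        missing.append("expiration")
    if missing:
        problems.append("incomplete: " + ", ".join(missing))
    # Defect 1: the expiration date has passed.
    lapses = effective_expiration(auth)
    if lapses is not None and today > lapses:
        problems.append(f"expired on {lapses.isoformat()}")
    # Defect 3: you or your staff know the authorization has been revoked.
    if auth.revoked:
        problems.append("revoked")
    # Defect 4: material information in the authorization is known to be false.
    if auth.known_false:
        problems.append("material information known to be false")
    return problems


def defects_on(auth: Authorization, today_iso: str) -> list[str]:
    """Convenience wrapper taking the check date as an ISO string."""
    return defects(auth, date.fromisoformat(today_iso))


def with_changes(auth: Authorization, **changes) -> Authorization:
    """Copy of the form with some attributes changed (e.g. revoked=True)."""
    return replace(auth, **changes)


# Constructed sample: a complete WCA-style form signed at the first visit.
SAMPLE_FORM = Authorization(
    fields={
        "information_described": "clinical records and EOBs for the 2003 back injury",
        "authorized_persons": "Example Chiropractic Clinic and its staff",
        "recipients": "WCA, which may forward to the insurance commissioner",
        "purpose": "review of problems with insurance claim handling",
        "signature": "J. Example",
        "signed_on": "2003-04-14",
    },
    last_treatment=date(2003, 6, 1),
)
```

An empty list from `defects` means the form passes every check the FAQ names; anything else is a reason to have the patient sign a new authorization before relying on it.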
If our office wants to participate in a study or research project where our records are requested and we do not have the permission of some or all of the patients to release protected health information, what information must we remove from the records before we can participate in the study or research project?
All of the following information must be removed from the records:
(A) Patient names.
(B) All address information except for the first three digits of the patient’s zip code, as long as the geographic area of the three-digit zip code area contains at least 20,000 people. For major metropolitan areas this is never a problem. For doctors in rural areas, a quick call to the post office will tell you this information.
(C) All dates except the year of service (e.g. birth date, initial date of service, discharge date).
(D) Telephone numbers.
(E) Fax numbers.
(F) Electronic mail addresses.
(G) Social security numbers.
(H) Record numbers.
(I) Health plan beneficiary numbers.
(J) Account numbers.
(K) Certificate/license numbers.
(L) Vehicle identifiers and serial numbers, including license plate numbers.
(M) Device identifiers and serial numbers.
(N) Web Universal Resource Locators (URLs).
(O) Internet Protocol (IP) address numbers.
(P) Biometric identifiers, including finger and voice prints.
(Q) Full face photographic images and any comparable images.
(R) Any other unique identifying number, characteristic, or code.
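The removal list above (the HIPAA "Safe Harbor" identifiers) applied to a record, as an added Python example that is not part of the FAQ: it drops the direct identifiers, keeps only the three-digit ZIP prefix when that area has at least 20,000 people, reduces dates to the year, and checks a record for anything left behind. The field names, the population table and the sample record are constructed.

```python
"""Safe Harbor style de-identification of a patient record (added example).

Applies the removal list from the research-study answer: direct identifiers
(items A and D-R) are dropped, address data is reduced to the first three ZIP
digits only when that area holds at least 20,000 people (item B), and dates
are reduced to the year (item C). Field names, the population table and the
sample record are constructed for illustration.
"""
from __future__ import annotations

import re
from datetime import date
from typing import Any

MIN_ZIP3_POPULATION = 20_000

# Assumed field names of a practice-management export, grouped by FAQ item.
REMOVE_FIELDS = {
    "name",                                    # A
    "phone", "fax", "email", "ssn",            # D, E, F, G
    "record_number", "beneficiary_number",     # H, I
    "account_number", "license_number",        # J, K
    "vehicle_id", "device_id",                 # L, M
    "url", "ip_address",                       # N, O
    "biometric", "photo", "other_unique_code", # P, Q, R
}
ADDRESS_FIELDS = {"street", "city", "state"}                  # B: never kept
DATE_FIELDS = {"birth_date", "first_visit", "discharge_date"}  # C: year only

# Constructed population per three-digit ZIP prefix; a real office would
# look these up (the FAQ suggests a call to the post office for rural areas).
ZIP3_POPULATION = {"532": 900_000, "549": 15_000}

_ZIP = re.compile(r"^(\d{3})\d{2}(?:-\d{4})?$")
_ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")
_YEAR = re.compile(r"^\d{4}$")


def generalize_zip(zip_code: str, population: dict[str, int]) -> str | None:
    """First three digits if that prefix area has >= 20,000 people, else None."""
    m = _ZIP.match(zip_code.strip())
    if not m:
        return None
    prefix = m.group(1)
    return prefix if population.get(prefix, 0) >= MIN_ZIP3_POPULATION else None


def year_only(value: Any) -> str | None:
    """Reduce a date object or ISO date string to its year; None if unparseable."""
    if isinstance(value, date):
        return str(value.year)
    if isinstance(value, str):
        m = _ISO_DATE.match(value.strip())
        if m:
            return m.group(1)
    return None


def deidentify(record: dict[str, Any],
               population: dict[str, int] | None = None) -> dict[str, Any]:
    """Return a new record with the FAQ's identifiers removed or generalized."""
    population = ZIP3_POPULATION if population is None else population
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in REMOVE_FIELDS or key in ADDRESS_FIELDS:
            continue                                  # removed outright
        if key in DATE_FIELDS:
            year = year_only(value)                   # keep the year only
            if year is not None:
                out[key] = year
        elif key == "zip":
            prefix = generalize_zip(str(value), population)
            if prefix is not None:                    # rural prefix: drop it
                out["zip3"] = prefix
        else:
            out[key] = value                          # clinical content stays
    return out


def residual_identifiers(record: dict[str, Any]) -> set[str]:
    """Pre-release check: keys that still carry an identifier from the list."""
    bad = {k for k in record if k in REMOVE_FIELDS or k in ADDRESS_FIELDS or k == "zip"}
    for k in DATE_FIELDS:
        if k in record and not (isinstance(record[k], str) and _YEAR.match(record[k])):
            bad.add(k)
    return bad


# Constructed sample record for a Milwaukee-area patient.
SAMPLE_RECORD = {
    "name": "Jane Example",
    "street": "123 Main St", "city": "Milwaukee", "state": "WI", "zip": "53202",
    "birth_date": "1970-05-14",
    "first_visit": date(2002, 11, 3),
    "phone": "414-555-0100",
    "email": "jane@example.test",
    "record_number": "R-0042",
    "diagnosis": "lumbar strain",
    "treatment": "spinal manipulation, 6 visits",
}
```

Running `residual_identifiers` on the output before anything leaves the office is the useful habit here; a rural patient's record comes back with no ZIP data at all, which is the intended result.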
What steps must we take to make sure that we are not releasing more information than is necessary when records are requested by an insurance company, an attorney, or another third party?
You are allowed to assume that any request by an insurance company meets the “minimum necessary” criteria in the law. However, you must be sensitive to overly broad requests made by attorneys. When any attorney requests “the entire patient file” you should ask for their written justification for records that are not reasonably related to the area of the patient’s injury. Before records are sent that are not reasonably related to the patient’s area of injury, written consent from the patient should be obtained.
Each office must have written criteria (or a protocol) covering:
- How to determine what information is reasonably related to a patient’s injury.
- How to delete information that should not be sent.
- How to respond to overly broad requests for patient information.
- How to document the fact that patient information was sent to a third party.
- How long to keep the above documentation.
The job description for all individuals that have the responsibility for sending out patient information should state that they must follow this procedure or protocol before records are released.

If I send a brochure or any marketing information that includes paid advertising in which I am marketing a product or service, what does the law require me to do?
The rules are stricter for sending brochures or other marketing materials than they are for newsletters. In any brochure or marketing information that includes paid advertising you must:
• Clearly identify yourself or your practice with your name or the practice name, address and telephone number.
• Prominently state the fact that you will receive direct or indirect remuneration for running the ad. Direct remuneration is a payment you receive. Indirect remuneration is anything of value such as products, services, discounts, or offsetting advertising you receive in exchange for running the ad.
• Give instructions as to how a person can opt out of receiving future communications.
If you used protected health information to target the communication to patients based on their health status or condition:
• Your patient must sign a marketing authorization.
• You must make a determination prior to mailing the marketing information that the product or service being marketed may be beneficial to the health of the type or class of individual targeted.
• The communication must explain why the individual has been targeted and how the product or service relates to the health of the patient.
• You must make reasonable efforts to ensure that individuals who decide to opt out of receiving future marketing communications are not sent any further communications.

What specific elements must be in the privacy notice that we provide to patients?
All of the following information must be written in “plain language”.
Required elements of the notice. You must provide a notice that is written in plain language and that contains all of the following elements:
1. Header. The notice must contain the following statement as a header or otherwise prominently displayed: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”
2. A description, including at least one example, of the types of uses and disclosures that you as the provider are permitted to make for each of the following purposes: treatment, payment, and health care operations.
3. A description of each of the other purposes for which you are permitted or required by this subpart to use or disclose protected health information without the individual’s written consent or authorization.
4. If a use or disclosure for any purpose is prohibited or materially limited by other applicable law, the description of such use or disclosure must reflect the more stringent law.
5. For each purpose described in paragraph (b)(1)(ii)(A) or (B) of the privacy law, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by that part of the law and other applicable law.
6. A statement that other uses and disclosures will be made only with the individual’s written authorization and that the individual may revoke such authorization as provided by § 164.508(b)(5) of the privacy law.
If you intend to engage in any of the following activities, the elements required above must include a separate statement that:
1. You may contact the individual to provide appointment reminders or information about treatment alternatives or other health-related benefits and services that may be of interest to the individual.
2. You may contact the individual to raise funds for the covered entity.
The notice must contain a statement of the individual’s rights with respect to protected health information and a brief description of how the individual may exercise these rights, as follows:
1. The right to request restrictions on certain uses and disclosures of protected health information as provided by § 164.522(a) of the privacy law, including a statement that you are not required to agree to a requested restriction.
2. The right to receive confidential communications of protected health information as provided by § 164.522(b) of the privacy law.
3. The right to inspect and copy protected health information as provided by § 164.524 of the privacy law.
4. The right to amend protected health information as provided by § 164.526 of the privacy law.
5. The right to receive an accounting of disclosures of protected health information as provided by § 164.528 of the privacy law.
6. The right of an individual, including an individual who has agreed to receive the notice electronically in accordance with paragraph (c)(3) of this section, to obtain a paper copy of the notice from you upon request.
The notice must also contain:
1. A statement that you are required by law to maintain the privacy of protected health information and to provide individuals with notice of your legal duties and privacy practices with respect to protected health information.
2. A statement that you are required to abide by the terms of the notice currently in effect.
3. For you to apply a change in a privacy practice that is described in the notice to protected health information that you created or received prior to issuing a revised notice, in accordance with § 164.530(i)(2)(ii) of the privacy law, a statement that you reserve the right to change the terms of your notice and to make the new notice provisions effective for all protected health information that you maintain. The statement must also describe how you will provide individuals with a revised notice.
4. A statement that individuals may complain to you and to the Secretary if they believe their privacy rights have been violated, a brief description of how the individual may file a complaint with you, and a statement that the individual will not be retaliated against for filing a complaint.
5. The name, or title, and telephone number of a person or office to contact for further information as required by § 164.530(a)(1)(ii) of the privacy law.
6. The date on which the notice is first in effect, which may not be earlier than the date on which the notice is printed or otherwise published.
7. If you elect to limit the uses or disclosures that you are permitted to make, you may describe your more limited uses or disclosures in your notice, provided that you do not include in your notice a limitation affecting your right to make a use or disclosure that is required by law or permitted by § 164.512(j)(1)(i) of the privacy law.

Some patients request that we send information to a location other than their home. Are we required to do so?
Yes. You must accommodate reasonable requests by patients to receive communications about their health records from you by alternative means or at alternative locations. You may require patients to make their requests in writing. You may not require an explanation from the patient as to why they need the information sent to a different location.

When must we revise our notice?
You must promptly revise and distribute your notice whenever there is a material change
- in the way you use or disclose protected health information.
- in the patient’s rights.
- in your legal duties.
- in other privacy practices stated in your original notice.
Except when required by law, a material change to any term of your notice may not be implemented prior to the effective date of the notice in which the material change is reflected.

When must health plans give notices to their patients?
They must make the notice available on request to any person and to their subscribers on the following schedule:
(a) No later than the initial date the compliance law becomes effective for everyone enrolled in the plan at that time.
(b) After that date, at the time of enrollment for new enrollees.
(c) Within 60 days of a material revision to the notice, to individuals then covered by the plan.
(d) No less frequently than once every three years. The health plan must notify their subscribers then covered by the plan of the availability of the notice and how to obtain the notice.

What internal protections do I have to provide for patient records within my office?
You must have appropriate administrative, technical, and physical safeguards to protect the privacy of your patients’ records. You are required to reasonably safeguard your patient records from any intentional or unintentional use or disclosure that is in violation of the law. Depending on the design and/or operation of your practice, this could require you to make changes to your office layout and/or computer systems.
• If you adjust patients in an “open bay” setting, you would be required to provide a private area to discuss clinical information, and each treatment area would have to have a curtain or partition in order to create a minimum zone of privacy.
• If members of your staff have job responsibilities that do not require them to have access to a patient’s clinical records, you would have to have software capable of denying access to the clinical portions of a patient’s records.
• If your computer is connected to the internet, you must have “firewall” protection that would protect your patient records from a hacker seeking access to your data.
• Patients may not have visual access to your appointment books. A chiropractic assistant must provide appointment options without allowing the patient access to the names of other patients.
• Patients may not view computer monitors that display the names of other patients.
• Sign-in sheets are allowed. However, for those offices that wish to honor the spirit of the privacy laws, sign-in sheets should be unique to a particular patient. This can be accomplished by using a separate sheet of paper for each patient and then bundling each day’s sheets together and filing them by date. As an alternative, you could keep a sign-in sheet in the patient’s file.
• If you currently place your patients’ records in a receptacle outside a treatment room where the receptacle is open to other patients passing by, you will have to eliminate the receptacle or place the clinical file in an envelope or other type of portfolio so the patient name and/or other information is not visible to other patients.
• Access to the areas in which patient records are stored must be controlled so that only authorized individuals have access. Doors or filing cabinets must be secured against patients and staff members that do not have job responsibilities that require them to have access to clinical records.
• Policies and procedures must be written so that all staff understand the privacy requirements of their jobs. These procedures must include prohibiting employees from attempting to access patient information that is not part of their job responsibilities and the requirement to keep patient records secure when they are in their work areas.
• Testimonial books, birthday boards, children’s photos, and “thank you” referral boards that list patient names would have to be eliminated unless the patient gave specific authorization allowing their names to be used. This includes sign boards that list the patients’ first name and last initial.
Work areas that are open to patients and/or small children must be secured so that unauthorized personnel do not have intentional or unintentional access to patient records.
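The second and ninth bullets above call for software that denies staff access to the clinical portion of a record when their job does not require it, and for written policies that prohibit attempts at such access. The Python code below is an added example, not code from the WCA or from any practice management product. It assumes a record split into demographics, billing and clinical sections and a made-up role-to-section table; it applies deny-by-default (an unknown role sees nothing) and records every attempt, permitted or denied, in an audit list so that a denied attempt can later be documented in the staff member’s employment file.

```python
from datetime import datetime, timezone

# Constructed sample record; the patient and all values are made up.
SAMPLE_RECORD = {
    "patient_id": "P-0001",
    "demographics": {"name": "Sample Patient", "phone": "555-0100"},
    "billing": {"balance": 120.0, "insurer": "Sample Health Plan"},
    "clinical": {"diagnosis": "lumbar strain", "notes": ["SOAP note 2003-05-02"]},
}

# Hypothetical role-to-section mapping (an assumption for this example; the
# FAQ only says staff without a clinical job responsibility must be denied
# the clinical portion of a record).
ROLE_SECTIONS = {
    "front_desk": {"demographics"},
    "billing": {"demographics", "billing"},
    "chiropractor": {"demographics", "billing", "clinical"},
}


def view_record(record, user, role, sections, audit_log, now=None):
    """Return the requested sections this role may see and log every attempt.

    Deny by default: a role missing from ROLE_SECTIONS sees nothing.
    Denied attempts are logged with the same fields as permitted ones
    (date, who, which patient, which section) so the entries can back
    the disciplinary documentation the FAQ requires.
    """
    allowed = ROLE_SECTIONS.get(role, set())
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    view, denied = {}, []
    for section in sections:
        permitted = section in allowed and section in record
        audit_log.append({
            "when": stamp,
            "user": user,
            "role": role,
            "patient_id": record["patient_id"],
            "section": section,
            "result": "permitted" if permitted else "denied",
        })
        if permitted:
            view[section] = record[section]
        else:
            denied.append(section)
    return view, denied


def denied_attempts(audit_log, user):
    """Audit entries for one user that belong in their employment file."""
    return [e for e in audit_log if e["user"] == user and e["result"] == "denied"]


if __name__ == "__main__":
    log = []
    shown, refused = view_record(SAMPLE_RECORD, "alice", "front_desk",
                                 ["demographics", "clinical"], log)
    print("sections shown:", sorted(shown))       # ['demographics']
    print("sections refused:", refused)            # ['clinical']
    print("entries for the employment file:", denied_attempts(log, "alice"))
```

The point of logging the denied request rather than silently returning less data is that the FAQ treats an attempt to reach records outside one’s job as a policy violation in its own right; the log gives the practice the date, the person and the record involved without exposing the clinical content itself.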
What documentation is required for the records that are available for inspection or copying by my patients?
You must document the following and retain the documentation for 6 years:
(1) The records that are subject to access by individuals; and
(2) The titles of the persons responsible for receiving and processing requests for access by patients.
Does a patient have the right to make changes to their records?
A patient has the right to request that you amend their records as long as you have the records in your files. You may deny a patient’s request for an amendment if you determine that the record that is the subject of the request:
- was not created by you, unless the patient provides a reasonable basis to believe that the originator of the protected health information is no longer available to act on the requested amendment;
- is not part of their records; or
- in your view, is accurate and complete. This last point prevents a patient from being able to compel you to put false clinical information into their file.
You must permit a patient to request that you amend their records. You may require patients to make requests for amendments in writing and to provide a reason to support a requested amendment, provided that you inform your patients in advance of this requirement.
You must act on the patient’s request for an amendment no later than 60 days after receipt of such a request. If you deny the request, you must give the patient a written explanation for your denial within 60 days. If you are unable to act on the amendment within 60 days, you may extend the time by no more than 30 days, provided that within 60 days you give the patient a written statement of the reasons for the delay and the date by which you will complete your action on the request. You may only have one 30-day extension.
If you accept the requested amendment, in whole or in part, you must comply with the following requirements:
(1) You must make the appropriate amendment to the patient’s records by, at a minimum, identifying the records that are affected by the amendment and appending or otherwise providing a link to the location of the amendment.
(2) You must timely inform the patient that the amendment is accepted and notify the relevant persons with which the amendment needs to be shared.
(3) You must make reasonable efforts to inform and provide the amendment within a reasonable time to:
(a) Persons identified by the patient as having received records needing the amendment; and
(b) Persons, including business associates, which you know may have relied or could rely on the previous information to the detriment of the patient.
What are my responsibilities if I deny a patient’s request to amend their records?
If you deny a patient’s request for an amendment, in whole or in part, you must comply with the following requirements:
(1) You must provide the patient with a timely, written denial. The denial must use plain language and contain:
(a) The basis for the denial;
(b) The patient’s right to submit a written statement disagreeing with the denial and how the patient may add this statement to their file;
(c) A statement that, if the patient does not submit a statement disagreeing with the denial, the patient may request that you provide their request for an amendment and your denial with any future disclosures of their records that are the subject of the requested amendment;
(d) A description of how the patient may complain to you or the Secretary of Health and Human Services; and
(e) The name, or title, and telephone number of the contact person in your office.
(2) You must permit the patient to submit to you a written statement disagreeing with the denial of all or part of a requested amendment and the basis of such disagreement. You may reasonably limit the length of a statement of disagreement.
(3) You may prepare a written rebuttal to the patient’s statement of disagreement. Whenever such a rebuttal is prepared, you must provide a copy to the patient.
(4) You must, as appropriate, identify the records that are in dispute and append or link the record to the patient’s request for an amendment and your rebuttal, if any.
(5) If the patient has submitted a statement of disagreement, you must include the statement, or an accurate summary of the statement, every time the records that are in disagreement are disclosed. If the patient has not submitted a written statement of disagreement, you must include the patient’s request for an amendment and its denial, or an accurate summary of the information, with any subsequent disclosure of the patient’s records if the patient has requested that you do so.
What rights do my patients have to know where their records have been sent?
A patient has a right to receive an accounting of disclosures of their protected health information made by you in the six years prior to the date on which the accounting is requested, except for disclosures that occurred prior to April 14, 2003.
You must provide the patient with a written accounting that meets the following requirements:
(1) The accounting must include disclosures of protected health information that occurred during the six years prior to the date of the request for an accounting, including disclosures to or by your associates.
(2) The accounting must include for each disclosure:
a) The date of the disclosure;
b) The name of the entity or person who received the protected health information and, if known, the address of such entity or person;
c) A brief description of the protected health information disclosed; and
d) A brief statement of the purpose of the disclosure that reasonably informs the individual of the basis for the disclosure; or, in lieu of such statement:
- A copy of the patient’s written authorization; or
- A copy of a written request for a disclosure.
(3) If, during the period covered by the accounting, you have made multiple disclosures of protected health information to the same person or entity for a single purpose, the accounting may, with respect to such multiple disclosures, provide:
a) The information required for the first disclosure during the accounting period;
b) The frequency, or number, of the disclosures made during the accounting period; and
c) The date of the last such disclosure during the accounting period.
You must act on the patient’s request for an accounting no later than 60 days after receipt of such a request. If you are unable to provide the accounting within 60 days, you may extend the time to provide the accounting by no more than 30 days, provided that within 60 days you provide the patient with a written statement of the reasons for the delay and the date by which you will provide the accounting. You are only allowed one 30-day extension.
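Items (1) through (3) above define the accounting of disclosures as a record type with a six-year look-back, a fixed cutoff date, and an optional summary line for repeated disclosures to one recipient for a single purpose, and the last paragraph fixes the 60-day response deadline with a single 30-day extension. The Python code below is an added example of generating such an accounting from a disclosure log; it is not from the FAQ or from any vendor. The log entries, recipients and addresses are constructed, and grouping on recipient plus purpose is this example’s reading of item (3).

```python
from collections import OrderedDict
from datetime import date, timedelta

# Values stated in the FAQ.
ACCOUNTING_CUTOFF = date(2003, 4, 14)   # disclosures before this date are excluded
ACCOUNTING_YEARS = 6
RESPONSE_DAYS = 60
EXTENSION_DAYS = 30                     # only one extension is permitted

# Constructed disclosure log; recipients, addresses and descriptions are made up.
SAMPLE_DISCLOSURES = [
    {"date": date(2002, 12, 1), "recipient": "Sample Health Plan", "address": "1 Example St",
     "description": "treatment notes, visit 1", "purpose": "payment"},
    {"date": date(2003, 5, 2), "recipient": "Sample Health Plan", "address": "1 Example St",
     "description": "treatment notes, visits 2-4", "purpose": "payment"},
    {"date": date(2003, 9, 10), "recipient": "Sample Health Plan", "address": "1 Example St",
     "description": "treatment notes, visits 5-8", "purpose": "payment"},
    {"date": date(2004, 1, 15), "recipient": "Dr. Example (consulting provider)", "address": None,
     "description": "x-ray report", "purpose": "treatment consultation"},
]


def _as_date(value):
    """Accept either a date or an ISO 8601 string such as '2005-03-01'."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def six_years_before(d):
    """Start of the look-back window; Feb 29 falls back to Feb 28."""
    try:
        return d.replace(year=d.year - ACCOUNTING_YEARS)
    except ValueError:
        return d.replace(year=d.year - ACCOUNTING_YEARS, day=28)


def build_accounting(disclosures, requested_on):
    """Return the accounting entries for a request made on requested_on.

    Window: the six years before the request, but never earlier than the
    cutoff date. Multiple disclosures to the same recipient for the same
    purpose collapse into one entry carrying the first disclosure's details,
    the number of disclosures, and the date of the last one (item 3).
    """
    requested_on = _as_date(requested_on)
    window_start = max(six_years_before(requested_on), ACCOUNTING_CUTOFF)
    in_scope = sorted(
        (d for d in disclosures if window_start <= d["date"] <= requested_on),
        key=lambda d: d["date"],
    )
    groups = OrderedDict()
    for d in in_scope:
        key = (d["recipient"], d["purpose"])
        if key not in groups:
            groups[key] = {
                "date": d["date"],            # a) date of the (first) disclosure
                "recipient": d["recipient"],  # b) who received it ...
                "address": d["address"],      #    ... and their address if known
                "description": d["description"],  # c) what was disclosed
                "purpose": d["purpose"],      # d) why
                "count": 0,                   # item 3 b) frequency
                "last_date": d["date"],       # item 3 c) last disclosure
            }
        entry = groups[key]
        entry["count"] += 1
        entry["last_date"] = d["date"]
    return list(groups.values())


def accounting_deadlines(received_on):
    """60 days to respond; one 30-day extension if the patient is told in writing first."""
    received_on = _as_date(received_on)
    respond_by = received_on + timedelta(days=RESPONSE_DAYS)
    return {
        "respond_by": respond_by,
        "latest_with_extension": respond_by + timedelta(days=EXTENSION_DAYS),
    }


if __name__ == "__main__":
    for entry in build_accounting(SAMPLE_DISCLOSURES, "2005-03-01"):
        print(entry)
    print(accounting_deadlines("2004-06-01"))
```

Note that the December 2002 disclosure drops out because of the April 14, 2003 cutoff even though it is inside the six-year window, and that the two 2003 disclosures to the plan collapse into one summary line; a disclosure log that does not record the purpose cannot produce item (3), which is a reason to capture it at the time of disclosure rather than reconstruct it later.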
What documentation must I keep when I give a patient an accounting of where their records have been sent?
You must document the following and retain the documentation for six years:
• The information required to be included in an accounting;
• The information you provided to the patient; and
• The titles of the persons or offices responsible for receiving and processing requests for an accounting by individuals.
What are my responsibilities if an employee does not follow our privacy policies and/or procedures?
You are required to have and use disciplinary policies against an employee that violates your privacy policies or procedures. Your disciplinary actions could include:
• warnings (oral)
• reprimands (written)
• probation
• demotion
• temporary suspension
• discharge of employment
• restitution of damages
• referral for criminal prosecution.
Any disciplinary action taken against an employee must be documented in the employment file of the staff person. The file should contain specific information including:
• the date of the incident
• the name of the reporting party
• the name of the person responsible for taking action
• follow-up action taken.
What are my obligations if I find that our privacy policies and/or procedures are not being followed?
In addition to the disciplinary action described in the preceding question, you must also, to the extent practicable, mitigate any harmful effect that has been caused by the violation.
I am very upset because a member of my staff or a patient reported me for violating the privacy law. What action may I take against the employee?
The law is very specific that you may not intimidate, threaten, coerce, discriminate against, or take other retaliatory action against an employee or patient that:
1) Reports a privacy violation.
2) Testifies against you.
3) Assists in an investigation or a compliance review.
4) Opposes any act or practice that they, in good faith, believe violates the privacy laws.
You may not require your staff or patients to waive their rights in order to work for you, receive benefits, or to receive increases in compensation.
If I have a patient, at the time the law takes effect, that refuses to acknowledge that they have received a copy of our privacy notice, may I treat that person?
Yes. You must note in the patient’s records the attempts you made to have the patient sign or initial a statement that they received a copy of your privacy notice and the reason they refused to sign.
Electronic Transactions
Who is covered by privacy laws?
The privacy laws cover all health care providers that send health care transactions by electronic transmission, including the Internet. A health care transaction includes:
(1) Health care claims or equivalent encounter information.
(2) Health care records.
(3) Health care payment and remittance advice.
(4) Coordination of benefits.
(5) Health care claim status.
(6) Enrollment and disenrollment in a health plan.
(7) Eligibility for a health plan.
(8) Health plan premium payments.
(9) Referral certification and authorization.
(10) First report of injury.
The law also covers all of the following health plans:
• Group health plans
• Health insurance companies
• HMOs
• Medicare
• Medical Assistance
• Medicare supplemental policies
• Long-term care plans
• Union health plans
• Military health plans
• Veterans health plans
• CHAMPUS
• The Indian Health Service programs
• The Federal Employees Health Benefit Program
• State child health plans
• The Medicare + Choice program
• Any other individual or group plan, or combination of individual or group plans, that provides or pays for the cost of health care.
Health care clearinghouses are also covered by the law. A health care clearinghouse is a public or private business, including billing services and re-pricing companies, that processes patient information from a nonstandard to a standard format.
By what date must I comply with the electronic standards portion of the rule?
You, or your clearinghouse, must comply with the electronic portion of the privacy laws no later than October 16, 2002.
Where can my software company get a copy of the implementation specifications?
The implementation specifications for ASC X12N standards may be obtained from the Washington Publishing Company, PMB 161, 5284 Randolph Road, Rockville, MD, 20852-2116; telephone 301-949-9740; and FAX: 301-949-9742. They are also available through the Washington Publishing Company on the Internet at http://www.wpc-edi.com.
If I use a billing service or clearinghouse, am I responsible for making sure their software is compliant?
Yes. If you choose to use a billing service or clearinghouse to process your claims, you must require them to comply with all elements of the law.
What members of my staff are required to have privacy training?
Any staff person that has a job responsibility which is covered by the HIPAA privacy laws is required to be trained on the elements of the law that affect them. This training can be accomplished by attending a WCA program, having a member of your staff attend a WCA program and then having that person teach the other members of your staff, or downloading the rules and completing the training yourself.
I do not have a fax or a computer in my office. Must I comply with the HIPAA privacy laws?
Technically, no. However, you must still comply with Wisconsin’s privacy laws. In addition, some managed care plans may require you to comply with the HIPAA privacy laws as a condition to stay on their managed care panel. If they make this a requirement of their plan, your option is to comply or leave the panel.
What resources are the billing and coding standards based on?
The billing and coding standards are:
International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM), Volumes 1 and 2, as maintained and distributed by Health and Human Services (HHS), for the following conditions:
(1) Diseases
(2) Injuries
(3) Impairments
(4) Other health problems and their manifestations
(5) Causes of injury, disease, impairment, or other health problems
International Classification of Diseases, 9th Edition, Clinical Modification, Volume 3 Procedures (including The Official ICD-9-CM Guidelines for Coding and Reporting), as maintained and distributed by HHS, for the following procedures or other actions taken for diseases, injuries, and impairments on hospital inpatients reported by hospitals:
(1) Prevention
(2) Diagnosis
(3) Treatment
(4) Management
National Drug Codes (NDC), as maintained and distributed by HHS, in collaboration with drug manufacturers, for the following:
(1) Drugs
(2) Biologics
The combination of Health Care Financing Administration Common Procedure Coding System (HCPCS), as maintained and distributed by HHS, and Current Procedural Terminology, Fourth Edition (CPT-4), as maintained and distributed by the American Medical Association, for physician services and other health care services. These services include, but are not limited to, the following:
(1) Physician services
(2) Physical and occupational therapy services
(3) Radiologic procedures
(4) Clinical laboratory tests
(5) Other medical diagnostic procedures
(6) Hearing and vision services
(7) Transportation services including ambulance
The Health Care Financing Administration Common Procedure Coding System (HCPCS), as maintained and distributed by HHS, for all other substances, equipment, supplies, or other items used in health care services. These items include, but are not limited to, the following:
(1) Medical supplies
(2) Orthotic and prosthetic devices
(3) Durable medical equipment
We mail all of our claims and clinical documentation. All we use the Internet for is to check on the status of a patient’s claim. Are we covered under the HIPAA privacy laws?
Yes. If you inquire about the status of a health care claim using electronic means or you are sent e-mail about the status of a claim, you are covered by the law. Once covered by the law, you must comply with all elements of the law.
We mail all of our claims and clinical documentation. However, we send inquiries about a patient’s benefits electronically. Are we covered under the HIPAA privacy laws?
Yes. If you obtain benefits information or receive EOBs electronically, the law covers you. Once covered by the law, you must comply with all elements of the law.
Can a chiropractor to whom a patient is referred for the first time use patient health information to set up appointments before providing the patient with a copy of their privacy notice?
Yes. You would provide the privacy notice the first time you saw the patient.
Will the notice requirements restrict the ability of providers to consult with other providers about a patient’s condition?
No. A provider with a direct treatment relationship with a patient would have to provide the patient with a copy of his/her privacy notice when they first treated the patient. Consulting with another health care provider about the patient’s case falls within the definition of “treatment” and, therefore, is permissible. If the provider being consulted does not otherwise have a direct treatment relationship with the patient, that provider does not need to provide the patient with a copy of their privacy notice.
The rule provides an exception to the notice requirements for “emergency treatment situations.” How will a provider know when the situation is an “emergency treatment situation” and is exempt from the rule’s privacy notice requirement?
Health care providers must exercise their professional judgment to determine whether attempting to get the patient to acknowledge that they received a copy of the provider’s privacy notice would interfere with the timely delivery of necessary health care. If, based on professional judgment, a provider reasonably believes at the time the patient presents for treatment that a delay would compromise the patient’s care, the provider may provide treatment without giving the patient a copy of their privacy notice in order to carry out the patient’s treatment. The provider must attempt to provide their privacy notice as soon as reasonably practicable after the provision of treatment.
Must we verify a signature on the privacy notice if the individual is not present when he or she signs it?
No.
Must a revocation of an authorization be in writing?
Yes.
How are we expected to determine what is the minimum necessary information that can be used, disclosed, or requested for a particular purpose?
The privacy
rules require providers to make a reasonable effort to limit use, disclosure of,
and requests for personal health information to the minimum necessary to accomplish
the intended purpose. To allow providers the flexibility to address their unique
circumstances, the rules require providers to make their own assessment of what
health information is reasonably necessary for a particular purpose, given the
characteristics of their practice, and to implement policies and procedures accordingly.
This is not a strict standard and providers need not limit information to that
which is absolutely needed to serve the purpose. Rather, this is a reasonableness
standard that calls for an approach consistent with the best practices and guidelines
already used by most providers today to limit the unnecessary sharing of health
care information.
The minimum necessary standard is intended to make providers
evaluate their practices and enhance protections as needed to prevent unnecessary
or inappropriate access to a patient’s health information. It is intended to reflect
and be consistent with, not override, professional judgment and standards.
If health care providers engage in confidential conversations with other providers or with patients, have they violated the rule if there is a possibility that they could be overheard?
The privacy rules are not intended to prohibit providers from talking to each other and to their patients. HHS understands that overheard communications are unavoidable. HHS considers the following practices to be permissible, if reasonable precautions are taken to minimize the chance of inadvertent disclosures to others who may be nearby (such as using lowered voices, talking apart):
• Your staff may orally coordinate services in your administrative area.
• You or your staff may discuss a patient’s condition over the phone with the patient, a provider, or a family member.
Does the Privacy Rule require doctors’ offices to be retrofitted, to provide private rooms and soundproof walls, to avoid any possibility that a conversation is overheard?
No, the Privacy Rule does not require these types of structural changes be made to facilities. Providers must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of patients’ health information. “Reasonable safeguards” means that providers must make reasonable efforts to prevent uses and disclosures not permitted by the rule. HHS does not consider facility restructuring to be a requirement under this standard. For example, the privacy rules do not require the following types of structural or systems changes:
• Private rooms.
• Soundproofing of rooms.
• Encryption of wireless or other emergency medical radio communications which can be intercepted by scanners.
• Encryption of telephone systems.
Providers must provide reasonable safeguards to avoid prohibited disclosures. The rule does not require that all risk be eliminated to satisfy this standard. Providers must review their own practices and determine what steps are reasonable to safeguard their patient information. Examples of the types of adjustments or modifications to facilities or systems that may constitute reasonable safeguards are:
• Staff could ask waiting patients to stand a few feet back from a counter used for patient check-in or payment.
• Providers should add curtains or screens to areas where oral communications occur between doctors and patients or among professionals treating the patient.
• In an area where multiple patient-staff communications routinely occur, use of cubicles, dividers, shields, or similar barriers may constitute a reasonable safeguard.
Do the privacy rules allow parents the right to see their children’s medical records?
If under state or federal law a parent, guardian, or other person acting in loco parentis has authority to act on behalf of an individual who is an unemancipated minor in making decisions related to health care, you must treat that person as a personal representative under the privacy laws with respect to the child’s health information.
That person may not be a personal representative of an unemancipated minor, and the minor has the authority to act as an individual, with respect to protected health information pertaining to a health care service, if:
(A) The minor consents to such health care service; no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained; and the minor has not requested that such person be treated as the personal representative;
(B) The minor may lawfully obtain such health care service without the consent of a parent, guardian, or other person acting in loco parentis, and the minor, a court, or another person authorized by law consents to such health care service; or
(C) A parent, guardian, or other person acting in loco parentis assents to an agreement of confidentiality between a covered health care provider and the minor with respect to such health care service.
When is an authorization required from a patient if we engage in marketing to that individual?
An authorization for use or disclosure of a patient’s health information for marketing is always required, unless one of the following three exceptions applies:
• The marketing occurs during an in-person meeting with the patient (e.g., during an appointment).
• The marketing concerns products or services of nominal value.
• The provider is marketing health-related products and services, the marketing identifies the covered entity that is responsible for the marketing, and the individual is offered an opportunity to opt out of further marketing. In addition, the marketing must tell people if they have been targeted based on their health status, and must also tell people that the provider is directly or indirectly compensated for making the communication.
What if I decide to take my chances and not comply?
The law calls for severe civil and criminal penalties, including fines up to $250,000 and imprisonment of up to 10 years. The law gives the government the right to audit you at any time to ensure that your practice is in compliance. The burden is on the doctor to prove that they are complying with the law. However, a bigger concern may be a disgruntled patient. The privacy laws will receive a great deal of publicity when they go into effect. A dissatisfied patient may bring your practice to the attention of HHS as an easy means of expressing their displeasure over their care.
In general, how do these rules alter the way a doctor and his/her staff use patient health care information?
Before HIPAA there were state laws but no federal controls on how a doctor used a patient’s health care information. If something was not forbidden under state or federal law, a doctor was allowed to use patient health care information in any way they chose. Under HIPAA, a chiropractor may not use patient information for any purpose except that which is permitted by the rules. A doctor that uses the names and/or addresses of patients for internal or external marketing must have the patient’s written authorization before they may do so.
Our current practice is to send all of the clinical documentation in a patient’s file whenever we receive a request from an insurance company. Will HIPAA require a change in our practices?
Under the “minimum necessary standard” HIPAA requires you to send the minimum amount of clinical information necessary to accomplish the intended purpose. The law gives a special exemption to an insurance company requesting patient records. You are allowed to assume that any request from an insurance company is the “minimum necessary”. You are not allowed to challenge the insurance company to prove that their request is valid.
However, if there is no request from the insurance company, your staff should only send documentation related to the patient’s current problems.
Can I copy the language of the statute and use that for my privacy notice or authorization form?
Unfortunately, the language of the statutes cannot be used verbatim because the statute requires that your privacy notice and authorization form be in plain language. It is a shame that the federal government did not impose the same requirement on itself to help simplify the understanding of the HIPAA rules. If you attended the WCA training courses, you have access to our policies and forms. If you choose to develop the form yourself, we would advise you to have an attorney review your notice and authorizations so that they comply with all HIPAA requirements, including the “plain language” requirement.
Can a patient put restrictions on the people or organizations to which their protected health information is released?
Yes. By law, you must permit your patients to request that you not send information to certain parties or that you limit the type of information sent to another party. This restriction can apply to treatment, payment, or the operation of your practice. You are not required to agree to their restrictions. Any restrictions you agree to must be in writing.
If you agree to the restriction, you may not use or disclose the information that is part of the restriction. However, if the patient is in need of emergency treatment and the restricted protected health information is needed, you may use the restricted protected health information, or may disclose such information to another health care provider, to provide such treatment to the individual. If you use the restricted information for emergency treatment, you must request that the person to whom the information was disclosed does not further use or disclose the information. A patient cannot require you to ignore requests for information you are required to give by law.
There are a lot of references in the privacy law to policies and procedures. Must we have written policies and procedures describing our employees’ responsibilities under the privacy laws?
Yes. Written policies and procedures are required so your staff is fully informed about their responsibilities.
The policies and procedures may be written or kept on a computer. The policies and procedures must be reasonably designed for the size of your practice and the type of management that you have over your staff. While the law does not specifically require a certain type of policy or procedure, it specifically states that you cannot use a poorly designed policy or procedure as an excuse for violating the law.
You are required to change your policies and procedures whenever there is a change in the law or you find it is necessary for compliance with the law. You should keep your original policies and procedures and any changes in your file for six years. If there is a significant change in the law, you must change your privacy notice as well as your policies and procedures.
May we charge a fee for the records we provide to our patients?
If a patient requests a copy of their records or agrees to a summary of the records, you may impose a reasonable, cost-based fee, provided that the fee includes only the cost of:
• Copying, including the cost of supplies and labor of copying the file
• Postage, when the patient has requested the copies be mailed
• Preparing a summary of the file if agreed to by the patient
May I charge a patient when they ask me for an accounting of where their records have been sent?
You must provide the first accounting to a patient in any 12-month period without charge. You may impose a reasonable, cost-based fee for each subsequent request by the same patient within a 12-month period, provided you inform the patient in advance of the fee and provide the patient with an opportunity to withdraw or modify their request in order to avoid or reduce the fee.
Must there be a person in charge of our privacy policies and procedures?
You must designate a person to be responsible for the development and implementation of the policies and procedures for your practice. In addition, you must designate a contact person or office who is responsible for receiving complaints and who is able to provide further information about matters covered by your privacy notice. You must document the names of the person(s) selected for these jobs and keep the documentation for 6 years. Keep in mind that if you choose a staff member for this job, the responsibility will revert to you if that person quits or is terminated from their job.
What rights do my patients have to see information in their file?
A patient has the right to inspect and obtain a copy of their file for as long as you maintain the protected health information. You must permit a patient to request that they be allowed to inspect or copy their file. You may require patients to make requests for access in writing, provided you have informed patients of this requirement.
This law requires you to give the patient access to their records no later than 30 days after receipt of the request. However, the Chiropractic Examining Board expects records to be turned over to the patient “as soon as possible” unless there is a good reason why you are unable to do so. If you are unable to produce the records within 30 days, you may extend the time by no more than 30 days provided you give the patient a written explanation as to why the delay is necessary. You may have only one extension.
What are my responsibilities for documenting the name of the individual that has responsibility for receiving or processing requests for amendments by my patients?
You must document the name and/or title of the person, or the name of the office, responsible for receiving and processing requests for amendments by patients. You must retain the documentation for six years.
What must we do to terminate our agreement to a disclosure restriction?
You may terminate your agreement to a restriction, if:
(a) The patient agrees to or requests the termination in writing;
(b) The patient orally agrees to the termination and the oral agreement is documented; or
(c) You inform the patient you are terminating your agreement to the restriction. This type of termination is only effective with respect to protected health information created or received after you have informed the patient.
What practical changes will I see in the way we do our billing as a result of the electronic standards?
Offices that are using a current version of the CPT and HCPCS manuals should not have to change any of their billing practices. For these offices, the changes will occur in the software code, and claims should be able to be entered into the system with few, if any, procedural changes. Offices not using a current version of the CPT or HCPCS codebooks may obtain them from the AMA at (800) 621-8335. For these offices, there may be significant software and procedural changes.
I have converted my software as required by the law. I work with a health plan that will pay me at a higher reimbursement rate if I continue to send in my claims using the “old way”. Can they do this?
It is against the law for an insurance company or managed care plan to offer you an incentive of any kind to bill your claims in a way that does not comply with the law. In addition, a health plan may not delay or reject a transaction, or attempt to adversely affect you or the transaction, because their system is not yet ready to handle data formatted under the new standards.
Can an insurance or managed care company force me to comply with these rules even if I do not transmit any claim data or patient information electronically?
If a managed care or insurance company requires that you transmit patient data or claims electronically, you will be required to follow all of these rules. Some managed care companies will automatically require you to be HIPAA compliant so they protect themselves against potential lawsuits over privacy. Insurers or managed care companies that do not require immediate compliance will likely do so in the future as they allow electronic transmission of claims or health care information.
If I am part of a managed care company for which I directly enter my claims data on their website or with their software, am I responsible for making sure the software is compliant?
No. The managed care company would have the responsibility for compliance. It is possible that the software may change as a result of the privacy requirements. If so, your staff would have to be re-trained as to how to use the software.
We mail all of our claims and clinical documentation. However, we are paid electronically. Are we covered under the HIPAA privacy laws?
Yes. If a payment is made electronically to your bank account, the law covers you. Once covered by the law, you must comply with all elements of the law.