Are You HIPAA Compliant or Complacent?
by Wyn Staheli - September 2002
INTRODUCTION
What do you know about HIPAA compliance? As with all new government programs, there seems to be a lot of confusion. Many of you probably feel like Doctor Trevor Miller, who said, "The HIPAA special interest groups are getting on my nerves". The recent letters, fliers and other ads from publishers, seminar producers and even insurance companies only seem to add to the confusion.
This article clarifies misconceptions about HIPAA and provides resources to help you learn more. Because HIPAA is new and dynamic, interpretations of the rules could change in the future. The information contained here is only accurate as of September 2002.
WHAT IS HIPAA?
HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The initial intents and purposes of this act were to:
- Protect individuals from losing health insurance when they change insurance coverage (portability).
- Standardize the healthcare system (accountability).
To make all this happen, it became apparent that certain rules would need to be established that would both protect individuals and make it possible for insurance carriers and providers to communicate using the same set of rules and codes.
HIPAA has three main components affecting providers/doctors, each with its own implementation timetable, standards and rules:
- Electronic Transactions
- Privacy and Confidentiality
- Security
Before proceeding, you should know whether or not your practice is a HIPAA "covered entity."
DO YOU HAVE TO FILE?
A common misconception is that ALL providers must file a "Compliance Plan" or a "Compliance Plan Extension Form" by October 15, 2002. This is NOT true. The HIPAA rules and regulations only apply to health care providers who transmit health information in electronic form (electronic billing, payment reports, verification, reports, etc.). According to the law, if you do not transmit any health information electronically, you are not a "Covered Entity."
Concurrent with HIPAA's October 2003 Electronic Transaction Rules is a rule that all Medicare claims must be submitted electronically, unless you have a waiver. Some providers MUST be granted such a waiver "if there is no method available for the submission of claims in electronic form or if the entity submitting the claim is a small provider of services or supplies." The term 'small provider of services or supplies' means you meet one of the two criteria below:
- An institutional provider of services with fewer than 25 full-time equivalent employees; or
- A physician, practitioner, facility, or supplier (other than provider of services) with fewer than 10 full-time equivalent employees.
In other words, if you only do manual (paper) transactions, and you are a small provider, you are not required to file a HIPAA compliance plan. You MAY still submit paper claims for Medicare payment. DO NOT file either a "Compliance Plan" or a "Compliance Plan Extension Form."
Conversely, if you do any electronic transactions, whether in-house or through a billing service, you are a Covered Entity and must comply with all associated HIPAA rules and regulations. That includes either having a "Compliance Plan" in place now, or filing an automatic "Compliance Plan Extension Form" before October 14, 2002 and becoming compliant by October 2003.
If you are required to meet HIPAA Electronic Transaction standards, use the following links:
For instructions on completing the Compliance Plan, go to:
http://www.cms.hhs.gov/hipaa/hipaa2/TCSFormInstructions.asp
To file your compliance plan manually (do not file both electronically and by mail), download the form (ASCAForm.pdf) and print it on your own computer. When it is completed, send it via certified mail. (To view PDF files, download the free Acrobat Reader from: www.adobe.com)
To file your compliance plan electronically, go to: http://cms.hhs.gov/hipaa/hipaa2/ascaform.asp
We anticipate that many solo practitioners might be exempt from HIPAA and its rules because neither they nor their billing department do electronic transactions. The jury is still out on whether or not a faxed claim submission is considered to be an electronic transaction. To err on the side of caution, if you use a computer software program, then use it only to prepare paper claims that are sent via regular mail.
InstaCode has developed a simple computer program for printing claim forms. The InstaClaim PC software speeds up the claim process and helps you comply with HIPAA. InstaClaim is ideal for practices and billing services that want to automate the claim creation process without the overhead and expense of a large, complex computer billing system.
THE HIPAA ELECTRONIC TRANSACTION RULE
The Transaction Rule - formally called the Electronic Transactions Standards - was initially released in October 1999 and the original compliance date was set as October of 2002. This date has worried many providers. If you are a Covered Entity and need to file, we recommend that you file an extension. When you file your extension, the form asks what you have done to come into compliance. There are many questions to answer and this will help you determine what still needs to be done in your office.
For a list of Frequently Asked Questions (FAQs) on this rule, follow this link: http://aspe.hhs.gov/admnsimp/faqtx.htm
WHAT IS THE HIPAA PRIVACY RULE?
The Privacy Rule - formally called the Privacy of Individually Identifiable Health Information - became effective on April 14, 2001 and has an April 14, 2003 compliance deadline.
Even if you are a Non-Covered Entity and are not subject to all HIPAA standards, you ought to follow the rules when doing business with a Covered Entity. Also, many of the rules and required notices (consent forms, privacy policies, etc.) of the Privacy Rule are prudent and good ethical office standards worthy of adopting, even if you are not an official "covered entity".
The extent of the privacy protection protocols is based on the size of the HIPAA Covered Entity. Clinics and hospitals need to have more stringent safeguards in place than a sole provider. For a good short summary of the most important provisions of this rule, go to http://www.chirocode.com/Download/HIPAAPrivacyAlert.pdf. (To view PDF files, download the free Acrobat Reader from: www.adobe.com)
The following portions of the Privacy Rule are required for providers who are a Covered Entity and recommended for ethical Non-Covered providers as well:
- Consent: The Rule permits, but does not require, obtaining written patient consent before providers use or disclose Protected Health Information (PHI). Consent forms should be easily understood by the average reader.
- Privacy Policy: providers with a direct treatment relationship must make a "good faith effort", the first time service is rendered, to obtain a signed patient "acknowledgment of receipt" of the provider's notice of privacy practices. This policy should be written in "plain English".
- Incidental Disclosures: As long as the covered entity takes reasonable safeguards to protect Protected Health Information (PHI), overheard conversations and the like are not a violation.
- Authorizations: The Department of Health and Human Services (HHS) adopted a single set of provisions, which must be included in all authorizations. Sample authorizations will be available from this website at a later date.
- Business Associate Agreements: Current and future contracts with business associates need to include clauses about the handling of PHI. (Needed for billing services, etc.)
- Employment Records Excluded: Individually identifiable health information found in employment records is not included as part of PHI.
Sample forms for many of these regulations will be available from this website at a later date. You may also download the entire Final Rule at the end of this article.
For a list of Frequently Asked Questions (FAQs) on this rule, follow this link: http://aspe.os.dhhs.gov/admnsimp/final/pvcguide1.htm
To test your knowledge of the privacy rule, go to http://www.regreform.hhs.gov/HIPAAQUIZ_0204171/sld001.htm
WHAT IS THE SECURITY RULE?
The Security Rule - formally known as the Security and Electronic Signature Standards - has not been finalized. The new standards were developed to protect the confidentiality, integrity, and availability of individual health information. The standards were created because there were no uniform rules in place that would both protect the individual and also permit appropriate access to that information by health care providers, clearinghouses and health plans.
According to HHS, "any healthcare provider, health care clearinghouse, or health plan who electronically maintains or transmits health information pertaining to an individual" must comply with the Security Standards.
Remember that this rule has not been finalized. At the end of this article, you can download the proposed rule in its entirety. The public comment period for this rule has passed. As more information becomes available, we will keep you informed.
WHAT HAPPENS IF YOU DON’T COMPLY?
These non-compliance penalties only apply to Covered Entities. Also, if you decide to file electronically at some point in the future, you will not have a grace period and will be immediately changed from non-covered to covered status. With that in mind, the following things could happen (in order of severity) if you fail to comply with HIPAA:
- Administrative action taken by the HHS Office for Civil Rights
- Fines of up to $100 per violation, up to $25,000 per year
- Fines of up to $250,000, imprisonment for up to 10 years, or both.
WHERE CAN I LEARN MORE?
Ignorance is not bliss. All providers need to know the law and how it applies to them on an individual basis. There are many sources for information: booklets, professional associations, videos, forums, and official Published Rules. We’ve included references for many of these resources.
For people who want to be on top of all the details, sign up for the HIPAA listserv (an automatic email notification system). When new information is published, you receive an email notification. Go to http://aspe.hhs.gov/admnsimp/lsnotify.htm to sign up.
Booklet: The American Psychological Association has written a good booklet for practitioners. Even though they advocate complete HIPAA participation and the audience is directed towards psychologists, much of the information is highly applicable to all providers. Follow this link to download their booklet: http://www.apait.org/resources/hipaa/hipaa_booklet.pdf
Professional organizations quite often have helpful information available as well. There are benefits to being involved in your professional organizations on either a national or local level. Even some malpractice insurance companies are sending letters and information to their clients. Find out what is available for you.
Seminars can also be a good source of information. Keep in mind that many of them will be advocating full HIPAA compliance and want you to purchase all their extra forms, books and services. Don’t buy anything you don’t really need. Remember, unless you are truly a Covered Entity, complete HIPAA compliance is optional.
Video: Until September 30, 2002, CMS is presenting a webcast of their video "Meeting the HIPAA Challenge: Implementing HIPAA Standards and the Administrative Simplification Compliance Act". You may watch this presentation on your computer. Go to http://cms.livewebcasts.com and select "View the broadcast via the web:" - either closed captioned or not.
This video is also available for FREE. For your FREE video, send an email to Medlearn@cms.hss.gov and be sure to include the video title, your full name, mailing address, and telephone number. Download the transcript of this video (an MS Word document file) here.
Forum: On September 30, 2002 from 2:00 - 3:30 pm EST, there will be a HIPAA Roundtable. Anyone interested in HIPAA is invited to participate and ask HIPAA questions. The call-in number is 800-837-1935. Access code #5260079. Please RSVP to Alikia Brown at abrown1@cms.hss.gov or fax 410-786-1710.
Books: The AMA has two books on HIPAA. We have read them. In the coming months, there will most likely be lots of books on the market. PMIC is publishing a book about HIPAA entitled "HIPAA Compliance Manual". In late October, you will be able to order this book from our secure on-line store.
Published Rules: For those of you who like to "get it straight from the horse's mouth", download the following official rules and read them in their entirety.
Good luck in your quest for HIPAA understanding.
Wyn Staheli
Operating Manager
InstaCode Institute, LC
ACRONYMS
ASCA - Administrative Simplification Compliance Act
CMS - Centers for Medicare and Medicaid Services
HHS - Department of Health and Human Services
HIPAA - Health Insurance Portability and Accountability Act
PHI - Protected Health Information
SMCP - Standard Model Compliance Plan