Living the Law and HIPAA

An Update on HIPAA

In 1996 the Health Insurance Portability and Accountability Act, or HIPAA, was passed and health care providers (and other agents) were mandated to have it in place as of April 2003. HIPAA has three major purposes:

  1. to protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information
  2. to improve the quality of health care in the United States by restoring trust in the health care system among consumers, health care professionals, and the multitude of organizations and individuals committed to the delivery of care
  3. to improve the efficiency and effectiveness of health care delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, individual organizations and individuals.

The Four Facets to HIPAA

The four parts to HIPAA's "Administrative Simplification" are:

  1. Electronic Health Transactions Standards: If billing insurance, practitioners are required to use the Standard Code Sets of the International Classification of Disease (ICD-9) codes and the Current Procedural Terminology (CPT) codes
  2. Unique Identifiers for Providers, Employers, Health Plans and Clients: Each practitioner who transmits electronically is assigned a National Provider Identifier (NPI)
  3. Security of Health Information & Electronic Signature Standards: All practitioners must provide uniform levels of protection of all health information that is housed or transmitted electronically. This includes your computer, along with any faxes and e-mail messages sent. An electronic signature is required for all HIPAA transactions. (The final regulations are being completed as of this writing.)
  4. Privacy and Confidentiality: Limits the non-consensual use and release of private health information; gives clients new rights to access their medical records and to know who else has accessed them; restricts most disclosure of health information to the minimum needed for the intended purpose; institutes criminal and civil sanctions for improper use or disclosure; and establishes new requirements for access to records by researchers and others

Who is a Covered Entity?

Unfortunately, the answer is not straightforward. In the Atlanta Business Chronicle, December 2, 2002, journalist Julie Bryant states, "What was to be a simple federal rule, designed to lift the health-care industry out of antiquated paper-based systems and into the bright, organized world of high-speed technology, has instead spawned hysteria, predatory opportunists and outright befuddlement."

Many companies are charging hundreds (and even thousands) of dollars to provide practitioners with training, guidelines and forms to ensure HIPAA compliance. Some of these may even be worth. Caution is advised before investing in these programs, particularly since it's still not clear exactly what is required of massage practitioners.

The current emphasis of HIPAA compliance centers on electronic transmission of clients' Protected Health Information (PHI). When you go to the HIPAA site (see references) and fill out the questionnaire to determine if you are a Covered Entity, most massage practitioners (unless they are billing insurance) will find that indeed they are not required to be HIPAA compliant. Unfortunately, this is misleading because there are still the privacy considerations. According to Marilyn Allen of the American Acupuncture Council, "The privacy of every client's PHI is mandatory. When you maintain client records, gather information from a client, engage in oral communication, or transmit records (whether electronic or not), you are considered a covered entity."

I suggest following the HIPAA guidelines: they actually make good business sense and are fairly easy to implement. Consumers are now becoming used to getting privacy policy statements from other health care providers as well as from a myriad of other businesses such as insurance carriers and credit card companies. Your clients might find it disconcerting if you don't follow suit.

Note that even if you do not need to be HIPAA compliant for your own practice, you still need to be compliant if you work with other covered entities. The term for this is a "chain of trust." If you are a Business Associate, you must meet the same requirements for privacy and security as if you were a covered entity. According to the HIPAA regulations a Business Associate is defined as: persons, companies or entities hired by the practitioner to perform duties, requiring access, the use of, or disclosure of a client's PHI. Thus, if a primary care provider refers a client to you or you send a client's progress report to his or her doctor, then you are considered a Business Associate. There is a form that Business Associates must sign. If you are currently working with other providers and haven't received one of these forms, you will soon! Also, be aware that your state regulations might be more stringent than the Federal requirements.

Keep in mind that within the next few years all insurance companies will require that insurance forms be submitted electronically. So for those of you who bill insurance manually and avoid being a HIPAA covered entity, be aware that it's just a matter of time before you will need to be compliant.

Myths

Some of the confusion about client privacy has led to unnecessary changes. Paige Joyner of Compliance+ LLC states, "Doctors' offices have gone so far as to purchase restaurant-style beepers, handing them out to patients for fear that calling names out in a crowded waiting room might violate HIPAA privacy regulations."

Myths abound regarding client paperwork such as sign-in sheets and files. You can still have client sign-in sheets as long as they don't disclose any PHI. You can put clients' charts on the treatment room doors as long as the clients' names don't show and unauthorized people can't have access to the charts. For instance, if people have to walk past a treatment room to get to the bathroom, then it might not be wise to put a chart on that treatment room door.

One of the more recent myths I encountered was that your client database is no longer an asset that may be sold for any reason. This would make it extremely difficult to sell a practice. Carrie Allen, a business broker from Kiernan and Associates, Inc. in Tucson, AZ, clarified that the concern with the database and records will not affect the sale of a practice very much. "According to the AMA guidelines patients have the right to know if the doctor is leaving or the practice is moving, but do not have to be notified until it happens, after the close. At that point the patients have to be notified that their records will be staying with the new doctor." Thus, if you act in good faith to provide a qualified guardian of the records (and hopefully the care of the clients as well), then legally, the records stay with the practice. Of course the clients could request their records after they have been notified. This standard should equate to massage practitioners.

Hopefully, by now the majority of the myths have been debunked, although as witnessed by the current examples above, I'm sure more will proliferate. Visit the websites listed in the References for more examples of common myths as well as the HIPAA regulation guidelines.

Steps To Implement Now

If you work with insurance reimbursement, it's wise to immediately follow the HIPAA compliancy guidelines--and if you are a covered entity, compliance is mandatory. Regardless of insurance issues it's vital that you take appropriate measures to ensure client privacy, confidentiality and security. More clarity will emerge as the rest of the HIPAA guidelines go into effect over the next couple of years.



References

  1. Checklist for dealing with HIPAA. Centers for Medicare & Medicaid Services
  2. Get your assigned National Provider Identifier. See Frequently Asked Questions About the National Provider Identifier
  3. HIPAA Hotline 886-282-0659; 866-627-7748
  4. U.S. Department of Health & Human Services Office for Civil Rights
  5. Centers for Medicare & Medicaid Services FAQ on HIPAA
  6. U.S. Department of Health and Human Services: Office for Civil Rights - HIPAA
    Includes the actual statute document and great links.
    800-368-1019
  7. Covered Entity Decision Tools is a walk-through decision process in deciding if you are a health care provider covered in HIPAA
  8. Health Privacy Project lists myths, facts and current legislations information about HIPAA. This site also provides links to help you determine if your state has greater privacy protection laws than those mandated by HIPAA
  9. American Health Information Management Association provides tools, resources and other HIPAA links
  10. Physicians Practice has articles, FAQs and free forms


Sample Forms


Sample Client Consent for the Purposes of Treatment, Payment and Health Care Operations

I, [Client's name here], give consent to [Practitioner's name here] for the use and disclosure of my Protected Health Information (PHI) for the specific purposes of providing treatment to me, receiving payment for services rendered to me and for general administrative operations of the practice.

I understand that I have the right to request restrictions on the use and disclosure of my PHI, but the practice is not required to agree to these restrictions. If the practice agrees with my restrictions, the restriction is binding on the practice.

You may contact me for appointment reminders, schedule changes, or other needs by the following methods (fill in only those methods by which you desire to be contacted):

Home Telephone:
Work Telephone:
Cell Phone:
Home Address, City, State/Province:
Work Address, City, State/Province:

Marketing: Occasionally we send out newsletters, announcements and special occasion cards.
If you do not wish to receive these, please check here: [ ]

I have received a copy of the Privacy Policies Notice. I have read the Notice and understand this authorization form. I understand that I do not have to sign this authorization and that my refusal to sign will not affect my abilities to obtain treatment, nor will it affect my eligibility for benefits. I also understand that I may revoke this authorization at any time by notifying the practitioner in writing.

Signature:
Date:
Print Name (Client or Personal Representative):
Relationship to Client and Description of Representative's Authority:



Sample Release of Information Authorization

Client Name:
Address:
City, State, Province:
Country, Postal Code:
Telephone:
FAX:
email:
Date of Birth, Social Security Number:

I authorize XYZ Practice to release all medical records or other Protected Health Information (PHI), including intake forms, chart notes, reports, correspondence, billing statements, and other written information concerning my health and treatment as requested by my health insurance carrier, Medicare or any other third-party payers.

I authorize XYZ Practice to contact my insurance company or health plan administrator and obtain all pertinent financial information concerning coverage and payments under my policy. I direct the insurance company or health plan administrator to release such information to XYZ Practice.

I also authorize the release of my medical records or other PHI concerning my health and treatment during the period of [insert From date] to [insert To date]; to be sent to the following person or company.

Company:
Address:
City, State, Province:
Country, Postal Code:
Telephone:
FAX:
email:

I agree that these provisions will remain in effect until I provide written revocation to XYZ Practice.


Sample Privacy Policies Notice

We are dedicated to providing top-quality service. Protecting your privacy is paramount and we have implemented procedures to safeguard the information included in your files. We have installed a firewall on our computer; computerized files can only be accessed with a password; and all paperwork is kept in a locked filing cabinet.

This notice describes how Protected Health Information (PHI) about you may be used and disclosed and how you can get access to this information. Please Review it Carefully.

Your Personal and Protected Health Information

We may gather personal and health information from you, other health care providers and third party payers. This information is used for treatment, payment and health care operations. The following describes the ways we may use and disclose your Protected Health Information:

Please note your rights regarding this information:

  1. You are entitled to inspect and receive copies of your records
  2. You are entitled to make a written request to amend your PHI files or put restrictions on certain uses and disclosure of PHI
  3. We accommodate any reasonable request, yet we retain the right to deny inclusion of amendments or use restrictions of your PHI
  4. You have the right to disagree with the practitioner's refusal of inclusion
  5. You have a right to receive all notices in writing
  6. You have the right to request that we do not disclose your information to specific individuals, companies, or organizations. Any restrictions should be requested in writing. We are not required to honor these requests. If we agree with your restrictions, the restriction is binding on us
  7. You may complain to us or the Secretary for Health and Human Services if you feel that we have violated your privacy rights. There will be no retaliation for filing a complaint. Written comments should be addressed to:
    Privacy Officer at our office address or,
    the Secretary for Health and Human Services,
    200 Independence Ave. SW,
    Room 509F, HHH Bldg. Washington, DC 20201

Original Effective Date: April 14, 2003

This notice remains in effect until it is replaced or amended by changes in the law.


Sample Fax & E-Mail Confidentiality Notice

The information contained in this facsimile (aka fax) message [e-mail] is private and confidential. It may contain Protected Health Information deemed confidential by HIPAA regulations. It is intended only for the use of the individual named above, and the privileges are not waived by virtue of this information having been sent by facsimile [e-mail]. Any use, dissemination, distribution or copying of the information contained in this communication is strictly prohibited by anyone except the named individual or that person's agent. If you have received this facsimile [e-mail] in error, please notify us by telephone and immediately destroy this fax [purge this e-mail].

Copyright © 2001-2017 Sohnen-Moe Associates, Inc.

Last updated: March 24, 2016