Part one explains HIPAA history, covered entities, and responsibilities for compliance.
The Health Insurance Portability and Accountability Act (HIPAA) brings a sweeping change to the US health care delivery system and how it is managed, and will be a challenge for all involved. HIPAA will impact every provider in all aspects of health care services. This will make Y2K pale in comparison and will cost the industry an estimated 30 to 50 billion dollars. Will HIPAA help regulate fraud or be a health care nightmare?
First introduced in 1996, it created guidelines governing employee benefits, fraud, security of patient information, and electronic transactions involving billing and claims processing. In 1999, it was amended to include Internet security and electronic signatures. Then in 2001, the Bush Administration approved HIPAA with a 24-month implementation period in phases for full compliance by providers. The categories of regulation and compliance include transaction standards, code sets, health care identifiers, electronic signatures, physical security, and privacy issues. Each category will take effect on different dates during that 24-month period.
Covering Your Bases
Covered entities include: health plans, billing services, and health care providers engaging in electronic transmission of claims, payment, and insurance. Included are business associates, other doctors in your office, and contract workers or independent contractors. All Complementary Alternative Medicine (CAM) providers will also need to comply. With the growth of CAM and an increase in fraud, CAM providers will especially be targeted for HIPAA compliance. If you are a covered entity, it is important that you protect medical records, or you will face the consequences of HIPAA law.
Entities covered by the privacy and security regulations of HIPAA will face many hurdles, some of which could be very costly. You may be required to pay for risk assessment to identify areas of noncompliance and physically redesign your office for compliance as it relates to securing records. You will definitely have to update your computer with HIPAA compliance software. A word of warning here: make sure to buy HIPAA compliance software and know the vendor. To date, there are very few, if any, software programs on the market that will allow you to become HIPAA compliant, and when available, they may be extremely expensive.
Also, train your staff and periodically re-train them. Change office procedures and the way you store records. Make sure to retain an attorney who is familiar with HIPAA regulations to guide you. Although you may not have a computer and therefore do not bill electronically, you must comply with HIPAA. Electronic billing will become the way to do business with all insurance companies, which will need to be compliant with HIPAA. If you are not, then claims may not be paid or even allowed to be submitted other than electronically. Insurance contract plans have certain guidelines for participation on the panels. If these guidelines, one of which may be HIPAA compliance, are not met, then you will not be allowed to take part on the insurance panel.
Paper Trail
As a covered entity, you will face increased paperwork in the areas of medical consents, written patient authorizations, privacy notices (posted and given to patients), and creation of policy and procedures covering disclosure of treatment by you, a contract worker, an independent worker, or an associate doctor in your office.
Consent forms for treatment must also include HIPAA language as to treatment, payment, or other provider services. Although consent to treat and authorizations may be on a single form, they must be signed separately. Authorizations must be signed by the patient if the provider uses patient information for purposes other than treatment.
Privacy policy notices must be posted in your office and a copy given to all patients. Your computer and data files are the lifeline of the practice. You must protect patient information and have office policies and procedures that address who has access and how they are accessed. There must also be a secure area for your medical records, keeping access private and assigning a designated person to view those records. Business associates, independent contractors, and associate doctors must also be HIPAA compliant. Securing these workers on a contract basis as other types of persons or entities for access to medical records may be necessary.
Presently, personal injury and workers' compensation attorneys are exempt as they represent the patient and not the provider. Compliance, although difficult, is a far better choice than noncompliance, as will be discussed in part two.
About the Author
Kenneth S. Ross, DC, JD, MBA, LHRM, is a retired criminal law enforcement officer. He practices chiropractic in Orlando, Fla, and is a member of the Orange County Bar Association. Ross also teaches tort law and conducts a national expert witness certification course. He can be reached at 407-682-6041 or via his website: www.medicallawjd.com.