HIPAA regulations, such as regulatory categories, preemption, and enforcement, that affect chiropractic
One of the first endeavors in health care regulation was the effort to develop a national identification and database system using social security numbers for all health care transactions. This would allow the federal government to track transactions of every person in the United States. In 1995, HR-560, HR-756, and HR-1080 all sought to grant the federal government the means to track health care information.
Recently, the Healthcare Insurance Portability And Accountability Act (HIPAA), signed by President Bush in April 2001, expands the accessibility of personal and medical information to federal and state law enforcement and can preempt state law. HIPAA is extremely complex and, in all probability, will have many legal challenges during full implementation by April 2003.
Regulatory Categories
Within HIPAA, which addresses privacy issues, confidentiality, and medical records, there are regulatory categories that must be implemented by a specific time:
Transaction standards (effective October 2002): Deals with electronic transmission methods of health care information through the use of specific management and HIPAA compliant software. Health information, whether oral, recorded, or written, is any form created or received by the health care provider that relates to the past, present, and future physical and mental health or condition of the individual. It also includes past, present, and future payment to an individual (subsection 160.202).
Code set (effective April 2003): Pertains to reducing the need for multicoding systems through the use of ICD-9 (diagnosis) and CPT-4 (treatment) codes. Once HIPAA regulation takes effect, local codes may no longer be used, but there may be a national standard coding system used by all providers.
Electronic signatures (effective April 2003): Concerns your signature for electronic transmission of health information. An electronic signature will carry the same legal weight as an original handwritten signature.
Health identifiers: Involves the creation of a national identification system and may replace the UPIN number to identify the health care provider.
Privacy standards (effective April 2003 with alterations): Affects individual, identifiable health information, including demographics, that is created or received by a health care provider. This includes anything relating to the past, present, and future physical and mental health or condition of the individual/patient. It includes, but is not limited to, chart notes, billing and payment records, complete patient charts, all correspondence, and all electronic information, written and oral.
The provider must protect patient information and always obtain a consent and/or authorization before releasing or using patient records. There are exceptions, such as workers' compensation, subpoenas, and court orders necessary to comply with state laws. In addition, health information that does not identify an individual, and for which there is no reasonable basis to believe the information can be used for identification, is another example of an exception (Subsection 164.514 and 164.514(1)).
Security standards (to date, draft form only): Relates to electronic and all computer security, which includes the physical office where patient files are stored. It may become necessary to modify your office to accommodate an area where medical and computer records are locked and secure.
State or Federal Law
HIPAA, being a federal law, would normally preempt state law. However, due to the complexity and gray areas, it may become necessary to combine federal and state law. HIPAA has a provision: "If state law is more stringent than federal law, state law would apply." To determine this, all state confidentiality, privacy regulations, and required statutes that deal with protection of health information must be compared to HIPAA law. If state law gives more privacy protection, then it prevails. When state law does not give the same level of protection as HIPAA, then states are bound to follow federal laws.
However, the state may petition the Department of Health and Human Services for an exemption. This must be done in writing and show a comparison of state vs federal law. The explanation must be detailed and show the negative effects of submitting to HIPAA. There are some state laws that do preempt HIPAA, which include laws necessary to prevent fraud and abuse and ensure state regulations of insurance and health plans, workers' compensation, public health, birth and death certificates, adoptions, education, and welfare. Patient information related to specific conditions (with social and economic implications, and mental health and HIV/AIDS information that are considered super-confidential) may require additional safeguards for release.
Punishment Fits the Crime
Congress established a two-prong approach to enforce all requirements established under HIPAA.
Civil monetary penalties:
$100 per person per violation
$25,000 per person per year for violation of a single standard during a calendar year.
Criminal fines and penalties:
Any person who knowingly and in violation of this part: 1) uses or causes to be used a unique health provider identifier, 2) obtains individual, identifiable health information, 3) discloses individual, identifiable health information.
Fines up to $50,000 and/or imprisonment up to 1 year
If under false pretenses, fines up to $100,000 and/or imprisonment up to 5 years
If committed with intent to sell, transfer, or use information for commercial advantage, personal gain, or malicious harm, fines up to $250,000 and/or imprisonment for up to 10 years.
Although state regulations are different, and individual compliance will be less than that of a large organization, you need to be aware of all state and federal laws concerning privacy, confidentiality, and release of medical records. This will affect all providers who treat and render care to patients. In the past 2 to 5 years, many legislative bills have been passed of which most providers are not aware: Consumer Internet Privacy Practice Act of 1999, Online Privacy Protection Act of 1999, Financial Information Privacy Act of 1999, The Freedom and Privacy Restoration Act of 1999, Medical Information Privacy and Security Act of 1999, and the Medical Privacy Act in the Age of New Technology Act of 1999.
Compliance is no longer an option, and it will affect all health care providers including doctors of chiropractic.
About the Author
Kenneth S. Ross, DC, JD, MBA, LHRM, is a retired criminal law enforcement officer. He practices chiropractic in Orlando, Fla, and is a member of the Orange County Bar Association. Ross also teaches tort law and conducts a national expert witness certification course. He can be reached at 407-682-6041, or via his website: www.medicallawjd.com.