Take the Hype Out of HIPAA

by Ces Soyring, CA

With the April 14, 2003, deadline for HIPAA looming for practices that file or receive information electronically, make sure your practice is compliant

Since 1996, when Congress passed the Health Insurance Portability and Accountability Act (HIPAA), everyone has been talking about the far-reaching enormity of the law. HIPAA is the 1,000-plus page legislation with more twists, turns, and legal mumbo-jumbo than the most intelligent person cares to comprehend. For example: 164.524 (b)(2)(iii) “If the covered entity is unable to take an action required by paragraph (b)(2)(i)(A) or (B) of this section within the time required by paragraph (b)(2)(i) or (ii) of this section, as applicable the covered entity may extend the time for such actions by no more than 30 days.” Why couldn’t it just read, “If someone asks for a copy of protected health information, there is a 30-day timeframe, with one 30-day extension possible”? That would just be too simple.

Out of Mind, Out of Touch
Due to the length of the bill and its cumbersome language, most chiropractors have put HIPAA on the back burner. Everyone seemed to be hoping that it would either get changed or just go away. There are changes, but unfortunately, it has not gone away. The (almost) final version is a far cry from the media spin that was originally presented upon passing the legislation 6 years ago, which ensured the portability of employee insurance benefits from job to job. And, while that protection is embodied within the law, the uproar about HIPAA today is about how every office will have to restructure practices and policies. But that is not quite correct. Believe it or not, one of the intentions of HIPAA is to simplify and standardize insurance claim filing.

The reality is that the legislation known as HIPAA is Public Law 104-191 with certain sections that mature at different deadlines. The most recent deadlines deal more with administrative and security issues, and these sections of the law will directly affect individual offices. What most people do not know is that these sections went into effect in 2001, and we have had 2 years to adopt them. That 2-year deadline is April 14, 2003. Hence, the current sense of importance. However, while HIPAA regulations affect everyone from doctors to funeral directors and insurance carriers to at-home billing companies, the April 14 deadline may not affect all offices just yet.

So, who exactly is affected? The Standards for Privacy of Individually Identifiable Health Information (45 CFR Parts 160 and 164) was amended October 2002 because Congress failed to act by its self-imposed deadline under HIPAA, leaving the privacy and security issues to be implemented by the Centers for Medicaid and Medicare (CMS). You can obtain a complete 42-page version of the regulation text at http://www.hhs.gov/ocr/combinedregtext.pdf.

According to section 160.102, three types of entities are affected: 1) health plans, 2) health care clearinghouses, and 3) health care providers who transmit any health information in electronic form. These entities are classified as covered entities—companies, individuals, and/or businesses that will be affected by the HIPAA security rules.

Therefore, the only doctors who will be affected by the privacy issues under HIPAA on April 14, 2003, will be those who file electronically, submit claim information to a biller who submits electronically, receive information from a carrier regarding a claim or benefits via electronic transmission (not including fax machines, unless the fax transmission is read by a computer), or transmit any patient information electronically to transcriptionists or other health care providers or trading partners. Also affected are doctors who filed for an extension for the October 15, 2002, deadline.

Protect and Serve
By definition, protected health information (PHI) includes data that is created or received by covered entities that relates to the past, present, or future physical or mental health or condition of an individual. While the privacy regulation does not specifically define “identifiable health information,” protection should be given to names, addresses, phone numbers, medical and financial records, diagnoses, and any information that may be used to identify patients. The extent of protecting this information includes a reasonable effort to limit the disclosure of information. Under the permitted uses and disclosures of PHI, covered entities cannot disclose protected health information (without written consent of the patient, personal representative, or guardian), except for treatment, payment, or health care operations. In other words, you may still send an insurance claim form to a carrier with the patient’s name, address, date of birth, and diagnosis to get paid. The only difference is if you send this information by computer, you must ensure that the information cannot be obtained by anyone other than the intended party. Security safeguards must be in place to protect this information, which is why offices filing electronically, insurance carriers, and clearinghouses must have a compliance manual in place to prove their due diligence in protecting this information. The compliance manual deadline was October 15, 2002, unless the covered entity filed for the 1-year extension, which brings the deadline to October 15, 2003, for the compliance manual, not to be confused with the April 14 deadline for the privacy and security issues.

Some privacy and security requirements due by April 14 are:

• Business associate contracts—if a covered entity deals with another business or individual privy to the PHI of a patient, the covered entity must have the other party sign a business associate contract that basically states that they will not divulge the information. Some examples of business associates are practice management companies, accountants, computer workers, and consultants.

• Written consent—a covered entity must document and retain any signed authorization that a patient allows PHI to be disclosed. The documentation must include a description of the information to be used, name of the person or persons who may obtain the information, and purpose for the disclosure. In short, the standard release of information form that your office may be using (and have been using since 1985) will probably not be sufficient.

• Posted notices—a covered entity must prominently display a posted notice within the office stating how medical information may be accessed. A copy of this posted information must also be available for the patient to take.

• Patient authorizations—a covered entity must obtain a patient’s signature on a written authorization form if they wish to contact the patient, even about appointment reminders.

• Notices and authorizations—a covered entity must notify and obtain written acknowledgement of receipt of the notice provided on the first day of treatment, except in emergency situations.

• Patients’ right to obtain access to records—a covered entity must permit an individual to request access to inspect or to obtain a copy of the PHI. The request must be in writing and the covered entity has 30 days to comply or deny in writing. A 30-day extension may be granted provided the covered entity informs the requestor in writing explaining the reasons for the delay.

• Maintaining records—PHI must be maintained for a minimum of 6 years. State laws, or other legislation, may require more time; in which case the longest period of time would prevail.

• Accounting of disclosures of PHI—a patient would have the right to obtain information concerning all disclosures of PHI by the covered entity (with some exceptions). Should a patient request this information, the covered entity must list the names, dates, and purposes for the disclosure.

• Safeguards—a covered entity must reasonably safeguard PHI from any intentional or unintentional use or disclosure.

• Privacy officer—a covered entity must designate a person (ie, doctor, office manager, doctor’s spouse) to be a privacy officer. This individual is responsible for the development and implementation of the policies and procedures to ensure the protection of the PHI.

• Training—a covered entity is responsible for training all employees on the safeguards no later than April 14, 2003, and thereafter to each new member of the work force within a reasonable timeframe. All training must be documented.

• Complaints and violations—a covered entity must make a form available explaining the process in which an individual may file a complaint concerning violations of safeguards.

• Policies and procedures document—a covered entity must implement a compliance manual that includes a policies and procedures section that proves the covered entity is taking reasonable precautions to protect PHI and that they have procedures in place that include the standards, requirements, implementation, training, testing, violations, and consequences of failing to uphold the security and privacy of patients.

If your office files electronically (or receives information electronically), the privacy and security rules apply. There is no extension available. There are several forms, notices, authorizations, and new paperwork that must be implemented. Your office must have a policies and procedures document written and a privacy officer named. You must take reasonable efforts to protect the medical and financial information of your patients. There is no rule that the records must be in a locked room, or even a locked file cabinet (a recommendation written in an earlier version of the rule). You must, however, obtain written permission to even call a patient about an appointment reminder.

HIPAA is here. It is time to comply. CP

Ces Soyring, CA, is cofounder of the National Academy of Chiropractic Assistants (www.naca-online.com) and a chiropractic consultant. She can be reached at: 888-218-7757 or via email: naca_csoyring@yahoo.com.  


Copyright © 2008 Ascend Media LLC | CHIROPRACTIC PRODUCTS | All Rights Reserved.