
Are you covered by HIPAA? If so, start worrying

By John M. Letizia, Atty.
Letizia, Ambrose & Falls
One Church Street
New Haven, CT 06510
Tel (203) 787-7008
letizia@laflegal.com

Although HIPAA was passed by Congress in 1996, many employers are only now learning about its broad scope and the many organizations that have obligations under the law, including some that are not healthcare providers.

HIPAA can be separated into three general areas: electronic transactions, privacy and security. At the time of this writing, only the regulations covering electronic transactions and privacy have been finalized. The security regulations are expected to be finalized in the next several months and implemented in 2004.

1. ELECTRONIC TRANSACTIONS OBLIGATIONS

In the electronic transactions area, all healthcare organizations covered by this section of HIPAA were required to submit, by October 15, 2002, a compliance plan; filing the plan secured a one-year extension for implementing the electronic transactions requirements. Covered entities that did not file for the extension were required to be compliant as of October 16, 2002. Examples of healthcare organizations that may not be covered by the electronic transactions area of HIPAA include assisted living facilities and residential homes for the mentally or physically impaired. However, even these facilities are covered if they meet the two-part test noted below.

A. Misstatements In The Extension

Many have taken this filing lightly because the Centers for Medicare and Medicaid Services (CMS), the federal agency responsible for overseeing the transaction and code set standards portion of HIPAA, grants an automatic one-year extension upon the simple filing of a compliance plan. However, covered providers should not let this automatic extension mislead them into believing they can state anything at all in the compliance plan. The compliance plan carries specific obligations in the areas of internal awareness and gap assessment, and these should be initiated before the plan is submitted.

Also, many organizations, in an attempt to show that they are implementing the electronic transactions requirements, have been overly optimistic in their answers and have made statements that are not completely true about the education of their employees and their use of outside consultants. Fortunately, CMS understands that even the smallest organization can incur internal and external costs of over $50,000 in implementing all aspects of HIPAA, and at the time of drafting this article it has not promulgated any specific penalties for misinformation in the compliance plan. While penalties have likewise not been promulgated for late extension filings, CMS has indicated that entities failing to come into compliance may be denied participation in Medicare.

B. The Test

The following simple test should be used to determine whether you are a covered entity that must comply with all the electronic transactions obligations of HIPAA and that should have filed a compliance plan:

1. Do you provide health care treatment to individuals that will result in a direct payment from Medicare, Medicaid or another payer (e.g., Anthem, Aetna) to you? If yes, proceed to Question 2. If no, in most cases you will not be required to implement HIPAA's electronic transactions obligations.

2. If you do submit such claims for payment, are they now, or are they likely to be over the next year, submitted to Medicare, Medicaid or other third party payers electronically? If yes, then you are probably covered by the electronic transactions portion of HIPAA and must submit a compliance plan.

This simple test has several minor variations, so we strongly recommend that you consult a non-legal HIPAA expert or a healthcare attorney who is knowledgeable about HIPAA to determine whether the electronic transactions requirements apply to you, regardless of whether you answered no to one or both of the questions above. For example, by October 16, 2003, Medicare will require most providers of services with 25 or more employees, and most physicians, practitioners, facilities or suppliers with 10 or more employees, to submit all claims electronically. Therefore, even if you do not expect to submit claims electronically voluntarily, you may be required to do so unless you fall under one of the exceptions to the Medicare electronic claims requirement. In addition, even if you do not submit claims for payment directly, you may use a clearinghouse, which would likewise obligate you to meet this HIPAA requirement.

2. PRIVACY OBLIGATIONS

Even if you are not covered by the electronic transactions requirements of HIPAA, if you are a healthcare provider you are likely covered by the privacy obligations of HIPAA. A full discussion of the significant privacy requirements is beyond the scope of this article. The privacy obligations of HIPAA take effect on April 14, 2003.

A. The Rule

The privacy obligations apply to all covered healthcare providers regardless of their size, including the solo physician with no employees. A healthcare provider, for the purpose of this obligation, is defined under HIPAA to mean "a provider of medical or health services and any other person or organization who furnishes, bills or is paid for health care in the normal course of business."

Briefly, the privacy obligation requires all such covered providers to change their operations to protect, both internally and externally, the privacy of any individually identifiable medical information about a patient. This obligation extends to: 1) adopting a new patient acknowledgement policy, separate from and in addition to the usual patient consent form, under which patients acknowledge receipt of the provider's notice of privacy practices; 2) advising patients of their privacy rights; and 3) obtaining specific written authorizations for voluntary disclosures of patient information to anyone other than third party payers, auditing agencies and other treating providers or pharmacies.

The privacy obligation strictly prohibits using individually identifiable patient information for marketing purposes, or even for research, without specific written authorization. Marketing can be as simple as framing a letter from a satisfied patient in your lobby or placing a patient's picture in a brochure. In addition, the privacy requirements give patients the right to request amendment of their medical records if they believe the records or notes contain false or inaccurate information, and require the provider to disclose to patients, upon request, an accounting of any improper or unauthorized disclosures of their medical information.

3. PRIVACY OBLIGATIONS OF BUSINESS ASSOCIATES

Finally, a key obligation of providers covered by the privacy rules is to obtain, in writing, satisfactory assurances of privacy from their "business associates." These business associate provisions of HIPAA appear to be the first time the federal government has required organizations that are not healthcare providers to treat medical information received from healthcare providers with the same confidentiality as if they were the medical provider. Specifically, any person or organization that contracts with a healthcare provider covered by the privacy obligations of HIPAA must enter into an agreement with that provider, or sign a contract supplied by that provider, stating that it will meet the business associate obligations of HIPAA.

These business associate obligations can be significant: they require nearly the same level of confidentiality and protection, and carry the same disclosure obligations, as if the non-healthcare organization were directly covered by HIPAA. For example, the business associate must keep a patient's information confidential and not disclose it to individuals within its own organization who have no need to know it, and must notify the healthcare provider of any improper disclosure of that information.

A. The Test

To determine whether an entity is likely to be a business associate, a simple test can be used: is the contracting person or organization likely to receive individually identifiable patient information from the healthcare provider? If yes, then the healthcare provider is obligated to ensure that this business associate abides by its HIPAA obligations.

B. Examples Of Business Associates

Specific examples of organizations or individuals likely to be considered business associates of medical providers are their lawyers, accountants and computer consultants, as well as any contract workers of the healthcare provider, regardless of whether the worker is supplied by a temporary or leasing agency. These are only a few examples, as CMS has also determined that towns, states and possibly even the federal government are business associates of healthcare providers and must enter into such agreements.

Examples of organizations that may not be business associates but may still inadvertently come across individually identifiable patient information include janitorial services and copy machine repair personnel. Even though these individuals or organizations may not be required to enter into a business associate agreement, the healthcare provider still needs to record an improper disclosure in the accounting log of disclosures in the patient's file if any such individual becomes aware of individually identifiable patient information.

4. CONCLUSION

We strongly recommend that anyone with questions about whether they have an obligation to comply with HIPAA contact either a non-legal expert in this specific area or a lawyer who is knowledgeable about HIPAA. Our firm practices in the healthcare field with a concentration in HIPAA. Please do not hesitate to call me at (203) 787-7008 or email me at letizia@laflegal.com if you have any questions. Even those who work with HIPAA on a regular basis are still working to understand its obligations, because the government continues to issue new guidance and has at times revised its proposed regulations and requirements.