HIPAA Deadline Looms

By Steven T. Minor, Esq.

The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") will likely have the most pervasive impact on physician practice administration since the introduction of Medicare. HIPAA will change the way nearly every healthcare provider collects, maintains and transmits health information. April 14, 2003, the deadline for compliance with HIPAA's privacy requirements, looms in the very near future.

Does HIPAA Apply to Me?

HIPAA will apply to most providers who conduct transactions electronically, whether independently or through a third-party billing agency or clearinghouse. Transactions conducted through the use of facsimile machines, however, are not considered to be "electronic transactions" subject to HIPAA.

What Are the Basic Requirements of HIPAA?

A. The Transaction Standards

HIPAA mandates the use of a uniform list of treatment codes (diagnosis codes, procedure codes, service codes, inpatient service codes, physician, etc.), and identifying codes (that is, provider, health plan, employer and possibly individual) when providers electronically transmit any one of the 10 types of transactions subject to HIPAA. HIPAA covers most of the electronic transactions common to today's providers, including: (i) claims, (ii) remittance and payment information, (iii) claim status information, (iv) eligibility information and (v) referral certifications and authorizations. The transaction standards are designed to standardize terminology and format and thereby simplify the electronic transmission of health information. Although these standards are highly specific and complex, use of HIPAA-compliant accounting and practice management systems will greatly simplify a provider's compliance with the transaction standards.

B. The Privacy Standards

The main thrust of the privacy standards is to limit the release of certain identifiable patient information without the patient's knowledge and consent. Exchanges of information required for the patient's care, however, will not implicate HIPAA. Many providers feel overwhelmed by the sheer volume and detail of the privacy standards. Even so, compliance should not be overly burdensome for those providers who have complied with existing state law regarding the confidentiality of patient information.

C. The Security Rules

Generally speaking, the security rules outline the minimum administrative, technical and physical safeguards that providers should use to prevent unauthorized access to confidential patient information. Fortunately, the rules allow flexibility in adopting data security measures, and in some circumstances even allow the provider to weigh the cost and complexity of a given measure against the likelihood and seriousness of relevant security risks. HIPAA’s security rules were finalized on February 20, 2003, and will become effective for enforcement purposes in April 2005.

Documents and HIPAA Compliance

It is expected that HIPAA enforcement will start with a review of a provider's practice documents. The provisions of a number of common documents are discussed in great detail in the privacy standards. These documents include the following:

1. Notice of Privacy Practices and Acknowledgment of Receipt. Providers must notify all patients of their rights and the provider's obligations related to confidential information, and must attempt to obtain an acknowledgment of receipt from each patient.

2. Policy Manual. Providers must implement policies and procedures designed to ensure compliance with HIPAA’s privacy and security regulations.

3. Employee Manual. Employee manuals should contain a copy of the Policy Manual and provisions for the disciplining of employees for failure to comply with HIPAA.

4. Authorization Forms. Providers are advised to obtain specific authorization to use or disclose information for purposes other than treatment, payment or administrative.

5. Business Associate Agreements. Providers will need written agreements with "business associates," such as liability insurers, attorneys, transcription services and copy services. A provider does not need a Business Associate Agreement with other healthcare providers, health insurance companies or other payers or clearinghouses. Determining who is required to sign business associate agreements is one of the many difficult issues raised by HIPAA.

Conclusion

HIPAA establishes a complex and highly detailed scheme of regulation over the collection, maintenance and transmission of certain health information. Thankfully, with the help of technology providers, HIPAA compliance should not require drastic changes in the delivery of health services.

Steven T. Minor is a Partner in the Carrollton office of the law firm Tisinger Vance, PC. His practice focuses on advising health care providers on business, tax and regulatory issues. The firm also has offices in Villa Rica. He may be contacted at Tisinger Vance, P.C. by phoning: (770) 214-5108, or faxing (770) 834-5426; online: www.ttvglaw.com.

Source: M.D. NEWS Western Georgia, March 2003
