The Health Insurance Portability and Accountability Act (HIPAA) is the most far-reaching legislative act passed since ERISA. It directly affects healthcare providers all across the nation. It will be a culture change and will alter the way the healthcare sector does business. It also affects the health insurance business and the people healthcare practitioners do business with.
However, not all healthcare providers must comply with the privacy and security regulations. The regulations make a distinction between those that use electronic transmission of data and those that don't. There are no distinctions between sizes of healthcare providers when it comes to HIPAA compliance. The only exception is that mental health providers must follow special, more stringent rules.
Electronic transmission of data means that if your firm transmits any patient information to anyone else, you fall under the HIPAA rules. The rules also say that if you give the information to someone such as a billing service or third-party claims service and they transmit it electronically, it is the same as if you did it yourself. Health and Human Services has been asked to clarify whether faxes count as electronic transmission. At this writing they do not, although many consider faxes to fall under the regulations as electronic. On October 16, 2003, Medicaid and Medicare require all claims to be submitted electronically. With the savings that come from electronic versus paper claims, many firms that do not submit electronically may very well find themselves doing it or having someone else do it for them.
HIPAA will require changes to how an office operates. While it's very likely that you already have some privacy and security measures in place, HIPAA requires that you document those policies and procedures. It also requires that your employees be trained in the HIPAA law and in the policies and procedures of your office.
Another group of businesses directly affected by HIPAA are the Business Associates of a covered entity. A Business Associate is an individual or entity that receives protected health information (PHI) from a covered entity, such as a medical practice, so that the Business Associate may perform services or functions, or assist in the performance of services or functions, on behalf of the covered entity. HIPAA mandates that the covered entity require a Business Associate (BA) to sign a Business Associate Agreement (BAA). This agreement pulls parties that normally do not fall under the definition of a covered entity squarely under HIPAA. The agreement requires the BA to give the data the same protection the covered entity must give it, and it is a contract enforceable in court. If the BA does not sign the agreement or fails to protect the data, HIPAA requires the covered entity to terminate its relationship with the BA. The bottom line is that BAs must follow the same guidelines as a covered entity. A BAA can also be an addendum to an existing business agreement and does not have to be a separate document.
What are Business Associates?