The Health Insurance Portability and Accountability Act (HIPAA) is the most far-reaching legislation to hit the healthcare sector since ERISA. It directly affects healthcare providers across the nation, and it will change the culture and the way the sector does business. It also affects health insurers and the businesses that healthcare practitioners deal with.
Not every healthcare provider must comply with the privacy and security regulations, however. The regulations distinguish between providers that transmit health information electronically and those that do not. They make no distinction based on the size of the provider. The one notable exception is that mental health providers must follow additional, more stringent rules (psychotherapy notes receive extra protection under the Privacy Rule).
"Electronic transmission" means that if your firm transmits patient health information electronically to anyone else in connection with a standard transaction (claims, eligibility inquiries, remittances and the like), you fall under the HIPAA rules. It also means that if you hand the information to someone such as a billing service or third-party claims service and they transmit it electronically on your behalf, it is the same as if you had done it yourself. Health and Human Services has been asked to clarify whether faxes count as electronic transmission. At this writing they do not, although many consider faxes to fall under the regulations as electronic. As of October 16, 2003, Medicare and Medicaid require claims to be submitted electronically. Given the savings of electronic over paper claims, many firms that do not submit electronically today may well find themselves doing so, or having someone else do it for them.
HIPAA will require changes to how an office operates. You very likely already have some privacy and security measures in place, but HIPAA requires that you document those policies and procedures, and it requires that your employees be trained in HIPAA and in the policies and procedures of your office.
Another group of businesses that HIPAA directly affects are the Business Associates of a covered entity. A Business Associate is an individual or entity that receives protected health information (PHI) from a covered entity, such as a medical practice, in order to perform services or functions, or to assist in performing services or functions, on behalf of that covered entity. HIPAA requires the covered entity to have the Business Associate (BA) sign a Business Associate Agreement (BAA). This agreement pulls parties that do not otherwise meet the definition of a covered entity right into the HIPAA water. It obliges the BA to protect the data to the same standard the covered entity must, and it is a contract enforceable in court. If the BA will not sign the agreement, or fails to protect the data and the problem cannot be cured, HIPAA requires the covered entity to terminate the relationship with the BA where feasible. The bottom line is that BAs must follow the same guidelines as a covered entity. A BAA can also be an addendum to an existing business agreement; it does not have to be a separate document.
What are examples of Business Associates?
- Billing Companies
- Collection Agents
- Practice Managers
- Medical Transcription Service
An employee of the covered entity, or any other member of the covered entity's own workforce, is not a business associate. Independent contractors who handle PHI on the covered entity's behalf are Business Associates. Note that other health care providers to whom a covered entity discloses PHI for the treatment of a patient are not business associates for that purpose; treatment disclosures are specifically excluded from the definition, so no BAA is required for them.
Business Associates need to demonstrate HIPAA compliance by going through the same processes a covered entity must: setting up a manual of HIPAA policies and procedures and training employees. The Business Associate version of the manual is designed to simplify that process and is offered alongside this web site.
A side note: even though HIPAA applies directly to a defined group of "covered entities" and not to others, it amounts to a universal set of privacy guidelines. Over the long term it is very likely that all firms handling protected health information will see the guidelines applied to them in other ways. Consider this: if you were choosing between two medical providers, one that says it is HIPAA compliant and follows the guidelines, and one that says "HIPAA what?" and has no intention of complying voluntarily, which would you go to? The same applies to a firm such as a law practice. If you needed an attorney to represent you in a matter involving your personal medical history, which firm would you use, one that follows HIPAA or one that does not? As the public becomes more HIPAA-aware, it will expect, if not demand, privacy compliance.