Can I just ignore HIPAA?
This has got to be the number one question on the mind of mental health professionals. What happens if I just ignore all this hoopla and continue as I have been? How would anyone know about little old me?
The quick answer is yes, you can ignore HIPAA and forget about compliance. However, probably not for long, and it can be extremely risky, mostly in ways you probably haven't considered. For example, referral sources or insurers may ask if you are compliant. Saying you're not a covered entity may get you dropped from their list.
If HHS challenges you about your HIPAA compliance, they will want to know if you're at least making a good faith effort. It is better to have some compliance than no compliance.
HIPAA is not just about forms! It is about profound changes in patient rights and provider roles. The discussion has been shifted exclusively to forms because that's easier to understand. But HIPAA is about much more.
The clinician should at least be informed enough about the risks to make intelligent professional and business decisions. Without discussing the details of the regulations, here are some things to consider in your approach to HIPAA compliance.
Does HIPAA Apply to Mental Health Professionals?
Yes. The privacy rule of HIPAA will ultimately apply to every healthcare provider and all health information, whether paper or electronic. If a provider, or someone on their behalf, completes even one HIPAA-covered transaction (billing, benefits query, etc.), then the provider is a "covered entity" and must comply.
There is an exemption in another portion of HIPAA (the Transactions and Code Sets rule) that allowed for a compliance extension until October 2003. It did not apply to the privacy rule.
What If I Don't Use Computers?
The regulations speak to all protected health information, not just things stored on computers. Whether you file insurance claims or not, HIPAA will become a national standard of privacy and security for medical records. The American Psychological Association recommends that all clinical psychologists become HIPAA compliant. HHS has consistently expanded the rules.
For example, if you write a client-related letter on a computer, then the information has been created and stored electronically, even if you just print it out and mail it. If you back up a copy of the letter file and take it home or to another office (a good computer practice), then you are a covered entity.
Degrees of Compliance
HIPAA is not an all-or-nothing requirement. There are degrees of compliance, just as there are in complying with mental health licensing laws. No one is 100% compliant, but we do our best at figuring out which regulations are important.
The published HIPAA regulations (privacy, security, and transactions and code sets) all have different standards and different deadlines. Within each regulation there may be some wiggle room for compliance. One can decide to be minimally compliant, moderately compliant, or fully compliant. Additionally, one can be fully compliant with one part and minimally compliant with another part. At issue would be which parts are important and which parts are not. This is what consultants are supposed to tell you.
Strategies
There are four strategic approaches to HIPAA.
Non-Compliant - The clinician, practice, or agency does virtually nothing to comply with any of the HIPAA regulations.
Minimally Compliant - The clinician, practice, or agency completes only the amount of HIPAA regulations that will get the bills paid and stay below the radar of any compliance enforcement.
Moderately Compliant - The clinician, practice, or agency completes the majority of HIPAA requirements. This will pass superficial scrutiny by most regulators and, if necessary, can quickly become fully compliant.
Fully Compliant - The clinician, practice, or agency makes a concerted effort to monitor, meet, or exceed every HIPAA requirement.
Clearly, these are merely points along a continuum of compliance, which will hopefully serve to gauge the time, energy, and expense of compliance against the risks of noncompliance.
Degrees of Risk
What are the risks of non-compliance? Is it realistic to worry that some giant bureaucracy in Washington, DC will find you by sheer dumb luck? No, that's not the way it will work. HIPAA is not simply a link between you and federal regulation.
HIPAA involves just about everyone in health care: patients, providers, health insurers, malpractice insurers, hospitals, credentialing services, referral sources, law enforcement, public health, claims billers, Medicare, Medicaid, secretaries, receptionists, and so on.
The idea is that all healthcare players, including mental health, are becoming an interwoven web of connectedness.
For example, malpractice insurers will want practitioners to be HIPAA compliant because the regs require it, and the patient information practices and protections will help in the defense of the clinician. Insurers may require compliance before paying claims, or even before reimbursing the patient. Other providers and referral sources may need to know that you're HIPAA compliant so they can legally communicate with you without incurring risk for your "leakage" of protected information.
Additionally, patients will be receiving notices of their privacy rights from other health care sources and may wonder why they're not getting any notices from you.
The federal government's Dept. of HHS office, which has responsibility for enforcement, can assess civil and criminal fines for noncompliance from $100 up to $250,000. They can also demand immediate and full compliance. To aid in this effort they have launched a HIPAA compliance initiative of phone numbers and websites so that reporting non-compliers can be done easily by anyone over the internet.
Not Covered by Malpractice Insurance
If you happen to get pursued by HHS for criminal noncompliance (knowingly failing to comply), don't look to your malpractice insurance carrier for help. "HIPAA is about criminal charges at the federal level. Malpractice insurers are prohibited from providing coverage for criminal acts," says Eric Marine, VP of Claims for malpractice insurer American Professional Agency.
Patient Civil Rights
Although most of HIPAA administration falls under HHS, the U.S. Office for Civil Rights will administer the privacy rule. This takes the issue of compliance to a much higher level. The patient's informed consent to privacy becomes a basic civil right.
The privacy rule requires profoundly important disclosures to the patient about where their protected health information may go, who has access to it, how they may inspect and correct it, and what to do if their privacy is violated.
The Notice of Privacy Practices, probably the most visible symbol of the HIPAA regs, becomes a contract between provider and patient. It states what you will and won't do with their protected health information, notably with or without their authorization.
Failure to inform the patient of the provisions of the privacy rule becomes a patient civil rights violation. Licensing boards will also be monitoring this issue.
If you must pick only one regulation in an effort to be minimally compliant, make sure it's the privacy rule.
You will need:
- Forms
- Training (you and staff)
- Policies and procedures
- Site walkthrough
There are lots of solutions and providers. We are one of the best.
Read articles published in the professional and popular press.
HHS Covered Entity Decision Support Tool
Disclaimer
This document is provided for general educational and informational purposes only and should not be construed as legal advice. The provision of these materials for the stated purpose is not intended to assert any guarantee of HIPAA compliance and does not denote an endorsement or recommendation of the materials by the Federal Government, the Federal Department of Health and Human Services (HHS), the Centers for Medicare & Medicaid Services (CMS), or any state entity.
Copyright 2003 Michael Freeny, clinicalCE.com
5764 N. OBT, # 128, Orlando, FL 32810
407-884-6553
E-Mail: info@clinicalCE.com