What is it and how does it affect Audiologists?
The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is a comprehensive document that includes detailed provisions to ensure confidentiality of protected health information (PHI). Its intent is to give the patient control over all personal health information that might be shared between a healthcare provider and any other covered entity (CE: Healthcare Providers, Health Plans, and Healthcare Clearinghouses). HIPAA is comprised of three components:
Component 1: Transaction Standards and Code Sets
HIPAA required the Department of Health and Human Services (HHS) to adopt national standards for conducting health care transactions electronically. By ensuring consistency throughout the industry, these national standards will make it easier for health plans and for doctors, hospitals and other health care providers to process claims electronically. Transaction Standards and Code Sets information may be found at https://aspe.hhs.gov/admnsimp/bannertx.htm.
Standardized formats and data content are required for the following transactions:
- premium payments
- enrollment and disenrollment in a health plan
- eligibility inquiry and response
- referrals and authorizations
- claims/encounter data
- claim status inquiry and response
- payment and remittance advice
- coordination of benefits
- International Classification of Diseases, 9th Edition, Clinical Modification, (ICD-9-CM), Volumes 1 and 2, and Volume 3 Procedures.
- The combination of Health Care Financing Administration Common Procedure Coding System (HCPCS), and Current Procedural Terminology, Fourth Edition (CPT-4).
A CMS model Compliance Plan and instructions on how to complete it are available at www.cms.hhs.gov/hipaa. It is recommended that each facility complete the Compliance Plan online and submit it via the internet to CMS in order to receive an electronic receipt that documents your timely submission. Paper submissions will also be accepted. Failure to comply may result in exclusion from Medicare.
To obtain an extension for delay of compliance until October 16, 2003, a covered entity must still submit a compliance plan on or before Oct. 15, 2002. Providers must submit detailed information on their compliance activities, including budget, assessment of compliance concerns, whether a contractor or vendor might be used to help achieve compliance, and a schedule for testing to begin no later than April 16, 2003.
Component 2: Privacy Rule
3/21/02 HHS Proposed Modifications to Privacy Rule https://www.hhs.gov/news/press/2002pres/20020321.html
The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) provides the first comprehensive federal protection for the privacy of health information. The Privacy Rule establishes safeguards to protect the confidentiality of medical information, gives patients more control over their health information, and sets boundaries on the use and release of health records. State laws that provide stronger privacy protections will continue to apply over and above the new federal privacy standards.
For the average health care provider or health plan, the Privacy Rule requires activities, such as:
- Providing information to patients about their privacy rights and how their information can be used.
- Adopting clear privacy procedures for its practice, hospital, or plan.
- Training employees so that they understand the privacy procedures.
- Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.
- Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
Information on the Privacy Rule may be found at https://www.hhs.gov/ocr/hipaa/assist.html
Proposed Modifications to the Privacy Rule (3/21/01) may be found at https://www.hhs.gov/news/press/2002pres/20020321.html
Consent -- The Privacy Rule establishes a federal requirement that most doctors, hospitals, or other health care providers obtain a patient's written consent before using or disclosing the patient's personal health information to carry out treatment, payment, or health care operations (TPO). However, in the recent proposed revisions linked above, the consent requirement would be removed for TPO that could interfere with efficient delivery of health care, while strengthening requirements for providers to notify patients about their privacy rights.
Authorization -- An authorization is required for use and disclosure of protected health information (PHI) not otherwise allowed by the rule. In general, this means an authorization is required for purposes that are not part of TPO and not described in the statute, such as selling a patient mailing list, disclosing information to an employer for employment decisions, disclosing information for life or disability insurance, authorization to leave a message on the patient's answering machine, sending an appointment reminder, etc.
Business Associates -- The current rule requires covered entities -- health plans, health care providers and clearinghouses -- to have contracts with their business associates to ensure the business associates protect the privacy of the information. The proposal includes model business associate contract provisions to make it easier and less costly for covered entities to implement the requirements. The changes also would give covered entities up to an additional year to change existing contracts, easing the burden of renegotiating contracts all at once.
Minimum Necessary and Oral Communications -- This provision requires covered entities to make reasonable efforts to limit the use and disclosure of and request for protected health information to the minimum necessary to accomplish the intended purpose. The revised proposal would retain both the oral communication and "minimum necessary" requirements, but it would make clear that a doctor could discuss a patient's treatment with other doctors and professionals involved in the patient's care without fear of violating the rule if they are overheard.
Parents and Minors -- The revised proposal clarifies that state law governs disclosures to parents. In cases where state law is silent or unclear, the revisions would preserve state law and professional practice by permitting a health care provider to use discretion to provide or deny a parent access to such records as long as that decision is consistent with state or other law.
Uses and Disclosures for Research Purposes -- The revised proposal would eliminate the need for researchers to use multiple consent forms - one for informed consent to the research and one or more related to information privacy rights. Instead, researchers could use a single combined form to accomplish both purposes.
Component 3: Security and Electronic Signature Standards
HIPAA mandates new security standards to protect an individual's health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans. HIPAA also mandates that a new electronic signature standard be used where an electronic signature is employed in the transmission of a HIPAA standard transaction.
The proposed rule was issued on August 12, 1998, but a date for compliance has not yet been finalized.
Helpful HIPAA Links:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Page https://www.cms.hhs.gov/hipaa/
Secretary's Committee on Regulatory Reform, Overview of HIPAA Privacy https://www.regreform.hhs.gov/phoenix_materials.htm
Office of Civil Rights, Standards for Privacy of Individually Identifiable Health Information https://www.hhs.gov/ocr/hipaa/finalmaster.html
Department of Health and Human Services, Administrative Simplification Web Site https://aspe.hhs.gov/admnsimp/Index.htm
Medicare Learning Network https://www.hcfa.gov/medlearn
WEDI/Strategic National Implementation Process: What is HIPAA? https://snip.wedi.org/public/articles/index.cfm?cat=9
Information on Security and Electronic Standards can be found at https://aspe.hhs.gov/admnsimp/faqsec.htm
AUDIOLOGISTS MUST BEGIN THE PROCESS NOW!
How do I become HIPAA Compliant?
- State who has the authority to release PHI.
- Identify an individual responsible for determining minimum data necessary.
- Develop a records management plan.
- Define who keeps the records and how records are kept.
- Teach proper documentation.
- Keep a log to record information given in response to patient authorization, information given in response to a legal document, and patient requests for amendments or restrictions to your privacy policy.
The information in this news release was prepared by the AAA Reimbursement Committee, Billing Issues Subcommittee:
SPECIAL THANKS to:
Sheila Dalzell, Chair, Subcommittee on Billing Issues of the AAA Reimbursement Committee.
Members of the Subcommittee on Billing Issues: Debra Abel, Carmen Brewer, Pam Ison and Paul Pessis.
Alison Grimes, Editor and Chair of Communications for the AAA Reimbursement Committee.
Jody Chappell, Director of Health Care Policy, AAA Staff.
Robert G. Glaser, Chair, AAA Reimbursement Committee.
Audiology Online is grateful to the AAA for allowing us to present this information. For more information on this topic, please see the websites listed (above) or contact the AAA at 1-800-AAA-2336. https://www.audiology.org