AudiologyOnline Phone: 800-753-2160


InnoCaption - Connected - July 2024

AAA Reimbursement Committee Summarizes the HIPAA and How it Affects Audiologists

Share:
The Health Insurance Portability and Accountability Act (HIPAA)

What is it and how does it affect Audiologists?

The Health Insurance Portability and Accountability Act (HIPAA)
of 1996 is a comprehensive document that includes detailed provisions to ensure confidentiality of protected health information (PHI). Its intent is to give the patient control over all personal health information that might be shared between a healthcare provider and any other covered entity (CE: Healthcare Providers, Health Plans, and Healthcare Clearinghouses). HIPAA is comprised of three components:

Component 1: Transaction Standards and Code Sets

HIPAA required the Department of Health and Human Services (HHS) to adopt national standards for conducting health care transactions electronically. By ensuring consistency throughout the industry, these national standards will make it easier for health plans and for doctors, hospitals and other health care providers to process claims electronically. Transaction Standards and Code Sets information may be found at https://aspe.hhs.gov/admnsimp/bannertx.htm.

Standardized formats and data content are required for the following transactions:
  • premium payments

  • enrollment and disenrollment in a health plan

  • eligibility inquiry and response

  • referrals and authorizations

  • claims/encounter data

  • claim status inquiry and response

  • payment and remittance advice

  • coordination of benefits
Code sets for medical data are required for data elements in the administrative and financial health care transaction standards adopted under HIPAA for diagnoses, procedures, and drugs. HHS has adopted the following code sets as some of the standard medical data code sets:
  • International Classification of Diseases, 9th Edition, Clinical Modification, (ICD-9-CM), Volumes 1 and 2, and Volume 3 Procedures.

  • The combination of Health Care Financing Administration Common Procedure Coding System (HCPCS), and Current Procedural Terminology, Fourth Edition (CPT-4).
Every facility must file a Compliance Plan by 10/16/02.

A CMS model Compliance Plan, and instructions on how to complete it, is available at
www.cms.hhs.gov/hipaa. It is recommended that each facility complete the Compliance Plan online and submit it via the internet to CMS in order to receive an electronic receipt that documents your timely submission. Paper submissions will also be accepted. Failure to comply may result in exclusion from Medicare.

To obtain an extension for delay of compliance until October 16, 2003, a covered entity must still submit a compliance plan on or before Oct. 15, 2002. Providers must submit detailed information on their compliance activities, including budget, assessment of compliance concerns, whether a contractor or vendor might be used to help achieve compliance, and a schedule for testing to begin no later than April 16, 2003.

Component 2: Privacy Rule

3/21/02 HHS Proposed Modifications to Privacy Rule
https://www.hhs.gov/news/press/2002pres/20020321.html

The Privacy Rule (Standards for Privacy of Individually Identifiable Health Information) provides the first comprehensive federal protection for the privacy of health information. The Privacy Rule establishes safeguards to protect the confidentiality of medical information, gives patients more control over their health information, and sets boundaries on the use and release of health records. State laws that provide stronger privacy protections will continue to apply over and above the new federal privacy standards.

For the average health care provider or health plan, the Privacy Rule requires activities, such as:
  • Providing information to patients about their privacy rights and how their information can be used.

  • Adopting clear privacy procedures for its practice, hospital, or plan.

  • Training employees so that they understand the privacy procedures.

  • Designating an individual to be responsible for seeing that the privacy procedures are adopted and followed.

  • Securing patient records containing individually identifiable health information so that they are not readily available to those who do not need them.
Compliance is required by 4/14/03.
Information on the Privacy Rule may be found at
https://www.hhs.gov/ocr/hipaa/assist.html

Proposed Modifications to the Privacy Rule (3/21/01) may be found at
https://www.hhs.gov/news/press/2002pres/20020321.html

Consent -- The Privacy Rule establishes a federal requirement that most doctors, hospitals, or other health care providers obtain a patient's written consent before using or disclosing the patient's personal health information to carry out treatment, payment, or health care operations (TPO). However, in the recent proposed revisions linked above, the consent requirement would be removed for TPO that could interfere with efficient delivery of health care, while strengthening requirements for providers to notify patients about their privacy rights.

Authorization -- An authorization is required for use and disclosure of protected health information (PHI) not otherwise allowed by the rule. In general, this means an authorization is required for purposes that are not part of TPO and not described in the statute such as selling a patient mailing list, disclosing information to an employer for employment decisions, disclosing information for life or disability insurance, authorization to leave a message on the patient's answering machine, sending an appt. reminder, etc.

Consent vs. Authorization

Consent
  • General document

  • Only gives permission to the provider and not to another person
  • Authorization
    • Customized, more detailed document

    • Gives covered entity permission to use specified personal information for specified purposes
    • Marketing -- The proposed revisions would explicitly require covered entities to first obtain the individual's specific authorization before sending them any marketing materials. At the same time, the proposal would permit doctors and other covered entities to communicate freely with patients about treatment options and other health-related information, including disease-management programs.

      Business Associates
      -- The current rule requires covered entities - health plans, health care providers and clearinghouses -- to have contracts with their business associates to ensure the business associates protect the privacy of the information. The proposal includes model business associate contract provisions; to make it easier and less costly for covered entities to implement the requirements. The changes also would give covered entities up to an additional year to change existing contracts, easing the burden of renegotiating contracts all at once.

      Minimum Necessary and Oral Communications -- This provision requires covered entities to make reasonable efforts to limit the use and disclosure of and request for protected health information to the minimum necessary to accomplish the intended purpose. The revised proposal would retain both the oral communication and "minimum necessary" requirements, but it would make clear that a doctor could discuss a patient's treatment with other doctors and professionals involved in the patient's care without fear of violating the rule if they are overheard.

      Parents and Minors -- The revised proposal clarifies that state law governs disclosures to parents. In cases where state law is silent or unclear, the revisions would preserve state law and professional practice by permitting a health care provider to use discretion to provide or deny a parent access to such records as long as that decision is consistent with state or other law.

      Uses and Disclosures for Research Purposes -- The revised proposal would eliminate the need for researchers to use multiple consent forms - one for informed consent to the research and one or more related to information privacy rights. Instead, researchers could use a single combined form to accomplish both purposes.

      Component 3: Security and Electronic Signature Standards

      HIPAA mandates new security standards to protect an individual's health information, while permitting the appropriate access and use of that information by health care providers, clearinghouses, and health plans. HIPAA also mandates that a new electronic signature standard be used where an electronic signature is employed in the transmission of a HIPAA standard transaction.

      The proposed rule was issued on August 12, 1998, but a date for compliance has currently not been finalized.

      Helpful HIPAA Links:

      The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Page https://www.cms.hhs.gov/hipaa/

      Secretary's Committee on Regulatory Reform, Overview of HIPAA Privacy
      https://www.regreform.hhs.gov/phoenix_materials.htm

      Office of Civil Rights, Standards for Privacy of Individually Identifiable Health Information
      https://www.hhs.gov/ocr/hipaa/finalmaster.html

      Department of Health and Human Services, Administrative Simplification Web Site
      https://aspe.hhs.gov/admnsimp/Index.htm

      Medicare Learning Network
      https://www.hcfa.gov/medlearn

      WEDI/ Strategic National Implementation Process: What is HIPAA?
      https://snip.wedi.org/public/articles/index.cfm?cat=9

      Information on Security and Electronic Standards can be found at
      https://aspe.hhs.gov/admnsimp/faqsec.htm

      AUDIOLOGISTS MUST BEGIN THE PROCESS NOW!

      How do I become HIPAA Compliant?
      • Read the privacy rules.

      • Appoint your HIPAA team

      • Appoint a privacy officer

      • Designate a contact person

      • Provide training to all staff

      • Gather your current policies and procedures

      • Submit Transaction Standards and Code Set Plan - due October, 2002.
      • www.cms.hhs.gov/hipaa Privacy
        • Develop a Notice of Privacy that reflects your dedication to patient privacy and adhere to the notice.

        • Post Privacy Notice for both new and established patients to review. Post Privacy Notice on your web site.
        • Develop Written Policies and Procedures
          • State who has the authority to release PHI.

          • Identify an individual responsible for determining minimum data necessary.

          • Develop a records management plan.

          • Define who keeps the records and how records are kept.

          • Teach proper documentation.

          • Keep a log to record information given in response to patient authorization, information given in response to legal document, patient requests for amendments or restrictions to your privacy policy.
          Conduct On-Site Survey
          • Start at the entrance of your facility and walk through as if you were a patient

          • Look at areas that have charts, lab results, or dictation and determine if a patient could see or access confidential information.

          • Look in waste cans and make sure that they do not contain PHI that must be shredded.

          • Observe how computer monitors are facing to ensure screens are not readable by patients.

          • Evaluate the location of telephones in relation to the waiting room and treatment rooms.

          • Are patient records secure?

          • Are there individual and unique passwords assigned for computer systems?

          • Where is the fax machine located? Does fax cover sheets eliminate identifiers? Is a disclaimer statement included on fax cover statement? Before faxing information, call to confirm correct fax number.

          • Are collection calls made in a private location?

          • The information in this news release was prepared by the
            AAA Reimbursement Committee, Billing Issues Subcommittee:

            SPECIAL THANKS to:

            Sheila Dalzell, Chair SubCommittee on Billing Issues of the AAA Reimbursement Committee.
            Members of the Subcommittee on Billing Issues: Debra Abel, Carmen Brewer, Pam Ison and Paul Pessis.
            Alison Grimes, Editor and Chair of Communications for the AAA Reimbursement Committee.
            Jody Chappell, Director of Health Care Policy, AAA Staff.
            Robert G. Glaser, Chair, AAA Reimbursement Committee.

            Audiology Online is grateful to the AAA for allowing us to present this information. For more information on this topic, please see the websites listed (above) or contact the AAA at 1-800-AAA-2336.
            https://www.audiology.org

            Phonak Infinio - December 2024

            Our site uses cookies to improve your experience. By using our site, you agree to our Privacy Policy.