- What does HIPAA stand for?
- Who has to be concerned about the HIPAA guidelines?
- But HIPAA doesn't affect EAPs, right? We don't provide therapy!
- What are the effective and compliance dates?
- I am not a covered provider, since my practice is solely paper based. I do not submit any electronic transactions and no one does so on my behalf. This means I don't have to comply with the privacy and security portions of the regulation---right?
- We have identified ourselves as a covered provider under the regulations. Does that mean we only have to protect the information that is individually identifiable and electronically transmitted?
- What does the Privacy portion of the rule include?
- What do the security portions of the regulation cover?
- We are already in compliance, because we always require proper authorization before releasing any information. EAPs are always very conscientious about releasing only the minimum necessary information. Do we need to do anything else?
- How is the coverage for psychotherapy notes different?
- What are the penalties for non-compliance?
- What should I be doing now to begin?
1. What does HIPAA stand for?
HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is an extensive federal law that covers many diverse issues, including health insurance portability, fraud/abuse and the Administrative Simplification mandate. Under the Administrative Simplification portion of the law, four main regulations are specified: 1) privacy standards; 2) security standards; 3) unique health identifiers; and 4) transaction and code set standards.
2. Who has to be concerned about the HIPAA guidelines?
HIPAA covers three main entities in its regulations: 1) health care plans; 2) health care plan clearinghouses (which serve to facilitate or process the handling of claim data elements); and 3) health care providers. Health care is defined as care, services or supplies related to the health of an individual. This includes, but is not limited to: preventative, diagnostic, therapeutic, rehabilitative or maintenance care and counseling, or a service, assessment or procedure with respect to an individual's physical or mental condition or functional status.
3. But HIPAA doesn't affect EAPs, right? We don't provide therapy!
The Department of Labor states that an EAP delivers health care benefits whenever trained counselors provide any form of counseling in either an internal or external provider context. There are numerous functions of an EAP that are not covered under HIPAA, such as SAP/DOT evaluations, management consultations, critical incident stress debriefings, support groups, work/life programs, etc. Blair & Burke training helps define what aspects of your program are covered by HIPAA and which are not.
4. What are the effective and compliance dates?
The privacy rule became effective on April 14, 2001. Compliance with the rule is required two years after the effective date, which means providers need to be in compliance by April 14, 2003. The security rule is not yet out in final form, but its general principles are known. Compliance with the security portion will also be required by April 14, 2003. If you electronically transmit and receive any health care claim, payment, enrollment, eligibility, referral authorization, etc., you are also covered by the transaction and code set portion of the regulation. Even if you do not transmit electronically yourself, you are still covered if claims information is electronically transmitted on your behalf. The deadline for the transaction and code sets is October 16, 2002. If you cannot comply by that time, you must file for an extension for the transaction and code sets, which expires October 16, 2003. There is no extension available for the privacy/security regulations.
5. I am not a covered provider, since my practice is solely paper based. I do not submit any electronic transactions and no one does so on my behalf. This means I don't have to comply with the privacy and security portions of the regulation---right?
Although the Department of Health and Human Services and the Office for Civil Rights (which enforces the privacy regulation) would have no enforcement authority against non-covered providers, providers not covered by the Privacy/Security portion of the regulations may still face liability exposure if they fail to protect and secure protected health information aggressively. The HIPAA privacy and security regulations are established as a floor, not a ceiling, for protecting patients' rights to confidentiality. Generally, mental health professionals are already required to comply with similar, and often more stringent, state law, federal law and the code of ethics of their particular profession. Employee assistance programs have been built on the principles of confidentiality, privilege and protection to ensure access to treatment, reduction in stigma and cost-effective solutions for the troubled employee in the workplace. To challenge compliance with the HIPAA regulations would undermine those fundamental EAP principles. Most importantly, many of the requirements of the Privacy/Security portion of the regulation are consistent with best practices in protecting confidential patient information and should be incorporated into your daily operations and practice.
6. We have identified ourselves as a covered provider under the regulations. Does that mean we only have to protect the information that is individually identifiable and electronically transmitted?
No. If you are a covered provider, the regulations state that all protected and individually identifiable health information, regardless of its form (electronic, paper or oral), is protected. It is also good, consistent business practice to move towards protection and education covering all those forms of communicating information about an individual.
7. What does the Privacy portion of the rule include?
Patients will have increased knowledge about, and more control over, their individually identifiable health information. This includes what information is shared, with whom and for what purposes. All entities that receive personal health information are responsible for ensuring that the information is effectively protected.
Patients' rights include:
- Receive a notice of privacy practices
- Inspect and copy their designated record sets (special provisions apply to psychotherapy notes)
- Amend their record
- Obtain an accounting of disclosures, if requested
- Request restrictions on the use and disclosure of protected health information
- Have an avenue to make a complaint about violations
Providers are required to take specific actions to ensure the confidentiality of patient information. These include:
- Training all employees, with documentation
- Designating a privacy officer
- Establishing written privacy procedures, which include administrative, physical and technical safeguards
- Identifying business associates and ensuring that they protect the privacy of protected health information
- Establishing procedures for patients to inquire or complain about the privacy of their individual health records
- Releasing only the minimum necessary information to achieve the purpose of the use/disclosure
8. What do the security portions of the regulation cover?
The security portion of the regulations has not yet been released in final form, but we do know portions of the regulation that will be included. It is important to approach privacy and security hand in hand to achieve the best possible outcome in implementing the regulations.
The security regulations include:
- Information access controls, based on role and function
- Contingency plans, including disaster recovery and business continuity planning
- Policies and procedures regarding personnel security, including termination, change in job function/role, security incident procedures
- Physical safeguards to protect security
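The access-control and minimum-necessary items above, the accounting of disclosures in question 7, and the separate handling of psychotherapy notes in question 10 can be made concrete in code. The following is an added illustration written for this page, not code from Blair & Burke or from any regulatory source: a small store of protected health information that releases only the fields a role/function pair is permitted to see, requires a specific authorization before psychotherapy notes are released (a deliberate simplification of the rule's special provisions), and keeps an accounting of what was disclosed to whom. The roles, functions, record fields and sample record are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed schema for a designated record set; field names are examples only.
RECORD_FIELDS = {"name", "diagnosis", "treatment_plan", "session_times", "medications"}
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"  # kept apart from the rest of the record

# Minimum-necessary policy: for each hypothetical (role, function) pair, the
# fields that may be released. Anything not listed here is denied.
ACCESS_POLICY = {
    ("counselor", "treatment"): RECORD_FIELDS | {PSYCHOTHERAPY_NOTES},
    ("billing", "payment"): {"name", "session_times"},
    ("program_manager", "utilization_report"): set(),  # aggregate reporting, no PHI
}


@dataclass
class Disclosure:
    """One entry in the accounting of disclosures."""
    when: datetime
    record_id: str
    role: str
    function: str
    fields: frozenset


class PhiStore:
    def __init__(self, records):
        self.records = records
        self.disclosures = []

    def disclose(self, record_id, role, function, requested, notes_authorization=False):
        """Return (released, denied) for one request.

        Only fields allowed for this role/function are released. Psychotherapy
        notes additionally require a specific authorization, even for a role the
        policy otherwise permits (simplification of the rule's special provisions).
        """
        allowed = ACCESS_POLICY.get((role, function))
        if allowed is None:
            raise PermissionError(f"no access policy for role={role!r} function={function!r}")
        record = self.records[record_id]
        released, denied = {}, set()
        for name in requested:
            permitted = name in allowed
            if name == PSYCHOTHERAPY_NOTES:
                permitted = permitted and notes_authorization
            if permitted and name in record:
                released[name] = record[name]
            else:
                denied.add(name)
        # Only actual releases go into the accounting of disclosures.
        if released:
            self.disclosures.append(
                Disclosure(datetime.now(timezone.utc), record_id, role, function, frozenset(released))
            )
        return released, denied

    def accounting(self, record_id):
        """The accounting of disclosures a patient may request for their record."""
        return [d for d in self.disclosures if d.record_id == record_id]


def demo():
    """Run three requests against a constructed record and return the outcomes."""
    store = PhiStore({
        "r1": {
            "name": "Sample Client",
            "diagnosis": "constructed diagnosis",
            "treatment_plan": "constructed plan",
            "session_times": "2003-01-10 10:00-10:50",
            "medications": "none recorded",
            PSYCHOTHERAPY_NOTES: "constructed session notes",
        }
    })
    # Billing asks for more than payment needs; diagnosis is withheld.
    billing = store.disclose("r1", "billing", "payment", {"name", "diagnosis", "session_times"})
    # Counselor without a notes authorization: notes withheld, nothing logged.
    no_auth = store.disclose("r1", "counselor", "treatment", {PSYCHOTHERAPY_NOTES})
    # Counselor with a notes authorization: notes released and logged.
    with_auth = store.disclose("r1", "counselor", "treatment", {PSYCHOTHERAPY_NOTES},
                               notes_authorization=True)
    return {
        "billing": billing,
        "no_auth": no_auth,
        "with_auth": with_auth,
        "accounting_entries": len(store.accounting("r1")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the example is that the policy table, not the requester, decides what the minimum necessary set is, and that every release leaves an entry that can later answer a patient's accounting request; a request from a role/function pair with no policy entry fails closed.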
9. We are already in compliance, because we always require proper authorization before releasing any information. EAPs are always very conscientious about releasing only the minimum necessary information. Do we need to do anything else?
Most mental health and EAP professionals have been extensively trained in the practice of protecting patient confidentiality. The HIPAA regulations provide formal requirements and require documentation of those practices. It is not enough to say that you do it; you must be able to demonstrate how you do it.
10. How is the coverage for psychotherapy notes different?
As defined in 45 CFR Subtitle A, Subchapter C, Section 164.501, psychotherapy notes are "notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint or family counseling session and that are separated from the rest of the individual's medical record".
Per the regulatory definition, the following information is not part of the psychotherapy notes:
- Medication prescribing and monitoring
- Counseling session start and stop times
- Modalities and frequencies of treatment furnished
- Results of clinical tests
- Any summary of the following items:
  - Diagnosis
  - Functional status
  - Treatment plan
  - Symptoms
  - Prognosis
  - Progress to date
Psychotherapy notes, according to the Privacy Rule, are limited to information that the provider keeps separate for his/her own purposes and that is of a sensitive nature relevant only to the provider. Special rules regarding consents and authorizations apply to them.
11. What are the penalties for non-compliance?
There are civil fines of up to $25,000 for each calendar year for each provision of the rule that is violated. The criminal penalties include up to 10 years imprisonment and a $250,000 penalty for covered entities that misuse personal health information under this rule.
12. What should I be doing now to begin?
The first step is to familiarize yourself with the rule requirements through education and reading. You need to involve all segments of your organization in the process, from clinical to information technology to senior management. Look at your strategic business processes and how they can be improved. Use common sense and thoughtfulness in regard to what will benefit your organization and your clients. HIPAA can be used very effectively in marketing strategies to advertise your desire to do the utmost to keep personal health information private. Provide training and ensure that your policies/procedures are up to date and reflect compliance with the regulations. Continue to monitor and receive updated training as the regulations progress. These initial regulations are the foundation of more HIPAA regulations, which the Federal Government will release approximately every 18 months to two years.
Instructor: Marilyn S. Gaipa, LCSW, CAC III. Marilyn can be reached at mgaipa@blairconsultants.com or 720-220-0595.