DigitalCare, Inc.
Health Care Information Technology Services

 

Frequently Asked Questions

 

Contents

Transactions and Code Sets

Identifiers

Privacy: General; In-House Practices; Behavioral/Mental Health; Mailing Information and Marketing; Business Associates

Security

ANSWERS

 

Transactions and Code Sets

 

Q: What is the purpose of the Transactions and Code Sets rule?

 

A:  The Transactions and Code Sets Rule is intended to streamline the data that providers and payors currently exchange.  It requires all covered entities to use standardized formats for transactions and to convey every data element using consistent code sets.  This will dramatically reduce the difficulties in filing claims: there are currently over 400 different formats in which transactions are filed, and the Rule reduces that number to eleven.  What does this mean for your organization?  You can expect fewer mistakes on both the sending and receiving ends, fewer claims kicked back (rejected) by the payor, quicker turnaround on payment, and less headache for your billing staff. 

 


Q: When is the compliance deadline?

 

A:  October 16, 2002.  However, feedback from the healthcare community prompted HHS to create an extension.  If you fill out the Model Compliance Plan and submit it by October 15, 2002, your organization will receive a one-year extension and will be expected to be compliant by October 16, 2003. 

 


Q: Where do I file the extension application/model compliance plan?

 

A:  You can file for an extension with CMS in one of two ways.

1.       Submit online at http://www.cms.hhs.gov/hipaa/hipaa2/ascaform.asp.  The application consists of a series of drop-down boxes and fields to fill in.  When you complete the form, print a copy for yourself and click the submit button.  You’ll receive an electronic verification that the application has been received.  Print out a copy of that receipt for your records.  Remember that the deadline for filing an electronic application is October 15, 2002.

2.       Submit via mail.  You can print out the application, or you can create your own version as long as it provides all the necessary information. Make a photocopy for your records and send it to:

ATTENTION: Model Compliance Plans

Centers for Medicare and Medicaid Services

PO Box 8040

Baltimore, MD  21244-8040

 

If you send your application via mail, you won’t receive acknowledgment of receipt from HHS.  We recommend that you send the application via registered or certified mail to ensure that it is received.  Keep this verification in your records, too.  Applications submitted by mail must be postmarked no later than October 15, 2002.

 


Q: How can my organization comply? What are the compliance options?

A:  There are three options for implementing the Transactions and Code Sets Rule.

 

1.       Continue using paper forms.  Contrary to popular belief, HIPAA does not require that providers switch to electronic submissions.  After October 16, 2003, however, Medicare will require that all providers with more than 25 full-time employees submit claims electronically.  If your organization will be affected by this requirement, you can continue using paper forms, but you’ll need to enlist the help of a clearinghouse to make your transactions compliant.  (See #3 below for additional information on clearinghouses.)  You’ll also need to be aware that required fields on paper forms may change as payors streamline their incoming and outgoing data. 

·         If you plan to continue working with paper forms, find out from your billing service whether there will be changes and when they will take place.  Get that information IN WRITING, and add it to your HIPAA file.

 

2.       Submit electronically.  Your software vendor should already have plans for dealing with the new requirements.  Get in contact with your vendor as soon as possible to find out what it will require from you.

·         Contact your billing software vendor and find out what its plans are for Transactions and Code Sets implementation.  Get written documentation including a timeline—when will you begin using the new formats?  When and how will testing take place?  Make sure you get the vendor’s plan IN WRITING, and add it to your HIPAA file.

·         If you’re shopping for a new vendor, ask the same questions.  Use the answers to help you make a decision.

 

3.      Submit through a clearinghouse.  Essentially, clearinghouses provide translation services for outgoing and incoming transactions.  Whether you plan to continue using paper forms or non-compliant electronic forms, a clearinghouse can convert your current transmissions to HIPAA-compliant formats.  If you use a clearinghouse, you’re essentially paying for compliance on a per-transaction basis.  For some providers, this may be a better solution than investing in software for direct electronic submissions.

·         If you currently use a clearinghouse, find out what its new policies will be and what associated timelines you’ll need to be aware of.  Get this information IN WRITING.

·         If using a clearinghouse is a new strategy for you, do some shopping before you make a decision.  Compare implementation plans, timelines, and prices.  Once again, get it IN WRITING. 

 

 

Q: What code sets will be allowable?

A:  After the compliance deadline of October 16, 2003, only the following code sets will be accepted:

·         ICD-9-CM (International Classification of Diseases, 9th Ed., Clinical Modification, Volumes 1, 2, 3.)

·         CPT-4 (Current Procedural Terminology, 4th Ed.)

·         HCPCS (Health Care Financing Administration Common Procedure Coding System)

·         NDC (National Drug Codes) (NOTE: The proposed modification to this rule eliminates the usage of NDC for providers and payors and replaces it with HCPCS J-Codes.)

·         CDT-2 (Codes on Dental Procedures and Nomenclature)

HIPAA requires that the current edition of each adopted code set be used, so an updated edition replaces its predecessor; ICD-10 will replace ICD-9-CM when HHS adopts it as a standard.  All other codes will be retired, including state Medicaid and local codes, DSM-IV, behavioral health, and anesthesia codes.

 


Identifiers

 

Q: What is the Identifiers Rule?

A:  The Identifiers Rule will require that all providers, health plans, and employers be assigned one unique identifying number.  This identifying number will be used on all communications and transactions between entities.

 

The proposed Rule lists four categories for unique identifiers.  They are:

·        Health plans

·        Employers

·        Providers

·        Patients

 


Q: Which parts of the Rule have been finalized?

A:  Based on the feedback the HHS received after releasing the proposed rule, it is highly unlikely that the patient identifier will be finalized.  The localization of a patient’s entire medical history under one identifying number presents vast problems for security and privacy measures.  However, the three remaining will almost certainly be finalized.  The employer identifier is the only portion of the Rule that has been finalized to date.

 


Q:  When is the Identifiers compliance deadline?

A:  The only portion of the Rule that currently has a compliance deadline is the Employer Identifier.  Implementation must occur by July 30, 2004 (small health plans receive an additional year).  Additional deadlines will be determined as other portions of the Rule are finalized.

 


Q: What number will be used for the Employer Identifier?

A:  Employers will use their FEIN (tax ID) as their identifier.

 


Q:  What does my organization need to do to become compliant with the Employer Identifier Rule?

A:  An employer not currently in possession of an EIN can obtain one by submitting an IRS Form SS-4 (Application for Employer Identification Number) to the Internal Revenue Service.  

 


Privacy

 

GENERAL

Q: What is the Privacy Rule?

A:  For providers, the Privacy Rule is one of the largest parts of the HIPAA regulations.  This portion of HIPAA legislation focuses on the priority of a patient’s right to privacy, requiring all healthcare providers to evaluate, assess, and modify their operational policies and procedures according to privacy standards.

 


Q:  When is the Privacy compliance deadline?

A:  The Privacy Rule was finalized in December of 2000.  Its corresponding compliance deadline is April 14, 2003.  If your organization files an extension for the Transactions and Code Sets Rule, this is the first deadline you’ll have to meet.

 


Q:  What does my organization need to do to become compliant with the Privacy Rule?

A:  The following are actions you’ll need to take to achieve Privacy implementation:

1.      Appoint a privacy officer.

2.      Develop a notice of privacy practices.

3.      Develop a patient consent form.

4.      Develop a patient authorization form.

5.      Develop and Implement business associate agreements.

6.      Develop “Minimum Necessary” policies.

7.      Develop policies and procedures to respond to patient requests.

8.      Develop a privacy training program.

9.      Respond to privacy infractions.

10. Maintain records of HIPAA compliance.

Additional information on the above requirements is available in the Sample Forms and Documents section of this website and in the Implementation Checklists provided.

 


Q:  Can I expect additional changes to the Privacy Rule?

A:  Yes.  Proposed changes to the Privacy Rule have been released but not finalized.  These will have an impact on many portions of the Rule.  The proposed changes would affect the Rule in the following ways:

·        Consent and Notice.  The proposed changes would drop the requirement for patient consent and instead require that a patient provide acknowledgment of receipt of the notice of privacy practices.

·        Minimum Necessary and Oral Communications.  The proposed changes retain both of these requirements, but clarify that incidental disclosures—for example, a patient who overhears providers discussing another patient’s treatment—are permissible as long as the standards for minimum necessary standards are being reasonably upheld.

·        Business Associates.  To reduce the impact of the Business Associates portion of the Rule, the proposed changes would allow covered entities up to an additional year (until April 14, 2004) to implement updated contracts.  Included in the proposal are template contract provisions.

·        Marketing.  The finalized Rule makes some allowances for marketing, which has caused some concern that patients’ privacy could suffer as a result.  The proposed changes would mandate that a covered entity would have to obtain a patient authorization before sending marketing materials.  Additionally, the proposed changes exempt disclosure of information regarding treatment options and other health-related information from “marketing” practices.

·        Parents and Minors.  The proposed changes clearly indicate that all matters concerning disclosures to parents will be subject to state law.

·        Uses and Disclosures for Research Purposes.  Under the proposed changes, researchers would not be required to obtain multiple consent forms.  A single form would be used for purposes of consent to research AND relating information privacy rights.

·        Uses and Disclosures for which Authorizations are Required.  The proposed changes would allow covered entities to use a single form on which to record specific details of each disclosure, rather than requiring that different types of disclosures be filed on separate authorization forms.   

For additional updated information on these and other changes, see “Proposed Modifications to the Privacy Rule” on www.HIPAAdvisory.com.

 


IN-HOUSE PRACTICES

Q: What specific functions are included in the definition of Health Care Operations?

A: According to www.HIPAAdvisory.com,

“Health care operations means any of the following activities of the covered entity to the extent that the activities are related to covered functions, and any of the following activities of an organized health care arrangement in which the covered entity participates:

  1. Conducting quality assessment and improvement activities, including outcomes evaluation and development of clinical guidelines, provided that the obtaining of generalizable knowledge is not the primary purpose of any studies resulting from such activities; population-based activities relating to improving health or reducing health care costs, protocol development, case management and care coordination, contacting of health care providers and patients with information about treatment alternatives; and related functions that do not include treatment;

  2. Reviewing the competence or qualifications of health care professionals, evaluating practitioner and provider performance, health plan performance, conducting training programs in which students, trainees, or practitioners in areas of health care learn under supervision to practice or improve their skills as health care providers, training of non-health care professionals, accreditation, certification, licensing, or credentialing activities;

  3. Underwriting, premium rating, and other activities relating to the creation, renewal or replacement of a contract of health insurance or health benefits, and ceding, securing, or placing a contract for reinsurance of risk relating to claims for health care (including stop-loss insurance and excess of loss insurance), provided that the requirements of § 164.514(g) are met, if applicable;

  4. Conducting or arranging for medical review, legal services, and auditing functions, including fraud and abuse detection and compliance programs;

  5. Business planning and development, such as conducting cost-management and planning-related analyses related to managing and operating the entity, including formulary development and administration, development or improvement of methods of payment or coverage policies; and

  6. Business management and general administrative activities of the entity, including, but not limited to:

    i. Management activities relating to implementation of and compliance with the requirements of this subchapter;

    ii. Customer service, including the provision of data analyses for policy holders, plan sponsors, or other customers, provided that protected health information is not disclosed to such policy holder, plan sponsor, or customer;

    iii. Resolution of internal grievances;

    iv. Due diligence in connection with the sale or transfer of assets to a potential successor in interest, if the potential successor in interest is a covered entity or, following completion of the sale or transfer, will become a covered entity; and

    v. Consistent with the applicable requirements of § 164.514, creating de-identified health information, fundraising for the benefit of the covered entity, and marketing for which an individual authorization is not required as described in § 164.514(e)(2).”

 


Q:  What is an Organized Health Care Arrangement and how would it be useful to my hospital?

A:  The following comes from the HIPAA FAQs listed at www.bricker.com :

“The regulations allow the creation of something called an organized health care arrangement, which will allow the use and disclosure of protected health information by members of the medical staff for health care operations of the hospital. Without the concept of the organized health care arrangement, hospitals will find no place in the regulations where information can be used by physicians who sit on hospital committees, such as peer review and quality assurance. The regulations allow that information can be freely shared throughout the hospital for treatment, and for most payment purposes. To share information for health care operations, however, the users and recipients must be either workforce members or business associates. It is generally not practical to make the medical staff workforce members (unless the physicians are employed) because this will subject them to training and the hospital will retain responsibility for their compliance. Likewise, business associates require contracts and it is probably not practical to contract with each physician who will be involved in health care operations.

By self-designating as an organized health care arrangement, all of the covered entities (including physicians) within the arrangement can share patient information for the common operations of the arrangement. An organized health care arrangement, defined as a clinically or operationally integrated health care setting, can include the hospital, the medical staff, and any other facilities that are clinically and operationally integrated with the hospital. It seems that this concept is akin to the Medicare provider-based designation; those facilities and entities operating with integration under the hospital's provider number (including the medical staffs) can share information for the health care operations of the integrated arrangement.

Self-designation is accomplished by joint consent forms and Notices of Privacy Practices that clearly set forth who and what is a part of the organized health care arrangement and how information will be shared throughout the organization.”

For the definition listed in the Final Privacy Rules, see Section 164.501.

 


Q: Who is the best choice as privacy officer?

A: HIPAA doesn’t expressly dictate who a privacy officer should be.  If your organization is very small, the natural choice may be your office manager.  Larger organizations may wish to designate a medical records specialist or patient advocate as a privacy officer.  Ideally, you should choose someone who has a sound knowledge of information flows and practice policies and procedures.

 


Q: What’s the definition of “reasonable?”

A:  That’s one of the mysteries of HIPAA—we can expect this to be better defined later down the road, but for now, it’s up to your organization to decide what is and what’s not “reasonable.”  Common sense can help to determine most issues—for example, if your training policies indicate that new employees should be trained on privacy procedures within 30-60 days, that’s probably reasonable. Two years is probably not.

 


Q:  Do the Notice of Privacy Practice, Consent, and Authorization forms have to be provided in other languages?

A:  The Privacy Rule encourages, but does not require, that translated copies of the forms be made available to those who do not speak English.  According to HIPAAdvisory.com, “As stated in the preamble to the Privacy Rule, the Department encourages covered entities to consider alternative means of communicating with certain populations, such as with individuals who cannot read or who have limited English proficiency.”  It is practical to offer forms in Spanish if your facility serves a large Spanish-speaking population, but the Privacy Rule itself does not penalize a covered entity for offering English forms only.  (Language-access obligations under other federal or state law are outside the scope of HIPAA.) 

 


Q: Where should documentation of receipt of notice go?  Does it have to go into a patient’s medical record?

A:  HIPAA doesn’t state precisely where or how documentation must be stored.  However, it must be secure—if you have taken proper security measures in storing your patient records, it may be logical to store documentation of disclosures there as well.  One Community Health Center creates extra blank fields in its records where uses and disclosures can be recorded, and a box that can be checked once a notice has been received and signed.

 


Q: Do employees need to sign the notice of privacy practices?

A: The notice form is intended for patient signatures.  An employee’s understanding of her organization’s privacy practices is implied in the documentation of her participation in privacy training.

 


Q:  We employ volunteer physician specialists at our organization.  Can we request a copy of their privacy and security training documentation at the facility where they are generally employed, or do we have to train them ourselves?

A:  Unfortunately, you’ll need to train everybody on your workforce, regardless of whether they’ve had previous privacy and security training at other facilities.  Even though HIPAA itself is the same from facility to facility, its manifestations in work policies will be different.  A large hospital will have very different approaches to privacy policies than will a small, single-provider office.  Each organization will have a responsibility to inform its employees of its own specific policies and procedures.

 


Q: If I give a patient a copy of his own information and he leaves it somewhere unattended in the hospital, am I responsible for the violation?

A: No.  Once a copy of medical records has been disclosed to a patient according to proper privacy procedures, responsibility for safeguarding the copy falls to the patient.  You can’t be held accountable if a patient misplaces that information.  

 


BEHAVIORAL/MENTAL HEALTH

Q:  Can mental/behavioral health patients modify their records?

A:  Speaking very generally, yes.  A patient has the right to access and request amendments to his health records.  However, the rule puts specific conditions on the disclosure of “psychotherapy notes.”  The regulation’s definition is as follows:

“Psychotherapy notes means notes recorded (in any medium) by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session and that are separated from the rest of the individual’s medical record. Psychotherapy notes excludes medication prescription and monitoring, counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date.” (See § 164.501 of the Final Privacy Rule.)

Psychotherapy notes are the principal part of a patient’s health record that the Rule expressly excludes from the patient’s right of access (the Rule also excepts information compiled in anticipation of legal proceedings).  The procedure for denying access, including the written denial the patient must receive, is set out in § 164.524(d) of the Final Privacy Rule.

A mental health patient may have access and request amendments to other portions of his mental health records.

 


Q:  Are there specific guidelines that apply to the use and disclosure of mental health records?

A:  Yes.  There are special requirements for the use and disclosure of psychotherapy notes.  Unlike other portions of a patient’s record, psychotherapy notes may only be disclosed with patient authorization—not merely consent.  Exceptions are as follows:

  • The creator of the notes does not require authorization to use psychotherapy notes for treatment.

  • Psychotherapy notes may be used by the covered entity without authorization in training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling.

  • Authorization is not required if the covered entity uses psychotherapy notes to defend a legal action brought by the individual.

  • No authorization is required if psychotherapy notes are disclosed as required by law; to the Secretary of HHS for a compliance investigation; for health oversight activities; to coroners and medical examiners as necessary; or where the covered entity believes in good faith that disclosure is necessary to avert a serious threat to the health or safety of a person or the public.  (For the text of these exceptions, see §§ 164.508(a)(2), 164.502(a)(2)(ii), 164.512(a), 164.512(d), 164.512(g)(1), and 164.512(j)(1)(i).)

 


MAILING INFORMATION & MARKETING

 Q: What should I do about mailings that contain PHI? Do I need an authorization to send them?

A: If you are sending mailings to a patient regarding his condition or treatment, those fall under the practices allowed by patient consent. Using PHI for marketing, however, generally requires a patient authorization.  (There are some exceptions; for more information, see the Office of Civil Rights’ page “Health-Related Communications and Marketing” at http://www.os.dhhs.gov/ocr/hipaa/marketing.html.)

 


Q: If we contract with an outside company that gathers demographic information for us from sources other than our own information, are we limited in the use of the information they provide?  For example, can we market to people who are listed on purchased, externally-created mailing lists?

A: HIPAA defines PHI as individually identifiable health information that a covered entity (or its business associate) creates or receives and then maintains or transmits, in any form.  A mailing list that a non-covered entity compiles from its own sources, with no data from your organization, is not PHI, so HIPAA’s marketing limitations do not apply to it.  The caveat: as soon as you match, filter, or enrich that list against your own patient records (for example, to target only the people you have treated), you are using PHI and the authorization requirements apply.

 


Q: Can you market new services to groups of patients who might need them?

A: If a covered entity is contacting a patient to let them know about certain services it provides, HIPAA doesn’t classify that as marketing.  The purpose in that sort of communication is primarily to ensure that the patient has access to services he may need, and the covered entity does not need to request a patient authorization.  Specifically, the exceptions to an authorization requirement for marketing are as follows:

  • The marketing occurs during an in-person meeting with the patient (e.g., during a medical appointment).

  • The marketing concerns products or services of nominal value.

  • The covered entity is marketing health-related products and services (of either the covered entity or a third party), the marketing identifies the covered entity that is responsible for the marketing, and the individual is offered an opportunity to opt-out of further marketing. In addition, the marketing must tell people if they have been targeted based on their health status, and must also tell people when the covered entity is compensated (directly or indirectly) for making the communication.

 


Q: Can you solicit donations from patients?

A: Yes.  HIPAA makes allowances for healthcare fundraising, recognizing that a good deal of medical funding comes from individual philanthropic donations.  However, there are definite restrictions: a covered entity may not target fundraising using medical information, only demographic information.  This means that certain condition-specific solicitations will have to be discarded.  For example, a community health center (CHC) requesting donations for a renovated oncology center cannot solicit only its former and current cancer patients; instead it will have to solicit all its patients, or those living within a certain vicinity, etc.

 


Q: Can you identify patients through the clinics to fill the required 51% patient membership of the Board of Directors?

A:  This, too, is a practice that requires no patient authorization since it falls under the heading of healthcare operations.  You can use demographic information to determine who might be an appropriate candidate to serve on the Directors’ Board, but you can’t use medical information. 

 


BUSINESS ASSOCIATES

Q:  What is a Business Associate?

A:  HHS provides a clear summary:

  • A business associate is a person or entity who provides certain functions, activities, or services for or to a covered entity, involving the use and/or disclosure of PHI.

  • A business associate is not a member of the health care provider, health plan, or other covered entity's workforce.

  • A health care provider, health plan, or other covered entity can also be a business associate to another covered entity.

  • The rule includes exceptions. The business associate requirements do not apply to covered entities who disclose PHI to providers for treatment purposes - for example, information exchanges between a hospital and physicians with admitting privileges at the hospital.

(Information from http://www.hhs.gov/ocr/hipaa/busassoc.html)

 


Q:  Do I have to put a Business Associate Agreement in place with my cleaning staff?

A:  If you contract with an outside janitorial service, we recommend it as a safeguard, though the Rule does not strictly require it.  The business associate requirement applies to functions performed on behalf of a covered entity that involve the use or disclosure of PHI; HHS’s position is that services such as janitorial work, where any contact with PHI would be incidental at most, do not require an agreement.  An outside janitorial staff nonetheless works unsupervised in areas where PHI is kept, so a Business Associate Agreement with anyone who may come in contact with PHI is a conservative measure, and it should be paired with the more effective control: keeping PHI out of reach (records locked away, desks cleared, and screens logged off) when the cleaning crew is present.

 


Q:  Do residency programs require Business Associate Agreements?

A:  Yes.  A residency program’s function is to provide training for students.  To this end, a residency program may contract with covered provider entities, which makes the program and the covered entities business associates of one another: the covered entities provide the training service on behalf of the residency program.  While disclosures of PHI for purposes of treatment are allowable without a Business Associate Agreement, disclosures for Health Care Operations are not.  Training, as listed in the definition of Health Care Operations above, falls under that category; therefore, residency programs would be wise to implement contracts with the covered entities that provide residency training. 

 


Q: If I submit aggregate data to another entity, do I need a Business Associate Agreement?

A: No.  Aggregate data does not contain individually identifiable health information.  If all that your accountant sees in processing your records is aggregate data, nothing he comes in contact with can be used to identify an individual.  One caveat: the aggregates must be coarse enough that no individual can be picked out of them.  A count of one or two patients in a narrow category (a rare diagnosis in a small town, for example) can still identify someone, and such data is not truly aggregate.

 


Q: Are we held liable for clearinghouses’ noncompliance in billing?

A: Technically, you are.  However, that’s what the testing and documentation processes exist for.  If you contract with a clearinghouse that has provided you with proof of HIPAA-compliant billing processes and successful testing, you should have nothing to worry about. You need copies of those documents as your insurance, though—don’t hesitate to prod your clearinghouse until you get them.

 


 Security

 

Q:  What is the Security Rule?

A:  The Security Rule is designed to provide standard safeguards, administrative, physical, and technical, for protecting PHI that is stored or transmitted electronically.  It is intended to ensure that such PHI cannot be altered, misused, or destroyed in electronic transmission or storage, and that workforce behavior and administrative procedures reinforce the priority of patient information security.

 


Q:  When is the Security compliance deadline?

A:  The Rule has not yet been finalized.  HHS expects that it will release the final rule in October of this year, which would mandate a compliance deadline of late 2004/ early 2005.  However, until the Rule is released, all estimated deadlines are merely speculative. 

 


Q:  What does my organization need to do to become compliant?

A:  Because the Rule has not yet been finalized, it’s difficult to say precisely what steps will be required to achieve compliance.  However, the proposed Rule requires organizations to assess their security needs and risks and to devise and implement strategies to address those concerns.  The requirements will fall into the following categories:

·        Administrative Procedures.  Formal practices must be documented, dictating how security measures will be selected and executed.  The entire workforce must know and understand these procedures.

·        Physical Safeguards.  Computer workstations and systems, physical structures and equipment must be protected from hazards and intrusions.

·        Technical Security Services and Mechanisms.  Measures must be taken to monitor use of data and to prevent unauthorized access to patient information within the network.

 


Q:  What is entailed in performing a gap/risk analysis?

A:  The Security Rule asks you to look closely at what your organization is doing and compare your practices with the ones the Rule requires.  Assessing your current approach to security is the best way to determine your next course of action.  A practical sequence:

1.      Map information flows.  Trace how patient information moves through your organization.  Who has access to what information?  Is that access limited in any way?  How is the information stored, and how is it transmitted between individuals and organizations?

2.      Walk through the facility as a patient would.  Sign in, wait in the waiting room, wander through the halls, and make note of the information you can easily come in contact with.

3.      Interview your IT and billing staff.  Find out what actually happens day to day with computer workstations, password use, logins, etc., as distinct from what policy says should happen.

4.      Compare your findings with the Rule.  Collect your findings, compare them with the Security Rule’s requirements, and determine where the areas of exposure are.

5.      Rank by risk.  Decide which gaps present the highest risk to your organization, and build a prioritized checklist for implementation and change from that ranking.

Document each step of the assessment.  Keep all your notes from walk-throughs and interviews as the record of your internal audit, and maintain a copy of your prioritized risk assessment in your records as well.

 


Q:  The proposed Rule alludes to some kind of certification process.  How will this be accomplished?

A:  Once again, we can’t be sure what to expect until the Rule is finalized.  Some language within the proposed Rule indicates that certification may occur in-house, perhaps through a series of checklists and documentation requirements.  Other language suggests that a third-party certifying authority will exist.  This may be a small group of IT and security systems vendors who may receive some kind of accreditation as HIPAA certifying authorities.  But until the final Security Rule is published, we won’t know for certain how the certification process will occur.

 


Q:  Since the Security Rule isn’t finalized yet, is it necessary to begin work on implementation now?

A:  While it makes sense to wait until the final Rule is published before spending money on security implementation, there are some things you can start doing now with in-house resources.  You’ll have to begin examining your current privacy policies and procedures in order to meet the April 14th, 2003 privacy compliance deadline.  It makes sense to review your security policies and procedures at the same time.  Make notes of security policies that will need to be changed.  Get started on your gap assessment—you can start analyzing your current information flows now.  When the final Rule is released, you’ll already have the information necessary to begin a comparison.  You can also begin corresponding with your IT and software vendors. 

 
