
HIPAA myths
For the purpose of dispelling some common HIPAA fallacies, the
Blue Plans in Pennsylvania have jointly written statements to refute
the following myths about HIPAA.
These myths have been grouped into major categories for ease of
use.
Please keep in mind all myths appearing below are just that -- myths.
They are false.
HIPAA myths for health plan members
HIPAA myths for providers
HIPAA myths for employer groups

HIPAA myths for health plan members
General compliance
Myth: HIPAA is an information technology thing.
Reality: No, it isn't. HIPAA impacts all business units of
a health care organization. HIPAA is not Y2K. It has serious impacts
on such things as privacy, security, provider numbers, health care
data communication and code sets. With health care organizations
working to assess and modify their current operations to achieve
compliance, patients may see changes in how their physician offices
conduct certain activities pertaining to their health information.

Privacy
Myth: Individuals are entitled to free copies of their records.
Reality: Not entirely! While individuals are able to view and obtain
copies of their records, the law specifically allows healthcare
entities to impose a reasonable, cost-based fee for certain services.
The following is an excerpt taken directly from the Final Privacy
Rule; § 164.524 Access of individuals to protected health information:
"If the individual requests a copy of the protected health
information or agrees to a summary or explanation of such information,
the Covered Entity may impose a reasonable, cost-based fee, provided
that the fee includes only the cost of:
(i) Copying, including the cost of supplies for and labor of copying,
the protected health information requested by the individual;
(ii) Postage, when the individual has requested the copy, or the
summary or explanation, be mailed; and
(iii) Preparing an explanation or summary of the protected health
information."

Myth: HIPAA will eliminate the use of sign-in sheets in medical
offices.
Reality: Not true. The original intent of the law was not to prohibit
the use of sign-in sheets but to make sure providers understand
that care must be taken to protect the privacy of individuals. In
the Final Privacy Rule published in the Aug. 14, 2002 Federal Register,
the Department of Health and Human Services adopted modifications
to the rule to clarify this and similar practices that are permissible
"explicitly as certain incidental uses or disclosures that
occur as a by-product of a use or disclosure otherwise permitted
under the Privacy Rule." In addition, an incidental use or
disclosure is permissible only to the extent that the covered entity
has applied reasonable safeguards and implemented the minimum necessary
standards as outlined in the regulations.

Myth: Once Privacy is implemented, prescriptions can only be
picked up at the pharmacy by the patient.
Reality: No, the regulation explicitly dispels this myth. The regulation
states: "A Covered Entity may use professional judgment and
its experience with common practice to make reasonable inferences
of the individual's best interest in allowing a person to act
on behalf of the individual to pick up filled prescriptions, medical
supplies, X-rays, or other similar forms of protected health information."
See Section 164.510(b)(3).

Myth: HIPAA will prohibit the use of faxes containing protected
health information.
Reality: Not true! HIPAA, as well as most federal regulatory requirements,
does not specifically address the use of faxes. The American Health
Information Management Association has a practice brief on Facsimile
Transmission of Health Information available on its Web site. The
Internet address of this practice brief is: http://www.ahima.org/journal/

Security
Myth: Inside an insurance company or medical office, anyone can
look at my health information.
Reality: False! Under HIPAA, employees of insurance companies or
medical offices must take precautions to keep patient health information
private and secure. They cannot, for example, leave folders lying
out on counters or in public spaces. Also, employees are instructed
not to discuss patients or their cases in public. Finally, information
systems must have extensive security software in place.

Transactions and code sets
Myth: HIPAA will eliminate paper claims.
Reality: No, not for non-Medicare claims; however, Medicare claims
may be affected. HIPAA does not mandate that health care entities
that submit health information on paper today must submit it electronically
when the standard transactions are implemented.
However, the Administrative Simplification Compliance Act (ASCA)
signed by President George Bush in December 2001 may have an impact
on paper claims if submitted to Medicare. The following clarification
comes from the Centers for Medicare and Medicaid Services
Web site:
"ASCA prohibits HHS from paying Medicare claims that are not
submitted electronically after Oct. 16, 2003, unless the Secretary
grants a waiver from this requirement. It further provides that
the Secretary must grant such a waiver if there is no method available
for the submission of claims in electronic form or if the entity
submitting the claim is a small provider of services or supplies.
Beneficiaries will also be able to continue to file paper claims
if they need to file a claim on their own behalf. The Secretary
may grant such a waiver in other circumstances. We will publish
proposed regulations to implement this new authority."
ASCA defines a small provider of services or supplies as:
(A) a provider of services with fewer than 25 full-time equivalent
employees; or
(B) a physician, practitioner, facility, or supplier (other than
provider of services) with fewer than 10 full-time equivalent employees.
HIPAA myths for providers
General compliance
Myth: If I contract with a vendor or vendors for transactions
and code sets, privacy and security, they will make me 100 percent
HIPAA compliant.
Reality: Not true. A software vendor, HIPAA consulting firm or
clearinghouse can provide valuable services to Covered Entities.
However, individual Covered Entities will still be responsible for
doing much of the work needed to achieve compliance. No vendor can
make a Covered Entity 100 percent HIPAA compliant through software
alone.
Covered Entities will be responsible for several items themselves,
such as:
- Assessing and training their employees on the impact of the
elimination of local codes.
- Collecting and submitting more and different data elements for
claims and other HIPAA transactions than they do today.
- Reviewing and comparing all current business associate contracts
to the HIPAA requirements.
- Ensuring clear confidentiality and privacy policies and practices.
- Employing media and physical access controls and workstation
use policies.

Myth: HIPAA is an information technology thing.
Reality: No, it isn't. HIPAA impacts all business units of
an organization. HIPAA is not Y2K. It has serious impacts on such
things as privacy, security, provider numbers, health care data
communication and code sets. Regardless of whether a Covered Entity
uses a clearinghouse, the Covered Entity itself will have to do
much of the work needed to achieve compliance. This includes collecting
and submitting much more data than today, training staff on the
new requirements, and assessing and modifying many of its current
operations.

Privacy
Myth: Patients are entitled to free copies of their records.
Reality: Not entirely. While patients are able to view and obtain
copies of their records, the law specifically allows Covered Entities
to impose a reasonable, cost-based fee for certain services.
The following is an excerpt taken directly from the Final Privacy
Rule; § 164.524 Access of individuals to protected health information:
"If the individual requests a copy of the protected health
information or agrees to a summary or explanation of such information,
the Covered Entity may impose a reasonable, cost-based fee, provided
that the fee includes only the cost of:
(i) Copying, including the cost of supplies for and labor of copying,
the protected health information requested by the individual;
(ii) Postage, when the individual has requested the copy, or the
summary or explanation, be mailed; and
(iii) Preparing an explanation or summary of the protected health
information."

Myth: HIPAA will eliminate the use of sign-in sheets in medical
offices.
Reality: Not true. The original intent of the law was NOT to prohibit
the use of sign-in sheets, but to make sure providers understand
that care must be taken to protect the privacy of their patients.
In the Final Privacy Rule published in the August 14, 2002 Federal
Register, the Department of Health and Human Services adopted modifications
to the rule to clarify this and similar practices that are permissible
"explicitly as certain incidental uses or disclosures that
occur as a by-product of a use or disclosure otherwise permitted
under the Privacy Rule." In addition, an incidental use or
disclosure is permissible only to the extent that the covered entity
has applied reasonable safeguards and implemented the minimum necessary
standards as outlined in the regulations.

Myth: Once Privacy is implemented, prescriptions can only be
picked up at the pharmacy by the patient.
Reality: False; the regulation explicitly dispels this myth. The
regulation states: "A Covered Entity may use professional judgment
and its experience with common practice to make reasonable inferences
of the individual's best interest in allowing a person to act
on behalf of the individual to pick up filled prescriptions, medical
supplies, X-rays or other similar forms of protected health information."
See Section 164.510(b)(3).

Myth: HIPAA will prohibit the use of faxes containing protected
health information.
Reality: Not true. HIPAA, as well as most federal regulatory requirements,
does not specifically address the use of faxes. The American Health
Information Management Association has a practice brief on Facsimile
Transmission of Health Information available on its Web site. The
internet address of this practice brief is: http://www.ahima.org/journal/

Security
Myth: HIPAA will mandate the type of security system required
to be compliant.
Reality: No, this is not the intent of the proposed regulation.
The Department of Health and Human Services has addressed this issue
in its Frequently Asked Questions on Security.
It is the department's opinion that "To select a specific
technology to satisfy the security requirements found in HIPAA would
tend to bind the health care community to systems and/or software
that may soon be superseded by rapidly developing technologies and
improvements."
The Security Standard was developed with the intent of remaining
technologically neutral to facilitate adoption of the
latest and most promising developments in this dynamic field and
to meet the needs of health care entities of different size and
complexity. The Security Standard is a compendium of security requirements
that must be satisfied. The particular solution will vary from business
to business but each will meet the basic requirements.

Transactions and code sets
Myth: HIPAA has been delayed by a year.
Reality: Not exactly! On Dec. 27, 2001, President George Bush signed
into law the Administrative Simplification Compliance Act (ASCA).
The provisions in this law allow Covered Entities to be granted
a one-year extension on the implementation of the Standard Transactions
and Code Sets if the Covered Entities file for a HIPAA extension.
ASCA does not extend the mandated Privacy compliance date of April
14, 2003.
Covered Entities must complete a Compliance Extension Plan and
submit it to the Department of Health and Human Services (HHS) by
Oct. 15, 2002, to receive an extension. All Covered Entities who
properly file for and receive an extension must begin testing HIPAA
compliant transactions no later than April 16, 2003, and implement
these into production by Oct. 16, 2003.

Myth: HIPAA will eliminate paper claims.
Reality: No, not for non-Medicare claims; however, Medicare claims
may be affected. HIPAA does not mandate that Covered Entities that
submit health information on paper today must submit it electronically
when the standard transactions are implemented.
However, the Administrative Simplification Compliance Act (ASCA)
signed by President Bush in December 2001 may have an impact on
paper claims if submitted to Medicare. The following clarification
comes from the Centers for Medicare and Medicaid Services
Web site:
"ASCA prohibits HHS from paying Medicare claims that are not
submitted electronically after Oct. 16, 2003, unless the Secretary
grants a waiver from this requirement. It further provides that
the Secretary must grant such a waiver if there is no method available
for the submission of claims in electronic form or if the entity
submitting the claim is a small provider of services or supplies.
Beneficiaries will also be able to continue to file paper claims
if they need to file a claim on their own behalf. The Secretary
may grant such a waiver in other circumstances. We will publish
proposed regulations to implement this new authority."
ASCA defines a small provider of services or supplies as:
(A) a provider of services with fewer than 25 full-time equivalent
employees; or
(B) a physician, practitioner, facility, or supplier (other than
provider of services) with fewer than 10 full-time equivalent employees.


HIPAA myths for employer groups
General compliance
Myth: We fully insure our group health plan so HIPAA does not
apply to our organization.
Reality: Not true! While HIPAA does not cover employers, it does
impact an employer's group health plan. While self-insured
group health plans will be most impacted by HIPAA regulations, fully
insured group health plans have a responsibility to comply as well.

Myth: If I, as a self-insured health plan, contract with a vendor
or vendors for transactions and code sets, privacy and security,
they will make me 100 percent HIPAA compliant.
Reality: False. A software vendor, HIPAA consulting firm or clearinghouse
can provide valuable services to Covered Entities. However, individual
Covered Entities will still be responsible for doing much of the
work needed to achieve compliance. No vendor can make a Covered
Entity 100 percent HIPAA compliant through software alone.
Covered Entities will be responsible for several items themselves,
such as:
- Assessing and training their employees on the impact of the
elimination of local codes.
- Collecting and submitting more and different data elements for
claims and other HIPAA transactions than they do today.
- Reviewing and comparing all current business associate contracts
to the HIPAA requirements.
- Ensuring clear confidentiality and privacy policies and practices.
- Employing media and physical access controls and workstation
use policies.

Myth: HIPAA is an information technology thing.
Reality: No, it isn't. HIPAA impacts all business units of
an organization. HIPAA is not Y2K. It has serious impacts on such
things as privacy, security, provider numbers, health care data
communication and code sets. Regardless of whether a Covered Entity
uses a clearinghouse, the Covered Entity itself will have to do
much of the work needed to achieve compliance. This includes collecting
and submitting much more data than today, training staff on the
new requirements, and assessing and modifying many of its current
operations.

Myth: HIPAA prevents an employer from using any health information
for personnel decisions.
Reality: Not entirely. There are limited exceptions such as medical surveillance
of the workplace, work related illness evaluations and drug tests used to comply
with the Drug-Free Workplace Act.
While HIPAA does not include employers per se as covered entities,
the employer entity may be subject to other laws and regulations
applicable to the use or disclosure of information in an employee's
employment record. The HIPAA Privacy Rule excludes employment records
maintained by a covered entity in its capacity as an employer from
the definition of "protected health information." The rule clarifies
that medical information needed for an employer to carry out its
obligations under FMLA (Family Medical Leave Act), ADA (Americans
With Disabilities Act) and similar laws, as well as files or records
related to occupational injury, disability and justifications, drug
screening and fitness-for-duty tests of employees may be part of the
employment records maintained by the covered entity in its role as
an employer.

Privacy
Myth: HIPAA will prohibit the use of faxes containing protected
health information.
Reality: False. HIPAA, as well as most federal regulatory requirements, does
not specifically address the use of faxes. The American Health Information Management
Association has a practice brief on Facsimile Transmission of Health Information
available on its Web site. The internet address of this practice brief is:
http://www.ahima.org/journal/

Security
Myth: HIPAA will mandate the type of security system required
to be compliant.
Reality: No, this is not the intent of the proposed regulation. The Department
of Health and Human Services has addressed this issue in its Frequently Asked
Questions on Security.
It is the department's opinion that "To select a specific
technology to satisfy the security requirements found in HIPAA would
tend to bind the health care community to systems and/or software
that may soon be superseded by rapidly developing technologies and
improvements."
The Security Standard was developed with the intent of remaining
technologically neutral to facilitate adoption of the
latest and most promising developments in this dynamic field and
to meet the needs of health care entities of different size and
complexity. The Security Standard is a compendium of security requirements
that must be satisfied. The particular solution will vary from business
to business but each will meet the basic requirements.

Transactions and code sets
Myth: HIPAA has been delayed by a year.
Reality: Not exactly! On Dec. 27, 2001, President George Bush signed
into law the Administrative Simplification Compliance Act (ASCA).
The provisions in this law allow Covered Entities to be granted
a one-year extension on the implementation of the Standard Transactions
and Code Sets if the Covered Entities file for a HIPAA extension.
ASCA does not extend the mandated Privacy compliance date of April
14, 2003.
Covered Entities must complete a Compliance Extension Plan and
submit it to the Department of Health and Human Services (HHS) by
Oct. 15, 2002, to receive an extension. All Covered Entities who
properly file for an extension by Oct. 15, 2002, must begin testing
HIPAA compliant transactions no later than April 16, 2003, and implement
these into production by Oct. 16, 2003.

Myth: HIPAA will eliminate paper claims.
Reality: No, not for non-Medicare claims; however, Medicare claims
may be affected. HIPAA does not mandate that Covered Entities that
submit health information on paper today must submit it electronically
when the standard transactions are implemented.
However, the Administrative Simplification Compliance Act (ASCA)
signed by President Bush in December 2001 may have an impact on
paper claims if submitted to Medicare. The following clarification
comes from the Centers for Medicare and Medicaid Services
Web site:
"ASCA prohibits HHS from paying Medicare claims that are not
submitted electronically after Oct. 16, 2003, unless the Secretary
grants a waiver from this requirement. It further provides that
the Secretary must grant such a waiver if there is no method available
for the submission of claims in electronic form or if the entity
submitting the claim is a small provider of services or supplies.
Beneficiaries will also be able to continue to file paper claims
if they need to file a claim on their own behalf. The Secretary
may grant such a waiver in other circumstances. We will publish
proposed regulations to implement this new authority."
ASCA defines a small provider of services or supplies as:
(A) a provider of services with fewer than 25 full-time equivalent
employees; or
(B) a physician, practitioner, facility, or supplier (other than
provider of services) with fewer than 10 full-time equivalent employees.
