RM Services
Frequently Asked Questions
Office Practice Risk Evaluations
Arbitration
Self-Evaluation Toolkit
RM Articles
CAPsules Editions
CME Program/Schedule
RM Questions
RM Materials / Forms
RM Alerts
Case Of The Month - Past Issues

More HIPAA Compliance Issues for Physicians

by Dan Groszkruger, JD, MPH
Consulting Editor

By now, most physicians are aware of the federal HIPAA regulations

Physicians must submit a request, on or before October 15, 2002, in order to qualify for the one-year extension of the deadline for Transactions & Code Sets compliance.

(the Health Insurance Portability and Accountability Act of 1996), that will change the way physicians deal with medical records, both at hospitals and in their own medical offices. This article is another in a series, designed to alert CAP-MPT Members to the new requirements of HIPAA and to provide some practical information to assist in the HIPAA compliance process.¹

In essence, health care providers will be required to adopt new safeguards on patient privacy when medical records are sent elsewhere.

Keeping in mind that future changes are likely, and that the following advice is based on the latest facts, this article focuses on just two important questions:

1. Will most physicians, even those in solo practice, come under the new federal HIPAA requirements?
   • All signs indicate YES!
     Perhaps a natural reaction to first hearing about this new federal regulatory scheme is, “HIPAA cannot apply to me!” But, it appears that most physicians (and virtually all other providers of health care services) will have to comply with the new rules. Specifically, every provider who transmits health information in electronic form must comply with HIPAA.² Physicians in small practices (i.e., fewer than 10 FTE employees) are exempt from the requirement to submit Medicare claims electronically.³ It remains unclear, however, whether other claims may also be submitted on paper. And, if their paper claim forms are subsequently converted to electronic form (e.g., by an insurer or billing service), those same physicians may still have to comply with HIPAA laws governing Privacy and Security. That is, most physicians may not be able to maintain their small medical practices in a purely “paper world.”
     
     
   • There are no exceptions for solo or small-group practitioners. The only feature that recognizes differences between a rural family practice and a university teaching hospital is “scalability.” This is an admission by the regulators that smaller, less sophisticated entities will be unable to apply the type of skills and resources that may be available in a larger organization. But, no physician practice appears likely to avoid HIPAA compliance altogether.
   
   
2. What compliance deadlines apply to physicians?
   • Most compliance questions center on exactly what deadlines will apply. In fact, there are three separate sections of the HIPPA Administrative Simplification section, each with different compliance deadlines:
     • Transactions & Code Sets,
     • Privacy, and
     • Security
   • Compliance with HIPAA’s “Transactions & Code Sets” EDI (Electronic Data Input) rules will be due October 16, 2002:
     By October 16, 2002, physicians submitting claims for payment electronically will have to comply with these new rules.⁴ This submission will require standardized:
     • physician identifier codes,
     • patient identifier codes,
     • encounter and procedure codes, and,
     • billing codes.
     
     The Department of Health & Human Services (DHHS), however, has not yet finished the specific identifiers or code sets that will be accepted. Thus, accepting DHHS’s offer to extend this deadline for an additional year appears to be a practical necessity for most physicians or medical groups. But, the physician/group must submit a request for an extension. The application form for requesting the one-year extension for compliance with Transactions & Code Sets may be accessed and submitted via the Internet, at: http://aspe.hhs.gov/admnsimp. If you do not have access to the Internet, please contact CAP Risk Management at 213-473- 8788 to receive a faxed copy.
     
     
     • Compliance with the new HIPAA Privacy rules is due April 14, 2003: Although the final rules were published over a year ago, DHHS has changed them significantly. It is still unclear whether further changes to the Privacy rules are yet to come.
     • Compliance with Security regulations will be two or more years away. The final Security regulations have not yet been published. Although the final Security regulations are expected this summer, no compliance deadline exists. The regulations require compliance 24 months after publication.
   
   The clear intent of the HIPAA regulations is to achieve great breadth of application. Physicians are well-advised to assume they must comply, rather than delay any action, hoping for an exemption.
   
   

   ---

   ¹ CAPsules does not offer legal advice, and this article is not intended as a substitute for professional legal advice. The information contained in this article is offered for general information purposes, only. You may need to consult a qualified attorney if you seek legal advice about specific compliance issues.
   
   ² 42 CFR § 160.103.
   
   ³ Public Law 107-105 exempts “small providers of services” from Medicare electronic filing requirements.
   
   ⁴ “Small Providers of services,” including physicians with fewer than 10 FTE employees, are not required to submit claims electronically; there is a possibility, not a probability, that small medical practices will be able to avoid compliance with HIPAA by remaining exclusively “paper-based.”