With so much riding on all this, it's important to dispel the myths surrounding HIPAA compliance:
12. HIPAA compliance is only relevant to the doctor - Actually, HIPAA's passage was intended in large part to address the protection of patients' rights. The privacy and security components of HIPAA are not so much about how you practice, but how you protect your patients' rights to privacy and the security of their information.
11. Other providers will refer to me even though I'm not HIPAA compliant - Once other health care providers learn you are not HIPAA compliant, they are prohibited from referring patients to you and discussing patients with you without specific written authorization.
10. I don't have to do anything to be HIPAA compliant; my office software vendor says I'm already HIPAA compliant because its software is - While having HIPAA-compliant office software is important, it doesn't make your office compliant. You are required to abide by all of the other HIPAA requirements noted in this article.
9. My state laws have no effect on my HIPAA compliance - You are required to consider both the HIPAA laws and your state privacy/security laws, and abide by whichever are stricter. You must be aware of both as you make your office HIPAA compliant.
8. I don't need to be HIPAA compliant because I don't have more than 10 employees - This often-quoted misconception only applies to Medicare's HIPAA compliance requirement for electronic billing. You can apply for an exemption in this area, but you must be HIPAA compliant in all areas for all other types of patients. Medicare will require electronic billing effective Oct. 16, 2004, for those who do not qualify for an exemption.[1]
7. I don't need to be HIPAA compliant if I have a cash practice or don't do electronic billing - This is a common misconception. First of all, the HIPAA privacy requirements in effect as of April 14, 2003, still apply to your office. You can't escape your responsibility for the privacy portion of HIPAA, regardless of how you practice.
Second, as Aetna has already announced, most health insurance organizations will be requiring their providers to file reimbursement claims electronically. Paper reimbursement claims will no longer be accepted. Aetna will not accept paper claims after Sept. 15, 2003.[2]
6. My office doesn't need its own compliance manual - The HIPAA laws state clearly that your office is required to have "formal documented procedures" specific to your practice. These must include "core elements" of the HIPAA law, documented "required elements" and documented "implementation requirements," as they apply to your practice. Your practice needs to have a list of the HIPAA requirements and how your office procedures comply with those requirements. This information must be documented in your compliance manual.
5. My office doesn't have to have a privacy officer - Designating a privacy officer is not only required by HIPAA, but is necessary to ensure the privacy of your patients' health information.
4. All I need to do is use the right HIPAA forms to be HIPAA compliant - The right forms are important, especially when revealing private patient information to others (such as personal-injury attorneys). However, just having the right forms doesn't satisfy the other HIPAA requirements listed in this article, and it doesn't make your office HIPAA compliant.
3. My vendors don't have to provide my office with proof of HIPAA compliance - Besides other treating entities, every person and company you send or share patient health information with must sign a business associate agreement and possibly a "chain of trust" agreement that requires them to comply with the HIPAA privacy regulations. It is your responsibility to be certain they are implementing the HIPAA privacy standards before you share patient health information (PHI) with them.
2. I just need to know about HIPAA; I don't have to do anything else - This is one of the worst misconceptions about HIPAA, and the most likely to lead the doctor into situations that could result in disciplinary action. Knowing about HIPAA is not enough. The HIPAA privacy and security requirements must be implemented in the doctor's practice as part of the standard procedures used in the care of patients.
1. No one will ever check to see if I am HIPAA compliant - Every vendor, payer, malpractice insurance company, personal-injury attorney, hospital and health care provider is required to be HIPAA compliant, and most of them will require you to be as well. You will be asked to sign a "Business Associate Agreement" to demonstrate you are HIPAA compliant. Signing this agreement without being HIPAA compliant is fraud.[3]
In addition, the Office of Civil Rights has been assigned to investigate violations of HIPAA requirements. It has already instituted an online complaint form and severe civil and criminal penalties, with fines as high as $250,000 per occurrence. Disgruntled former employees, embarrassed patients and attorneys are expected to file most of the complaints against providers.[4]
- [2] Aetna mandates electronic claims submission. Dynamic Chiropractic, July 14, 2003. www.chiroweb.com/archives/21/15/01.html.
- [3] Business Associate Agreements are coming! Dynamic Chiropractic, Jan. 27, 2003. www.chiroweb.com/archives/21/03/20.html.
- [4] HIPAA Privacy Laws: violators face jail time, fines up to $250,000, and no payments by insurance companies. Dynamic Chiropractic, Jan. 1, 2003. www.chiroweb.com/archives/21/01/21.html.