DC: Many doctors are hearing and talking about HIPAA, the Health Insurance Portability and Accountability Act of 1996, but are uncertain about their obligations. Can you give us your background on HIPAA, and your level of authority?
Ross: I have been a health insurance and health management consultant to chiropractors since 1972. For the last three months, I have been specifically working on the issues of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) from the standpoint of what's going to be required to teach in my seminars, and the management of the doctor's office relative to HIPAA. My office has been assembling and coordinating all the HIPAA documents available from the public and private sectors, so that we have a decent database of information and briefs.
I'm working with a number of groups, including the Maryland Health Care Commission, which was sanctioned in 1999 as a consortium under a state grant, and also has a contract grant through the Department of Health and Human Services (DHHS) for the assistance and implementation of HIPAA. I'm on the commission's structure committee, which consists of about 30 people. I'm also on the North Carolina Health Information and Communications Alliance. In both of these relationships, I worked on and assisted in the preparation of the Guide to Privacy Readiness, which was produced by the Maryland Health Care Commission, and a program developed by the North Carolina Health Information and Communications Alliance called Early View, which was sold to its member doctors to determine if they were in compliance with policies and procedures.
I'm also on a committee of the Workgroup for Electronic Data Interchange (WEDI) out of Virginia, a large consortium of different types of organizations, including insurance companies and electronic data facilities, and they are the ones that have created the majority of the work. They are also under a DHHS contract and created the ASCX Electronic Data Interchange standards for claims submission process, and the other eight claims standards that were created by HIPAA. They've also created the Strategic National Implementation Process (SNIP). In a subcommittee of the SNIP, we created a small practice implementation discussion draft (SPIDD), which we have now disseminated over the last month or two to members of SNIP.
I'm also on a subcommittee for Georgetown and Columbia Universities, which have DHHS grants for implementing HIPAA.
DC: Can you give us a brief overview of HIPAA and its general objective?
Ross: HIPAA was passed by Congress in 1996, and was meant to make insurance portable for employees that are changing jobs. People were losing their health care benefits when going from one employer to another. There needed to be a law to prevent loss of benefits, since each state had a different set of laws on how pre-existing conditions affected new policies. They changed pre-existing conditions clauses and created an accountability section. There are four things that a doctor needs to be concerned about:
Ross: The first two of these provisions (national standards and identifiers) are just going to happen to the doctor; they [DHHS] have created eight different kinds of national standards for submitting insurance information electronically. These are electronic:
DC: At what level is the doctor liable when privy to patient information under HIPAA?
Ross: Faxing, for example, falls under the security and privacy provision of the act. The cost of administering health care is currently 25 cents on every dollar. When Congress worked on this, it asked, "What are some of the ways we can simplify administration and cut costs?" One solution was a design such that each insurance company doesn't have different claim forms or other qualifications, and no company can request a different claim form, or request to verify eligibility one way as opposed to another. With this plan, they basically standardize the submission process.
DC: For doctors to take advantage of this, they will have to be under HIPAA jurisdiction?
Ross: You are a covered entity if you utilize any one of the eight standards mentioned earlier. I don't usually worry about things like national HIPAA standards, because once doctors submit something that is wrong, they will get the claim back unpaid, saying that it doesn't fit in with the correct standards - either that, or you're running a free clinic! Whether it's in paper or electronic form, it won't make a bit of difference to the insurance company.
The national HIPAA standards also include some coding issues. Everybody will use the CPT codebook, and the ICD-9 diagnosis codebook, and the federal medical devices codebook. Since October 16, doctors are no longer able to use what's called a "local code." If they fail to comply with these standards, they will find out real quickly!
On national identifiers, every doctor will be given:
DC: Can you address some of the things a doctor might be liable for in an office under HIPAA?
Ross: The doctor, whether considered a "covered entity" or not, must maintain privacy, because the privacy issue isn't going to go away. Doctors must make sure they have established a policy, a procedure, and are training their staff to protect patient privacy. Two examples are computer monitors with patient information on them, or the recent question answered by the DHHS and OCR, concerning public sign-in sheets that can state a patient's name, but not a condition. Also, charts and records left on the door of a doctor's office are permissible, but come with the responsibility of the staff making sure those records are not left in the hands of those unauthorized to see them.
There is also a "chain of trust," which applies to those contracted with a doctor to send and receive patient records. Such contractors are covered entities, business associates, and all must meet the same requirements for privacy and security as if they were covered entities.
DC: So you're saying that if doctors don't comply, they can be denied payment?
Ross: That could be one of the outcomes, but I'm not going to say that this is automatic. An insurance company is required under the gigantic federal law to make people business associates. You can rest assured they're not going to pay a doctor who's not a business associate.
DC: So, one way or another, the doctor must comply with the HIPAA privacy provisions?
Ross: Yes, the associated business is under the chain of trust contract; even a company such as a janitorial service may have to sign a statement of confidentiality or a chain of trust form.
Let's say you faxed something out, and it went to the wrong person; the patient files a complaint, and it goes to OCR. Representatives come to your office, and you show how your equipment proves that it went to the right phone number, and that you have authorization on a patient disclosure form to use a fax or email. You have only made a mistake, and you won't be fined or penalized. Without that manual that is specific to you or your office (and if it looks like a 'boiler-plated' manual, the OCR and DHHS won't consider it applicable to your office), this complaint could result in a fine or worse. We saw this in the past, when a number of offices copied manuals, and they found that no work was done to make the manual applicable.
DC: It looks as if the doctors are going to have to go after this proactively.
Ross: One important thing to remember about this is that if you read too much into it, it becomes extremely complicated. Once you put into writing what is necessary, you don't have a lot of work to do. If a step-by-step procedure is written, one doesn't have to worry. For the small practitioner, manuals can be less than 100 pages. Requirements for matters such as privacy will just boil down to a simple procedure, involving such things as firewalls to protect computer systems and passwords to protect information. Common sense says that one doesn't have to tear an office up and buy thousands of dollars' worth of equipment.
Many people have asked me about information transmitted through copy machines, fax machines and computers, and we have adopted all these in our practices. There are currently some viruses that are specifically designed to enter and find patient names and diagnoses. The chiropractic profession doesn't know much about this; it doesn't know about the pharmaceutical companies attempting to obtain names and addresses of patients, and the marketing that goes on in that area. Yet, that is a large issue, and one of the main reasons that HIPAA's privacy and security will go into effect. Your systems are vulnerable; the diagnoses of your patients are vulnerable. Once the diagnosis can be tied to your patient's name and address, you have a problem.
We have more laws protecting credit information than protecting patient diagnosis information. Now you're seeing the first law for patient protection. Instead of having patchwork state laws do it, we have a baseline federal law. This is going to be implemented locally, allowing states to individually implement it, with the states' rules generally being tougher than those of HIPAA. An example of this is the time deadline for giving a patient a copy of records, which is five days in California, but 30 days under HIPAA. Of course, the five-day deadline would apply in this case.
DC: What about security issues?
Ross: Inside the security provision, the act requires that four issues be addressed:
DC: Thank you, Mr. Ross, for the wealth of information. We anticipate a large number of responses and questions from your interview. Would you be willing to answer questions from our readers in another article?
Ross: I will be glad to answer any questions from your readers, and provide a consortium of others available to readers.
(Editor's note: Readers with HIPAA-related questions may submit them to editorial@mpamedia.com. We will compile your questions, and have Mr. Ross answer them in an article.)
Many relevant diagnostic signs are not performed deliberately by the examiner or by the patient at the examiner’s direction. They are observed as the patient reacts to their condition. Fortin’s finger sign, Minor’s sign, and Vanzetti’s sign are three examples of this principle.
On Feb. 1, 2024, two more legislators – John R. Carter (R-Texas) and Robert “Bob” Good (R-Va.) – co-sponsored the Chiropractic Medicare Coverage Modernization Act of 2023, bringing the co-sponsor total to 155, two more than the total achieved over the entire two-year congressional cycle in which identical legislation last appeared (2021-22).
While working at the Lovelace Medical Center in Albuquerque, N.M., one of the primary care physicians stated that imaging every patient prior to receiving chiropractic was not medically necessary. It was at that point I reconsidered the need for the imaging of every patient to avoid malpractice.
