HIPAA & Chiropractic
It's A Law... Are You Ready?
By Linda Nadeau (Consultant / Practice Management Analyst)
Disclaimer: The information
contained here is provided free of charge. It is intended for informational
purposes only and should not be construed as legal advice or a substitution for
obtaining legal advice from an attorney licensed in your state.
HIPAA began with the simple concept of protecting patient Privacy and preserving patients' rights in their selection of healthcare, and has ended up as complex legislation and legal jargon that is difficult to interpret. After years of regulatory turmoil, only a few weeks remain until the April 14, 2003 HIPAA Privacy Compliance Deadline becomes effective. HIPAA is a law, and you must be compliant.
Many providers have procrastinated because of the difficulty in understanding what the requirements of HIPAA are, or because they believe that HIPAA does not pertain to them since patient Privacy has always been addressed in their practice; however, all providers must institute changes to meet the letter of the new Privacy law. Providers must have documented policies and practices clearly stating patient Privacy and protected health information security, even if you are a solo practitioner with no employees. Patients must receive policies from you regarding consent, authorization, disclosure and rights.
No, there will not be a HIPAA Mod Squad storming your clinic on April 14th; however, enforcement will be complaint driven, with other healthcare providers, payers, business associates and patients reporting to the Department of Health and Human Services and the Centers for Medicare and Medicaid Services. Patients and business associates will notice if your processes and services differ from those of other providers, and you will be reported. There is no escaping HIPAA; it does apply
If you are in HIPAA violation, you will face civil and/or criminal prosecution resulting in excessive monetary penalties and possible imprisonment. In addition, Privacy advocates are eager to expose delinquent providers with negative publicity that would quickly threaten your reputation and your livelihood, undermine public confidence in your profession, and alter your acceptance in the healthcare marketplace.
HOW TO GET STARTED
Designate a Privacy Officer and a Security Officer
One person may be designated for both functions. This individual must have decision-making authority. The quickest, most effective way to achieve Privacy rule compliance at this late date may be to assume that you meet none of the regulatory standards and go from there.
Determine Data Flow
Be aware of how data flows from your system to third parties (business associates), such as your clearinghouse and payers. Use a clearinghouse that is HIPAA compliant and uses transaction software that is X12 compliant. Ask the clearinghouse if they will be able to transmit the transactions in HIPAA standard format on your behalf; if not, ask what you need to do to ensure you get the transmission capabilities required. Ask similar questions of your billing system vendor. Verify that your identifiers and codes (ICD-9 CM and CPT-4) are current with vendors and payers. If the vendor has developed a HIPAA-compliant release, update your system if you have not already done so.
Long-term compliance with the accounting of disclosures provisions will only be possible if each disclosure of protected health information is recorded from day one. Covering known security vulnerabilities by installing the measures needed to protect data confidentiality, e.g., firewalls, passwords, logon/logoff procedures, and workforce training in Privacy and security
Document Policies and
All requirements must be met by the compliance deadline. Verification that HIPAA requirements have been met is written documentation of the processes of the HIPAA policies and practices. Some provisions affect patient confidentiality more immediately than others, and the absence of some may also create greater legal risks for covered entities. Implement first the policies and practices that are visible to the patient (such as the Notice of Privacy Practices, Patient Rights, Policies on Treatment Records, Record Amendments and Restriction of Access, Account of Disclosures, Staff Conduct and Standards).
Consider jump-starting the policy process by investing in a high-quality set of
development of a comprehensive set of original HIPAA policies and an operational manual can take up to a year or more to develop, and cost several thousand dollars. Customization of an authoritative set of templates can be accomplished in less than a month. Once you have everything in place, you will need to audit your practice every 90 days to ensure compliance is maintained.
HIPAA REGULATIONS SIMPLIFIED
All health care providers will have, at all times, appropriate administrative, technical, and physical safeguards to protect the Privacy of protected health information and comply with the Health Insurance Portability & Accountability Act of 1996, which includes Administrative Simplification, requiring:
- Improved efficiency in healthcare delivery by standardizing electronic data interchange, and
- Protection of confidentiality and security of health data through setting and enforcing
- Standardization of electronic patient health, administrative and financial data
- Unique health identifiers for individuals, employers, health plans and health care providers
- Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.
All health care providers will comply with HIPAA regulations, which apply to all healthcare organizations, including healthcare providers (even a 1-physician office), health plans, employers, public health authorities, life insurers, clearinghouses, billing agencies, information systems vendors, service organizations, and universities.
Effective compliance requires all health care providers to implement the following steps prior to April 14, 2003, and to maintain all policies, procedures and processes for the duration of the practice's existence, with periodic review and
- Staff awareness of HIPAA.
- Comprehensive assessment and ongoing monitoring of information security systems and of technical and management infrastructure policies and procedures.
- Developing an ongoing action plan to monitor methodologies of HIPAA compliance.
- Implementing a comprehensive action plan, including documented policies, processes, and procedures.
- Building "chain of trust" agreements with service organizations.
- Redesigning a compliant technical information infrastructure.
- Purchasing new, or adapting,
- Developing new internal
- Training and enforcement.
All health care providers will
comply with the four parts of Administrative Simplification, including:
Electronic Health Transactions Standards
- Electronic Health Transactions include health claims, health plan eligibility, enrollment and disenrollment, payments for care and health plan premiums, claim status, first injury reports, coordination of benefits, and related transactions.
- All health care providers will comply with the national standard format, thereby "simplifying" and improving transaction efficiency nationwide. The proposed rule requires use of specific electronic formats developed by ANSI, the American National Standards Institute, for most transactions except claims attachments and first reports of injury. (Proposed regulations for these exceptions are not yet out as of
- All health plans must adapt to the national standards, even if a transaction is on paper, phone, or fax.
- Providers using non-electronic transactions are not required to adopt the standards; although if they don't, they will have to contract with a clearinghouse to provide
- All health care providers must adopt Standard Code Sets to be used in all health transactions (ICD-9-CM, CMS Common Procedure Coding System (HCPCS), AMA Current Procedural Terminology (CPT-4), American Dental Codes, and National Drug Codes (NDC) J Codes). For example, coding systems that describe diseases, injuries, and other health problems, as well as their causes, symptoms and actions taken, must become uniform. All parties to any transaction will have to use and accept the same
Security & Electronic
- All health care providers will provide a uniform level of protection of all health information that is housed or transmitted electronically and that pertains to an individual.
- Electronic signatures, if used, will meet a standard ensuring message integrity, user authentication, and non-repudiation. No transactions adopted under HIPAA currently require an electronic signature, as of 12/05/02.
- The security standard mandates safeguards for physical storage and maintenance, transmission, and access to individual health information. It applies not only to the transactions adopted under HIPAA, but to all individual health information that is maintained or transmitted. However, the Electronic Signature standard applies only to the transactions adopted under HIPAA.
- As of 01/18/03, the security standard does not require specific technologies to be used; solutions will vary from business to business, depending on the needs and technologies in
Privacy & Confidentiality
In general, Privacy is about who has the right to access personally identifiable health information. The HIPAA rule covers all individually identifiable health information in the hands of covered entities, regardless of whether the information is or has been in electronic form. The current Privacy
- Limit the non-consensual use and release of private health information;
- Give patients new rights to access their medical/treatment records and to know who else has accessed them;
- Restrict most disclosures of health information to the minimum needed for the intended purpose;
- Establish new criminal and civil sanctions for improper use or disclosure;
- Establish new requirements for access to records by researchers and others.
HIPAA regulations enforce the five basic principles, more strictly defined as:
- Consumer Control: The regulation provides consumers with critical new rights to control the release of their medical/treatment information.
- Boundaries: With few exceptions, an individual's health care information should be used for health purposes only, including treatment and payment. Under HIPAA, for the first time, there will be specific federal penalties if a patient's right to Privacy
- Public Responsibility: The new standards reflect the need to balance Privacy protections with the public responsibility to support such national priorities as protecting public health, conducting medical research, improving the quality of care, and fighting health care fraud and abuse.
- Security: It is the responsibility of organizations that are entrusted with health information to protect it against deliberate or inadvertent misuse or disclosure.
- Review: Each time a patient sees a doctor, is admitted to a hospital, goes to a pharmacist or sends a claim to a health plan, a record is made of their confidential health information. For many years, the confidentiality of those records was maintained by our family doctors, who kept our records sealed away in file cabinets and refused to reveal them to anyone else. Today, the use and disclosure of this information is protected by a patchwork of state laws, leaving large gaps in the protection of patients' Privacy and confidentiality. There is a pressing need for national standards to control the flow of sensitive patient information and to establish real penalties for the misuse or disclosure of this information.
As required by HIPAA, the final regulation covers health plans, health care clearinghouses, and those health care providers who conduct certain financial and administrative transactions (e.g., electronic billing and funds transfers).
All medical/treatment records and other individually identifiable health information held or disclosed by a covered entity in any form, whether communicated electronically, on paper, or orally, are covered by the final
Consumer Control over Health
Under this final rule, patients have significant new rights to understand and control how their health information is used.
- Patient education on Privacy protections. Providers and health plans are required to give patients a clear written explanation of how they can use, keep, and disclose their health
- Ensuring patient access to their medical/treatment records. Patients must be able to see and get copies of their records, and request amendments. In addition, a history of most disclosures must be made accessible to patients.
- Receiving patient consent before information is released. Patient authorization to disclose information must meet specific requirements. Health care providers who see patients are required to obtain patient consent before sharing their information for treatment, payment, and health care operations purposes. In addition, specific patient consent must be sought and granted for non-routine uses and most non-health care purposes, such as releasing information to financial institutions determining mortgages and other loans or selling mailing lists to interested parties such as life insurers. Patients have the right to request restrictions on the uses and disclosures of their information.
- Ensuring that consent is not coerced. Providers and health plans generally cannot condition treatment on a patient's agreement to disclose health information for non-routine uses.
- Providing recourse if Privacy protections are violated. People have the right to complain to a covered provider or health plan, or to the Secretary, about violations of the provisions of this rule or the policies and procedures of the covered entity.
Medical/Treatment Record Use and Release
With few exceptions, an individual's health information can be used for health
- Ensuring that health information is not used for non-health purposes. Patient information can be used or disclosed by a health plan, provider or clearinghouse only for purposes of health care treatment, payment and operations. Health information cannot be used for purposes not related to health care, such as use by employers to make personnel decisions or use by financial institutions, without explicit authorization from the individual.
- Providing the minimum amount of information necessary. Disclosures of information must be limited to the minimum necessary for the purpose of the disclosure. However, this provision does not apply to the transfer of medical/treatment records for purposes of treatment, since physicians, specialists, and other providers need access to the full record to provide best quality care.
- Ensuring informed and voluntary consent. Non-routine disclosures with patient authorization must meet standards that ensure the authorization is truly informed and voluntary.
Ensure the Security of Personal Health Information
The regulation establishes the Privacy safeguard standards that covered entities must meet, but it leaves detailed policies and procedures for meeting these standards to the discretion of each covered entity. In this way, implementation of the standards will be flexible and scalable, to account for the nature of each entity's business, and its size and resources. Covered entities must:
- Adopt written Privacy procedures: These must include who has access to protected information, how it will be used within the entity, and when the information would or would not be disclosed to others. They must also take steps to ensure that their business associates protect the Privacy of health information.
- Train employees and designate a Privacy officer: Covered entities must provide sufficient training so that their employees understand the new Privacy protection procedures, and designate an individual to be responsible for ensuring the procedures are
- Establish grievance processes: Covered entities must provide a means for patients to make inquiries or complaints regarding the Privacy of their records.
Establish Accountability for Medical/Treatment Records Use and Release
Penalties for covered entities that misuse personal health information are provided in HIPAA.
- Civil penalties: Health plans, providers and clearinghouses that violate these standards would be subject to civil liability. Civil money penalties are $100 per incident, up to $25,000 per person, per year, per standard.
- Federal criminal penalties: There are federal criminal penalties for health plans, providers and clearinghouses that knowingly and improperly disclose information or obtain information under false pretenses. Penalties would be higher for actions designed to generate monetary gain. Criminal penalties are up to $50,000 and one year in prison for obtaining or disclosing protected health information; up to $100,000 and up to five years in prison for obtaining protected health information under "false pretenses"; and up to $250,000 and up to 10 years in prison for obtaining or disclosing protected health information with the intent to sell, transfer or use it for commercial advantage, personal gain or
Responsibility with Privacy Protections
After balancing Privacy and other social values, HHS is establishing rules that would permit certain existing disclosures of health information without individual authorization for the following national priority activities and for activities that allow the health care system to operate more smoothly. All of these disclosures have been permitted under existing laws and regulations. Within certain guidelines found in the regulation, covered entities may disclose
- Oversight of the health care system, including quality assurance activities
- Public health
- Research, generally limited to when a waiver of authorization is independently approved by a Privacy board or Institutional Review Board
- Judicial and administrative
- Limited law enforcement
- Emergency circumstances
- For identification of the body of a deceased person, or the cause of death
- For facility patient
- For activities related to national defense and security
The rule permits, but does not require, these types of disclosures. If there is no other law requiring that information be disclosed, providers and hospitals will still have to make judgments about whether to disclose information, in light of their own policies and ethical principles.
Audit your practice every 90 days to ensure compliance is maintained.
Linda Nadeau became a CA in 1982 and has been a consultant and practice management analyst for both the chiropractic and medical industries since 1993. Linda is the author of DRS ADMIN, a HIPAA Compliant Operations Manual: templates of policies and forms designed for chiropractors to maintain HIPAA Compliance while assuming an effective leadership role in the administration of their practice. This work is a collaboration of 22 years of experience in the health care industry, which encompasses the private and public sectors, teaching facilities and political sub-divisions of state institutions.