|
CorrectCare
HIPAA Is
Here. What Does It Mean For You?
By Jaime Shimkus
The deadline for compliance with the
Privacy Rule of the Health Insurance Portability and
Accountability Act has passed, but many correctional health care
providers are still in the dark as to how the rule pertains to
them. To shed some light, NCCHC held a conference call with a
compliance and enforcement expert in the HHS Office of Civil
Rights, which is responsible for enforcing HIPAA.
‘HIPAA
101’ and Other Resources
“The
law known as ‘HIPAA’ stands for the Health
Insurance Portability and Accountability Act of 1996.
Congress passed this landmark law to provide consumers
with greater access to health care insurance, to
protect the privacy of health care data, and to
promote more standardization and efficiency in the
health care industry.”
That
introduction comes courtesy of HIPAA 101, one of
numerous resources posted at the Web sites of the
Department of Health and Human Services and its
Centers for Medicare and Medicaid Services.
For
a wealth of information on the Privacy Rule, start
your search at www.hhs.gov/ocr/hipaa.
Here you’ll find a link to the Covered Entity
Decision Support Tool, a useful self-test for
determining whether you are a covered entity, a
business associate, a health plan or none of the
above. The tool is at www.cms.hhs.gov/hipaa/hipaa2/support/
tools/decisionsupport.
Beyond
HIPAA 101, CMS offers a series of papers that focus on
the law’s administrative simplification provisions.
The papers provide information, tips and guidance on
topics ranging from how to determine whether you are a
covered entity to compliance deadlines, implementation
and enforcement of the rule, with emphasis on
electronic transactions and code sets. Find the papers
at www.cms.hhs.gov/hipaa/hipaa2.
|
Key purposes of the call were to clarify the circumstances under
which correctional facilities and providers qualify as
“covered entities” and thus must comply with HIPAA’s
provisions, and for those that do, to explain their compliance
obligations. (David Mayer, the OCR official, noted that the term
“HIPAA” in such contexts is shorthand for Privacy Rule,
which in turn is one of four elements of the Administrative
Simplification component of the still broader HIPAA law.)
The upshot, according to teleconference participant Nina
Dozoretz, RHIA, CCHP: Being a correctional facility or health
care provider does not, in and of itself, confer covered entity
status, and since many prisons, jails and detention facilities
do not meet the covered entity requirements, HIPAA’s rules and
regulations do not apply to them. Dozoretz is a captain with the
U.S. Public Health Service and represents the American Health
Information Management Association on NCCHC’s board of
directors.
Covered
Entity Criteria
But that’s not the end
of the story, cautions T. Howard Stone, JD, LLM, a professor at
the University of Louisville’s Institute for Bioethics, Health
Policy & Law. “HIPAA didn’t devise of list of who is
excluded, but instead says that if you meet the criteria, then
you are covered,” says Stone, who also took part in the
teleconference. So what does it take to be a covered entity?
Stone summarizes the criteria as follows:
• Covered entities include health care providers who transmit
any health information in electronic form in connection with a
“covered transaction.”
• Health care providers include persons (e.g., physicians,
nurses, dentists) or organizations (e.g., hospitals) that
furnish, bill or are paid for health care in the normal course
of business.
Stone adds that once an entity qualifies as
covered, it must protect all individually identifiable health
information including demographics, not just information that is
transmitted electronically.
Technical details about these electronic
transactions can be found on HHS Web sites (see box at right for
useful addresses), but those are fairly straightforward and
include the Internet and extranets, electronic data interchange,
direct data entry and other forms.
Covered Transactions
But what about those covered transactions? That’s where
the light dims. “Covered entityness for correctional
institutions depends on how they bill and how they are
reimbursed,” Mayer said during the teleconference. “If the
governmental entity pays for the medical services to inmates,
the prison is likely not a covered entity. If there is a
contract with a third party to provide health care, like a
capitation fee or yearly fee but no billing using the electronic
standards, it is unlikely that the correctional institution is
covered.”
Dozoretz backs his interpretation: “Many
correctional facilities and providers do not produce electronic
medical claims using the standard transaction code sets. In
fact, many do not submit medical claims at all and receive their
operating dollars from local, county, state and federal
governmental sources.”
A facility that does generate medical
claims but in paper format does not qualify as a covered entity,
says Dozoretz, nor does a facility that transmits paper claims
via fax. Also not covered: a facility that has an electronic
medical record system but does not use it to produce electronic
medical claims.
Nevertheless, correctional health care
providers cannot assume that they’re off the hook, Stone says.
With the caveat that laws often change, that they may not be
applied uniformly and that interpretations vary, he cites two
standard transactions that may be common among correctional
health care providers—and thus subject them to covered entity
status if these transactions are conducted in one of the defined
electronic forms:
• Under “health care claims or
equivalent encounter information,” a bulleted clarification
reads:
– If there is no direct claim, because the reimbursement
contract is based on a mechanism other than charges or
reimbursement rates for specific services, the transaction is
the transmission of encounter information for the purpose of
reporting health care. [emphasis added]
• Under “referral certification and
authorization,” the following transmissions are specified:
– A request for the review of health care to obtain an
authorization for the health care
– A request to obtain authorization for referring an
individual to another health care provider
– A response to either of the above requests
“Many people get hung up on claims but
disregard these two areas, which are defined in the Code of
Federal Regulations,” Stone says. “For example, if each
month a prison clinic submits to a central office a list of
patients and the services they received, that’s reporting
health care encounter information.” The information would have
to be individually identifiable, not aggregate, to be covered by
the regulations, he adds. Further, such protected health
information (PHI) would have to be transmitted in one of the
covered electronic formats.
Unfortunately, the status of “internal”
transmissions (e.g., between a state prison and a central
administrative office) remains an open question. Indeed, Mayer
said that the OCR might not interpret such transmissions as
qualifying for covered entity status.
Reinforcing the truism that laws and
regulations are mutable, Rachel Klugman, an expert on standard
transactions with the HHS Centers for Medicaid and Medicare
Services, says that there has been some debate on transmission
of “in-house” encounter data.
Be Informed
Even though “it is not the norm” that jails and prisons
would be covered entities, says Dozoretz, “it is important to
remember that HIPAA did not replace existing law and statute,”
and that institutions still must comply with local, county,
state and other applicable federal patient privacy and
disclosure laws and statutes.
Covered entity or no, the Privacy Rule does
apply to many community health care organizations, such as
hospitals, and thus still may have a great impact on
correctional providers and their ability to obtain medical
information.
“While correctional facilities need not
undertake undue financial and administrative burdens if they are
not covered, it is in their best interest to understand what
HIPAA means to covered entities,” says Dozoretz.
She recommends contacting local health care
providers and institutions and explaining your role in the care
and safety of inmates. Many providers will be unaware of the
legal exceptions and exclusions in HIPAA that allow them to
disclose medical information to law enforcement, so educate them
about that, as well. If you don’t, you may find that you’re
denied access to medical information on inmates that you have
referred to community providers.
Below Dozoretz cites these important
exclusions and exceptions to the disclosure and consent
provisions that apply to law enforcement, as spelled out in the
Code of Federal Regulations:
• Section 164.512(f), Disclosures for Law
Enforcement Purposes, lists the situations where disclosures by
covered entities to law enforcement is allowed without patient
consent.
• Section 164.528, Accounting of Disclosures of Protected
Health Information, includes more exceptions that allow access
to medical information by law enforcement.
• Section 164.520(a)(3), Notice of Privacy Practices for
Protected Health Information, describes where inmates are not
entitled to receive the notice describing their rights or where
a correctional institution is not required to produce this
notice.
Stay tuned for more information on the
HIPAA Privacy Rule in the next issue of CorrectCare.
— About the author:
Jaime
Shimkus is NCCHC’s publications editor.
[This article first appeared in the
Spring 2003 issue of CorrectCare.]
|
