Preparing for HIPAA Privacy
Below is a distilled excerpt from a PartnerTalkLive! conference regarding HIPAA held in 2002. John Canning, President and CEO of PCC, hosted a few dozen PCC clients and answered HIPAA-related questions.
Due to the length of the teleconference and the specific nature of some of the questions, certain portions of the text have been edited, including removing client data, summarizing questions or positions, etc. We've attempted to maintain the original intent in each instance, however.
Because the HIPAA rules are routinely updated, please note that this conversation occurred on October 31, 2002. By the time you find your way to this page, HIPAA may look quite different.
Finally, while we believe all of our comments below to be true and our intent is to help private practices navigate their way through HIPAA, any commentary or advice below should not be mistaken for legal advice and should be confirmed by your lawyer. PCC does not take responsibility for any actions you take (or do not take) as a result of the information here.
The Transcript
John: ...this is being recorded and when we formally start it they're going to do a transcription that's going to go up at pcc.com so people can later download what we discussed. I am just going to ask you real quickly, since it's only a couple of you, how many of you have done work with HIPAA already?
Attendee: I have.
Attendee: I have, also.
Attendee: We have the policy form done.
Attendee: I haven't done a real lot, because the final stuff isn't out until January as far as the privacy policy goes, but I've started it.
Attendee: No, not really. I read a lot about your stuff, but
John: The way we are going to do this is that we are going to start with a two or three minute discussion, which will probably turn into a ten minute discussion on my part.
I am going to talk a little bit about what's up with HIPAA and where we stand and what kind of an action plan you should have in place. I am also going to talk a little bit about the deadlines, so that we are all familiar with those. After that, I would like to open up with questions so that people can ring in and get their questions answered. As mentioned when you joined the conference, the conference is being recorded, and the reason that it is being recorded is that we are going to take a transcript of it and put it up online, so that when you go to PCC's HIPAA reference page you will be able to print out a copy of what we talked about today.
Real quickly, the deadlines you have to be aware of, the first deadline coming up is April 14, 2003, that's next April, you have to have your privacy policy in place. And to that end, you have to have your doctors trained and your staff trained and you have to have plans on how you are going to handle patients' privacy, notify them of their rights and also protect their privacy. We will talk about that in greater lengths in a couple of minutes.
Also beginning April 2003, you need to start testing electronic claims using the new HIPAA required specifications. If you submit your claims through PCC through one of our approved clearinghouses, we are going to take care of all that for you so you don't have to worry about the EDI specifications. If there is a change to one of your codes that you have to make in order to be HIPAA compliant, Justin or Phil will get in touch with you and let you know about that. If you are not using PCC for a clearinghouse, then you are going to need to contact your third party clearinghouse and ask them what they want you to do and what they are doing to make you HIPAA compliant.
The third deadline is that, by October 16, 2003, all of your electronic claims are supposed to go to insurance companies in the HIPAA specified format (assuming you filed your HIPAA EDI Delay Form). And if you are using one of PCC's clearinghouses, you have nothing to worry about. If you are not using one of PCC's clearinghouses, it is up to you and your other clearinghouse to figure out how you are going to be HIPAA compliant.
Finally, the last deadline is that, by the end of 2003, you should have in place what is called a business associate agreement with your various business associates that basically says that they are going to treat your information confidentially.
So, that's a review of the deadlines. I have a suggested plan of action I would like to recommend to people. Some people have already started working on HIPAA, and so you are probably part way through this. This plan of action is more or less designed for people who have been waiting patiently for HIPAA to finalize itself, and it's sort of getting there.
The first thing I recommend you to do is put someone in charge of making sure your office complies with HIPAA. I recommend that be an administrative person to guide the process and that there be a physician who will assist with it. I found that when physicians get bogged down with HIPAA, it really takes them away from dealing with the patients. But, at the same time, someone needs to be an advocate for HIPAA in the office and that must be a physician in order for the other physicians to take it seriously.
The second thing I recommend is to visit the PCC-HIPAA reference page, where you will find links to all sorts of HIPAA information sent from the Federal Government that explains why we have HIPAA, what you need to do with HIPAA. There are also links that will take you to sample HIPAA policies and so forth.
Next, I suggest that you download a sample HIPAA policy. If you have a doctor who is a Fellow of the AAP, you can download their HIPAA policy for free. It's a very good policy; it's very user friendly. If you don't have someone in your office who is a Fellow of the AAP, there are other policies available that you can download for free as well from our web page.
The next thing you need to do is update the stock policy to meet the needs of your practice. You will get a sample policy that is in a word processing format; you will need to go through it to configure it to your own practice (it's going to say "Put your practice name here, put your address here, etc."). Depending on which policy you use, you may need to simplify it a bit. For example, if you use the one from the AAP today, it hasn't been updated yet and won't be until sometime next year; as a result, there are entire paragraphs that you can delete because those rules are no longer there. For example, patients no longer have to give their consent before you treat them in order for you to use their name and medical records. Similarly, patients cannot revoke their consent, because they no longer have to give it to you.
Attendee: This is the overall policy you are talking about? It's like a book that's fairly thick?
John: Exactly. If you download that, there is a patient consent form in there, so it's still outdated. And when we had the HIPAA workshop at PCC in September (2002), our clients found that they were able to chop the consent form to about one-half or one-third of its size. I assume the AAP is in the process of editing it and they will have a new version out there, hopefully, right after the first of the year.
The fifth step is to begin training your staff. And the best way to train your staff is to have them review your policy and then to have them discuss the privacy policy and what it means. You can also enroll them in courses being offered in your area. A lot of the different state medical societies are offering classes at very reasonable prices. You need to keep track of who attends the different sessions and who has been trained. It's important that people have ongoing training. You should have a plan where people review HIPAA every six months or every year; if you go to HIPAA courses once a year, something like that.
You also have to have a plan for training new employees when they come and start working for your practice. There are a lot of other HIPAA courses that are out there that are about the electronic claims process or about security and I would not be sending my regular staff to those classes, although if you are the HIPAA person in charge for your office, it might be a good idea for you to go to understand what's up with all those other things. But the typical person at the front desk doesn't need to know about the EDI standards and HIPAA.
The sixth step is to get your doctors involved. They need to pay close attention to training and also follow the HIPAA rules. The reasoning behind HIPAA is to protect patients' privacy.
And the last thing is that you need to be ready to provide your patients with information about HIPAA by April 14, 2003.
So, that's a quick overview of where we are with HIPAA, what the deadlines are, and what I think you should be doing. I'm happy to move on with a set of previous questions that we collected before this course and talk about those, or I'm ready to take questions from you folks, whatever you all would prefer. Does anyone have a question right now?
Attendee: I do, John. For protecting or making the patient aware of our privacy policy, can that be as simple as a two or three paragraphs piece of paper? And, do we need the patient to sign it?
John: According to the Federal Government, you need to do a couple of things: you need to let them know they have certain rights under HIPAA and that you can certainly have in that two or three paragraphs. By the time you've actually listed all the rights that they have under HIPAA, you are probably going to run into two or three pages.
So what AAP recommends, and what I would certainly agree with, is you have the two or three paragraphs that essentially state, "I've got these rights, I know I can request a copy of them" and that's the extent of it. The government asks that you make a good faith effort to get them to sign that piece of paper that basically says, "Hey, I've been made aware of them."
But if they say, "I don't want to sign this." Then you say fine, you know they don't want to sign it and then you just move on.
Attendee: Where would you store that within a chart?
John: It goes with the chart. They sign it once and it's good forever and ever. And the other thing with that is if you have a form already signed, giving you consent to treat, you can add it to that form, but it should be a separate signature.
Attendee: Okay. So you would need like a double signature, or whatever. Okay.
John: Finally, some offices thought it would be a good idea to post the privacy policies in full, like in the waiting room. I'm sure that in a couple of months you are going to get inundated with advertisements from people who will give you nice attractive laminated posters that you can put in your waiting room.
Attendee: I downloaded the Standards for Privacy of Individually Identifiable Health Information, Unofficial Version (the 45 CFR, Parts 160 and 164), and the latest, the most recent date is August 14th of this year. Given what you just said, where could I refer to in here what you just said about getting them to sign? I guess that is where I am having a problem.
John: Okay. So this is the actual text of the policy itself put by the Federal Government?
Attendee: Right.
John: I think that's not necessarily a good place to start, unless you like reading legal documents.
Attendee: Well, I started with, you know, the web page. I guess - where can we find the answers like you just gave?
John: Okay. They have what is called the Frequently Asked Questions page and that goes into much more reasonable explanations of everything. There is also a link from our web page to the advice that they gave people earlier this year on how to implement HIPAA. They have now taken that down, although you can still get it through our web page, and they said that very shortly they are going to put up a new version of it. This document goes a long way, and I think it is still applicable because it explains you don't have to soundproof your waiting room, you don't have to rearrange your office, you don't have to rebuild a new front desk. It gets rid of a lot of the rumors about HIPAA.
Attendee: So, how long are you finding the canned privacy policies? How long are they ending up?
John: If you download the section from the AAP, it is a hundred page manual of which they have sample job descriptions, sample fax cover sheets, sample forms that you can just print out to keep track of people and when they receive training, etc.
Attendee: Right.
John: And that's got everything you could possibly imagine or need in there. If you download the Public Law or you download the actual Standards, you are getting into a lot of legal mumbo-jumbo. With the HIPAA language, when you download the actual text that went into the Federal Register, the first two-thirds of it explains the process they went through, the public comments that they received, and how they updated the policy, and it's always the last handful of pages that actually get into the real HIPAA regulations, and they actually are pretty short. If you could read from the back, you might be better off than reading from the front. Did that answer your question?
Attendee: Yes. What I'm wondering is that when we are looking at these, is it okay for your privacy policy to deal with the population that you normally treat, or do you have to write a privacy policy that's encompassing...for example, they refer to your incarcerated patients.
John: No. You want to write a privacy policy that is specific to your office. HIPAA covers a lot of different entities. So, if you treat patients who are in jail, then you need to understand that there are certain rules there you have to follow. I know that we have a number of clients who deal with patients who are in reform school. So, they are going to have to go in and become familiar with those parts of the rules. The gist of those rules says that when it comes to an incarcerated person, they don't have as many rights as a non-incarcerated person. So, you are allowed to tell the warden about their health without their permission. That's the kind of stuff that's in there about patients.
Attendee: What about wards of the state?
John: With wards of the state, I haven't seen anything specific to that. HIPAA rules were revised in August to essentially state, "Follow your State rules regarding minors." So, if you've got laws that say a teenager can come in and ask for a pregnancy test and ask you to keep it confidential and that's legal under your state, then that's what you are supposed to do under HIPAA as well.
Attendee: When you write your privacy policy, how do you find the wording? When you refer to the individual, is the individual the patient, the parent, the guardian...?
John: Usually, everything that I've seen talks about the patient and implies that in pediatric practice, we talk about the patient and their parents. I want to mention that there are two parts to the privacy policy. There is the external part that you are going to show your patients that says these are your rights and your rights are that you can expect that we are going to keep your information private, that we are not going to sell it to the drug companies or the advertising companies, etc.
The other part, the internal part is that they have a right to inspect their charts and to recommend changes to it. And, they also have the right to file a complaint if they think that you have violated one of their privacies. So, to that end, you have to have a plan in place for how you are going to handle those complaints or how you are going to handle someone who reviews their chart. You have to decide how you are going to handle these "helpful" recommendations you are going to get. And, you don't have to adhere to all of their requests.
One of the things that the AAP recommends in the external part of the policy is that you let patients know that you're going to send them reminders postpartum, that you're going to leave messages on the answering machine, or that you are going to share information about their kids with any related parent or guardian who asks questions about it. And then you can say to them that if they object to this, they need to let you know, and you will consider their objection, and if it is reasonable, you will figure out a way to process it.
So, if someone comes to you and says "I don't want you sending me post cards reminding me about my pregnancy test", that would be a reasonable thing to say, "Okay, maybe we will call you", or maybe put them in an envelope, you know, and put your name on them, as opposed to sending it to the residence at 14 PCC Road or something like that.
Another part of the policy you need is an internal policy that talks about how you are going to handle all of these things, the way you outline your plans for how you're going to train people, how you are going to keep track of things, etc. And it's that internal policy you can use, along with the external policy, for training your staff members. But you don't want to show the internal policy to your patients.
Attendee: In terms of the internal policy, though, a hundred to a hundred-fifty page manual is very helpful in this implementation process and I do agree the AAP seems to provide a good one. What I have been waiting for, and have not seen, and I'm wondering if anybody has, is that twenty-page manual that can be available more to the general staff, that they're actually going to pay attention to it and maybe the basis for the training.
John: I think if you take the document from the AAP and pull together five or six of the exhibits, you've got a lot of it right there. They've got a whole section in there on faxes and they've got a section in there on how to handle patients' complaints and how to handle charts and if you pull all of that together, I think you've got the start of such a thing there. Now, I am going to shut up and if anybody else has an answer to the question, I'd love to hear about it. Anybody else out there want to chime in?
Attendee: So, you're saying to download this from, say, the AAP, and then go through it as an administrator and pull out the pieces needed for your staff for training purposes.
John: Exactly. I think there are twenty-two or twenty-seven exhibits in this. Some of them are completely inappropriate for your office and some of them are going to be just perfect. Grab the ones that are appropriate for you. And the AAP booklet actually comes in two sections; there's an instruction manual and then there are the exhibits.
Attendee: Is the trainer, or the instructor, etc., who you are going to use for your office, required to have a certain certification from the State or Federal Government? Are they, in turn, supposed to be handling a class before they in turn start training?
John: To the best of my knowledge there is no way to become certified in HIPAA. I recommend the person who is going to be training your staff be familiar with HIPAA.
Attendee: But there is no specific training that you know of at this point that that person has to do?
John: No.
Attendee: Okay. In HIPAA, where they say you need to have a designated person where patients, or individuals, can address a complaint to, when you are a very small office, can that be the same person they are complaining about?
John: You run into that a lot with these policies that are required by law. For example, in Vermont, we are required to have a Sexual Harassment Policy and what we decided to do instead of having one point person, we set up having two point persons. This way, let's say that I am one of the point persons and Erica is the other point person, if they want to complain about me they can go to Erica. That may be one way to address it in a small office or even in a large office. The other thing is that if you look at the law, the law doesn't say you have to have a specific point person, the law says you have to have a way to handle patient complaints.
So, they could be submitting them to you in writing, and I would certainly encourage you to only accept patient complaints in writing, and maybe you have a Review Board that gets together and considers the problem and gets back to the patient. I usually hear a lot of people say "oh, you should have a point person" when I listen to the ideas different lawyers or consultants come up with on how to implement HIPAA. But, if you actually read the law, the law just says you have to handle patient complaints; it doesn't tell you how you have to handle patient complaints.
Attendee: If the parent wants to complain about a staff member, or we have an issue with a staff member, and the patient is not willing to put it in writing, do we still have to consider it as a valid complaint, verbally?
John: I think, at that point, I would consider it hearsay if they are not going to take the time to put it in writing to really explain it. I've seen a lot of situations where people have voiced complaints in person, and when you ask them to sit down and write it down they start thinking about it and they change their mind.
Attendee: We have this a lot in my office, where we just had a mom who wants to tell on somebody, she doesn't like her co-pay, or whatever. To me that's not really valid; to them it's valid, I guess. But I guess my question is, can we kind of insist that the complaint is in writing in order for it to be dealt with appropriately?
John: I strongly recommend that and I'm confident that there'll be some backing behind you in the HIPAA regulations that the complaint should be in writing.
The other thing is, when we talk about complaints, if they want to complain that I've been rude to you, that doesn't have anything to do with HIPAA. The only thing they should be complaining about in HIPAA is that you have gone and violated my privacy.
Attendee: Exactly.
John: And to that end, I would have a form that I would give to a patient who wanted to complain that would ask for demographic information, a description of the privacy violation, how it happened, when, etc. But ask them specific questions that are going to help them focus on the fact that it has to do with a privacy violation.
Attendee: What I would like to know is what are you doing with any reports that have come from a different doctor that are in this child's chart?
John: That is in one of the FAQs that have just come out from the Federal Government, and there have been lots of different discussions like "oh, you didn't generate that, so you shouldn't pass it on", and the Federal Government has basically gone and said, I'm pretty sure, it's fine to go ahead and pass that on, as long as it's clear it came from another place.
Attendee: I think Massachusetts may be tighter on that.
John: Okay, well that's the other thing to never forget: if you've got a State law that is more restrictive, then you should follow that State's law.
Attendee: I guess I would also say that several years ago we stopped copying the charts and just give the account history report from Partner, you know, and most of the time the payee was very satisfied. We don't copy the office notes any more unless they specifically request it after they've received that.
John: And that's the kind of thing you want to put in your privacy policy that patients have available to them. You are going to say, "If you want us to transfer your records, or you want to review the records, we are going to print out a summary and you have the right to look it over, and there is a charge (or no charge) for that. If you want to look at the whole chart and you want it photocopied, then we are going to charge you ten bucks a page or five bucks a page to see that, and you've got to pay that up front."
Attendee: But the summary is that just coming from the Partner account history program?
John: Actually, it's the Patient History report, which shows problem lists, allergies, major diagnoses, etc. Remember, HIPAA allows you to charge people for photocopying their charts. It's very clear about that. But again, you need to let them know in your privacy policy what the charge is ahead of time.
Attendee: Okay.
John: We will come back to the privacy policy, I'm sure, before the end of this, so, if there are no other questions, let's move on to the question about EDI stuff, electronic claims.
Attendee: Yep. We do submit everything through you as much as possible, most of which goes through Envoy, but then there's Medicaid, that still goes through HBO.
John: Okay.
Attendee: What are our exposures there and what are you going to do to be able to help us?
John: We have already started testing with Envoy and HBOC claims going to different carriers using the new HIPAA format. I don't know which insurance carriers we have actually done the testing with and which ones we still have to do the testing with, but I know that it started about a month ago, and Justin and Phil are the ones who are handling that. And basically, if you already submit claims through one of our clearinghouses, any claim that goes through one of our clearinghouses will be HIPAA compliant; it will either be HIPAA compliant when it leaves your office, or we will make it HIPAA compliant in our office, or Envoy will be making it HIPAA compliant. But that's all part of the service that is being provided. One of the things that is going on with the HIPAA/EDI side of things is that we have this deadline of October 2003 that we have to adhere to. The Federal Government suggested changing the HIPAA EDI specs in May of this year. They haven't finalized that yet. So, that is still in flux. And so, we are still waiting for them to get their act together as to what they want us to do with these electronic claims.
The other part with these electronic claims, and this is the part that really makes it challenging and annoying, is that the whole plan behind HIPAA was that, for this to work, we are going to have one ID number for the provider, for every insurance company, and we are going to have a different ID number, but one ID number again, for every patient. And we are going to have the same ID number for all of the plans. You know, basically there are going to be some standard identifier numbers that we are going to be able to use. And the EDI specs call for that.
Attendee: Regardless of what insurance companies you ever had?
John: Right. Exactly. And wouldn't that be cool? Because then, okay, they come in and say, "I think I'm on Blue Cross/Blue Shield", we punch in the ID number and you say, "No, you are not... maybe it was Blue Choice?" "Oh yeah, that was it." The Federal Government has not done their part of all of that. Yet the EDI specs that we are supposed to be following expect that would have been done.
Attendee: In terms of individuals, isn't there a good chance that could have gone the other way, because the HIPAA privacy concerns might lead them to not want to give a common... I mean, a logical common identifier is a Social Security Number.
John: Well, except by law they are not allowed to use that.
Attendee: Well, that's the point - and yet, many of them are.
John: That is another interesting problem that we deal with all the time. Just to give you a little privacy lecture here. I paid twenty dollars to an Internet company to see what they could find for me on the Internet, and I gave them my name, my birth date, and my current address. And they came back to me with information about myself, including my Social Security Number, information about my dad, because he has the same first name, and in the past we've had an address in common, and then information about a John Canning from Indiana, who has the same birth date as me, okay, but obviously a total different person, no addresses in common. I have a list of all the Boards he has ever served on, all of the public offices he has held, all the real estate he has owned, and his Social Security Number.
Attendee: That's what I was waiting for.
John: All for twenty dollars.
Attendee: Same thing with a credit bureau.
John: Yeah, that was basically through a credit check, through a credit agency. So, the Social Security Number is not a good identifier, is what I am getting at. We also reuse Social Security Numbers when people die, and the HIPAA rules call for something different than that. In any case, going back to the testing stuff, things are in flux with the EDI stuff. We are expecting that in February or March the Federal Government is going to come out and issue some clarifications on where we are really heading with this and what's going to happen. In the meantime, we've gone ahead and started the testing. We don't expect to have our own HIPAA claims generator ready until the Spring of next year for general consumption.
When that happens, by the way, once we have this generator in place, and once everybody is actually using HIPAA standards, we should be able to give the electronic claims to any and all insurance companies without having to pay a per claim charge to all of these clearinghouses like we have to do right now. That's the theory. Who knows if that is ever going to materialize?
And the other thing that goes along with that is that we should be able to do eligibility verification and get claim remittances all on a standard format. So, imagine if Partner, at night, could go out and check the eligibility of every patient who is coming in the next day, so that when you got in you knew that these eighty patients were ok, but these ten patients have invalid insurance information in their accounts? That to me would be really, really cool. And that's the promise, well, that is what we are hoping is going to come out of HIPAA.
Attendee: Now, one sentence that's very nice to hear is that if you are submitting through us, meaning PCC, don't worry, it's all taken care of. It's nice to hear that that black box over there is going to take care of everything that's not there. But since you said some of it will be a matter of what comes out of our office, I guess I'd be interested in how, in assuring that specific... you know, if there is a change, that, okay, everybody's agreed, the Feds have got their act together, everybody has agreed that you can't bill this way, you've got to bill that way, how early is that information going to be provided to our billing staff?
John: Well, we've already started running the checks on diagnosis codes now. So, our support staff is going through each one of your offices and checking your diagnoses table to make sure you've only got valid diagnosis codes in there, and those are the codes that are valid as of 2003. So, if you have any invalid diagnosis codes, we are going to let you know about that. As far as PCC's post goes, those are checked when you submit the claim electronically. If you are submitting claims electronically right now, you are not submitting any claims that have invalid PCC codes on them, because they don't go out of your office. So, to that end, if there are some coding changes you are going to have to make, unless it is a diagnosis code change, we have already talked to you about it.
Attendee: I guess, what I am thinking is what if there is some change in order to standardize it or something?
John: I believe you are asking, "What if there is a change that I have to make for coding in order to be standard or to be compliant?" Under HIPAA, you have to use CPT-4 codes for procedures and ICD-9 codes for diagnoses, and you are already doing that. And that's pretty much all you are required to use that impacts the pediatric office.
Attendee: What about the use of modifiers and things?
John: Modifiers are all part of the CPT-4. There are some new modifiers that are coming out in 2003, and it has nothing to do with coding issues, and those modifiers are hopefully going to allow pediatricians to get paid better when it comes to certain immunizations and things like that, and that is something your doctors need to learn about or you need to learn about anyway, but that is not HIPAA related, that is just general code practices.
Attendee: I was under the impression that here in Massachusetts, for example, there was a committee that was sort of getting started by fits and starts that was supposed to go over particularly the immunizations, etc. There were too many plans that were using different modifiers and things, and now you would be required to just, say, use two codes for administration.
I know there has been some confusion here because there have been times that supposedly a change was going to go in and then no, it wasn't going in. I guess what I want to make sure is that we are not quite going the wrong way when something like this does bite.
John: Right, well, let's take the diagnosis codes as an example. This year the diagnosis codes were published in October and some insurance companies are already requiring that you use the new diagnosis codes and they are rejecting anything that uses an old diagnosis code. Other insurance companies aren't planning to use these new codes until either January 1st or April 1st, depending on which insurance company you are dealing with. And this I think is just part of the ossification that the insurance companies just love to practice just to give everybody a hard time. But that is not HIPAA related, that's just general, insurance companies being difficult.
Attendee: John, in Pennsylvania, we have three different Medicaid plans and so, you know, until they can get their act together, which I don't think is going to be anytime soon, I don't think you will really get caught up in too much.
John: Right.
Attendee: I haven't heard you say it, John, but I think you are saying, I think I hear you between the lines saying the answer to us is as soon as you know, we'll know?
John: Basically, when it comes down to coding issues, the insurance companies should already be communicating coding changes to you and how they expect you to submit things. Unfortunately, the way that coding works is that there is always going to be a different way to do things; even with HIPAA, there are always going to be two ways to code some things that happen in your office. Fortunately, Partner has a lot of flexibility in it and you can punch in "DPT shot" and it appears with one code without a modifier on one form but for another insurance company it appears with a modifier. Partner has that ability already in it and we are going to leave that there so we can continue to play these games with the insurance companies to make sure that things are coded correctly and that you get reimbursed properly. We are not going to take that out.
Attendee: I guess I had the naive impression of HIPAA that it was supposed to say that you couldn't do that any more.
John: No, HIPAA just says you have to use the CPT-4 code set, which we are already using. And the CPT-4 code set happens to say that you should only apply modifiers to procedures that begin with 99, but that hasn't stopped anybody from requiring that we use modifiers on other procedures. And that is not going to either, unfortunately. I mean, you could then write a letter to Tommy Thompson and say, "Hey, this insurance company is expecting me to code differently and they are not following the rule," but my guess is that Tommy Thompson is going to write back that it would cost them too much money to follow the rules and he is going to give them a waiver, because that's what he has done in every instance so far.
Attendee: John, I don't understand. How is this electronic finagling with the electronic coding and how we are submitting claims electronically protecting an individual's privacy?
John: It's not! If we go back to where HIPAA came from, the whole idea behind HIPAA was to figure out how to reduce the amount of money we are spending on Medicare. They did some research and they figured out one-third of the dollars they spent on Medicare they spent on filling out paper claims and then punching the data into the computer. So, in their infinite wisdom, they mandated by law that by 1988, all Medicare claims had to be sent in electronically. Well, that never came to pass, for a lot of different reasons, but as they were working on the law, a lot of privacy advocates came and said, "We don't want all of this stuff to be going electronically, you are just going to build this big database." So, to placate the privacy concerns, they added this privacy section to HIPAA.
Attendee: I see.
John: So, and again this is the typical Government's way of approaching things, what they're doing, the whole intent was we've got to simplify things and cut down on the costs of providing healthcare, especially the administrative side of healthcare. So, all of that part, the hard work, they haven't done, but what they are doing is they are going out and saying, "You've got to protect patients' privacy." And it's like, "Hello, we already do." So, the privacy side is there to make us feel safe so that when all of this data goes electronically, we don't feel like we are being spied on. Of course, a lot of data is already going electronically. Right now when you submit claims to any insurance company, they've likely contracted with another company to store all of those claims for them and to help them analyze them. And that is because they don't have the computer software or facilities in-house to do that. So, there are third parties already out there for each insurance company that are gathering all of their claims. And if they want to go and sell some of the demographics or sell some of the information that's in their database to somebody else, there is nothing that prevents them from doing that. And that is the one good thing that is going to come out of these HIPAA privacy rules: starting in April, insurance companies are no longer going to be able to sell information about all the patients who are obese, all the patients who smoke, or all the patients who have hair loss problems, to drug companies or marketing companies. So, that's a good thing. We are caught in the crossfire in the meantime. So, other questions?
Attendee: We've been trying to get ahead on our business associate contracts, and obviously one of them that comes up is with you guys and you've noted with your community that you are going to do it through your Fine Print.
John: Yes.
Attendee: Could you briefly review where that stands?
John: Other people are working on the Business Associate Agreement and we've turned it over to our lawyer, who is a specialist in HIPAA. She promises that she is going to take it and turn it into a Business Associate Agreement that is specific to our relationship with our clients and is going to simplify it and put it in English so that they can understand it. Erica just sent me e-mail like a half an hour before this conference started saying that if you go to the magazine called Physician's Practice, they have a HIPAA Business Associate Agreement in it which is really, really good. It's in plain English; it's very easy for the layperson to understand, and it's also already been simplified for a physician practice. If you read the advice that the Federal Government gives you on how to set up your Business Associate Agreement, they've gone and assumed that you're an insurance company, and you're a jail, and you're a doctor's office, and you're a lab, and you're this and you're that, all these different things. And the cool thing is that this is an agreement that just looks at it from the point of view of a doctor's office. Your clearinghouse doesn't need a Business Associate Agreement because they are just considered a conduit. They are not actually supposed to see or touch the information.
Attendee: How about your companies that supply your vaccines?
John: Do you give them the names and addresses of the patients that get the vaccines?
Attendee: No.
John: No, then you don't need to worry about them.
Attendee: I can foresee the electronic medical records.
John: Electronic medical records open up a whole new can of worms when it comes to HIPAA. There is a lot of HIPAA you don't have to follow or worry about if you don't store records electronically. And in Partner, you only store a very limited amount of records electronically. So, we focus on that part of control there.
One interesting thing about HIPAA and a Business Associate Agreement is with the janitorial services. For the last three or four years I've been hearing that the janitorial services have been used as a prime example of who you need to have a Business Associate Agreement with, because these are people who come into your office at night, they are not supervised, they've got keys to the whole place. What's to keep them from going and photocopying and selling all the charts to some buyer, or something like that? Well, the Federal Government, in its infinite wisdom, has decided that janitorial companies are not business associates because they're not supposed to come in contact with protected health information, i.e., names, addresses, zip codes, insurance I.D. numbers, birth dates, things like that. So, you should just have a contract with them that says, "We are going to clean your office," and then if for some reason they do decide to go and photocopy your charts, you know, read your charts, you can just go and fire them on those grounds without having to get into having a separate agreement with them.
Attendee: But I am already being sued at that point.
John: Well, I'm just telling you what the Federal Government said. One of the things that is covered in their FAQ, that they just put out on October 8th, is that they said specifically you don't have to have a business associate agreement with your cleaning service. Again, going back to charts and what's reasonable and whatnot, earlier I think the Federal Government noted that if you have charts stored in a room and there is a door on that room, you should put a lock on that door. That's a reasonable change because a lock costs about a hundred bucks. But if you store your charts behind the front desk, and to go and lock those up at night would require remodeling the entire front office and that's thousands of dollars, that's not reasonable and they are not expecting you to do that. But if you do have a lock on your chart door, you should use it. You should lock the charts up when the last medical person leaves and then you don't have to worry about your cleaning person getting into it and you wouldn't have to worry about being sued. Now, the other thing -
Attendee: Except for all the charts on people's desk waiting for them to see?
John: That's another good point and that was something we talked about at length at the HIPAA workshop at PCC in September. And one of the things we talked about was encouraging doctors to keep their desks neat, and the other thing we talked about was putting something in your policy notice that you give to patients that says, "Look, there are charts and there is protected health information all over this office. We expect you to observe other people's privacy and you are not allowed to go and look at other people's charts or look at things that are on people's desks." So you should lay out your expectations of the patient as well, and then if somebody, if you catch someone reading someone's chart, that could be grounds for dismissing them from your practice.
Attendee: Let's come back to the janitor now. My sense is that we are sort of caught in a trap here because on the one hand, originally it was a requirement of HIPAA that you do this. I guess I don't think of that as the important part of it because basically, my sense is that any industry that has a lobbyist is probably going to them and getting exemptions because I am hearing from the phone company that they're just a conduit, and you are saying the thing's just a conduit, but the fact is the phone company can have an employee who takes advantage of, or who listens in.
John: Right. But there are other laws that already say that it's against the law for those people to do that. The other thing with HIPAA to remember is that the only people who can bring charges against you under HIPAA are the Federal Government. The thing that the lawyers point out though, is now that we have a standard for what is considered confidential and how confidential information should be treated, there's probably consumer protection laws which allow people to sue you using the HIPAA standards as the standard under which you should be maintaining things.
But another thing to remember about HIPAA as well is that the way HIPAA is worded is that if, let's say that we'll deal with PCC right now, okay? You guys give us protected healthcare information all the time when you call up and say, "The John Canning account is broken, would you please look at it for me." Okay, so I go in and I see all the charges and all the payments and all the diagnoses and all the procedures, and I help you fix it and everything is fine. Now, any information that I have written down to fix the problem that has names on it, birth dates, whatever, I need to shred so that nobody else has access to that, and if I store something about it in my database, okay, I need to make sure that that database is protected so that other people can't get to it. And we have a big firewall to go and do that. But let's say that we have an employee who decides to be mischievous, and goes and tells somebody about some protected healthcare information that they found while working at PCC from one of our customers. When I find out about that, I need to let you know that happened and I also need to let you know what I'm going to do to make sure that it doesn't happen again, and also what I've done to make sure that that person has not just been punished, but if that person was prone to - like if we thought that person was going to continue doing it, that I fired that person, basically. So, at that point in time we've now satisfied the rules of HIPAA because you know about the violation, you've noted it in your charts that this has occurred, and that steps have been taken to make sure it doesn't happen again. You don't have to go back to the patient. The only time you have to report it to the Federal Government is if I wrote to you and said, "Yeah, we sold all of your information to somebody and we plan to do it again next Thursday and we are going to do it every week now and we don't care about your privacy."
At that point in time then you would be expected to report it to the enforcement office at the OCR, Office of Civil Rights, who doesn't really have a budget to enforce it, but that is a different issue.
Attendee: And to pull the contract and to sue you?
John: Yeah, well, again, what are you suing the people for?
Attendee: Well, in that case to enjoin you from doing that.
John: Okay, yes.
Attendee: Okay, and that sounds very reasonable. What you just described is exactly what I understood the Business Associates Agreement to be designed for. But, what's very bothersome, and obviously I would be doubly concerned if you guys claimed it, but I am not hearing that and so that's great...what is of concern is all of these places that you're saying, and indeed we are hearing back from places, they say "Well, we've been exempt under such and such and we don't have to worry about this and we are just a conduit," so, for example, from the phone company, "We only check this when we need to and therefore we are not covered by this." Which sounds absurd on its face.
John: Well, I mean, there are laws that say that the postal service is a conduit. There are other laws that say that the telecommunications infrastructure is just a conduit. So, the fact that they are telling you they are a conduit, there's been lots of other case law that backs that up. There are laws, or you know, all sorts of lawsuits back and forth where people have been listening in on cell phone conversations, or wireless conversations, you know, using the little scanners or whatnot, and the telephone companies in each case have been found innocent. So, I think, in that respect, I mean, if I look at a pediatrician's office -
Attendee: - That is because wireless technology is considered basically an open technology -
John: - Right. But still, if I was going to worry about Business Associate Agreements, there is a new tool that the Government just put up that helps you to decide if this is someone who you need to worry about as a business associate; it's on their web page. They just put it up earlier this week on the 25th.
But basically, the gist is, if you are giving these people names, addresses, birth dates, or other medical information about your patients for some reason, then you need a Business Associate Agreement with them.
Attendee: John, why would you be giving that information to anybody?
John: Well, do you ever use a lab? Do you contract with a lab?
Attendee: My insurance companies contract with a lab, but my practice doesn't.
John: But you're going and you are sending information to a lab. You are giving that information to a lab?
Attendee: Yes, the lab is coming and picking up...
John: Okay, so, that would be an example of a place where you might want to put in place a contract.
Attendee: With the insurance company?
John: Or with that lab that they've contracted.
Attendee: Well, no, the insurance companies are telling me what lab I have to use.
John: Then the insurance company has to go and have a business associate agreement there.
Attendee: And indeed, we're being told that another one of the exceptions is for anybody who you send to specifically for provider reasons, for medical reasons, is exempt. Until this moment I thought that was a reasonable one, basically because they are directly, sort of traditionally liable, so there is no need for a business agreement.
John: Right. Because like with the lab you are saying? Again, okay.
Attendee: Well, with a specialist, or with a lab, or any of it.
John: Right. I would agree with that. But what I was going to say is - I guess a good example would be PCC. We're somebody that you're going to give information to on a regular basis.
Attendee: But other than you, with electronic filing, I guess I'm a little perplexed; who else would you release this kind of information to?
John: Do you have a transcriptionist - ?
Attendee: Okay. What about a collection agency?
John: Collection agencies - there are specific rules about collection agencies under HIPAA, and basically HIPAA allows you to use a collection agency, HIPAA allows you to report people to the credit bureau, but I think a collection agency would be another good example where, aside from reporting people to the credit bureau, they've got to agree to keep things confidential.
Attendee: So, I do need an agreement, or contract, with them?
John: Yes. And you probably already have a contract with them, which probably I would hope, keeps things confidential.
Attendee: Well, you'd hope, but I need to look at it. Is the business agreement that you are talking about that is to be implemented at the end of next year, is that anything more than a statement to the people we're associating with or is there an actual contract we are going to have to create?
John: Some people will tell you that putting it in a separate contract demonstrates that you've actually sat down and thought about this and you've reviewed this with that person. The approach that PCC is taking is that we're being proactive and we're putting it in the Fine Print ahead of time and then explaining what we are going to do. The Business Associate Agreement, according to the HIPAA rules, needs to cover three things.
Number one: they're going to protect the information and keep it confidential, and are only going to release it when instructed to do so by you or by a court of law.
Number two: if they break confidentiality, they are going to let you know about it.
Number three: if they continue to break the confidentiality and don't solve the problem, you have the right to terminate the agreement.
Those are the three things that need to be in it. There's sample language provided by the Federal Government, which is about five pages long, you know, that covers those three things and turns them into five pages of text. I encourage you to check out the sample from Physician's Practice magazine.
Attendee: What about your insurance companies when it comes to referrals? I mean that has the patient's name and social security number, and policy number and date of birth on it -
John: And that's always given. What HIPAA has noted is that when they come to do a chart audit, you should, if it's reasonable, restrict the chart audit just to dates that they're covered by that insurance company. But it is generally assumed that you are going to be releasing information to the insurance company for treatment, payments, or other healthcare operations. So the fact that you have to refer that part of the treatment process, or the fact that you are releasing that information on a HIPAA form or an electronic claim, that's for billing purposes.
Attendee: But actual referral forms that they need to take to specialists, and that kind of stuff, is that covered under your contract with the insurance company?
John: No, that is covered under the fact that you are releasing that information for their benefit as a treatment.
Attendee: Okay.
John: Okay, so, you don't need an agreement there. But if you were going to contract with someone to send out letters, like to print your newsletter, for example, that would be someone who, if they were going to do the mailing for you, you would have an agreement that says, "Look, you're going to keep the names and addresses confidential. You are not going to go and sell them to someone else."
Attendee: Okay.
John: Those are the things, the people that you need to think of. I'm noticing that we are running out of time and I want to apologize for having cut this short.
If you have specific questions about HIPAA, feel free to send me an email message, you can also send email to hipaa@aap.org if you want the AAP's advice for help with HIPAA. Good luck, take care everybody, and please watch out for the beeps when you hang up.
