Fw: hipaa codes

June 5, 2003

Hi Attilio,

I plied lots of info out of my friend Bill Terry. The tonic formula shall remain a family secret. ;-) I've removed some of the colorful language applied by Bill in an effort to keep this professional. Apparently working in the HIPAA field brings out one's profane side. If you patiently read through, I think most of your questions will be answered. In brief, if you have a private practice you don't need to register with HIPAA, nor is there any particular software. You could create your own brochure and copy HIPAA privacy guidelines for your patients. MDs with hospital privileges are another matter entirely and have to comply, but the training is simple.

All the Best,

Emmanuel Segmen

Bill Terry wrote:All -Here are a few comments interspersed with your's below. The reason you don't hear much from me these days is partially due to HIPAA, also numerous audits - including some knee-jerk responses to HIPAA and other security issues, as well as other federal and state (TX in my case) laws including the Gramm-Leach-Bliley Act (GLB). GLB (GLiB as I sometimes pronounce it) is to financial privacy as HIPAA is Health Care Privacy. Required compliance with GLB went into effect on May 25th (give or take a few days). GLB mostly concerns businesses that actively have financial information on folks. If you only have a retail operation (ie cash or credit cards), you are ok. If you do you own loans, look at credit information, etc. Then you better check into that, too.Yep, state laws can be more restrictive than other Federal including HIPAA. TX House Bill 11, for example had us envisioning many more requirements and hoops to jump thru. Fortunately some of the TX legislature had their ears working instead of their mouths and managed to get HB 11 realigned HIPAA. Not quite so true in many other states.The idea of HIPAA, with its privacy and security, was well intentioned but like much legislation, poorly developed, delayed, picked apart, amended way beyond intent (by BOTH sides of the house), misinterpreted, etc, etc. Simple incorporation of best practice business security and privacy practices would have sufficed - but we all know that one or two bad apples spoil the barrel. And one or two jerks/crooks/etc are often the cause of unneeded legislation - often by legislators who want the lime light, or a little pork, more than something that might actually benefit the common good.Generally, HIPAA applies to electronically stored, transmitted Protected Healthcare Information (PHI). If you have a practice that is entirely paper based (including your books/accounts which are PHI), you don't come under HIPAA. PHI, by the way, can be anything that can identify a patient to almost any data. Name and Zip code, or in some cases a list of names is sufficient. Needless to say patient records are PHI. And, even if your practice is entirely paper based, other laws require you to take reasonable care in protecting them.The KEY WORD, the key principle in HIPAA is REASONABLE. And everyone pretty much agrees on this. It is not HIPAA's intention of preventing care in any sense or fashion. There is nothing to prevent, for example, a consulting physician from consulting on a case. And - very important to small practices and businesses - what is reasonable and required? Not much actually - assuming you had reasonable privacy / security procedures in place. You don't need to install HIPAA approved software, acoustic tiles, etc. They simply don't exist. There may be classes, seminars, evaluations, gap analyses, etc that you can purchase, but they are not required. Don't let some huckster try to sell you something that it required to make you HIPAA compliant - you probably don't need it. There is a lot of snake oil for sale. What is reasonable? Let common sense prevail.If you have patients, you do need to have brochures to inform them of their rights. You do need to train yourselves and your employees. etc. etc.More interspersed below....At 01:17 PM 5/29/2003 , John R. Segmen wrote:

I have lots of material on HIPAA compliance from the American Psychological Association and other sources. There was a deadline in October to apply for an extension before being required to comply, and more recently a deadline of April 15 to be HIPAA compliant if one is keeping medical records and billing third party payers electronically. If one is compliant, it means that one has developed and promulgated to clients a privacy policy and is doing proper record keeping. There is no registration required as a matter of law that I know of, beyond last October 15 application for extension. My impression is that no one actually knows really how this is going to work. Case law will clarify that in time.You are correct. No registration, per se. Maybe so if you wanted to use alternative billing codes - but you don't have to use them to get paid. (You can always bill the patient directly (cash up front) and let them submit.) April 15? was the privacy compliance date. April 26 2005 for HIPAA security. Yes, look at places you trust APA, the HHS site, etc for help. Stay away from the hucksters.

There is a whole cottage industry developing to provide materials for HIPAA compliance, for a price. That may be what is being referred to.See above. There is no shortage of lies, bunk, myth, and snake oil. There are NO actual HIPAA required / compliant materials you need. You may need brochures, for example, but you don't have to buy them, you can make your own. You can get some one to design yours, but appropriate, free text exists.

Ironically, the way the HIPAA law was written under the Clinton administration and then altered and gutted by the Republicans, while it's a huge pain to do all of the compliance, in fact, medical records of people are now less protected than they were previously.Actually, it was written during the Clinton administration and then, quite obviously sat on / ignored for a few years. I think that everyone was hoping it would go away - and forgetting that it had a provision than would bring it into law without further action. Of course as the time drew neigh, the (explitive deleted) hit the fan, and a flurry of changes created a rule with so many exceptions that it practically does not exit but still requires all the protections, logs, audits, etc of the original. Some of our more graphic friends might call this a cluster (explitive deleted). But thats what we have and what we have to deal with. great for the attorneys. And of course all the patients with little to do, get to try to tell you how they want to change their record (no, they can't change facts) or not let their spouse know they have contracted AIDs, etc.

One curious feature is that HIPAA does not trump state law--usually federal law supercedes state and local law. That means that if your local existing state law makes more stringent confidentiality requirements than does HIPAA (which it undoubtedly does), then you must also comply with those state laws as you probably already are doing. This is my current understanding of the matter. I think that one way of complying as a solo practitioner who works with paper, not electronic communications channels, is to just not ever share medical records, period.-JohnTrue, but not always practical on the records. And if you take insurance there is certainly more to it. On the other hand if you only take cash, and let them submit insurance (a growing trend) then you have that covered, too.BTW, as Emmanuel mentioned, I'm the Information Security, HIPAA Security Officer for a Med school, and now pretty much so for a medical center that includes about 13,000 employees, 800 beds, etc. We trained 13,000 people in March and April. The physicians who had managed to not comply with what amounts to some pretty easy training will have hospital and clinic privileges yanked and loose their incentive pay (substantial). Like it our not, our adminisitration has to take this seriously - and does.My 2 cents. "Your mileage may vary. Do not attempt this at home."Yours, for better privacy in Healthcare....Bill T.a bit more below...

At 1:01 AM -0700 5/29/03, Emmanuel Segmen wrote:

Hi Dr. J.,I'm copying to my brother who also has a practice that may or may not rely on third party payments. My good buddy Bill Terry is the reigning "expert" in my current circle of friends regarding HIPAA. But Bill administers the University of Texas and might not have first hand knowledge of how thingswork for a licensed acupuncturist like you or a licensed psychologist like my brother.With regard to HIPAA, quite a few "deadlines" have passed. Did your heart stop beating? Did the sun continue to rise in the east? I believe the right to register and receive third party compensation passed us by in March or April. I believe this was for alternative billing codes. see comments above.

Emmanuel wrote:

There's some other ominous deadline in October that I can'tremember. If you have a claim already in the works prior to these deadlines, I believe you will still be paid whether you've registered or not. There are people even now just starting medical school and even being born. I believe they will be permitted to register with HIPAA at some point. Thus, I'm pretty sure you will still be allowed to register withHIPAA at some future date if it makes sense to you.

Bill Terry wrote:

Ain't no registration required. Training and other compliance, etc.

Emmanuel wrote:

Since I don't help Dr. Kang so much any more with his clinical stuff, I'm out of touch with whether he's getting insurance or MediCal payments anymore. AAOM announcements which you no doubt get spammed with tell us that for a price you can take their weekend seminar on how to be an LAc registered with HIPAA.

Bill Terry wrote:

You can take and pay for the seminar, but it isn't required.

Dr. J. wrote:

hi -- have you signed up for the "privilege" of using hipaa codes yet?according to "alternative link," a website i was linked to from the nccaom website, tomorrow, thursday, 5/29 is the final deadline for securing your rights to use and evaluate ABC codes in HIPAA transactions. they say you must complete your registration at their site to secure those rights. the way they presented it, it felt like a scam, so i haven't done it yet.

Bill Terry wrote:

You don't have to use the AlternativeBCs. You do have to register to use them. And I believe the current registration is only for those actually using them before some other date long since gone by. As I understand it, last October was the date to register to use the alternative billing codes if you weren't using them already.

Dr. J. wrote:

i called the nccaom to ask about it (still waiting for an answer) and my malpractice carrier, because at that website, they require your ss#, etc., and i'm extremely reticent to give out that type of information to anyone i know nothing about, one of maybe many who say you have to do the registration at their site to secure those rights.

Bill Terry wrote:

SSN are not required for HIPPA. In fact, it is illegal to use them for any use other than their intended use. Although they may be required for some federal, healthcare related something, you can, for example use them as a patient record number, etc. This is going to be a bigger thing if the future.

Dr. J. wrote:

i also thought that if you do not know anything about this, and tomorrow is in fact that deadline, you may be left behind in this new world. i also thought you might be willing to share some info about this if you have any...

Bill Terry wrote:

You won't exactly be left behind. You just might not be allowed to participate in alternative billing codes. For a small practice, good ol' mainstream cash might just beat alternative billing. Of course if you really want to go alternative, you could always barter for chickens, eggs, window washing or whatever.....

June 5, 2003

Attilio,

A post on CHA by Geoff Hudson on May 31st spells out quite clearly how he as a Washington state CM practitioner gets paid by insurance within two weeks. He uses an HIPAA "clearing house" agent as he puts it. He's quite articulate in his post and makes it clear that he gets money from insurance when the economy is too weak to support much out-of-pocket cash paying patients. Those on the CHA list can go to message #17391 to see it.

Emmanuel Segmen