CAs, can we talk? Since 1996, the health profession has been talking about the Health Insurance Portability and Accountability Act (HIPAA). What is it? What are the rules? How will it affect our patients? Will it change the way our clinics are run? Will we need a new computer program? Is there going to be a seminar on this? (I sure hope so!)
There are so many questions and so few answers, I did not know if I should even attempt to write this article. However, the time has come. The HIPAA regulations have been published by the federal government and read like an I.R.S. publication. It's really fun stuff - not! The Department of Health and Human Services has graciously given all health care providers the opportunity to file a one-year extension, so we can all figure out what we need to do.
The deadline for filing a compliance plan was October 15, 2002. The one-year extension was for claims processing only. You must also have a complete HIPAA compliance plan in place by April 2003. Those who filed the online form immediately received a confirmation number that could be printed on the clinic's compliance plan manual. It's estimated that only four-to-five percent of health care professionals, institutions and EDI clearinghouses filed for the extension.
Some professionals have the false understanding that if they have a clinic that does not utilize a computer or bill electronically, they are exempt from developing and implementing a HIPAA compliance plan. Computer transactions, on-or offline, are only a small part of the rules.
Let's talk about privacy and security. Under HIPAA, a clinic needs a privacy officer and a security officer. These two positions can be assigned to the same person, or two people can be responsible. This person could be the doctor or a doctor's spouse that works part-time. Each position will need its own written job descriptions. These staff members will be responsible for preparing an initial analysis of the clinic's needs to improve privacy and security issues; have a written plan of action to implement improvements; give proper training to staff members; test the implementation plan; and keep proper documentation of all of the privacy and security plans. The gist of this is to prepare and implement our legal responsibilities as health care providers. We must show reasonable attempts to keep patients' health information and histories in our possession protected and secured.
A CA recently asked me what the "big deal" would be if the doctor wouldn't comply with these new guidelines. Frankly, it could be costly to your doctor and clinic. Just think of the potential for damages that will exist. For example, a disgruntled patient may want to cause the clinic trouble, and whether your doctor's malpractice insurance will cover claims involving these types of violations, I believe, is still unclear, but the good news is that the maximum fine for violation is "only" $25,000.
My point in writing this article is not to tell you that if you did not file for your extention, the HIPAA police may come and take you away, nor to tell you how your clinic can be compliant, because I can't. Every clinic has different needs. I'm not trying to scare you about the possible financial liabilities so that you want to get out of the profession. If you think our individual chiropractic clinics are unsure and confused, I am sure any hospital or chiropractic college clinic in the country would be glad to trade places with you. The point is that doctors and CAs are affected by this, so do not put it off! Work with your national and state associations, and get the facts from reliable sources so you can do it right the first time.
Until next time, CAs, go out and make a difference - but remember - April 2003 will be upon us before you know it.
Rose Jacobs
Chesterfield, Missouri
