September 2, 2008 Bottom Line

Bottom Line: Private Practice and HIPAA

Medicare, Medicaid, and private payers increasingly emphasize electronic billing and medical records. Many are paying electronic claims faster than paper submissions. E-mail and e-prescriptions have made faxes and regular mail almost obsolete—a situation that is especially true with third-party payers. The Health Insurance Portability and Accountability Act (HIPAA) privacy and security rules require that practitioners who submit claims or transmit a patient's health care information electronically comply with HIPAA requirements.

Q: Do I need to comply with HIPAA regulations?

Covered entities are required to comply with HIPAA regulations. A covered entity is defined as a practitioner who either bills electronically or uses a clearinghouse for billing purposes. However, practitioners may want to consider adding privacy policies to their practice regardless of HIPAA in order to educate consumers on how the practice protects their medical records. Individuals who file electronically must have a National Provider Identifier (NPI) in order to be HIPAA-compliant.

Q: How do I obtain a National Provider Identifier?

Audiologists and speech-language pathologists can apply online for their NPI, free of charge, by going to the National Plan and Provider Enumeration System (NPPES) Web site or by calling 800-465-3203 to request a paper application. It takes less than five minutes to apply online and the number is issued within a few minutes.

Q: Does an NPI automatically allow me to bill private insurance and Medicare?

No, the NPI is an identification number. SLPs and audiologists must also enroll separately in either the Medicare program or private health plans. Medicare and most private health plans now require a provider to have an NPI. You must have a Medicare provider number as well as an NPI in order to bill Medicare.

Q: How do I conduct an analysis of my practice's current compliance with HIPAA?

The best place to start is to conduct a risk analysis of your office to ascertain where privacy breaches may take place. Additional information on conducting a risk analysis can be found on the WEDI Web site [PDF].

Q: What should be included in my privacy plan?

Every covered entity must have documentation to show how the practice complies with the privacy rule. These documents must be retained and available to show compliance with HIPAA regulations. The documentation may include the designation of the privacy officer; the development of a training program for employees; methods of implementing safeguards to protect health information from intentional or accidental misuse; a means for individuals to lodge complaints about an entity's information practices; and a system of sanctions for employees and business associates who violate the entity's policies and procedures for compliance. In addition, the covered entity must have an authorization form and notice of privacy statement available for the patient's signature.

Q: How do I develop a Notice of Privacy Statement?

The Notice of Privacy Statement must mirror your privacy policies and include information related to both state and federal privacy regulations. Guidelines for developing this document can be found on the HRSA Web site.

Q: What code sets should I use?

HIPAA requires providers to use Current Procedural Terminology® (CPT), International Classification of Diseases, 9th Revision, Clinical Modification (ICD-9-CM), and Healthcare Common Procedural Codes (HCPCS) when filing electronic claims. These codes and information on their use can be found on ASHA's billing and reimbursement Web site.

Q: How long do I need to retain records?

HIPAA requires that covered entities retain records for six years.

Ingrida Lusis, director of federal and political advocacy, can be reached at

cite as: Lusis, I. (2008, September 02). Bottom Line: Private Practice and HIPAA. The ASHA Leader.
