Clinicians who are new to private practice or considering opening a private practice, either as a Medicare provider or with private insurance contracts, need to know about federal privacy regulations and how they may apply. The following information will help audiologists and speech-language pathologists understand the privacy regulations of the Health Insurance Portability and Accountability Act (HIPAA) of 1996.
Q: Does everyone need to comply with HIPAA regulations?
No. HIPAA applies only to covered entities. Covered entities are health plans, health care clearinghouses, and health care providers that conduct certain transactions in electronic form. Not all audiologists or speech-language pathologists in private practice meet the definition of a covered entity, especially if they bill using paper documents rather than a computer software program. Providers who do not qualify as a covered entity are not required to adhere to HIPAA regulations. To determine whether or not you are a covered entity, go to the HHS Web site. Of course, all ASHA members are bound by the ASHA Code of Ethics to protect patient privacy at all times.
Q: If I bill Medicare as a private practitioner, am I automatically a covered entity?
Generally, SLPs or audiologists who submit bills electronically to Medicare are covered entities. In most cases, Medicare requires claims to be submitted electronically. There are a few exceptions that allow for paper-based claims, including:
- Small providers—practices that employ fewer than 10 full-time equivalent staff members.
- Small number of Medicare claims—providers who submit fewer than 10 Medicare claims a month (in total, not 10 per carrier or intermediary).
- Other unusual circumstances—providers who can prove that a situation beyond their control prevents them from filing electronically.
Private practitioners should check with their Medicare intermediaries or carriers to determine if they may submit paper claims.
Q: HIPAA addresses only privacy, right?
HIPAA is more expansive than that. The rule includes provisions in three areas: the privacy of patient information; the security of such information through administrative, physical, and technical safeguards; and the electronic transmission of health care data. Each area has its own set of rules and regulations. Information about these rules can be found on the ASHA HIPAA Web site.
Q: I need to write a privacy notice. Are there any resources to help me?
The privacy notice is the most visible part of HIPAA compliance. You not only have to follow the rules that protect patient health information, you must also give all patients a copy of your privacy practices. Patients must sign an acknowledgement that they received a copy, which must be kept on file.
Most of us have visited our own physicians or other health care providers and received this notice of privacy practices. These notices are often written in a text-heavy and jargon-laced style. However, HIPAA requires that privacy notices be written in plain language (45 CFR 164.520, retrieved on July 16, 2009, from http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/notice.pdf [PDF]). Although it appears that this provision is not strictly enforced, audiologists and SLPs, as communication specialists, should take responsibility for making sure that their patients understand their rights under HIPAA. You can find help in drafting a privacy notice in plain language on the HRSA Web site.
Q: I am a solo practitioner so I don't have a privacy officer and can't afford to hire a privacy consultant. What should I do?
Appoint yourself the privacy officer and dive into the world of HIPAA. Many small practices are covered entities but do not have the infrastructure or funding to hire consultants or HIPAA-specific staff. In response to this difficulty, the Workgroup for Electronic Data Interchange [PDF] published information specifically for small practices that guides you through the regulations and provides additional resources and links.
Q: What changes were recently made to HIPAA?
The American Recovery and Reinvestment Act of 2009 (the federal "stimulus bill") made some amendments to HIPAA privacy and security regulations. These changes are not yet in effect, but some will be implemented 30 days after publication of applicable regulations. ASHA will provide an update once regulations are published.
If the covered entity maintains an electronic health record, it must allow individuals access to their "protected health information"—individually identifiable health care information—in that electronic record.
A covered entity must also maintain an accounting of all disclosures of electronic health records, including disclosures for treatment, payment, and health care operations. This accounting of disclosures must be maintained for three years.
Business associates who handle a covered entity's protected health information will now be subject to the same security and privacy requirements as covered entities. For example, if you contract with someone to handle the billing for your practice, that person must comply with all HIPAA regulations.
To the extent practicable, a covered entity must limit use or disclosure of protected health information to a "limited data set" that excludes certain information. Further information is available on the ASHA Web site.