Are You Sure You Are a HIPAA Covered Entity?
Since our Program has insured tens of thousands of psychiatrists over almost 30 years, it won’t surprise anyone that we have been studying and educating psychiatrists on HIPAA since 2000. We’ve presented entire CME seminars devoted to HIPAA, as well as covered HIPAA as one of many topics in our other seminars.
But fourteen years after the healthcare world first heard of HIPAA, some psychiatrists who attend our presentations are still learning (happily!) that they are not actually a “covered entity” under HIPAA, so they technically (more on that shortly) don’t have to comply with the regulations under HIPAA, such as the Privacy Rule, Security Rule, Breach Notification Rule, and Omnibus Rule.
Coverage under HIPAA turns on specific electronic transactions for which the Department of Health and Human Services (HHS) has created a standard. These electronic standards generally involve health plans, and the most common electronic transaction that makes a provider covered is the claim form sent electronically to health plans seeking payment for services rendered. Other transactions that if done electronically would make a provider covered under HIPAA include, but are not limited to, transactions for health plan eligibility, referral certification and authorization, claim status, healthcare payment and remittance, etc. The full list of transactions that if done electronically will make a provider covered can be found here (.pdf).
Note that if you do not actually transmit claim forms electronically to health plans yourself, but someone else does so on your behalf – such as a billing service – you are still covered by HIPAA and must comply with all of the HIPAA regulations.
The significance of not being a covered entity under HIPAA is that the government cannot come after you for HIPAA violations. However, the HIPAA regulations are seen as a floor of confidentiality and security protections for patient information – providers, particularly psychiatrists and other behavioral health professionals – are held to much higher standards under their ethical and professional obligations. And, all providers still need to worry about protecting patient confidentiality and the security of patient information under state law.
Please note: This post is for informational purposes only; nothing in this post should be construed as legal advice.
Donna Vanderpool, MBA, JD – Vice PresidentAs Vice President of Risk Management, Ms. Vanderpool is responsible for the development and implementation of PRMS’s risk management services for The Psychiatrists’ Program. Ms. Vanderpool has developed expertise in the areas of HIPAA and forensic practice, and has consulted, written and spoken nationally on these and other healthcare law and risk management topics. She most recently wrote a chapter concerning the risks of harm to forensic experts for Robert L. Sadoff, MD’s book Ethical Issues in Forensic Psychiatry: Minimizing Harm, (Feb. 2011/Wiley). Ms. Vanderpool received her undergraduate degree from James Madison University, and her MBA and JD from George Mason University. Prior to joining PRMS in 2000, Ms. Vanderpool practiced criminal defense law, taught business and legal courses as an adjunct faculty member at a community college and spent eight years managing a general surgical practice in Virginia. |