CMS HIPAA IMPLEMENTATION ROUNDTABLES

In February of 2003, the Centers for Medicare and Medicaid Services began a series of monthly roundtable discussions concerning HIPAA implementation issues. Staff from the Office of Civil Rights were sometimes on hand to answer questions about the Privacy Standards. The most interesting points from the February 2003 through September 2003 discussions are summarized below.

APPLICABILITY

Two additional clarifications were made: (1) if a physician checks a health plan’s website to verify patient eligibility, the physician would be a covered entity under HIPAA, even if that is the only transaction the physician does electronically, and (2) if a provider is using a computer program to create a fax (instead of using a stand-alone fax machine), the fax is considered an electronic transaction.

PRIVACY STANDARDS

Accounting of Disclosures

The definition of a disclosure includes providing access to information. Therefore, if a survey organization has access to all of a provider’s records during its visit, this access is considered a disclosure of all records, even if the survey organization did not technically look at every record. Consequently, when completing an accounting of disclosures, providers may record that the oversight agency was there on certain dates and that it had access to all records on those dates. Similarly, if the survey organization had access to a database, then that would be a disclosure of every record in the database, whether or not it actually looked at every record.

Business Associates

If you are a provider, you are not considered a business associate of your health plan.

Notice of Privacy Practices

Indirect treatment providers (i.e., providers who provide results back to a primary provider and not directly to an individual) must have a notice of privacy practices and must post the notice and provide it to patients upon request. However, indirect treatment providers do NOT have to send a notice to every patient.

Psychotherapy Notes

Psychotherapy notes cannot be redacted from the record once there is a request for the record. Psychotherapy notes must be kept separate from the rest of the record as soon as a provider begins keeping a patient record.

SECURITY STANDARDS

Encryption

Encryption over an open network is not required because, under the HIPAA Security Rules, encryption is an addressable specification (instead of a required specification).

ELECTRONIC TRANSACTIONS AND CODE SETS

Paper vs. Electronic Transactions

Providers can choose whether to send paper or electronic transactions to a health plan, but if a provider wants to send electronic transactions, then the health plan (and any TPA) is obligated to accept those in the standard format. A provider has the option of transmitting transactions electronically or conducting transactions on paper and that decision can be made transaction by transaction, payer by payer. But, if a provider does transmit electronically, the provider must use the standard format. Additionally, if a small provider is exempt from the requirement to bill Medicare electronically, the provider may continue to bill via a paper format. Although there is no official guidance on this, providers can assume that an entity cannot “take back” their covered entity status by converting back to paper claims once claims have been made electronically.

Contingency Plans

If a covered entity has deployed a contingency plan for meeting the Transactions and Code Sets standards after having made a good faith effort to be compliant, and CMS then receives a complaint concerning the covered entity, CMS would not take enforcement action against the entity. CMS has indicated that they will deploy their contingency plan for Medicare fee-for-service. The press statement that CMS issued regarding this reads as follows:

After careful analysis of Medicare provider, submitter and other trading partners in HIPAA readiness, Medicare will continue to accept and send standard and non-standard versions and/or formats for any electronic transaction for a limited period beyond October 16, 2003.
This is a temporary measure to maintain provider cash flow and minimize operational disruption while trading partners who are not compliant on October 16, 2003, work with Medicare to achieve full compliance. This contingency plan is only for a limited time. Providers who must continue to bill and receive non-compliant formats should test and move into production on HIPAA-required formats as soon as possible or risk possible cash flow problems.

CMS has said that they do not know when the contingency period will end, but they will give ample advance notice before doing so. Blue Cross/Blue Shield Association has also announced that all of the Blue plans will implement a contingency plan for a short period of time.

Contractor Compliance

Information regarding specific contractor HIPAA testing is available at: www.cms.hhs.gov/providers/edi

CMS has stated that a plan that is not able to conduct a transaction in a HIPAA format as of October 16 is technically out of compliance and that a provider is within its rights to file a complaint, but CMS would encourage providers and plans to try to work things out between them. If there seems to be progress in working it out, then CMS would not take any action.

ELECTRONIC MEDICARE BILLING

Medicare Waivers

The following is considered an exhaustive list of situations where billing Medicare electronically will be waived.
Providers should self-assess their organizations to determine whether or not they meet the waiver requirements. Medicare will NOT issue waiver certificates or maintain a database of waived providers.

Provider Identifier

Final national provider identifier rules will be published by the end of the year.