
Our Risk Management Department is staffed by experienced professionals with legal and clinical backgrounds.

This combination provides our clients with assistance from staff who have a thorough understanding of both the clinical situation and the legal issues and their implications. Our programs and services include:
 · Risk identification
 · Risk reduction
 · Loss prevention
 · Risk management education

We identify and implement sound risk management services to help you avoid potential incidents and lawsuits.


Top Ten HIPAA Myths About HIPAA's Privacy Rule
by Donna L. Vanderpool, MBA, JD

Myth #1: HIPAA and the Privacy Rule are the same thing.

Truth: The Privacy Rule is only one portion of HIPAA. HIPAA is the Health Insurance Portability and Accountability Act of 1996, which is a complex federal law covering many areas such as fraud and abuse, and portability of health insurance when workers change jobs. Under another section of this law, entitled Administrative Simplification, Congress addressed the electronic exchange of health information to reduce costs and increase the efficiency of processing insurance claims. Under the Administrative Simplification provisions of HIPAA, the Department of Health and Human Services (HHS) was required to promulgate regulations on:

- privacy standards, also known as the Privacy Rule
- transactions and code set standards
- unique identifier standards
- claims attachment standards
- security standards
- enforcement standards

The Privacy Rule, one of the regulations under the Administrative Simplification provisions of HIPAA, is the set of standards regulating the use and disclosure of protected health information.

Myth #2: The deadline for compliance with HIPAA is April 14, 2003.

Truth: Each regulation under HIPAA has a different compliance date. April 14, 2003 is the compliance date only for the Privacy Rule. The compliance date for the Transactions Rule is October 16, 2002 (unless a one-year extension has been obtained, as discussed in #5).

Myth #3: All physicians are covered by HIPAA.

Truth: Only those physicians who electronically transmit or receive (or have any other entity electronically transmit or receive on their behalf) any of the following eleven specified transactions are covered by HIPAA:

- health care claims or equivalent encounter information
- health care payment or remittance advice
- coordination of benefits
- health care claim status
- enrollment or disenrollment in a health plan
- eligibility for a health plan
- health plan premium payments
- referral certification and authorization
- first report of injury (once HHS adopts standards)
- health claims attachments (once HHS adopts standards)
- other transactions that the Secretary of HHS may prescribe by regulation

Myth #4: A billing service transmits claims electronically on my behalf, so I am covered by HIPAA, and will comply with the Privacy Rule, but I do not have to worry about any of the other regulations.

Truth: Since you are a "covered provider" under HIPAA, you are required to comply with all of the applicable regulations under Administrative Simplification - the Transactions Rule, the Security Rule, etc.

Myth #5: HIPAA requires all physicians to submit claims electronically.

Truth: Nothing in the HIPAA law requires electronic claims submission. However, you may be required to submit Medicare claims electronically under a separate law enacted in 2001 - the Administrative Simplification Compliance Act (ASCA). Under the ASCA, all Medicare claims must be submitted electronically by October 16, 2003; however, small providers (including physicians with less than 10 full-time equivalent employees) are excluded. Of course, once providers start submitting claims electronically to Medicare, they become covered providers under HIPAA and are subject to all of the Administrative Simplification regulations.

Under another provision of the ASCA, providers could have requested a one-year extension for compliance with the Transactions Rule - until October 16, 2003. To get this extension, providers must have - prior to October 16, 2002 - submitted to HHS a written plan indicating how compliance will be achieved by October 16, 2003.

Myth #6: Since I have less than 10 full-time equivalent employees, I am exempt from all Administrative Simplification regulations under HIPAA.

Truth: The only significance of a physician having less than 10 full-time equivalent employees is exemption from the requirement under the ASCA (see #5 above) that Medicare claims be electronically submitted by October 16, 2003. Physicians who electronically transmit or receive the transactions listed in #2 are covered by all of HIPAA's Administrative Simplification regulations, regardless of how many employees they have.

Myth #7: Since I filed for the extension, I have an extra year to comply with both the Transactions Rule and the Privacy Rule.

Truth: The extension only applies to compliance with the Transactions Rule. There is no extension available for compliance with the Privacy Rule - compliance is required by April 14, 2003, even if you have received an extension for compliance with the Transactions Rule until October 16, 2003.

Myth #8: Under the Privacy Rule, patients now have the right to demand that the psychiatrist amend their medical records.

Truth: The Privacy Rule only grants patients the right to request an amendment of their records. Psychiatrists may refuse to grant the amendment request if the record is reasonably accurate and complete. Note that patients may already have this right under many states' law. Amending the record has serious malpractice implications; accordingly, psychiatrists who agree to a patient's amendment request should contact Risk Management or their healthcare attorney for advice on how to properly amend the record.

Myth #9: Compliance with the Privacy Rule requires that I must turn over my patients' psychiatric records to law enforcement and national security personnel.

Truth: Under the Privacy Rule, there are only two mandatory disclosures - to the patient, and to HHS for enforcement. All other disclosures are permissive. You must continue to make decisions about releasing information based on other state and federal laws, as well as your ethical obligations.

Myth #10: I'm not covered by the Privacy Rule, so I don't need to worry about it.

Truth: The Privacy Rule, a new federal floor of confidentiality protections, will probably be viewed as the national standard of care, which must be met or exceeded by all physicians, whether technically covered or not. The Privacy Rule will also make it easier for patients to sue psychiatrists for breach of confidentiality under state law, or file an administrative complaint. In addition, states can enact (and Texas already has enacted) state law expanding the definition of covered providers to include all physicians and requiring compliance with state law that mirrors provisions of the Privacy Rule.
