[ Monday, March 21, 2022 ]
Not all providers are covered by HIPAA.
So, the always-prescient Noah Speck asked:
Why is the question of whether a provider is billing or
being paid electronically by insurers such an important factor in the covered
entity determination?
Good question. Pull up a chair.
3 types of entities meet the definition of covered entity:
the shorthand is “plans, providers, and clearinghouses.” But while all “health plans” and all “health
care clearinghouses” are covered entities, the only type of provider that is a
covered entity is: “A health care provider who transmits any health information in
electronic form in connection with a transaction covered by this
subchapter.” That regulatory language
(from 2000) tracks the language of the 1996 statute.
One of the conceptual goals of HIPAA was to accelerate the
adoption of electronic data interchange in healthcare. One of the methods to do so was to make
certain common transactions between health industry participants easy to do
electronically, by standardizing the format and content of the transactions
into specific digital formats. Everyone
used similar paper billing methods (based on the formats used by Medicare), but
every payor had a slightly different form; getting all those forms standardized
in electronic format would encourage providers and payors to go digital, there
would be fewer errors, payments would occur faster, time would be saved, the
sun would shine brighter, and we’d all have a spring in our step. The cold war was over, the President was a
cool dude who played the sax, it was a happy, hopeful time.
9 different transactions were standardized: 2 between plans
and employers, the other 7 between plans and providers. The provider’s submission of a bill to the
plan, and the plan’s payment back to the provider for services, are both
transactions that were standardized. If
you engage in one of those transactions electronically, you have to do so in
the HIPAA-standardized format.
One of the justifications for the security rule was that the
effect of pushing standard transactions would be a dramatic increase in the
volume of digital health data, as well as an increase in the amount of digital
data being transmitted electronically.
Electronic data is more useful to legitimate industry participants, but
it’s also a lot more useful to “bad guys.”
It’s a lot easier to “steal” electronic data than paper records, not to
mention easier to use in a bad way (i.e., hack). If HIPAA is going to push health industry
players to use and transmit more electronic data (thus increasing the risk of
bad things happening), it also has to push the same players to step up their
game with regard to privacy and security.
Hence, the privacy rule and security rule were born.
At the time, plenty of healthcare providers were exclusively
paper-based, and didn’t want to change.
Doctors who were in their 50s or 60s in the late 1990s had no intention
of “going digital,” and certainly saw no need to invest in new technology or
change the way they were doing things.
At the time, Medicare didn’t even require providers to bill
electronically, and small medical practices were able to bill Medicare via
paper for many years after HIPAA became effective. When the legislation was passed in 1996,
lawmakers didn’t want to force those doctors (likely voters) to have to upend
their practices by instituting all the new requirements of the privacy and
security rules. So they effectively
carved them out: if a doctor (or any healthcare provider) wanted to stay
paper-only, they could, and avoid the shake-up of their practice that all the
digital providers had to do. The
defining line between “going digital” (and being HIPAA-covered) and not was
whether the provider engaged in the HIPAA-covered transactions: if you engage
in one of those 9 transactions electronically, you have to do it in HIPAA
formats; and if you’re doing HIPAA formats, you should be doing the other
privacy and security stuff as well.
Additionally, the definition of “health care provider” is itself pretty
broad, and there are some businesses that fit within that broad definition
(acupuncturists, massage therapists, personal trainers) that would have a
difficult time becoming HIPAA compliant (and most people would not expect that
level of care and diligence from them anyway).
Most of those businesses on the “fringe” of the definition don’t bill
insurers, and thus don’t engage in HIPAA-regulated transactions, and therefore
aren’t covered by HIPAA either.
The distinction between billing and being paid is
irrelevant. Either billing an insurer
electronically or getting paid by an insurer electronically would be a
transaction regulated by HIPAA; billing or collecting on paper wouldn’t,
because paper transactions aren’t required to be in the HIPAA formats. Likewise, a simple credit card charge to the
patient isn’t a type of electronic transaction regulated by HIPAA (only the
interchange between the insurer and the provider has to conform to the HIPAA
transaction and code sets rule), so it wouldn’t be required to be in a
HIPAA-compliant format; therefore, billing a patient’s credit card, while
electronic, wouldn’t turn the provider into
a covered entity. The relevant
question is whether a HIPAA-covered transaction has occurred, and for a health
care provider, those are all the transactions between the provider and a “plan.” That’s why it’s relevant to know if the
provider bills or is paid by insurance electronically.
So, billing insurance electronically is often the first
domino to fall, making a provider a HIPAA covered entity when it wouldn’t
otherwise be. You may wonder why HIPAA
is concerned with billing information, when you’d think it should be focusing
on all PHI. But that misses the
point. HIPAA is focused on all PHI, and
once you’re in (as a covered entity), you’re bound to protect the PHI in all
respects covered by HIPAA. It’s not that
the billing information is the key to HIPAA applicability; rather, the billing
portion is just the starting gate.
Jeff [12:12 PM]