HIPAA Blog

[ Monday, March 21, 2022 ]

 

 Not all providers aren't covered by HIPAA.

So, the always-prescient Noah Speck asked:

 Why is the question of whether a provider is billing or being paid electronically by insurers such an important factor in the covered entity determination?

 Good question.  Pull up a chair.

 3 types of entities meet the definition of covered entity: the shorthand is “plans, providers, and clearinghouses.”  But while all “health plans” and all “health care clearinghouses” are covered entities, the only type of provider that is a covered entity is: “A health care provider who transmits any health information in electronic form in connection with a transaction covered by this subchapter.”  That regulatory language (from 2000) tracks the language of the 1996 statute.

 One of the conceptual goals of HIPAA was to accelerate the adoption of electronic data interchange in healthcare.  One of the methods to do so was to make certain common transactions between health industry participants easy to do electronically, by standardizing the format and content of the transactions into specific digital formats.  Everyone used similar paper billing methods (based on the formats used by Medicare), but every payor had a slightly different form; getting all those forms standardized in electronic format would encourage providers and payors to go digital, there would be fewer errors, payments would occur faster, time would be saved, the sun would shine brighter, and we’d all have a spring in our step.  The cold war was over, the President was a cool dude who played the sax, it was a happy, hopeful time.

 9 different transactions were standardized: 2 between plans and employers, the other 7 between plans and providers.  The provider’s submission of a bill to the plan, and the plan’s payment back to the provider for services, are both transactions that were standardized.  If you engage in one of those transactions electronically, you have to do so in the HIPAA-standardized format.

 One of the justifications for the security rule was that the effect of pushing standard transactions would be a dramatic increase in the volume of digital health data, as well as an increase in the amount of digital data being transmitted electronically.  Electronic data is more useful to legitimate industry participants, but it’s also a lot more useful to “bad guys.”  It’s a lot easier to “steal” electronic data than paper records, not to mention easier to use in a bad way (i.e., hack).  If HIPAA is going to push health industry players to use and transmit more electronic data (thus increasing the risk of bad things happening), it also has to push the same players to step up their game with regard to privacy and security.  Hence, the privacy rule and security rule were born.

 At the time, plenty of healthcare providers were exclusively paper-based, and didn’t want to change.  Doctors who were in their 50’s or 60’s in the late 1990’s had no intention of “going digital,” and certainly saw no need to invest in new technology or change the way they were doing things.  At the time, Medicare didn’t even require providers to bill electronically, and small medical practices were able to bill Medicare via paper for many years after HIPAA became effective.  When the legislation was passed in 1996, lawmakers didn’t want to force those doctors (likely voters) to have to upend their practices by instituting all the new requirements of the privacy and security rules.  So they effectively carved them out: if a doctor (or any healthcare provider) wanted to stay paper-only, they could, and avoid the shake-up of their practice that all the digital providers had to do.  The defining line between “going digital” (and being HIPAA-covered) and not was whether the provider engaged in the HIPAA-covered transactions: if you engage in one of those 9 transactions electronically, you have to do it in HIPAA formats; and if you’re doing HIPAA formats, you should be doing the other privacy and security stuff as well.  Additionally, the definition of “health care provider” is itself pretty broad, and there are some businesses that fit within that broad definition (acupuncturists, massage therapists, personal trainers) that would have a difficult time becoming HIPAA compliant (and most people would not expect that level of care and diligence from them anyway).  Most of those businesses on the “fringe” of the definition don’t bill insurers, and thus don’t engage in HIPAA-regulated transactions, and therefore aren’t covered by HIPAA either.

 The distinction between billing and being paid is irrelevant.  Either billing an insurer electronically or getting paid by an insurer electronically would be a transaction regulated by HIPAA; billing or collecting on paper wouldn’t, because paper transactions aren’t required to be in the HIPAA formats.  Likewise, a simple credit card charge to the patient isn’t a type of electronic transaction regulated by HIPAA (only the interchange between the insurer and the provider has to conform to the HIPAA transaction and code sets rule), so it wouldn’t be required to be in a HIPAA-compliant format; therefore, billing a patient’s credit card, while electronic, wouldn’t turn the provider into  a covered entity.  The relevant question is whether a HIPAA-covered transaction has occurred, and for a health care provider, those are all the transactions between the provider and a “plan.”  That’s why it’s relevant to know if the provider bills or is paid by insurance electronically.

 So, billing insurance electronically is often the first domino to fall, making a provider a HIPAA covered entity when it wouldn’t otherwise be.  You may wonder why HIPAA is concerned with billing information, when you’d think it should be focusing on all PHI.  But that misses the point.  HIPAA is focused on all PHI, and once you’re in (as a covered entity), you’re bound to protect the PHI in all respects covered by HIPAA.  It’s not that the billing information is the key to HIPAA applicability; rather, the billing portion is just the starting gate.


Jeff [12:12 PM]
