CanYou Be a Non-Covered Entity?
Discussionprepared by M. Dunlap for Pragmatics of HIPAA 2-28-03- updated 11-2008
Thereality is that most mental health professionals now (11/98) meet the HIPAAdefinition of "covered entity."
Onlya small proportion of us were engaged in electronic transactions when the regulations came into effect.
However,the conflicting reality was that most insurers were already indicating thatthey expected professionals to be HIPAA compliant ... that is to havethe written Policies and Procedures, and Privacy Practices Notices,to have HIPAA compliant Consent forms, Authorization forms, BusinessAssociate Agreements ... in order to contract with and/or be reimbursed fortheir services.
Thereis a difference between being "non-covered" and being"non-compliant."
Ifyou have a contract to be compliant or agree to become compliant you must followthe HIPAA Privacy and Security rules.
TheTransaction rules apply to the actual electronic billing process, for"covered entities"
Asa "covered entity" a professional must follow all three sets ofstandards set by HIPAA: Privacy, Security and Transaction.
AfterOctober 16, 2003 .. when the insurance companies must comply with TransactionsStandards, professionals who bill insurance, even on paper, will be required touse ICD Transaction codes.
Further,if you send a FAX to an insurance or managed care company you have no controlover whether it will be received into a computer, and thereby become anelectronic transaction, causing you to become a "covered entity"
Unlessyou maintain an entirely self-pay practice, it makes sense to re-workyour office practices to be HIPAA compliant.
Youmight use "HIPAA compliance" status to assert you will provideonly the minimum necessary information about clients to third partypayers.
Youcan jointhe American Mental Health Alliance and work with other mental healthprofessionals to create simple, non-invasive treatmentsystems.
Does HIPAA apply to your practice? See the document at this link for CMS standards effective 11/28/2008: http://www.cms.hhs.gov/HIPAAGenInfo/Downloads/CoveredEntitycharts.pdf
Thefollowing document can also be found at:http://www.aapsonline.org
Association of American Physicians and Surgeons, Inc.
HIPAA ADMINISTRATIVE SIMPLIFICATION
Frequently Asked Questions: Coveredv. Non-Covered Entities
Thesequestions have been prepared in response to inquiries from physicians across thecountry.
Based on these reports, most consultants, seminars, and lawyers areneglecting to advise physicians of the option of being a non-covered entityunder HIPAA. In fact, many of you tell us that you have been told by hospitalcounsel and others that you can NOT be a non-covered entity and that compliancewith HIPAA is mandatory for all.
Thesequestions should help you make an informed decision whether being a covered ornon-covered entity is right for you and your patients.
1.Why would I want to be a non-covered entity?
You'llprotect your patients from having their private records entered into anation-wide computer data base, potentially accessible by thousands of privateand public bureaucrats, law enforcement agencies, employers, and hackers.
You'llsave up to tens of thousands of dollars in compliance efforts.
Andfinally, you keep the practice of medicine free from the straitjacket of workingthrough a recipe book of 200,000 government-imposed codes.
2.How do we know that being non-covered is a real possibility?
3.Why don't doctors hear about the possibility of being non-covered at thehospital meetings and HIPAA seminars that they attend?
4.The government claims that the Rules will eventually save lots of money. Whywould I want to miss out on these savings?
Thetouted savings from withdrawing the requirement to get patients to sign consentforms, estimated to be $103 million over 10 years, is more than offset by thenew notification requirement, which would add $184 million in costs over thesame time period. The net savings comes primarily from simplifying rules forresearchers. (See page 33 of theModifications to the Proposed Rule from the Federal Register .) Toget an idea of the accuracy of the government's cost estimates, HHS estimatedthe cost of obtaining a signature on a complicated form to be about $0.05 - thecost of printing the form alone.
5.Wouldn't I just be red flagging my practice for audit if I become a non-coveredentity?
Byfiling a request for extension or signing a contract agreeing to compliance as acovered entity, you have declared your intention to comply as well as thespecifics of your compliance plan. Those statements could be used by aprosecutor as evidence if your compliance is imperfect.
6.What are the deadlines for compliance with HIPAA Administrative Simplification?
7.Do I have to use the transaction standards outlined under HIPAA?
8.How much will it cost to become HIPAA compliant?
Thecomputer system alone could cost between $10,000 and $20,000. Continuingeducation and monthly regulatory updates cost thousands - and all of themrecommend expert consultants and lawyers, who will probably be in great demandand charging top dollar. Many of the audio conferences addressing a singleelement of HIPAA, such as duties of the privacy officer, cost $200 per person.Some "industry players" have estimated the cost to be so high thatthey asked whether it wouldn't be cheaper just to pay the fines as a cost ofdoing business. PriceWaterhouseCoopers found that, for covered entities, theanswer is NO.
9.What additional expenses will I incur to remain a non-covered entity?
10.What are the penalties for non-compliance if I am a covered entity?
11.What are the penalties for "misuse" of patient information as acovered entity?
12.What are the penalties for non-compliance with HIPAA if I am a non-coveredentity?
13.What is the difference between a HIPAA compliance program and a Medicarecompliance program?
14.But if I don't do anything wrong and protect my patients' information, I can'tget in trouble, right?
15.I have a small practice. Does the size of my practice change what regulationsapply to me under HIPAA?
Accordingto a PriceWaterhouseCoopers reportprepared for Blue Cross and Blue Shield Association, one of the myths aboutHIPAA is that "HIPAA compliance will be much simpler for smallproviders." In fact, the only basis for this argument is the ability ofsmall providers to revert to paper/ manual transactions. The TCSrequirements are not scalable to reduce the impact on small organizations. Anentity will either be able to submit and receive compliant transactions, or not.
Theonly place small practices get some regulatory relief is that those with fewerthan 10 employees are exempt from the electronic filing requirement thatMedicare will begin in October 2003.
16.Do I have to file electronic claims?
Youmay have signed a contract requiring electronic claims submission to a privateentity. Medicare claims will have to be filed electronically after October 16,2003, IF you have ten or more full-time employee equivalents UNLESS you have nomeans to file in this way.
17.What constitutes an electronic transmittal that makes you a HIPAA-coveredentity? E-mail? Phone? Fax?
Sendingcomputer information within your own network is NOT a covered "electronictransmittal." Telephone calls are NOT considered an "electronictransmittal."
Oneprominent attorneysaid that faxes are defined as an "electronic transmittal," but an HHSauthority disagreed. Simply sending a fax does not make you a covered entity;sending an electronic claim does.
Asbest we can tell, patient communication is not addressed by HIPAA, so e-mailsbetween you and a patient should NOT be subject to HIPAA rules.
17A.So then faxes and paper records are not subject to HIPAA compliance rules, evenif I'm a covered entity, right?
Someconsultants suggest that covered entities need to unplug their fax at night toprevent the unauthorized viewing of protected health information.
Rememberthat if you are covered, then even your paper records are subject to HIPAAscrutiny, and not just electronic transmittals.
18.What electronic claims are subject to HIPAA?
19.Do I have to file any claims - electronic or paper - for my patients under HIPAA?
Underthe Administrative Simplification Compliance Act, you will be required to fileMedicare claims electronically after October 16, 2003, unless you have fewerthan 10 full-time employee equivalents. If you do file electronic Medicareclaims, that will make you a covered entity under HIPAA.
20.What if I file some paper claims, and some electronic claims - won't just theelectronic claims be subject to the HIPAA rules?
21.What if I don't file electronic claims for federal programs - will I benon-covered?
22.I don't think I have many business associates. Just what is a business associateas defined by HIPAA?
Aperson who, on behalf of a covered entity, performs or assists in theperformance of:
1)A function or activity involving the use of disclosure of individuallyidentifiable information, including activities such as claims processing oradministration, data analysis, administration, utilization review, qualityassurance, practice management, billing benefit management or repricing; or
2)Provides (other than in the capacity of a member of the workforce of suchcovered entity) legal, actuarial, accounting consulting, data aggregation,management, administrative, accreditation, or financial services to or for suchcovered entity.
23.How does HIPAA define the "minimum necessary" standard?
24.But who decides then what is the "minimum necessary"?
25.What are the permitted uses and disclosure of patient information under HIPAAwithout patient authorization?
26.What makes me a covered entity?
27.How can I become a non-covered entity?
28.What paperwork do I have to file to become a non-covered entity?
29.What is the deadline to become a non-covered entity?
Youmust not transmit any "protected health information" electronicallyafter the April 14, 2003, deadline for compliance with the privacy regulationsif you are a non-covered entity. But to be safe, some attorneys recommend thatyou stop filing electronic claims before the October 2002 transaction standardscompliance deadline.
There'sone more reason to stop submitting by October 16, 2002. If you file anyelectronic claims after October 16, 2002, but do not comply with the transactionstandards or have not filed for an extension, you could be excluded fromMedicare.
30.What if I've already filed an extension for the October 2002 deadline with HHS?
31.What if my hospital asks me to sign a contract or a business associateagreement?
32.What if I've already signed a business associate contract with my hospital orany other agreement promising or requiring compliance? Can I rescind thatagreement?
33.Do I need a lawyer to help me become a non-covered entity?
Butas with any legal issues, it would be wise to consult with an attorney whospecializes in health care and HIPAA.
34.What if I transmit clinical data electronically for consults, etc. Under HIPAA,is that a covered transmission of data?
35.Can I still send e-mail to attorneys as a non-covered entity?
36.Can I use an outside billing company and be a non-covered entity?
HHSinsists that doctors are responsible for the activities of their outside billingservices.
37.How does being a "non-covered entity" affect certification under otheragencies and organizations?
However,extreme caution is in order if the statement implies or states that you are acovered entity. PriceWaterhouseCoopers warns about statements certifying HIPAAcompliance required by accreditation bodies such as NCQA and JCAHO, stateregulators and licensing agencies, or federal programs including Medicare,Medicaid, and the Federal Employee Health Benefit Program. If a falsecertification is discovered, all the draconian penalties of the False Claims Act(FCA) could also be triggered - even if the claim itself is perfectly accurate.(See pwchealth.com/articles.shtml).
38.Can I be a non-covered entity under HIPAA and still participate in Medicare?
Youmight want to consider opting out. On careful analysis, some physicians havefound that they are actually losing money on every Medicare patient that theysee. Even if this is not true in your practice, the HIPAA compliance costs thatyou might otherwise not incur could tip the balance toward opting out. A simple,step-by-step plan for opting out is available at www.aapsonline.org/medicare/optout.htm.
39.How will being a non-covered entity affect my patients?
40.How will being a non-covered entity affect my reimbursements?
41.Won't it cost me more to process all paper claims?
42.Can private plans charge me a processing fee for filing paper claims? What aboutmy Medicare carrier? Can I pass those surcharges along to my patients?
43.I use a handheld or laptop in the examining room to enter my notes. Can Icontinue to do so as a non-covered entity?
44.Will I have to restrict my use of online resources such as Medline?
45.If I'm a non-covered entity, am I forever stuck with snail mail, faxes, phonecalls, and stacks of paper?
Betterto suffer with horse-and-buggy technology for a few more years than to beforever stuck with a Yugo.
46.Do I need to advise my patients of my status and policies as a non-coveredentity?
However,you might want to consider giving your patients a statement about being anon-covered entity. Even though it is not required, it is an excellentopportunity to make a very positive statement to your patients that you aretheir advocate and that you have taken a big step to protect their privacy (seesample PatientProtection Advisory).
Theinformation above represents the analysis of the Association of AmericanPhysicians and Surgeons for public discussion and debate. This may not beconstrued as legal advice. Please consult an attorney for legal advice.
Resourcesutilized in preparation:
ThisFAQ utilizes in part statements by the following:
KarenTrudel, Director of HIPAA Projects,Centers for Medicare and Medicaid Serivces ;Andrew Schlafly, Esq.,AAPS General Counsel, New York, NY; Vicki Yates Brown,Esq.,Chair, Health & Insurance Practice Group
What the Rules Say
Transactionsfor which the Secretary has adopted standards; the standards are at 45 C.F.R.Part 162. If a health care provider uses another entity (such as aclearinghouse) to conduct covered transactions in electronic form on its behalf,the health care provider is considered to be conducting the transaction inelectronic form.