HIPAA: Frequently Asked Questions - Feb 2004

Q. What do the ACA's ethical guidelines say about disclosure of personal health information? Are they consistent with HIPAA?

A. Yes, the ACA Code of Ethics is consistent with HIPAA. It states the following:

A (5) Doctors of chiropractic should comply with a patient's authorization to provide records, or copies of such records, to those whom the patient designates as authorized to inspect or receive all or part of such records. A reasonable charge may be made for the cost of duplicating records.

A (6) Subject to the foregoing Section A (5), doctors of chiropractic should preserve and protect the patient's confidences and records, except as the patient directs or consents or the law requires otherwise. They should not discuss a patient's history, symptoms, diagnosis, or treatment with any third party until they have received the written consent of the patient or the patient's personal representative. They should not exploit the trust and dependency of their patients.

Here's what the HIPAA regulations state on the subject:
Uses and Disclosures

Authorization. A covered entity must obtain the individual's written authorization for any use or disclosure of protected health information that is not for treatment, payment or health care operations or otherwise permitted or required by the Privacy Rule. A covered entity may not condition treatment, payment, enrollment, or benefits eligibility on an individual's granting an authorization, except in limited circumstances.

An authorization must be written in specific terms. It may allow use and disclosure of protected health information by the covered entity seeking the authorization or by a third party. Examples of disclosures that would require an individual's authorization include disclosures to a life insurer for coverage purposes, disclosures to an employer regarding the results of a pre-employment physical or lab test,

or disclosures to a pharmaceutical firm for its own marketing purposes. All authorizations must be in plain language and contain specific information regarding the information to be disclosed or used, the person(s) disclosing and receiving the information, expiration, right to revoke in writing, and other data. The Privacy Rule contains transition provisions applicable to authorizations and other express legal permissions obtained prior to April 14, 2003.

Q. Has HIPAA gone away or is it still hanging over everyone's heads?

A. No, HIPAA has not gone away! CMS has issued a contingency plan in order to give covered entities more time to become HIPAA compliant. Covered entities should be using this time to become HIPAA compliant since CMS can announce a new compliance date at anytime. Use this time wisely! Here's what CMS has said:

"HIPAA is the law. And deciding to ignore HIPAA requirements is a real gamble and it's one with high stakes because cash flow is the lifeblood of a health care provider and a health care claim is how that blood flows. If the flow of claims stops because of a non-compliance issue then the cash flow stops too. The only way to assure this does not happen is to implement compliant transactions and then to test them with the health plan to make sure the claims can be submitted and processed and that accurate payments can be made. The longer you wait, the harder it will be to arrange for testing. We expect a

crowd of testers at the last minute and it may be difficult to accommodate them all. Remember the long lines at the post office on income tax day? But don't stop there. Call the other plans you submit claims to and talk to them about testing also. If your vendor hasn't supplied you with a compliant version of its software yet, find out when it will and ask for help if you need it. Professional associations have a wealth of information available for their members and CMS also has free outreach materials available. But the bottom line is, don't underestimate the importance of this Contingency plan. Don't underestimate the work that's involved in becoming compliant. And prepare and plan ahead to assure that your cash flow remains steady."

Q. How long will CMS's contingency plan be in effect?

A. CMS officials did not set a new compliance deadline but said they will "regularly reassess the readiness" of providers to determine when providers must come into full compliance with the HIPAA regulations.

The contingency plan was put into effect for the benefit of providers. It allows CMS to continue to process claims for providers who were not able to meet the deadline. Had the contingency plan not been put into place, many providers would not have been able to get their Medicare claims processed, which could have disrupted their practices.

Q. Is a copy, facsimile, or electronically transmitted version of a signed authorization valid under the Privacy Rule?

A. Yes. Under the Privacy Rule, a covered entity may use or disclose protected health information pursuant to receiving a copy of a valid and signed authorization, including a copy that is received by facsimile or electronically transmitted.

Q. Does the HIPAA Privacy Rule require that covered entities provide patients with access to oral information?

A. No. The Privacy Rule requires covered entities to provide individuals with access to protected health information about themselves that is contained in their "designated record sets." The term "record" in the term "designated record set" does not include oral information; rather, it connotes information that has been recorded in some manner.

The rule does not require covered entities to tape or digitally record oral communications, nor retain digitally or tape-recorded information after transcription. But if such records are maintained and used to make decisions about the individual, they may meet the definition of "designated record set." For example, a health plan is not required to provide a member access to tapes of a telephone "advice line" interaction if the tape is maintained only for customer service review and not to make decisions about the member.