up to 10 units of continue education credits available

approved by

California Acupuncture Board & NCCAOM

California CEP# 418 & NCCAOM ACHB# 184-001

HIPAA NEWS!

Aetna Mandates Electronic Claims Submission

Aethna is the first major private insurance carrier to mandate HIPAA compliance.

• Effective September 15, 2003, you will be required to send all Aetna claims electronically!

• To process their claims electronically, providers will need to use the new HIPAA X12N Standards. 

• Provider will soon be required to certify in writing that they are HIPAA compliant in order to receive reimbursement for their services.

The only real question left to be answered is to what extent doctors will be required to demonstrate their HIPAA compliancy.  Will the insurance company audit their provider to confirm the level of compliancy? 

HIPAA is short for "Health Insurance Portability and Accountability Act of 1996".  Final privacy regulations were issued by the US Department of Health and Human Services for the HIPAA on August 14, 2002. HIPAA is the law right now. On April 14, 2003 penalties will be imposed to enforce compliance with the law. 

update! The HIPAA laws affect ALL healthcare provider. No one is exempt from this law even if you have a pure cash practice (more details on the changes). For another word, HIPAA will forever change the way all health care providers do business.

HIPAA defines that the information in client files belongs to the client, not the practice and MUST be protected. HIPAA will cause sweeping changes in the way that information is handled and protected both manually and electronically.

Here are some of the rules that affect acupuncture profession:

1. The HIPAA Privacy Rules require certain specific methods of handling the protected health information (PHI) of clients. On April 14, 2003, these changes must be implemented. Fines, penalties and possible jail time can be imposed for non-compliance. 

HIPAA doesn't stop there. It also requires new procedures regarding patient access to their information.  And the practice must notify each patient of these rights with a "Notice of Privacy Practices." This notice must include the patient's rights, the practice's HIPAA policies and the address of where to complain.

And HIPAA laws do not override most restrictive state privacy laws. So your practice must be compliant with state AND federal privacy laws.

2. The HIPAA Security Rules require specific methods of handling Electronic transmission of data.   Meaning if your practice transmits any patient information to anyone else you fall under the HIPAA rules.  If your practice currently does not transfer information electronically, on October 16, 2003 you will have to.  On October 16, 2003 Medicaid and Medicare require all claims to be submitted electronically. Therefore, if you are not a cover entity now, by then you will be.

HIPAA will require changes to how an office operates. While it's very likely that you already have some privacy and security measures in place, HIPAA requires that you document those policies and procedures. And it requires that your employees be trained in the HIPAA law and the policies & procedures of your office.

3. Another group of businesses that have a direct impact from HIPAA are Business Associates of the covered entity.  Independent Contractors, Lawyers, Accountants, Consultants, Billing Companies, Collection Agents, Office / Practice Managers,  Medical Transcription Service are some of the examples of Business Associates.  HIPAA require all Business Associates to sign a Business Associate Agreement and follow the same rules as the cover entity.

Business Associates need to demonstrate "HIPAA Compliance" by going through the same processes that a covered entity must. This means setting up a manual for HIPAA policies & procedures and training employees (if any). 

Doing business with none HIPAA Compliance Business Associates will put your practice in violation of HIPAA and face the penalties for none compliance.

On April 14, 2003, the penalties will be imposed. The fines are large enough to put a practice out of business. For a simple violation, such as not documenting release of protected health information in every client file affected, the fine is $100 per standard violated, per client per year. The maximum fine per standard violated is $25,000 per year. For the misuse of patient data the fine could be $250,000 plus 10 years of jail time.

Suppose your practice had 3,000 patients and an employee neglected to put a copy of the transaction in half the files of your practice. The fine could be 1,500 patients times $100, or $150,000. And that is for ONE violation. What would the fine be for NOT being compliant at all?

To comply with this new law is easy. The costs of compliance are relatively low. To comply with the new law, the majority of changes will be in the procedure the physicians, their staffs, and the business associates handle, exchange, and store the patient information (i.e., it is all about behavior & procedure changes).

The practice must invest some time to train all their physicians & employee and document those trainings. There are a few additional forms for the first time and returning patients to sign. The total time require for a typical practice to comply with HIPAA is about a day -- the amount of time needed to train their employees -- and a few minutes to attached the additional forms for the new and returning patient to sign. 

HIPAA compliance is not an option. HIPAA is the law right now. All covered entities must be compliant by April 14, 2003 or face the penalties imposed. 

1. My practice have less than 5 million dollars of gross income, I am exempt from complying.

2. I have less than 20 employees, I am exempt from complying.

3. I do not do electronic billing. Therefore, I am exempt from HIPAA.

4. I have a 100% cash practice. Therefore, I am exempt from HIPAA.

The first four items are some of the most often-quoted misconception. 
First, Those statements is partially true, and it is somewhat misleading. Yes! it is true you may be exempt from the electronic billing / electronic transaction section of HIPAA if you have a cash practice.  However, NO ONE IS EXEMPT from the PRIVACY RULE of HIPAA.  You can't escape your responsibility for the privacy portion of HIPAA, regardless the number of employees you hired and the amount of business you do.  Therefore, you still need to comply with HIPAA starting April 14, 2003.

Second, as has already been announced by Aetna, most health insurance organizations will be requiring their providers to file reimbursement claims electronically. Paper reimbursement claims will no longer be accepted. Aetna is the first major insurance carrier to announced that they will not accept paper claims after Sept. 15, 2003.  Although it is earlier than the expected date,  public and private insurance system is expect to make the same announcement with different complying date.  Therefore, if your practice currently does not transfer information electronically, starting October 16, 2003 you will have to.

On October 16, 2003 Medicaid and Medicare require all claims to be submitted electronically. Therefore, if you are not a cover entity now, by then you will be. If you do not want to submit claim electronically, you may not be able to get pay.

By October 2004, most insurance company (PI and workcomp included) will require all claims to be submitted electronically and if you are not HIPAA compliance, you may delay in receiving payments.

4. HIPAA compliance is only relevant to the doctor - Actually, HIPAA's passage was intended in large part to address the protection of patients' rights. The privacy and security components of HIPAA are not so much about how you practice, but how you protect your patients' rights to privacy and the security of their information

5. Other providers will refer to me even though I'm not HIPAA compliant - Once other health care providers learn you are not HIPAA compliant, they are prohibited from referring patients to you and discussing patients with you without specific written authorization.

6. I don't have to do anything to be HIPAA compliant; my office software vendor says I'm already HIPAA compliant because its software is - While having HIPAA-compliant office software is important, it doesn't make your office compliant. You are required to abide by all of the other HIPAA requirements noted in this article.

7. My state laws have no effect on my HIPAA compliancy - You are required to consider the HIPAA laws and your state privacy/security laws, and abide by whichever are stricter. You must be aware of both as you make your office HIPAA compliant.

8. My office doesn't need its own compliance manual - The HIPAA laws state clearly that your office is required to have "formal documented procedures" specific to your practice. These must include "core elements" of the HIPAA law, documented "required elements" and documented "implementation requirements," as they apply to your practice. Your practice needs to have a list of the HIPAA requirements and how your office procedures comply with those requirements. This information must be documented in your compliance manual.

9. My office doesn't have to have a privacy officer - Establishing a privacy office is not only required by HIPAA, but is necessary to ensure the privacy of your patients' health information.

10. All I need to do is use the right HIPAA forms to be HIPAA compliant - The right forms are important, especially when revealing private patient information to others (such as personal-injury attorneys). However, just having the right forms doesn't satisfy the other HIPAA requirements listed in this article, and it doesn't make your office HIPAA compliant.

11. My vendors don't have to provide my office with proof of HIPAA compliance - Besides other treating entities, every person and company you send or share patient health information with must sign a business associate agreement and possibly a "chain of trust" agreement that requires them to comply with the HIPAA privacy regulations. It is your responsibility to be certain they are implementing the HIPAA privacy standards before you share patient health information (PHI) with them.

12. I just need to know about HIPAA, I don't have to do anything else - This is one of the worst misconceptions about HIPAA, and the most likely to lead the doctor into situations that could result in disciplinary action. Knowing about HIPAA is not enough. The HIPAA privacy and security requirements must be implemented into the doctor's practice as part of standard procedures utilized in the care of patients.

13. No one will ever check to see if I am HIPAA compliant - Every vendor; payer; malpractice insurance company; personal-injury attorney; hospital; and health care provider is required to be HIPAA compliant, and most of them will require you to be as well. You will be asked to sign a "Business Associate Agreement" to demonstrate you are HIPAA compliant. Signing this agreement without being HIPAA compliant is fraud.

In addition, the Office of Civil Rights has been assigned to investigate violations of HIPAA requirements. They have already instituted an online complaint form and severe civil and criminal penalties, with fines as high as $250,000 per occurrence. Disgruntled former employees, embarrassed patients and attorneys are expected to file most of the complaints against providers.

Ever had an unhappy employee leave, or experience the anger of a dissatisfied patient?

One simple call or post card can bring any practice to the attention of the Health and Human Services' Office of Discrimination and put you under an audit