HIPAA PDF Print E-mail
Overview

HIPAA, the Health Insurance Portability and Accountability Act, was signed into law in 1996. Its primary purpose is to provide continuous insurance coverage for workers who change jobs so that health insurance is "portable" from one employer to the next.

Although there are many components to HIPAA, the "Accountability" section, also known as the Administraitve Simplification section of Title II, effects the day-to-day operations of audiology practices.

» View HIPAA Diagram Overview

 

Title II: Administrative Simplification Compliance Act (ASCA)

The Administrative Simplification rules were established to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care, resulting in reduced costs. The rules also protect and secure an individual’s identifiable personal and health related information.

Following the requirements of the Administrative Simplification Compliance Act, the United States Department of Health and Human Services established national standards in three areas: Privacy, Security and Electronic Data Interchange. In late 2008, the Office of Civil Rights (OCR) provided additional guidance on the Electronic Exchange of Protected Health Information and HIPAA.

» View HIPAA Privacy Rule and Health Information Technology (HIT)

 

Administrative Simplification Rules:

Transactions and Code Sets
This Rule creates standards involving the electronic transmission of health information and data and the codes that must be utilized to report healthcare services and goods to health plans, clearinghouses and providers.

Privacy
This Rule creates national standards to protect individuals' personal health information and gives patients increased access to and control over their medical records. It also defines how their information can be used for marketing and research purposes.

Security
This Rule creates standards to protect the confidentiality and integrity of electronically maintained and submitted identifiable health information.

Employer Identifier
This Rule mandates that the Employer Identification Number (EIN) provided to employers by the Internal Revenue Service be utilized as the Employer Identifier when electronically submitting claims to insurers.

Provider Identifier
This Rule, which goes into effect on May 27, 2007, mandates the use of the National Provider Identifier when submitting claims to all insurers, including, but not limited to, Medicare and Medicaid.

Impact of Rules on Audiology Practices

Privacy Rule
Under the new regulations, audiology practices will be required to notify patients of their privacy rights and policies before treatment. Patient consent will be necessary for the release of private health information for anything other than treatment, payment and operations. Audiology practices will need to create a specific authorization form for use in their office. This form should contain at least the following minimum information:

  • What personal health information is being used or disclosed.
  • Who is authorized to make the disclosure of information.
  • Who the information is authorized to be disclosed to.
  • A statement informing the patient that they may revoke authorization in writing and exceptions to the right to revoke.
  • A statement indicating that information that has already been disclosed may no longer be protected.
  • The patient's signature and date should be included along with authorization for use of the patient's private health information for business related purposes of marketing, release of information to insurance carriers and manufacturers, etc.
Providers may see patients who do not provide this written authorization, but only for purposes of treatment, payment, and operations. Audiologists must continue to be vigilant in obtaining written consent before releasing medical information to the patient, referring physician, school, etc. Patients may deny consent at any time in writing.

The following 18 items have been identified as Protected Health Information:

  1. Names
  2. All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death
  4. Telephone numbers
  5. Fax numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger and voice prints
  17. Full face photographic images and any comparable images
  18. Any unique identifying number, characteristic, or code.

Confidentiality
Providers will also have to continue to use their best judgment with regard to discussions about individual patients with other professionals and individuals. Discussions with other healthcare providers who are involved in the patient's care, teachers, parents, manufacturers, etc . will be protected under the Act. Also, the ASCA will not restrict providers from using sign-in sheets, keeping files in a bin on their desk until the patient arrives, or calling a patient's name when the audiologist is available.

Obtaining/Releasing Records
The Privacy portion of Administrative Simplification will prohibit the use of patient records and information for marketing purposes without the patient's written authorization or unless certain conditions are met. For example, if you want to send a hearing aid direct mail piece to your patient database, the piece must contain your address and/or phone number, it must indicate if the audiologist is being compensated for the piece, it must tell recipients how to not receive further marketing pieces, and it must explain why this particular patient is receiving the marketing piece and, how it relates to their condition, and how it may benefit them. If the piece does not contain this information, you need the patient's authorization to send them marketing materials.

Compliance Staff and Program Implementation
Audiologists will need to establish policies and procedures for their office. They will also need to establish a privacy officer in their practice to govern and maintain this program. It could be the practice owner themselves, a staff audiologist, office manager, etc. This person would be responsible for training each staff member on the office's privacy program and ensure that all of the procedures are followed and documented. Request signed statements from all office staff as documentation for completion of HIPAA training.

Security Rule
Each audiology practice must have secure computer and e-mail access. For example, audiologists should enter initials and passwords to access NOAH rather than "ABC' and "123". Audiology practices must have policies and procedures which outline how information is electronically stored in their offices, who has access to this information, and how this access is policed. All office management software should have individual user names and passwords. Offices should ensure that they have secure systems and connections. They also must ensure that all data is backed up in the event of an emergency. Finally, create policies and procedures related to the appropriate storage and disposal of patient medical records and protected health information. HIPAA requires audiologists to keep patient medical records for six years following the last date of service. It is important to note that telephone exchanges, fax transmissions or paper medical records (i.e. charts) are not covered by this standard.

Transactions
The Transaction subsection of EDI covers the way claims are transmitted from one entity to another. All providers, insurance carriers and clearinghouses must be able to electronically send and receive claims and must use a standard form or mechanism (i.e. the red HCFA 1500 for Medicare and Medicaid or additional forms required by private insurers such as Blue Cross and Blue Shield) to transmit and process claims. In other words, audiologists will be required to submit claims electronically to Medicare and private insurance carriers. Failure to file electronically may result in exclusion from Medicare and Medicaid programs. Some smaller practices may be able to receive an exemption from Medicare or Medicaid with regard to electronic claims submission, but private insurance carriers, which audiologists contract with, may refuse to process paper claims submitted by providers. Audiologists would need to complete the extension form available from CMS to request an exemption from electronic claims submission. Ultimately, it is in the practitioner's best interest to move toward electronic claims submission, regardless of the size of their practice. This mode of transmission allows for confirmation of receipt of the claim, faster processing, minimizes human error, and thus, improved cash flow.

Coding
All providers, insurance carriers, and clearinghouses will be required to use the same set of codes to represent various services and procedures. This will be the easiest standard for audiologists to implement as most of us are typically already using the required code sets of the International Classification of Diseases, 9th Edition (ICD-9), Current Procedural Terminology (CPT) and the Healthcare Financing Administration Common Procedural Coding System (HCPCS). This will eliminate local codes typically used by Medicaid to represent audiology and hearing aid services. Medicaid is going to be required to use CPTs and HCPCS codes to represent these services and not a regional code created specifically for their state.

National Provider Identifier
This rule mandates the use of a single, ten digit National Provider Identifier (NPI) number to identify each provider when submitting claims to all insurance carriers, including Medicare and Medicaid. If an audiologist is a HIPAA covered provider or if he/she is a healthcare provider who submits claims to Medicare, he/she must obtain and utilize an NPI. The NPI replaces all other provider numbers currently being used to identify an audiologist when they submit a claim to an insurance carrier and it can move with a provider from employer to employer. An NPI is required if an audiologist wants to enroll with Medicare.

Each clinic or facility must also obtain a National Provider Identifier. Both the individual provider NPI and facility NPI must be on each claim submitted.

To locate the NPI of an individual, referring physician, consult the NPI registry.

National Employer Identifier
Every practice must have an Employer Identification Number (EIN), also known as a Federal Tax Identification Number, which is used to identify a business entity. You may apply for an EIN online from the Internal Revenue Service.

DISCLAIMER: The foregoing information is provided as a resource for our members. It is not intended and should not be construed as an endorsement of any of the vendors or their products or services; as such, ADA makes no warranty whatsoever, either express or implied, including the warranties of merchantability and fitness for a particular purpose regarding any of the products listed above and makes no recommendation as to the accuracy or suitability of the information for your particular situation. ADA members are encouraged to seek legal counsel to ensure compliance and are responsible for their own knowledge of both federal and state policies as it pertains to HIPAA. Neither ADA, nor any of its officers, directors, agents, employees, committee members or other representatives shall have any liability for any claim, whether founded or unfounded, of any kind whatsoever, including, but not limited to, any claim for costs and legal fees, arising from the use of these opinions.