HIPAA

Health Insurance Portability and Accountability Act of 1996

Under both the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Gramm-Leach-Bliley Act, LifeWise must take measures to protect the privacy of our members’ personal information. In addition, other state and federal privacy laws may provide additional privacy protection. Personal information includes the member’s name, Social Security number, address, telephone number, account number, employment, medical history, health records, and claims information.

To learn more about HIPAA information specific to providers, visit our member privacy practices page.

Resources

Administrative simplification

The Administrative Simplification part of HIPAA aims to reduce administrative costs in the healthcare industry through adopting and using standardized, electronic transmission of administrative and financial data.

Administrative Simplification encompasses five key elements:

  • Privacy
  • Security
  • Standard Transactions
  • Standard Medical Code Sets
  • Unique Identifiers

Privacy

HIPAA privacy regulations require standards that protect the privacy of PPI. These rules include strict limits on how information can be used and disclosed.

Security

HIPAA's Administrative Simplification provisions also require security standards to protect health information transmitted or stored electronically. The regulations require physical, technical and procedural safeguards to keep electronic healthcare information secure.

Standard transactions

Providers, healthcare payers and clearinghouses must use "standard" formats to exchange healthcare transactions electronically.

The standard formats for HIPAA transactions are the American National Standards Institute (ANSI) ASC X12N, Version 4010A1. These formats apply to the following common business functions:

Transaction table

| Transaction Name | Number |
|---|---|
| Healthcare Claims | 837 |
| Healthcare Claim Payment Advice | 835 |
| Payroll Deducted and Other Group Premium Payment | 820 |
| Benefit Enrollment and Maintenance | 834 |
| Healthcare Services Review | 278 |
| Healthcare Eligibility Benefit Inquiry and Response | 270/271 |
| Healthcare Claim Status Request and Response | 276/277 |

Standardized code sets

Electronic data exchange will require using standard code sets. The medical code sets used to identify data include:

  • ICD-9 for diseases
  • CPT-4 for services and procedures
  • HCPCS for medical equipment, injectable drugs and transportation services
  • NDC for prescriptions
  • CDT-3 for dental services

The non-medical code sets include codes for place of service, revenue codes, relationship and more.

Unique identifiers

Standard national identifiers are assigned to providers, employers and health plans. These "unique identifiers" will permit electronic data exchange and matching for all health insurance related transactions.

Ensuring compliance

While we are committed to collaborating with our physicians and providers on issues related to HIPAA that affect our business relationships, we cannot take responsibility for ensuring that our providers' business processes and practices comply with the law. Because of HIPAA's complexities, we recommend that you seek legal counsel to determine your obligations under this act.

Privacy

The privacy regulation requires covered entities to protect PPI and grant individuals other rights as described, without creating obstacles to care and treatment. It applies to information that is transmitted electronically, orally or on paper.

Full text of regulation

HIPAA states that other federal and state laws that provide more personal privacy protection still apply. LifeWise must also consider:

  • State Patients' Bills of Rights and other insurance laws
  • State and federal public health laws for sensitive diagnoses, procedures and treatments
  • State regulations implementing the federal Gramm-Leach-Bliley Act

Accounting of disclosures

A person has the right to request an accounting of disclosures made outside a covered entity's routine business functions. LifeWise's routine business functions include payment and healthcare operations, while providers' routine business functions would also include treatment.

Authorization

In most cases, a covered entity must obtain written authorization from the person before using or disclosing his or her PPI for other than routine business functions.

In most cases, our interactions with you will be business as usual. Generally, PPI can be shared between physicians, other providers and the health plan as we carry out "routine business functions" which include the following activities:

  • Processing and paying claims
  • Determining eligibility and benefit
  • Conducting quality audits
  • Providing care management and case management services

Business associates

In most instances, healthcare providers are not the business associates of the health plan, so there won't be changes to your contracts with LifeWise. LifeWise has developed its standard Business Associate Agreements and will be working with vendors and contractors over the next few months to implement them.

Complaints

Individuals have the right to complain to a covered entity and to the U.S. Department of Health and Human Services (DHHS) Secretary if they believe their privacy rights have been violated.

Confidential communications

Individuals have the right to request that a covered entity communicate with them at an alternate location if they believe that disclosing all or part of their health information could endanger them.

Inspection and amendment

A person has the right to request to review, obtain copies and amend their PPI.

Minimum necessary

When requesting or disclosing information, covered entities must ensure that they ask for or disclose the minimum amount of PPI needed to accomplish the intent of the disclosure. Covered entities must also ensure that the access employees have to PPI is limited to the minimum necessary to perform their jobs. However, one covered entity can rely on the request for PPI from another covered entity as being the minimum necessary as long as the requesting covered entity indicates that the PPI is related to treatment, payment or healthcare operations (TPO).

Parents and minors

In most situations, parents have control over the health information of their minor children. In certain situations, however, state laws give minors rights that take precedence over HIPAA privacy regulations. In some circumstances, state public health and insurance laws prohibit health plans from disclosing sensitive information, such as PPI relating to chemical dependency, mental health, reproductive health, or HIV/AIDS/STDs, unless the person specifically authorizes us to do so.

Privacy notice

All covered entities must provide notice of a patient's privacy rights as well as their privacy practices.

Privacy official

A covered entity must designate a "Privacy Official" responsible for developing and implementing its privacy policies and procedures.

Research

Covered entities can use a single authorization form for using and disclosing PPI for research, as well as informed consent for the research.

Uses and disclosures for FDA regulated products

Covered entities can disclose PPI to the FDA for public health purposes relating to quality, safety or effectiveness of FDA-regulated products or activities. This includes reporting adverse events and defects or problems with FDA-regulated products.

Transactions

HIPAA requires that covered entities choosing to exchange data electronically use the standard transactions, including code sets and unique identifiers.

Unique identifiers

Unique identifiers that HIPAA requires to be standardized:

National Provider Identifier (NPI)
The NPI is a unique identification number for healthcare providers to use with administrative and financial transactions.

National Employer Identifier (EIN)
The EIN is a unique identification number for employers and employer groups. The employer tax ID number (TIN) assigned by the IRS was adopted as the EIN.

National Health Plan Identifier (HPIN)
The HPIN is a unique identification number for health plans.

For questions about HIPAA Transaction-related regulatory compliance (Transactions, Code Sets, National Identifiers, and Security) call the Centers for Medicare and Medicaid (CMS) at 410-786-4232 (local) or 866-282-0659.

Practice Management Systems (PMS)

If you intend to submit claims and conduct other HIPAA transactions electronically, you need to understand the costs involved in complying with standard formats. As you plan your HIPAA compliance strategy, we want to emphasize the importance of maintaining flexibility in your electronic transaction options - regardless of whether you intend to use a clearinghouse service, submit the transactions directly to a payer or some combination of both.

Background

First, you must understand your PMS vendor's approach to HIPAA compliance, which generally falls into two categories:

  1. Selling an add-on module that creates compliant transactions at final bill, which allows direct submission to payers or to a clearinghouse you choose. While an add-on module requires an initial investment in software and configuration services, it provides you with substantial business flexibility. It also gives you more control over the ongoing costs of submitting claims and conducting other HIPAA transactions electronically.
  2. Providing external mapping services via a clearinghouse, which is typically owned by the same vendor. These vendors are approaching their clients with "all-payer" HIPAA transaction solutions that require translation at the vendor's clearinghouse. In this arrangement, the provider gives control of the transaction to the vendor. Since the vendor must translate the transaction to become compliant, you forfeit the option of sending the transaction to another clearinghouse or directly to the payer, both of which may be less expensive options. In addition, such an exclusive relationship may put you at a disadvantage when negotiating the transaction fee structure with your PMS vendor.

Questions to ask PMS vendors

  • Will I be in breach of my contract if I use another vendor's software to extract claims data from my system?
  • Will I be able to submit HIPAA compliant transactions directly to payers if I choose to do so?
  • Will I be able to use the clearinghouse service of my choice?
  • When are you going to start the necessary software testing, and who will certify the test results?
  • Will you be working directly with any insurers or clearinghouses to ease the transition to HIPAA standards and to test the messaging systems?
  • Will you be notifying physician clients of your progress?
  • Can you assure me that all transactions and data transmitted will be handled according to the HIPAA privacy and security regulations?
  • Will the HIPAA software update include all the standard transactions and edits for the required data content (i.e. claim status, eligibility, electronic remittance)?

Connectivity options

If your PMS vendor will not provide the necessary transaction flexibility, there are alternatives that do not require switching to a new office management system. Several vendors offer software packages that will extract claims from practice management systems and:

  • Perform the necessary ANSI translation and edits and route the claim directly to a payer
  • Create an expanded national standard format, edit, and route the claim directly to the clearinghouse of your choice for translation.

Need a Trading Partner Agreement?

Contact the EDI team at 800-435-2715 or via email at edi@lifewisehealth.com.

Need an ANSI Implementation Guide?

You can find guides on the Washington Publishing website.
