Patient Information Privacy Basics ASHA recently hosted an online private-practice institute for audiologists and speech-language pathologists that focused on how to establish, manage, and grow a profitable private practice. Recorded lectures covered topics such as strategic business planning, fees and pricing, employment law basics, managing a fee-for-service practice, increasing referrals, using web-based and social ... Bottom Line
Free
Bottom Line  |   September 01, 2011
Patient Information Privacy Basics
Author Notes
  • Kate Romanow, JD, director of health care regulatory advocacy, can be reached at kromanow@asha.org.
    Kate Romanow, JD, director of health care regulatory advocacy, can be reached at kromanow@asha.org.×
Article Information
Practice Management / Regulatory, Legislative & Advocacy / Telepractice & Computer-Based Approaches / ASHA News & Member Stories / Bottom Line
Bottom Line   |   September 01, 2011
Patient Information Privacy Basics
The ASHA Leader, September 2011, Vol. 16, 3-46. doi:10.1044/leader.BML1.16092011.3
The ASHA Leader, September 2011, Vol. 16, 3-46. doi:10.1044/leader.BML1.16092011.3
ASHA recently hosted an online private-practice institute for audiologists and speech-language pathologists that focused on how to establish, manage, and grow a profitable private practice. Recorded lectures covered topics such as strategic business planning, fees and pricing, employment law basics, managing a fee-for-service practice, increasing referrals, using web-based and social media marketing, coding updates, Medicare billing, and claims and denials.
Many of the participants in one of the sessions, “Data Privacy, Security, and Enforcement: HIPAA and More,” raised several questions during and after the institute on the Health Insurance Portability and Accountability Act (HIPAA). This article clarifies points discussed during the institute to help other clinicians understand HIPAA policies.
The HIPAA privacy rule protects personal health information and outlines patients’ rights with respect to that information, while allowing disclosure of information needed for patient care. The HIPAA security rule specifies a series of administrative, physical, and technical safeguards that ensure the confidentiality, integrity, and availability of electronic protected health information. Electronic protected health information includes, for example, patient data stored on a computer hard drive, or data transmitted via a computer for billing purposes.
The following questions and answers outline basic HIPAA privacy and security regulations.
Q: Do the HIPAA regulations apply to me?
HIPAA compliance is required by all “covered entities,” defined as health plans, health care clearinghouses, and health care providers that transmit any health information in electronic form in connection with “transactions” covered under HIPAA.
If you are a provider who, for example, sends patient information electronically to a billing company, then you are a “covered entity” and must comply with HIPAA regulations.
Q: What transactions are covered under HIPAA?
HIPAA regulations define “transaction” as the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
  • Health care claims or equivalent encounter information.

  • Health care payment and remittance advice.

  • Coordination of benefits.

  • Health care claim status.

  • Enrollment and disenrollment in a health plan.

  • Eligibility for a health plan.

  • Health plan premium payments.

  • Referral certification and authorization.

  • First report of injury.

  • Health claims attachments.

Other transactions that the secretary of health and human services may prescribe by regulation (45 C.F.R. Section 160.103).
Q: What does “electronic form” mean?
HIPAA does not define “electronic form.” It does, however, define “electronic media” as the following:
  • Electronic storage media including memory devices in computers (hard drives) and any removable/transportable digital memory medium, such as magnetic tape or disk, optical disk, or digital memory card.

  • Transmission media used to exchange information already in electronic storage media. Transmission media include, for example, the Internet, extranet (using Internet technology to link a business with information accessible only to collaborating parties), dial-up lines, leased lines, private networks, and the physical movement of removable/transportable electronic storage media. Certain transmissions, including those by paper (facsimile) and by voice (telephone), are not considered e-transmissions via electronic media because the information did not exist in electronic form before the transmission (45 C.F.R. Section 160.103).

Q: If I am a covered entity, what do I need to do to comply with HIPAA?
For example, you must inform patients about the HIPAA privacy practices you observe and train employees about HIPAA requirements.
Q: Are there sample notices of privacy practices?
More information about HIPAA privacy notices is available at the Department of Health and Human Services website. ASHA includes a sample notice of privacy practices in its Practice Management Tools for SLPs available in the ASHA online store.
Q: Where I can get more information?
ASHA’s reimbursement web page includes an extensive section on HIPAA. An article in The ASHA Leader also outlines some basics.
The Office of Civil Rights, which enforces the privacy and security rule, has information on its website.
The Workgroup for Electronic Data Interchange [PDF] (of which ASHA is a member) has information to help small practices comply with HIPAA.
The full HIPAA regulations are available at the Department of Health and Human Services website. (Be aware, however, that the most current version may not be posted.)
0 Comments
Submit a Comment
Submit A Comment
Name
Comment Title
Comment


This feature is available to Subscribers Only
Sign In or Create an Account ×
FROM THIS ISSUE
September 2011
Volume 16, Issue 9