    HIPAA Health Insurance Portability and Accountability Act

 

 


The HIPAA Security Rule Online Compliance Workbook: Common Questions
Click here for frequently asked questions from APA members regarding The HIPAA Security Rule Online Compliance Workbook.

The HIPAA Security Rule Deadline: April 20, 2005

See below for more information about the HIPAA Security Rule Online Compliance Workbook

The APA Practice Organization has developed The HIPAA Security Rule Online Compliance Workbook, a comprehensive, easy-to-use online compliance resource to help you comply with the HIPAA Security Rule.  Deadline for compliance: April 20, 2005.

The online workbook includes:

  • Step-by-step risk analysis for all aspects of your practice
  • Compliance options for each Security Rule requirement
  • Customizable documentation, including Policies and Procedures

Plus, you can receive four hours of continuing education credits for passing the optional online exam.

The cost for the online workbook is very competitive. APA members who pay the Practice Assessment can purchase the workbook for the discount price of $99. For other APA members the price is $139. Practitioners who do not belong to APA will be charged the full retail price of $159.

To learn more or to purchase The HIPAA Security Rule Online Compliance Workbook visit www.apapractice.org.




HIPAA Q&A From APA

The Practice Organization has received many questions about what psychologists need to do to meet the April 14, 2003, deadline for complying with the HIPAA Privacy Rule (Privacy Rule). Below are answers to some of the most common questions. Others are answered in other resources available at www.APApractice.org. The most complete resource, however, is the HIPAA for Psychologists product that has been developed by the APA Practice Organization and APA Insurance Trust. You can learn more about the product and order it at www.APApractice.org.

1. Question: I send patient bills to insurance companies electronically. Does the HIPAA Privacy Rule apply to me?

Answer: Yes, because the Privacy Rule applies to any psychologist who transmits protected health information (see Question 5) in electronic form in connection with a health care claim.

2. Question: Does the Privacy Rule apply only to the patient whose records are being sent electronically, or does it apply to all the patients in the practice?

Answer: Once the rule is triggered (for example by a single electronic transaction as described in the previous answer), the psychologist's entire practice must come into compliance.

3. Question: Should I comply with the Privacy Rule if I do not submit any claims electronically?

Answer: Because the Privacy Rule applies to the electronic transmission of health information, some psychologists who do not submit electronic claims or who don’t participate with third-party payment plans may not currently need to comply with the Privacy Rule. However, it is in your best interest to comply now, as any number of future actions may trigger the Privacy Rule (for example, participating in Medicare or another third-party payment plan in the increasingly electronic private market). Compliance may also be triggered by actions outside of your control, such as if you use a billing service that becomes entirely electronic. If one of these events suddenly triggers your Privacy Rule obligations after the April 2003 deadline, you will have no grace period for coming into compliance. Consequently, the APA Practice Organization and the APA Insurance Trust strongly recommend that you act now to get in compliance, so that you will be ready as the health care industry becomes increasingly dependent upon electronic transmission.

4. Question: Even though I do bill electronically, I have a solo practice -- basically, it's just me. Do I still have to comply with the Privacy Rule?

Answer: Yes, the Privacy Rule applies to all health care providers -- from those in large multi-hospital systems to individual solo practitioners. The administrative requirements of the Privacy Rule are "scalable," meaning that a covered entity must take "reasonable" steps to meet the requirements according to its size and type of activities. In other words, the administrative burden on a psychologist who is a solo practitioner will be far less than that imposed on a hospital. For example, a hospital may be required to create a full-time staff position to serve as a privacy officer, while a psychologist in a solo practice may identify him or herself as the "privacy officer."

5. Question: What information about my patients must I keep protected under the HIPAA Privacy Rule?

Answer: The Privacy Rule applies to, and provides specific protections for, protected health information (PHI). With certain exceptions, the Privacy Rule defines PHI as information that: (1) is created or used by health care professionals or entities; (2) is transmitted or maintained in any form or medium; (3) identifies or can be used to identify a particular patient; and (4) relates to one of the following: (a) the past, present, or future physical or mental health condition of a patient; (b) the provision of health care to a patient, or (c) the past, present, or future payment for providing health care to a patient.

6. Question: What is the difference between "Consent" under the Privacy Rule and "Informed Consent to Treatment"?

Answer: "Consent," as it was used in the Privacy Rule, refers to advance permission, typically given by the patient at the start of treatment, for various disclosures of patient information to third parties. Consent is no longer required by the Privacy Rule after the August 2002 revisions. However, in many states this type of consent will still be required for routine disclosures, such as for treatment and payment purposes (these more protective state laws are not preempted by the Privacy Rule). "Informed consent to treatment" is not a concept found in the Privacy Rule. It refers to a client's decision to allow a health care provider to perform a particular treatment or intervention. State laws and ethical codes on informed consent require that the psychologist provide understandable information about the risks and benefits so that a patient can make a knowledgeable, informed decision about treatment.

7. Question: What are psychotherapy notes under the Privacy Rule?

Answer: HIPAA defines psychotherapy notes as notes recorded in any medium by a health care provider who is a mental health professional, documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session. To meet the definition, these notes must also be kept separate from the rest of the individual's medical record. The Privacy Rule specifically excludes from the definition information pertaining to counseling session start and stop times, the modalities and frequencies of treatment furnished, results of clinical tests, medication prescription and monitoring, and any summary of the following items: diagnosis, functional status, the treatment plan, symptoms, prognosis, and progress to date. (Psychotherapy notes are similar to, but generally not the same as, "personal notes" as defined by a few states.)

8. Question: Is there any special protection for psychotherapy notes under the Privacy Rule?

Answer: Yes, the Privacy Rule provides a higher level of protection for psychotherapy notes than for other types of patient information. For example, in most situations you cannot release psychotherapy notes without the patient signing a detailed authorization form specifically for the release of psychotherapy notes. By contrast, in most states you could release the patient's other records for most treatment and payment purposes without consent, or with just the patient's signature on a simpler general consent form.

9. Question: Can my patient's insurance company have access to the psychotherapy notes concerning my patients? Can the insurance company refuse reimbursement if my patient does not authorize their release?

Answer: An insurance company cannot obtain psychotherapy notes without the patient's authorization. And the insurance company is not permitted to condition reimbursement on receipt of the patient's authorization for disclosure of psychotherapy notes.

10. Question: Am I required to keep psychotherapy notes?

Answer: No, the Privacy Rule does not require that you keep psychotherapy notes. It simply specifies heightened protection for psychotherapy notes in the event that a psychologist maintains them. Because of that protection, however, it may be advisable to keep psychotherapy notes and use them to protect sensitive information that is not specifically excluded from the psychotherapy notes definition (see Question 8, above).

11. Question: Do I have to get my patient's permission before I consult with another doctor about my patient?

Answer: In certain circumstances, the Privacy Rule permits use and disclosure of protected health information without the patient's permission. For example, the Privacy Rule permits consultations between psychologists and other health care professionals without permission, because such consultations fall under the Rule's "treatment" exception. However, many states require that before releasing patient information for a consultation, a psychologist must have obtained the patient's generalized consent at the start of treatment. (Such state laws are not preempted by the Privacy Rule because they are more protective of privacy.) How the Privacy Rule interacts with your state's consent or authorization rules is an important issue covered in the HIPAA for Psychologists product.

12. Question: I have heard the term "business associate" used in connection with the Privacy Rule. Who is considered a business associate, and what do I need to know about dealing with one?

Answer: For purposes of the Privacy Rule, business associates include organizations or persons other than a member of the psychologist's office staff who receive protected health information (see Question 5, above) from the psychologist to provide service to, or on behalf of, the psychologist. Examples of "business associates" are billing services, accountants, and attorneys. The Privacy Rule requires that psychologists have a "business associate contract" with any business associates with whom they share PHI. This contract assures that the business associate (who is not directly regulated by the Privacy Rule) will safeguard privacy. HIPAA for Psychologists contains a model business associate contract that you can use in your practice.

13. Question: Does the Privacy Rule apply to Industrial/Organizational psychologists doing employment selection assessment for business, even though some I/O psychologists do not involve themselves in psychotherapy or payment for healthcare?

Answer: An I/O psychologist simply performing assessment for an employer, for the employer's use, typically would not need to comply with the Privacy Rule. However, an I/O psychologist or other psychologist performing services for an employer for which insurance reimbursement is sought, or which the employer (acting as a self-insurer) pays for, would have to make sure that the employer is complying with the Privacy Rule.

14. Question: Does the Privacy Rule apply to psychologists in the military?

Answer: Military, veterans' affairs and CHAMPUS programs all fall under the definition of "health plan" in the rule. Therefore, the rule applies to the health services provided by these programs. The Secretaries of Veterans' Affairs and Defense are charged with working with the Department of Health and Human Services to apply the Privacy Rule requirements to their respective health programs. Psychologists in these programs should look to their central offices for guidance.

15. Question: What is the Security Rule and has the final Security Rule been released yet?

Answer: The Security Rule is one of three rules issued under HIPAA. (The others are the Privacy Rule, which is the primary focus of these FAQs, and the Transaction Rule, which requires standardized formatting of all electronic health care transactions in the health care system.) The Security Rule focuses on the physical and technical means of ensuring the privacy of patient information, e.g., locks on file drawers and computer and Internet security systems. The Security Rule became effective on April 20, 2003, but compliance is not required until April 20, 2005 for large entities and April 20, 2006 for small entities. Information about the Security Rule and its status can be found on the HHS web site: http://aspe.os.dhhs.gov/admnsimp/nprm/seclist.htm. You can also check here and at www.APApractice.org, where we will provide updates about the Security Rule.

16. Question: How can I find out more about the Privacy Rule and how to comply with it?

Answer: The APA Practice Organization and the APA Insurance Trust have developed comprehensive resources for psychologists that will facilitate compliance with the Privacy Rule. The product, HIPAA for Psychologists, is competitively priced and is now available on the Portal. HIPAA for Psychologists includes:

  • Information about how the Privacy Rule applies to psychological practice, how the Privacy Rule preempts and interacts with your state's privacy laws, and what you must do to prepare for the April 14, 2003, compliance deadline;
  • The necessary state-specific forms that comply with both the Privacy Rule and relevant state law;
  • Policies, procedures, and other documents needed to comply with the Privacy Rule in your state;
  • Four hours of CE credit from an APA-approved CE Sponsor;
  • A substantial discount for Special Assessment payers and Insurance Trust insureds who purchase before April 15, 2003, as well as other discounts; and
  • A 5% premium discount for psychologists insured in the Trust-sponsored Professional Liability Insurance Program for taking the CE course.

17. Question: New twist on an old HIPAA question: should raw test data be treated the same as psychotherapy notes, and formal test results treated according to state law or HIPAA rules in the “other” part of the record? (Lucy Homans - Director of Professional Affairs [DPA] Listserv - 5/28/03)

Additionally, when psychologists do tests as part of a forensic exam requested by an attorney, but as part of a court process only (the psychologist is brought in only to do the testing), are the results covered by HIPAA rules?

Answer: The issues regarding the treatment of test data and test materials can get quite complicated, especially in light of HIPAA. There are many unanswered questions about how to handle various situations concerning the release of test information.

Forensic services are generally not considered health care services and would be exempt from the Privacy Rule, although court-ordered therapy could be considered as health care which would fall under the Privacy Rule (see a good review by Connell & Koocher, in the American Psychology Law Society News, Vol. 13, issue 2, 2003, pages 16-19). So, it would appear that a psychologist who fell under HIPAA’s requirements and who conducted court-ordered therapy would be prudent to consider the therapy as covered by HIPAA.

In response to your question about test data, I recognize that HIPAA does not discuss test data or test materials, specifically, in detail. However, these issues get fairly complicated. In general, I have found that some of the best sources on this topic are from Dr. Celia Fisher (Decoding the Ethics Code: A Practical Guide for Psychologists, Thousand Oaks: Sage; and “Test data standard most notable change in new APA Ethics Code,” which was published in the January/February issue of the National Psychologist). Another good source is “Release of Test Data and APA’s New Ethics Code” by Steve Behnke which appeared in the July/August 2003 edition of the APA Monitor. (Source: Sam Knapp - DPA Listserv - 5/03)

18. Question: When psychologists do tests as part of a forensic exam requested by an attorney, but as part of a court process only (the psychologist is brought in only to do the testing), are the results covered by HIPAA rules? (Lucy Homans - DPA Listserv - 5/28/03)

Answer: Forensic examinations are not health care and HIPAA does not apply to them. (Source: Sam Knapp - DPA Listserv - 5/28/03)

More information on the product, pricing and ordering can be found at www.APApractice.org. HIPAA for Psychologists is available for purchase there as well.

 

 

 

Ohio Psychological Association
395 E. Broad St., Suite 310 | Columbus, OH 43215
614-224-0034 | 1-800-783-1983 | Fax: 614-224-2059