HIPAA


Sharp Teeth: For good reason, the Health Insurance Portability and Accountability Act of 1996—aka HIPAA—strikes fear into the hearts of medical professionals. HIPAA is a vast and rapidly mutating law with very sharp teeth. Since 2003, when the law was implemented, the U.S. Department of Health and Human Services, which administers HIPAA, has investigated almost 100,000 complaints, most of which involved improper disclosure or failure to properly safeguard patient information. Almost one-quarter of these violations resulted in enforcement actions, and over 500 cases have been referred to the Department of Justice for criminal prosecution. Big institutions such as hospitals and state health departments have been fined millions of dollars, and a handful of people have been sentenced to federal prison for HIPAA violations as trivial as the unauthorized browsing of the medical records of Hollywood celebrities.


Do I Need to Worry? Probably not, at least not yet* (take note of the asterisk!). The definition, in gov-speak, of a "covered entity" (covered by HIPAA) is any "health care provider" (which you are) who submits insurance claims electronically, either on your own or through a billing service. If you submit your insurance claims on paper, either on your own or through a billing service such as Psychoanalyst Services, you are not a covered entity, so far as we can tell. Of course, that does not mean you can violate your patients' privacy at will, which you already well know, but it does mean that you do not have to tackle the onerous task of a HIPAA implementation, which includes doing a risk assessment of your own business and then developing policies, procedures, training, tracking systems, and technology (mostly data encryption) to ensure that you don't violate the three big HIPAA rules on Privacy, Security, and Transactions.

* Disclaimer: we're not a health care lawyer, so take our opinions on HIPAA with a grain of salt. If you are worried, consult a lawyer. Another helpful resource you may want to consider is The HIPAA Compliance Kit from the Zur Institute, a $98, 174-page PDF document that provides a plain-language introductory guide to HIPAA and how to become HIPAA-compliant (link below).


The Future: For now, if you stay with paper claims, you can fly under HIPAA's radar. But paper in health care, like paper everywhere else, is an endangered species. By 2015, physicians and certain other medical professionals handling Medicare and Medicaid will start paying an escalating penalty if they do not move to "electronic health record" (EHR) software that is compatible with nationwide standards and can exchange an extensive range of data with national systems. The government is also offering financial incentives of up to $63,750 to these "eligible professionals" to help them transition to EHR. But the only mental health providers who are eligible for the incentives and also subject to the penalties are psychiatrists. The American Psychological Association is lobbying to get psychologists included but so far has been unsuccessful. Eventually—in 5 years? 10 years?—all paper claims will disappear.


We're HIPAA-Compliant: Even though it may not matter to you, Psychoanalyst Services is HIPAA-compliant. What this means is that we have implemented policies to ensure that our staff (of one, at the moment) is trained on and understands HIPAA standards, and our equipment is set up to make it as difficult as possible for "PHI" (protected health information) to be pilfered or shared. Specifically, as per expert recommendations:

  • our paper files are kept in locked cabinets when not in use
  • our electronic business files are stored on encrypted disk drives
  • the same files are backed up on HIPAA-compliant cloud storage
  • we send patient information to HIPAA clients as encrypted PDF files
  • our email service for HIPAA clients is encrypted
  • our computers have firewalls and virus protection and are password-protected
  • discarded documents with patient information are shredded
  • we can provide you with a Business Associate Agreement (BAA), as required when any HIPAA "covered entity" shares patient data with an outside vendor.


Going Electronic: Psychoanalyst Services can file your claims electronically today, and do so in compliance with HIPAA. There are advantages to electronic filing, in particular more rapid claim processing and payment and better claim tracking. But, as we understand it, if you file your claims electronically, either on your own or through Psychoanalyst Services, you must be HIPAA-compliant. This may be reason enough for you to choose paper as your claim medium. But you should keep in mind that you won't be able to file paper claims forever: paper in the healthcare industry, like paper everywhere else, is an endangered species. The U.S. Department of Health and Human Services has already announced that Medicare will eventually stop accepting paper claims, though it has not disclosed when that will happen. This means that, sooner or later, you too will have to be HIPAA-compliant.