HIPAA Consult

April 8, 2005

Exemption from HIPAA; using Internet-based messaging service pagers; compliance officer obligations

A: That depends. If you file or receive payments for claims electronically, or if you conduct any of the other HIPAA-designated administrative and financial transactions electronically (request authorizations for services, run checks on insurance eligibility, etc.), you're covered by HIPAA's privacy regulations, regardless of the number of people you employ. Similarly, if you conduct any HIPAA-designated transactions electronically, you're subject to HIPAA's security regulations, which take effect this month.

But you are, indeed, exempt from HIPAA if you neither transmit medical information electronically nor conduct any of the HIPAA transactions electronically, regardless of your size. And if you have fewer than 10 full-time employees or FTEs, you aren't required to submit Medicare claims in an electronic HIPAA format, which larger practices have been required to do since Oct. 16, 2003.

A: Yes. And because they are, you must develop and implement policies and procedures that restrict access to, protect the integrity of, and prohibit the unauthorized use of electronic protected health information sent over these pagers. Also consider whether the information you send over the Internet should be encrypted. (Under the security rule, you have to address this question, but you don't necessarily have to implement encryption.) Document why you chose the particular solution you did, especially if you decide that encryption isn't necessary to safeguard the information you send electronically.

Compliance officer obligations

Q: Our practice's HIPAA compliance officer has inappropriately gained access to protected health information about two of her friends. I have removed her as compliance officer and restricted her access to protected medical information. Does the law require any other specific punishment for violating HIPAA?

A: Any person who knowingly obtains or discloses protected health information is subject to criminal and monetary fines under HIPAA. (Fines begin at $50,000 and prison terms at one year, depending on circumstances.) Criminal sanctions are enforced by the US Department of Justice. As covered entities, physician practices must have appropriate sanctions in place, and be ready to apply those sanctions, whenever a staff member violates either a practice's privacy policies and procedures or the privacy rule itself.

Margaret M. Davino (mdavino@kbrny.com) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City. This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice.

Please submit questions via e-mail to mehipaa@advanstar.com, or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we’ll address it in an upcoming issue. Your name will not be used.