Revenue Cycle Management
COVID-19
Reimbursement
Diabetes Awareness Month
Risk Management
Patient Retention
Staffing
Medical Economics® 100th Anniversary
Coding and documentation
Business of Endocrinology
Telehealth
Physicians Financial News
Cybersecurity
Cardiovascular Clinical Consult
Locum Tenens, brought to you by LocumLife®
Weight Management
Business of Women's Health
Practice Efficiency
Finance and Wealth
EHRs
Remote Patient Monitoring
Sponsored Webinars
Medical Technology
Billing and collections
Acute Pain Management
Exclusive Content
Value-based Care
Business of Pediatrics
Concierge Medicine 2.0 by Castle Connolly Private Health Partners
Practice Growth
Concierge Medicine
Business of Cardiology
Implementing the Topcon Ocular Telehealth Platform
Malpractice
Influenza
Sexual Health
Chronic Conditions
Technology
Legal and Policy
Money
Opinion
Vaccines
Practice Management
Patient Relations
Careers

HIPAA Consult

April 8, 2005

Article

Exemption from HIPAA; using Internet-based messaging service pagers; compliance officer obligations

A: That depends. If you file or receive payments for claims electronically, or if you conduct any of the other HIPAA-designated administrative and financial transactions electronically (request authorizations for services, run checks on insurance eligibility, etc.), you're covered by HIPAA's privacy regulations, regardless of the number of people you employ. Similarly, if you conduct any HIPAA-designated transactions electronically, you're subject to HIPAA's security regulations, which take effect this month.

But you are, indeed, exempt from HIPAA if you neither transmit medical information electronically nor conduct any of the HIPAA transactions electronically, regardless of your size. And if you have fewer than 10 full-time employees or FTEs, you aren't required to submit Medicare claims in an electronic HIPAA format, which larger practices have been required to do since Oct. 16, 2003.

A: Yes. And because they are, you must develop and implement policies and procedures that restrict access to, protect the integrity of, and prohibit the unauthorized use of electronic protected health information sent over these pagers. Also consider whether the information you send over the Internet should be encrypted. (Under the security rule, you have to address this question, but you don't necessarily have to implement encryption.) Document why you chose the particular solution you did, especially if you decide that encryption isn't necessary to safeguard the information you send electronically.

Compliance officer obligations Q: Our practice's HIPAA compliance officer has inappropriately gained access to protected health information about two of her friends. I have removed her as compliance officer and restricted her access to protected medical information. Does the law require any other specific punishment for violating HIPAA?

A: Any person who knowingly obtains or discloses protected health information is subject to criminal and monetary fines under HIPAA. (Fines begin at $50,000 and prison terms at one year, depending on circumstances.) Criminal sanctions are enforced by the US Department of Justice. As covered entities, physician practices must have appropriate sanctions in place-and be ready to apply those sanctions-whenever a staff member violates either a practice's privacy policies and procedures or the privacy rule itself.

Margaret M. Davino (mdavino@kbrny.com
) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City. This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice.

Please submit questions via e-mail to mehipaa@advanstar.com, or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we’ll address it in an upcoming issue. Your name will not be used.