I realize it's unusual to write about the same topic for two months in a row, but the impending HIPAA regulations and their impact on the acupuncture profession are of great significance. I do not consider myself an expert on HIPAA, but I have studied the rules and regulations for some time now. As many of you know, I teach ethics and jurisprudence at a number of acupuncture and Oriental medicine schools throughout the country. Because of HIPAA and its ramifications, it is necessary to teach this information to students. This has been very helpful, as many acupuncturists have called me and are asking questions. Among the most frequently asked questions:
Q: I am a solo practitioner. Will HIPAA apply to me and my practice?
A: Yes. The privacy of every patient's protected health information is mandatory. When you maintain patient records; gather information from a patient; engage in oral communication; or transmit records (whether electronic or not), you are considered a "covered entity."
Q: I know my office policies and procedures in my head. Do they need to be in writing?
A: Yes. You should have written policies and procedures, and HIPAA compliance can be part of that manual.
Q: Will HIPAA change the way I market to my established patients?
A: Yes. Without written authorization, you cannot use patient information for marketing purposes. This could include birthday cards, fliers and newsletters. Patient authorization is not required when the marketing communication is face-to-face. The patient may choose not to receive marketing information from you and your office by sending a written notice to your office indicating that they want to be removed from the list.
Q: What happens if I think HIPAA does not apply to me, or if I ignore it?
A: The new laws provide for civil and criminal penalties for not complying with the rules. Violators can face a prison term for up to 10 years; fines from $100 to $250,000; and nonpayment from insurance companies.
HIPAA seems to be divided into four sections:
The background in your office will need to be analyzed. What are the existing conditions in your office? What are you doing to protect patient health information? Are you and your staff careful with the patient's protected health information? When you answer these questions and more, you will have established where you have a gap in your procedures as compared to the new HIPAA regulations. This process is called a "gap analysis."
The next area is that of privacy. Privacy involves information you have to keep private: consent forms, notice of privacy policies and authorization forms. You will have to learn some new vocabulary and terminology.
The third area is security. As of this writing (Jan. 31), the final regulations in this area have not been completed. Security is what you do to keep protected health information secure. This area includes your computer, along with any faxes and e-mail messages sent.
The last area is transaction code sets. This refers to the International Classification of Disease (ICD-9) codes and the Current Procedural Terminology (CPT) codes. Your office will be required to use the standardized forms and codes for billing.
If you are confused and this seems a daunting task, you are not alone. Many other providers are feeling the same stresses and pressures.
On a somewhat lighter note, I would like to take the time to thank Y.M. Chen, LAc, from Arizona for giving us a great "Year of the Sheep" welcoming party in Phoenix, Arizona. Over 200 licensed acupuncturists, family and friends gathered together to ring in the Chinese New Year. We met new colleagues, renewed old friendships, and enjoyed a great Chinese meal. Several people won beautiful vases and other great gifts (my number was not drawn), but a great time was had by all. Thanks, Y.M.!
Click here for more information about Marilyn Allen, Editor-at-Large.