HIPAA PRIVACY RULE
Covered Entities

Health Insurance Portability and Accountability Act 

ARE YOU A COVERED ENTITY UNDER HIPAA?

Donald R. Moy

I. Are you a Covered Entity Under the HIPAA Electronic Transactions Standards?

According to the Department of Health and Human Services (DHHS) health care providers and health plans that conduct business electronically have used many different electronic formats. DHHS estimated, for example, that for electronic transmission of health claims, about 400 different formats have been used. This has resulted in increased costs to health care providers and to the health care system, according to DHHS.

The purpose of the HIPAA Electronic Transactions Standards is to reduce costs by establishing uniform national standards for certain administrative and financial electronic health care transactions ("Standard Transactions"). The following Standard Transactions are required under the Electronic Transactions Standards:

    1. Health claims and equivalent encounter information;
    2. Enrollment and disenrollment in a health plan;
    3. Eligibility for a health plan;
    4. Health care payment and remittance advice;
    5. Health plan premium payments;
    6. Health claim status;
    7. Referral certification and authorization;
    8. Coordination of benefits.

DHHS intends to adopt uniform standards for the first report of injury and claims attachments at a later date.

Who are the Covered Entities under the Electronic Transaction Standards?

Health Plans – All private sector health plans (including managed care organizations, and ERISA plans, but excluding certain small self-administered health plans) and government health plans (including Medicare, State Medicaid programs, the Military Health System for active duty and civilian personnel, the Veterans Health Administration, and Indian Health Service programs).

Health Care Clearinghouses – A clearinghouse in an entity that converts health information from non-standard formats into HIPAA standard formats, or vice versa. An example of a clearinghouse is a billing company.

Health Care Providers – A health care provider is a covered entity if the provider "chooses" to submit or receive transactions electronically that are covered under the Electronic Transactions Standards.

The Electronic Transactions Standards do not require a physician to transmit electronically, but if the physician does, the physician must use the Standard Transactions.

If a medical practice engages in any of the electronic transactions using its own software, it must make sure that its software is compliant with the Electronic Transactions Standards. If a medical practice uses a health care clearinghouse, such as a billing company, then the health care clearinghouse must comply with the Electronic Transactions Standards. The medical practice should require the healthcare clearinghouse to comply with the Standards, and should obtain assurance from the clearinghouse that it is in compliance.

The Compliance Date for the Electronic Transactions Standards is October 16, 2002 unless the health care provider applies for a one year extension by completing a compliance plan on or before October 15, 2002.

II. Are you a Covered Entity Under the HIPAA Privacy Standards?

The HIPAA Privacy Standards apply to (1) health plans, (2) health care clearinghouses and (3) health care providers who transmit health information in electronic form in connection with any transaction covered under the Electronic Transactions Standards.

Note, If a medical practice engages in any electronic transaction (even only one transaction) covered under the Electronic Transaction Standard, then the Privacy Standards in their entirety apply to the medical practice. Also, the HIPAA Privacy Regulations apply to individually identifiable health information in any form, including oral, written and electronic communications.

Also Note, A medical practice that uses another entity, such as a billing service or hospital, to transmit standard electronic transactions on its behalf also is covered under the HIPAA Privacy Standards.

Physicians and other health care providers are required to comply with the Privacy Regulations beginning on April 14, 2003.

While the HIPAA Electronic Transactions Standards do not require health claims to be submitted electronically, other laws may require electronic claims submission.

  • The Administrative Simplification Compliance Act (ASCA) on December 27, 2001, President Bush signed into law H.R. 3323, Public Law 107-105, also known as the ASCA. The ASCA is the law that provides for the one year extension of the date for complying with the HIPAA Electronic Transactions Standard (from October 16, 2002 to October 16, 2003) for any covered entity that submits a compliance plan to DHHS by October 15, 2002. The ASCA also includes a provision that requires all claims to Medicare be submitted electronically after October 16, 2003. An exception applies to "small providers", which the ASCA defines as a physician, practitioner, facility or supplier "with fewer than 10 full-time equivalent employees".
  • New York Public Health Law section 2807-e(4) requires the following types of health claims to third party payers to be submitted electronically: (a) inpatient hospital services provided by a general hospital, (b) ambulatory care services provided by a general hospital, diagnostic and treatment center or ambulatory surgery center or (c) physician services.

In the case of physician services, section 2807-e(4)(c) provides that claims submitted to third party payors must be submitted in electronic format on or after July 1, 1995.

Because of developments at the Federal level, the New York State Department of Health (NYSDOH) has not enforced section 2807-e(4), but will likely begin enforcing the law some time after health care providers are required to comply with the HIPAA regulations.

Public Health Law section 2807-e(4)(f) empowers the NYSDOH to delay or waive the electronic format requirements for physicians or practitioners with a "small volume" of services. MSSNY has requested to meet with the NYSDOH to propose "small volume" exceptions for physicians.


UPDATE:January 23, 2003
The Centers for Medicare and Medicaid Services ("CMS") publishes guidance on HIPAA for providers in the form of questions and answers on its website. See "Frequently Asked Questions" at: www.cms.hhs.gov/hipaa/hipaa2.

The CMS guidance provides many currently asked questions from providers regarding the implementation of the HIPAA regulations. On January 23, 2003 the following question and answer were posted:

  1. I’m a provider who bills electronically. Do I have to implement the HIPAA if I go back to submitting claims on paper?
  1. As a provider who bills electronically, you will be required to comply with the HIPAA requirements of the Privacy Rule by April 14, 2003, unless, before that date, you stop conducting any of the HIPAA transactions commonly used by providers include claims, eligibility queries, claim status queries, and referrals. It is important to note that you cannot avoid the HIPAA requirements by hiring another entity, such as billing service, to conduct these transactions electronically for you. While you and other health care providers could revert to conducting solely paper transactions, doing so would have many negative effects for most providers. The provider’s business processes would be disrupted by having to prepare paper claims and check eligibility and claim status by phone. Reverting to paper would cause particular problems for those providers who receive Medicare payments. First, these providers would experience delays in receiving payments, because Medicare by law cannot pay paper claims until 28 days after receipt (as opposed to 14 days for electronic claims). Second, effective October 16, 2003, Medicare is prohibited by law from paying paper claims except for those from small providers and under certain other limited circumstances. After that date, any provider that does not meet the "small provider" or other exception would have to return to electronic claims submission in order to continue to receive Medicare reimbursement. At that time, the provider would again be required to comply with the Privacy Rule requirements.

Please be advised that there may be circumstances where a medical practice may be required to engage in electronic healthcare transactions. For that reason, please review the September 13, 2002 article entitled, "Are You a Covered Entity Under HIPAA" above.