If you bought the first edition of the book, the one in a three-ring binder, copy and read BOTH updates.
If you bought the paperback version or the CD version, all the changes contained in Update 1 are already in your book; just copy and read Update 2, which starts at the next HIPAA book cover.
HIPAA Update 1 - Oct. 2003 
What you have to do now (Oct. 2003)
Probably nothing. There have been no changes that affect small and solo practices. If you want to save time and all your HIPAA paperwork is implemented, do not bother to read further.
Forms from the book are now online. Click here.
All of the forms in the book are now on the website for easy downloading and modification for your practice. Since HIPAA offers no standard text or phrasings, all the wording in all the forms was written by me. HIPAA specifically suggests that your paperwork should be suitable to your practice and your clients so feel free to edit, rephrase, and tailor to your practice any of the materials.
Information about Medicare for professionals
If you or your staff need information on using Medicare, the federal Medicare Web Site has a series of educational materials of great relevance at this site. There are CDs, broadcasts, online training programs, publications, manuals, FAQs, etc. for providers, such as the ICD-9-CM and other codes, HIPAA materials, drug information, and more.
Information on HIPAA from CMS
The Centers for Medicare and Medicaid Services (oddly abbreviated as CMS) has a HIPAA page here which seems opaque, and you will have to do a little digging, but there are riches here. Click on the second paragraph's "Administrative Simplification" to get most of them. You will have to read it carefully, but everything from the feds is here.
The Consumer site about HIPAA at CMS also has information you might find valuable for your clients. Click here to access the site.
Key HIPAA documents available in Spanish
"The HIPAA Information Series for Providers, consisting of 10 papers, covers a number of important issues. These papers are now available for download in both English and Spanish."
Submitting Medicare claims
All Medicare claims were to be submitted electronically, using the Transaction Codes, by Oct. 16, 2003. Do not panic: paper will still be accepted. You can still use HCFA-1500s or the paper forms supplied by your payers. If you would like to use the transaction codes and formats for your Medicare billing, contact your regional or state Medicare intermediary. Many have software available at no cost to providers, tailored to Medicare's needs and procedures.
Submitting non-Medicare insurance claims
While the feds can only control Medicare claims, the whole medical insurance industry has adopted the transaction codes for all their procedures. However, considering the above, you can keep using what you have been doing until your payers tell you that you must change. Over the next few years the big dogs, both billers and payers, will have the electronic transactions all running smoothly and will look around for other ways to save money by computerizing small providers (us).
If you want to go the electronic route now, here are some possibilities.
a. Use a Transaction Code/Electronic billing program for Medicare and keep your current paper or electronic HCFA for all others.
b. Ask your current billing person/billing program/clearinghouse when they will be HIPAA compliant for the Transaction (not Privacy or Security) Rule. Since the clearinghouses are CEs they will have a Privacy Officer to answer your questions.
If they will be compliant in less than six months, stay with them.
The only problem with this "stand by your man" approach is that it may be quite expensive. I don't know how clearinghouses and billers will pass on their costs. The billing programs (e.g., Therapist Helper, Docutrac, SOS, etc.) in MH are very complex and the number of users (you) relatively small, so costs of revisions and upgrades are high. Many of them will require you to buy an upgrade to their program and a module for Transaction Code billing, and so cost $2,000-4,000. (Please advise or correct this. I have not done a survey.)
c. If they won't be compliant ...
1. Ask them to recommend a clearinghouse with which their/your billing program is highly compatible.
2. Find and use a clearinghouse which is compliant NOW. You do not have to use your current biller for Medicare billing; you may use different methods for different bills (HIPAA allows this difference).
How to find one of these compliant clearinghouses? Your local/state/regional Medicare intermediary/carrier or state office which deals with Medicare is likely to have a list of these clearinghouses at their website. For example, I found ones for FL, CA, and PA easily.
There is another advantage of the above: Since using the Transaction Codes is very complex and therefore likely to be a mess for several months, going to a clearinghouse (which will guarantee doing a good job) for 6 months will be a safe harbor. Then, next year, you can decide again whether to stay with them or go to a revised and updated version of your billing program, whichever makes your life simpler.
For another way to proceed with a clearinghouse see 10 Questions for Successful Transactions Compliance by Ward Keever available here. This is a fine checklist to ask of a clearinghouse you are considering working with.
3. Most costly and not too simple - buy a whole new office information system. Billing, transaction codes, report generation, client data and records, etc. This may be a good investment.
You might also have a look at Psyquel which is a full service on-line billing/claims management business that was developed and is run by a psychologist. Check them out at www.psyquel.com
CMS has a four page, information packed publication called "5. Is your software vendor or billing service ready for HIPAA? - Communicate with your vendors, billing services and clearinghouses. Know what questions you should be asking them. (PDF, 160KB) | (Microsoft Word, 333KB)." It can't be read online but can be downloaded here. On the same page you will find "9. Final steps for compliance with electronic transactions and code sets - Take those final steps towards compliance and do not hesitate to get the help you need. (PDF, 153KB) | (Microsoft Word, 334KB)"
Use of ICD-9 vs. DSM-IV
The HIPAA Transaction Codes use the more universal ICD-9-CM numbers for diagnoses and do not use the DSM codes. If you are using a billing program, contact its developer to see how they have dealt with this issue. If you use paper forms, the ICD codes, which were developed by the World Health Organization, are free (as opposed to the DSM codes, which are proprietary to the American Psychiatric Association) and are available at many sites.
You can download the whole ICD here in .rtf versions. It is not available here in print. You want only volume one and its section V. Download the Read Me 04.txt first. You will want either or both of DINDEX04.ZIP, the Index to Diseases, and DTAB04.ZIP, the Tabular List of Diseases.
FTP will not always work; I cannot help you with this.
A CD-ROM version is available as well. It can be purchased from the Government Printing Office, stock number 017-022-01544-7. A printed version is available from many sources - search at www.Amazon.com.
May I modestly suggest that you have a look at my Reference List of Psychiatric Diagnoses from ICD-9-CM by clicking on the ICD tab at the top of this page. It is really all that we clinicians need.
By the way, the next version of the DSM, DSM-V, is at least five years away and so is not relevant now. The ICD-10 is available, but all its codes are very different in appearance and format from the ICD-9, and so it too can be ignored for now.
Enforcement of the HIPAA standards
"CMS has been charged with responsibility for enforcing the Standards. CMS will focus on voluntary compliance and enforcement will be complaint-driven (necessitated in part by a fortuitous lack of resources). A covered entity will receive written notification of any complaint filed against it. The covered entity will then have an opportunity to:
a. Demonstrate that it is in compliance with the Standards,
b. Document its good faith efforts to comply with the Standards, and/or
c. Submit a corrective action plan.
As long as the compliance failure is based upon reasonable cause and is not due to willful neglect, HHS is not likely to impose a penalty "assuming the failure is corrected within 30 days or such longer period as CMS may authorize."
FERPA and HIPAA
>Hello Ed
>I work in a multidisciplinary practice (2 psychologists, 1 social worker,
>3 psychiatrists.) A question came up from one of the psychiatrists who
>does psychiatric evals for schools. The question is: Is the school therefore
>a Business Associate, since they are receiving PHI and do we need a BA
>contract?
>Thanks for your information. Your workshop was very helpful to me.
>Susan XXXXX, MS
>
Hi Susan,
It is not quite so simple.
- HIPAA is discipline blind and covers all of the clinicians but not school counselors and some other newer disciplines. However, in my opinion all clinicians, even unlicensed ones, should comply with HIPAA because they will be held to this standard.
- HIPAA specifically says it does not apply to info covered under FERPA. IF and this is a big IF, the school keeps the "clinical" (and thus HIPAA covered) materials separate from the FERPA (academic) information, then you must use HIPAA rules for that info. If they are not separate, the school must make a policy decision about how to handle its info.
- The school is not a BA of yours because they are not doing something for you with the info you give them like a billing company would. They are using it for their own purposes and so you need an Authorization from the client to release the PHI to the school.
You are not a BA of the school because they are not a CE.
Write more if this is not a terrific answer.
Ed
A total office operations resource (a break for a commercial)
If you add The Paper Office to HIPAAHelp you will be totally prepared to run your practice /update your practice to current expectations for legal and ethical concerns. The Paper Office has been available for ten years and the third edition was revised in January. It contains all the paperwork, forms, patient education handouts, practice brochures, and similar paperwork to assure fully informed consent, deal with all managed care issues, maintain confidentiality, etc. All the forms in the book are also on the included CD-ROM.
It is hard to describe the rich contents: the collection of advice from a thousand clinicians and hundreds of published professional papers, the guidelines for all aspects of practice from your proper letterhead information to how to select malpractice insurance. Have a look at the contents on the publisher's website.
It has been a main and continuing selection of the Behavioral Sciences Book Service and I have received a professional award for it. It is great stuff and I honestly believe that no other book offers half its contents, that it is a giant bargain at $55, and that it will provide you with both an education in how to run your practice ethically, legally, and profitably and serve as a "malpractice prevention kit in a book."
For future Updates and HIPAA information
If you would like to receive information on updates, HIPAA, and other similar products (and only this kind of information) from us (and no one else), please click here to send me an email.

If you have not become HIPAA-compliant, it is never too late to gain the small benefits (added privacy in dealing with insurance companies, tightening up your staff with education in confidentiality, almost impregnable private notes, and not having to explain why you chose not to comply) at the cost of a few pieces of paper.
It has been almost two years since most clinicians made their practices “HIPAA-compliant” and so it is time for an update on new developments. First, the good news: None of the basics has changed nor is any major change contemplated because the implementation is continuing and lawsuits have not had enough time. If you are using an NPP (Notice of Privacy Practices) and “Consent” tailored to your practice, just keep it up. Similarly, if you added some HIPAA wordings to your state’s rules in your Authorization Form, it need not be modified. You can still keep HIPAA-legal Psychotherapy Notes and release only the basic information to insurance companies.
However, there are some developments you should be aware of and which have not been discussed widely. You will need an NPI, must comply with the Security Rule, might want to implement encryption, must use the ICD-9 codes, and there are a few other interesting ramifications.
NPIs
You, whom Managed Care changed from a therapist into a “provider,” and the HIPAA Privacy Rule turned into the even more anonymous CE (Covered Entity), will now be just a number. You will have to get a National Provider Identifier (NPI) number. Don’t panic; the earliest this will start is May 23, 2005 and you will have two full years to do it. If you are not now and don’t want to be a CE, ignore this. If you want one for some administrative purposes but are not a CE, you can get one. Employers who are CEs use their EINs (after July 30, 2004) and there will be additional NPIs for groups. Applications for NPIs will be on paper and via the internet (by the way, Wired magazine, the apparent authority, has decided that email no longer needs a hyphen nor internet a capital.) There will be accounts with user names and passwords, and telephone support but no fee. If you need more information, a number of sites are listed at the end of this article. Mike Feely, the savvy author, therapist, and aficionado of bureaucracy suggested VNPIs (Vanity National Provider Identifiers) for a small fee which could go to the National Coalition to fight HIPAA. Can someone look into this, please?
These sites will give you all the information available on the NPI.
http://www.cms.hhs.gov/hipaa/hipaa2/regulations/identifiers/default.asp
http://www.hipaadvisory.com/regs/natstandardhcprovidid/implementnpi.htm
http://www.hipaadvisory.com/regs/finalp
http://aspe.hhs.gov/admnsimp/faqnpi.htm
http://www.hipaadocs.com/action/display/faq_npi
http://www.hipaadvisory.com/regs/finalprovid/def.htm
For my free step-by-step guide, click the GET YOUR NPI TAB at the top of this page.
The HIPAA Security Rule is Important
The practice changes which most psychologists made in April of 2003 to become HIPAA-compliant were required by the Privacy Rule, one of the three components of HIPAA. The first, the hugely complex Transactions Rule, has to do with electronic billing and is being implemented over several years. The third part, the Security Rule, must be complied with by April 20, 2005. The good news is that in all but a few aspects, when psychologists implemented the Privacy Rule their new procedures also made them compliant with the Security Rule.
There are two points of interest here. The first is simply strange. The Privacy Rule applies to all forms of PHI (protected health information), whether electronic, written, or oral. In contrast, the Security Rule applies only to PHI in electronic form. Any PHI created, received, transmitted or stored in any electronic form is covered - the internet, computer drives, CDs and tapes, disks, etc. The Security Rule does not apply to PHI created, transmitted, received, or stored on paper or any oral communications. Some truly impressive reasoning has been used here. For example, if you typed up a page of notes on a typewriter (which did not store it electronically) and faxed it where it was again not stored but simply printed out and used and filed, it would not be covered by the Security Rule. However, a computer fax would be. Gotcha. In these circumstances, the best policy is likely to be to treat all PHI as if it were EPHI.
The second point is even more complex and I will explain it briefly because you might actually have to take some actions around some aspect or aspects of your practice in order to comply. The Security Rule lists a moderate number of physical, administrative, and technical “safeguards” designed to protect the privacy of PHI. Each safeguard has some detailed instructions, called “implementation specifications,” for how to carry out these safeguards. These implementation specifications come in two flavors. Some are “required” and must be met in the clinical practice by policy or procedures. The other implementation specifications are called “addressable” and require some thought. You, the CE, have to consider whether, in your particular environment, each of these implementation specifications is reasonable and appropriate to safeguarding your PHI and EPHI from reasonably anticipatable threats and hazards. To be concrete, you must decide, after considering your office’s location, building design, layout, and the location of your office computer, whether a lock or two and a password are sufficient safeguards or whether you need a monitored premises security system, universal encryption, and off-site storage of backups to “address” the risks to your EPHI. You get some relief in this “risk analysis” in two ways. First, HIPAA fully recognizes that the security requirements are “scalable,” which means small practices do not need anywhere near as much as large CEs must in terms of costs, training, new hardware and software, systems, etc. Second, these implementation specifications are to be “technologically neutral” and so do not require any particular technology, hardware, software, etc. More concretely, encryption of emails is not required but, as it becomes easier to do, will be a good decision on your part. (Until then, don't put any PHI in an email.) For more on this aspect of HIPAA see §164.306(d) and especially §164.306(d)(ii)(B)(2).
APA's Practice Organization has a perspective on the Security Rule worth our attention. They believe that if a complaint is made against you (for the unauthorized release of PHI) and the investigators from the Office of Civil Rights come to visit, they will not ask to see all your files. They will want to see your HIPAA Policy and Procedures Manual to see if you have addressed all these issues in HIPAA. To further this, they have developed an online course that assists in the writing of this document. The cost is $100 for APA PO members or APAIT insureds. As of Dec. 12, 2005, a document from OCR/CMS which would clarify what small practices have to do to comply with the Security Rule has not been published. I will update you on this as soon as I can.
Encryption
Ed’s Opinion: Every document on your computer should be encrypted, not just password protected. The procedures to encrypt email and other files have gotten simpler and are now not very burdensome. The most widely used set of programs is PGP (Pretty Good Privacy), which offers free versions you can download from their web site and use on all kinds of files. This and Verisign’s program for email, which is smoother and costs $20 a year, use a Public Key, which requires adding your public key to a database on the internet and a few other arrangements, but both are entirely secure.
There are other email encryption programs which require you to provide the key or passphrase to the recipient of your email in some way other than the insecure internet. Zixmail costs $50 a year. Shyfile does not require the recipient to have the program. The recipient uses a browser and the passphrase you have given them or the Shyfile website to decrypt the email. Adhaero Transit allows you to send an executable file or email which the recipient decodes with the passphrase you have communicated to them. They don’t need to have the program. More info at <http://www.adhaero-transit.com-download.net/>.
For the paranoid and technically sophisticated: the National Institute of Standards and Technology (NIST) believes that the Data Encryption Standard (DES), a popular encryption algorithm, is not secure enough. The algorithm, sometimes referred to as single DES, uses a 56-bit key to encrypt blocks of data, and can produce up to 72 trillion unique keys. Paul Kocher, president of Cryptography Research Inc. in San Francisco, said: "It's gotten to the point where any government curious enough to break DES traffic could." Even malicious hackers in control of an army of virus-infected "zombie" computers could make short work of the single DES algorithm, he said. Either Triple DES or AES is "many trillions of times" stronger than DES and could take decades or centuries to break, even with the current rate of advancement in computer processing speed, Kocher said. Ed’s Opinion: most current programs use 128-bit or higher keys and are safe enough for our usual notes. If you treat those whose PHI exposure would be catastrophic, find an AES or Triple DES program.
E-mail privacy notices
E-mail is not secure (unless encrypted; see the Encryption section above), so you shouldn't send PHI or sensitive information in it. Even for other uses, you might place a version of the paragraph below as a "sig file" or signature at the bottom of all your transmissions. See also section 720 of HIPAAHelp.
Because of the heightened awareness of the threats to the privacy of PHI created by HIPAA, it is prudent to add a confidentiality notice to one's communications. Below is a sample confidentiality notice for your e-mails, which can also be modified for use on faxes. You may construct your own version, of course, and it appears the essential elements are:
1. A notification that the material is sensitive.
2. An indication that its distribution and use are restricted by law.
3. A request that, if it was incorrectly sent or received:
a. the sender be notified;
b. it not be distributed or used; and
c. it be destroyed or returned.
4. A message of gratitude for the recipient's cooperation.
Sample CONFIDENTIALITY NOTICE
This electronic message and its attachments may contain information from ______ that may be confidential, legally privileged, or otherwise protected from unauthorized disclosure by federal and/or state laws.
This information is intended only for the intended addressee or the employee or other agent responsible for delivering this communication to the intended recipient. If you are not the intended recipient, you are hereby notified that any disclosure, copying, storage, or other use of this material is illegal and prohibited. Your receiving this message in error does not waive any attorney-client, physician-patient, or other privilege. If you have received this communication in error, we ask that you immediately contact the sender by name at [landline telephone number or secure e-mail address] so that we may jointly decide on how to destroy or return this communication, at no cost to you.
We will be very grateful for your cooperation in correcting any error in our transmission of this message and assure you we will follow the above rules if we ever receive any mistaken communication from you.
Thank you.
[name]
ICD-9-CM
HIPAA requires the use of diagnoses from the International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM), Chapter V (Mental Disorders), instead of DSM-IV-TR. Changes to the ICD implemented in October 2004 bring the two closer, but there are still many differences, stemming from the European origins of ICD and its origination in 1980. DSM also has many more disorders and sub-classifications, and the ICD has some categories from DSM-III. There is no book of just the mental disorders and no small version (except my own Reference List of ICD-9-CM Diagnoses), but the whole ICD is available from the GPO on CD for $25 for Windows computers, and a book version for $60 can be found at <www.Amazon.com>. An inexpensive and easy to use alternative can be found under the ICD-9 TAB at the top of this page.
Filing a complaint
There is now a specific address to file complaints about violations of one's privacy and you might add this to your NPP.
Privacy Complaints
P.O. Box 8050
U. S. Department of Health and Human Services
Centers for Medicare & Medicaid Services
7500 Security Boulevard
Baltimore, Maryland 21244-1850
An official NPP
Medicare's HIPAA web site now has a suggested and sample NPP for Medicare clients which you can see at www.medicare.gov/privacypractices.asp or click here.
It is about two pages and has a 9-10th grade reading level. If you intend to use it, you will need to add any variations imposed by more stringent laws in your state and adapt it to your office procedures.
Note that this form is for Medicare patients and the ones in the book, HIPAAHelp are applicable to both Medicare and other patients. See section 410 of HIPAAHelp.
See section 660 of HIPAAHelp.
Materials on HIPAA from the American Psychological Association's Practice Organization & APAIT
HIPAA Security Rule Online Compliance Workbook (2005) is a response to the Security Rule's requirement for a HIPAA Policy and Procedures Manual. It was developed by the APA Practice Organization. It explains the issues and offers questions for you to type in narrative responses. At the end the program collects these into a printable manual. When I took it the program offered minimal suggestions to guide responses. The course is available to Practice Assessment payers and APAIT Insureds for $99, to APA Members at $139, and to Non-Members of APA at $159. See http://www.apapractice.org/apo/hipaa/secure.html (accessed December 05, 2007).
The APA Practice Organization offers a similar course for the Privacy Rule, called the HIPAA Privacy Rule Online Compliance Course (2003). See http://www.apapractice.org/apo/hipaa/course.html (accessed December 05, 2007). The course is available to Practice Assessment payers, Trust Insureds, and Dues Exempt members for $225, to APA Members at $375, and to Non-Members of APA at $600.
Other Points
If you use a Telecommunications Relay Service (TRS) program to communicate with a patient who is deaf, or for any other reason, the Federal Communications Commission (FCC) decided that this does not violate the HIPAA Privacy Rule and you don’t need to have a Business Associate (BA) agreement with the TRS. Read more at <http://www.hipaadvisory.com/news/index.cfm#0709fcc>.
The Centers for Medicare & Medicaid Services (CMS) recently exempted benefit debit-card transactions from the HIPAA requirements for electronic data transfer. This specifically applied to the use of such cards to pay for services from a Flexible Spending Account (FSA) but is based on earlier decisions that credit and debit card payments to professionals or pharmacies are not subject to these security rules. Ed’s Opinion: Privacy Rules still apply, and so I would put a notice in my Special Brochure for Special Cases indicating that credit card payments and similar arrangements are more confidential than checks (with names on them) and are protected by business laws and security methods, but both are discoverable.
CMS has not changed its approach to “unauthorized disclosures” of PHI. They are reactive (they will wait for complaints rather than seek out problems), prefer to educate rather than prosecute, offer little or no specific help (such as forms and wordings), will not issue advisory opinions for future guidance and, because they are understaffed in enforcement, rely on voluntary compliance. I believe there has been only one settled case of a HIPAA prosecution, and this was for a case primarily involving identity theft and credit misuse.
End
This page revised Dec. 11, 2007