
HIPAA FAQ: General Issues

Questions

  1. What is HIPAA? Where do we begin?!

  2. Who must comply with HIPAA?

  3. Since the regulations frequently refer to "electronic" communication, what media falls into that category?

  4. When do organizations have to comply with the standards?

  5. Is there any consideration for small plans for complying with the standard once it is adopted?

  6. How is a small plan defined?

  7. Does a Health Plan have to accept transactions?

  8. Can health plans delay payments for transactions submitted electronically according to the standard?

  9. I am an employer and I provide on site healthcare for my employees. Do these HIPAA standards apply to me?

  10. I am an employer and I do not provide on site healthcare for my employees. Do these HIPAA standards apply to me?

  11. Is HIPAA a way for the government to create one large database with everyone's health information?

  12. I am a physician. I do not own a computer. Do I have to buy a computer?

  13. Why all the HHS delays in publishing the final HIPAA regulations?

  14. How does one become a HIPAA accredited agency?

  15. If a payor does not comply with the Transaction and Code Set standards for all eight Transactions by October 2002, what is their penalty?

  16. Are small providers covered entities under HIPAA? (added June 23, 2003)
    1. Does your office conduct all of the following transactions on paper, by phone, or by FAX (from a dedicated fax machine, as opposed to faxing from a computer)?
    2. Do you bill Medicare and are you a small provider with fewer than 10 full-time equivalent employees?

Answers

What is HIPAA? Where do we begin?!

To learn more about HIPAA in plain English, read our HIPAA primer.

Once you have some understanding of what HIPAA is, you will then be ready to begin your journey on the road to compliance with our Action section. There you will learn how you and your organization should act on HIPAA planning, assessment, and implementation.

If you then have specific questions, read through these FAQs or perform a keyword search on this site to find the answers. Chances are that they are answered in one of the more than 1300 pages of HIPAA information we offer online.

Also consider subscribing free to our very busy e-mail discussion list, HIPAAlive, and posing your question there. The focus of HIPAAlive's 3700+ members is to consider and discuss new HIPAA questions every day. Once you join, you can search the list archives; your question may have already been addressed on the list. (You may want to initially receive the digest version of the list so that you can view the archives, but not be inundated with the large volume of daily messages.)


Who must comply with HIPAA?

All healthcare providers, health plans, payers, clearinghouses, and other entities that process health data must comply.

Any healthcare provider that electronically sends one of the transactions covered in the Final Rules (claims, remittances, claim status inquiries, eligibility, certification) is covered by HIPAA. Any organization that electronically stores or transmits individually identified healthcare information must comply with the Security regulation. So, if the organization does any of the above (files a claim electronically or electronically stores any healthcare information that can be tracked back to an individual), it must comply with the appropriate HIPAA regulation.


Since the regulations frequently refer to "electronic" communication, what media falls into that category?

HIPAA applies to all communication that is stored or transmitted electronically, or that has been stored or transmitted electronically in the past. Media includes, but is not limited to, computer databases, tapes, disks, telecommunications, fax, the Internet, and networks.


When do organizations have to comply with the standards?

Organizations have 24 months to comply with the Standard after the Standard is adopted.


Is there any consideration for small plans for complying with the standard once it is adopted?

Yes. Small plans will have 36 months to comply after the standard is adopted.


How is a small plan defined?

A small plan is one that meets the definition of a small business under the Small Business Association's rules: annual receipts of less than $5 million.


Does a Health Plan have to accept transactions?

Health Plans may not refuse to accept standard transactions that are submitted electronically.


Can health plans delay payments for transactions submitted electronically according to the standard?

Health plans may not delay payments because the transactions are submitted electronically in compliance with the standards.


I am an employer and I provide on site healthcare for my employees. Do these HIPAA standards apply to me?

Yes. When an employer acts in the role of a health plan or health care provider, the employer must comply with HIPAA standards.


I am an employer and I do not provide on site healthcare for my employees. Do these HIPAA standards apply to me?

No. The HIPAA standards do not apply to you as an employer since you do not act in the role of a health plan or health care provider. Employers can voluntarily choose to use HIPAA standard transactions to expedite their health plan activities, such as enrollment.


Is HIPAA a way for the government to create one large database with everyone's health information?

There is no provision in HIPAA law to create, or propose to create, such a database. HIPAA is designed to reduce cost and administrative burden. HIPAA recognized the significance of protecting personal health information. New security standards and more privacy legislation are intended to protect the confidentiality of health care information.


I am a physician. I do not own a computer. Do I have to buy a computer?

There is no requirement under HIPAA that you must own a computer. However, you may want to use a computer when you submit and receive transactions. In the future, this is likely to become the standard means for managing healthcare business.


Why all the HHS delays in publishing the final HIPAA regulations?

Once a proposed rule is approved by the government, the public is given the opportunity to comment on the proposal, and those comments must be considered in development of the final rules. Most of the proposed HIPAA regulations generated thousands of public comments, and the time required to review and consider them has slowed the publication of final rules.


How does one become a HIPAA accredited agency?

There is really no such thing as becoming a HIPAA accredited agency. There is no agency at present, or, based on my knowledge, in the future, that will assume the role of accrediting an organization. On a side note, the healthcare industry at this point is very negative toward any vendor who says they are HIPAA compliant. Their negative reaction is based on a number of reasons: 1) the majority of the rules are not yet final, and 2) becoming HIPAA compliant requires a concerted effort from all parties, including the actual organization, its vendors, and its business associates.


If a payor does not comply with the Transaction and Code Set standards for all eight Transactions by October 2002, what is their penalty?

The penalty for non-compliance with transactions and code sets is $100 per occurrence up to a maximum of $25,000 per standard per year. What most people get confused about is that the maximum is per standard, so that when you calculate how many transaction standards there are to possibly not comply with, the number can add up! Plus, the payers have a greater burden in that they must be ready to comply with all the transaction and code set standards, regardless of whether they are currently performing them electronically or via paper.

The Final Rule explains the penalty to be imposed "per violation on any person who fails to comply with a standard" and puts a cap on the amount imposed on any one person per year to be $25,000. Since a provider usually files more than one claim at a time, it would be easy to accumulate many violations with one single transmission. For instance, if a provider sends a batch of claims electronically directly to a payer but does not use the 837 format, the penalties would be $100 for each of the claims in that batch. Assuming the provider sends 100 claims per day, the possible penalty would be $10,000 ($100 × 100 claims). In 3 days the provider would amass the maximum amount of penalty that could be imposed.

What we don't know yet is how enforcement is going to be conducted, nor are we sure how the compliance provisions will be established. HHS has announced that it intends to publish an NPRM sometime early next year that will cover these issues. Since this NPRM will not establish a 'standard', it will not require the 2-year implementation timetable that the existing NPRMs require, so it will be effective BEFORE the Final Rule for Transactions and Code Sets. This NPRM (and subsequent Final Rule) is also expected to address some other outstanding issues such as certification.


Are small providers covered entities under HIPAA?

As a health care provider, you have probably heard about HIPAA – the Health Insurance Portability and Accountability Act of 1996. HIPAA mandates new standards and procedures that promote standardization and efficiency in the health care industry. Today’s health care industry relies more and more on advances in technology to help administer health care. Doctors, hospitals, clearinghouses, and health care vendors, such as billing services and software companies, use computers to conduct many of their health care transactions.

Congress passed HIPAA in response to the health care industry’s increasing reliance on electronic transmission of health care data. The law will help streamline the administration of health care by requiring basic standards for conducting several transactions in electronic form, including processing claims and payments. It also governs disclosure of electronic patient protected health information and provides the minimum safeguards required to ensure the security of electronic health care information.

This document responds to many questions CMS has received from small providers, especially those small providers who currently do not conduct any of their health care transactions electronically. If you are a provider that conducts office operations manually, there are two important questions you should ask in order to determine if HIPAA applies to you.

a. Does your office conduct all of the following transactions on paper, by phone, or by FAX (from a dedicated fax machine, as opposed to faxing from a computer)?

  • Submitting claims or managed care encounter information
  • Checking claim status inquiry and response
  • Checking eligibility and receiving a response
  • Checking referral certifications and authorizations
  • Enrolling and disenrolling in a health plan
  • Receiving health care payments and remittance advice
  • Providing coordination of benefits

If your office does not conduct any of the above standard transactions electronically and you do not have someone else, such as a clearinghouse or billing service, conduct them electronically on your behalf, you are not a covered entity and HIPAA does not apply to you.

If you conduct any of these transactions electronically, you are a covered entity and you must comply with all HIPAA requirements, regardless of the size of your practice.

b. Do you bill Medicare and are you a small provider with fewer than 10 full-time equivalent employees?

Effective October 16, 2003, Medicare may not pay claims submitted on paper, with certain exceptions. One of the major exceptions is for claims submitted by “a small provider of services or supplier.” The term “small provider of services or supplier” is defined to mean:

  • a provider of services with fewer than 25 full-time equivalent employees, and
  • a physician, practitioner, facility, or supplier (other than provider of services) with fewer than 10 full-time equivalent employees.

The term “provider of services” is defined for Medicare by § 1861(u) of the Social Security Act to include seven specific types of institutional or special purpose providers. This term generally describes hospitals, nursing facilities and other institutional providers that are paid through Medicare fiscal intermediaries. The terms found in the phrase “physician, practitioner, facility or supplier” are used to describe entities that furnish Medicare services described in § 1861(s) of the Act, and are generally paid through Medicare carriers.

If you do not meet the small provider exception, you will be required to submit your Medicare claims electronically effective October 16, 2003. Once you begin submitting your claims electronically to Medicare, your answer to question 1 above would be “no”, and you would become a covered entity under HIPAA.
