Frequently asked questions
Q: What are the HIPAA deadlines?
A: HIPAA privacy rules have been in effect since April 14, 2003. HIPAA electronic transactions regulations
became effective October 16, 2003.
Q: Does HIPAA treat mental health differently?
Every provider must follow all of the HIPAA regulations. HIPAA
does not treat mental health care providers any differently, except to
define what a psychotherapy note can be, what you can exclude, and what
separate authorizations you need. As far as codes go, there are no
special provisions for mental health care providers. Mental health care
providers use the same HIPAA standard code sets as everyone else (ICD-9-CM for diagnoses; CPT and HCPCS for procedures).
What are the penalties for failing to meet the security portion
There are no final regulations for the security standards, so
there are currently no set-in-stone penalties for security violations.
Like privacy and transaction standards, we expect the force of law to be
behind the security regulations. The security officer will probably be
Are doctors required to give out contact lens prescriptions?
No. Doctors can if they wish, but Arkansas law does not require
Does HIPAA prevent you from asking for a driver’s license
Be careful when you hear rumors like this. We advise you to read
the rule yourself before accepting a statement as gospel. Go to www.cms.gov/hipaa
(especially the Frequently Asked Questions section) or read the actual
regulations at http://aspe.os.dhhs.gov/admnsimp/.
HIPAA is not specific in many areas. HIPAA tells you what requirements
must be met, but HIPAA does not always specify how to meet them.
What if certain state laws are different from HIPAA?
If a state law is more restrictive than HIPAA, then the state law
prevails. Otherwise, if state law contradicts HIPAA, you must follow
Where can I read the HIPAA regulation for myself?
Go to the HHS site at http://aspe.os.dhhs.gov/admnsimp/.
You can download the regulation in an Adobe PDF format, or you can view
an HTML version. If you have Adobe Reader on your computer, you can search
through the regulation by keyword.
How should I train our staff about HIPAA? Should I hire someone?
You are not required to educate your employees about HIPAA
regulations. You are required to educate your employees on what your
policies are. You are probably the most qualified to train your own
employees about what your own policies are. You need to write your own
privacy practices, and then train your employees on what those are and
what must be done to meet them. Nothing in HIPAA requires training from an
To help you in your own training, you can download handouts (www.hipaa.state.ar.us).
Q: Have Arkansas Medicaid manuals been updated?
Yes. HIPAA-compliant provider manuals can be downloaded free from the
Arkansas Medicaid web site: www.medicaid.state.ar.us,
How do I submit claims to Medicaid under HIPAA?
There are several options for submitting claims:
You can use paper if you want. You can submit claims through the Arkansas
Medicaid web site.
You can use Provider Electronic Solutions (PES)
software. Or you can use a vendor or a clearinghouse.
Q: Can I still use my Emerald or Omni device?
No. Emerald and Omni devices are not compatible with HIPAA
standards. Providers must use PES, a HIPAA-compliant vendor system, or the
web application (Online services) to file claims
Under HIPAA, can I still submit paper claims to Arkansas Medicaid?
Yes. HIPAA transaction standards apply only to electronic
transactions. You can file paper claims, but they will continue to be
subject to the normal 30-day waiting period.
Are the paper claim forms going to change?
HHS has not yet changed these forms. The assumption is that the
current format of the 1500s and the UB-92s will change, but it’s still
being finalized. Any changes to the paper format probably will add data
fields that are included in HIPAA-compliant electronic claims. HIPAA
transaction code sets apply to electronic claims but not to paper
How do I get a copy of the PES software?
You can download the software from the Arkansas Medicaid web site
in the Provider Information section under “Free software.” The latest
version is always available on the web site.
Q: Has the PES software changed?
Yes. PES has been updated to be HIPAA-compliant. The interface is similar, but more fields
have been added to each screen. PES still
allows interactive, real-time verification of a patient’s Medicaid
eligibility. All other transactions, including claim submission, are now batch.
Will the new version of PES accept attachments?
Under HIPAA, a transaction standard was proposed for attachments but has not yet been finalized by
HHS. How attachments will work with the HIPAA-compliant
version of PES has not yet been determined.
Am I required to use PES?
No. However, if you use software created for your operation, it must meet
Q: Can I still submit interactive claims with the new
version of PES?
A: Pharmacies still can submit interactive claims. All other PES claims
can be submitted in batch mode only.
How will Arkansas Medicaid handle issuing refunds under HIPAA?
A: Refunds probably still will be issued on paper because there is not yet
a good way to issue them electronically.
Will adjustments stay the same?
Adjustments will most likely stay as they are today. However, we
will send out more information about how this process will work once it is
What happens if I performed a service before October 13, 2003, but I
can’t submit the claim until on or after October 13, 2003?
If your claim has a date of service before October 13, 2003, and
you submit the claim on or after October 13, 2003, use the old
codes and any modifiers that have been added. (See the Arkansas Medicaid
web site, www.medicaid.state.ar.us,
for the local codes crosswalk spreadsheet and new provider manuals.) However, you must submit the claim in the new
If Medicaid is secondary insurance, does that have to be submitted
No. Arkansas Medicaid will still accept paper crossovers. PES soon will
be able to do electronic crossovers.
Who do I need to have business associate agreements with?
You must have business associate agreements with any entity that
performs a business function for you and that you share PHI with. This can
include software vendors, medical reviewers, lawyers, auditors, a
clearinghouse, or payers. Any of these would be considered business
Q: How can I tell if I’m somebody’s business associate or if
If you send data that identifies patients to another company so that it
can perform a function or service on your behalf, then that company is a
business associate of yours. If you receive patient-identifying data from
somebody else in order to perform a function on their behalf, you are their
business associate.
Q: Currently, whenever I plan to install a pacemaker in a patient, I
have a representative from the pacemaker company there. Is this still
allowed under HIPAA?
That representative would be a business associate. You need a
business associate agreement with the company represented. The business
associate agreement is with the entity, not an individual person.
Do I need a business associate agreement with our state auditors or
the county’s attorneys since they have access to our records?
No. You are required to release information to them by state law.
If I write a prescription for a patient’s eyeglasses, do I need
to have a business associate agreement with the lab that processes that
order? Or does this fall under TPO?
Both. If you share any protected health information with a third
party that performs a business function for you, you must have a business
associate agreement with that entity. In this situation, you do not need authorization to send the prescription to the lab, because
that’s TPO. If that lab wanted to send coupons to all your patients who
bought glasses made at their lab, then you need an authorization to share
My hardware provider comes in and works on my computer. Do I need
to have a business associate agreement with them?
Yes. Your hardware provider has access to your patients' PHI.
What information should I include on an authorization to release
Check out the sample authorization form at the AMA website, http://www.ama-assn.org/ama/pub/category/6900.html.
This authorization form is not current, but is a good place to start.
Also, frequently check the Arkansas HIPAA website, www.hipaa.state.ar.us.
Are consents still required?
No. On August 12, 2002, HHS changed the consent rule. You once
needed consent to share patient information for any TPO, but this is now
Q: Though consent is no longer required under HIPAA, does Arkansas law
require providers to have a consent form signed by the patient for TPO?
A: No. According to the Arkansas Attorney General's Office and the
Arkansas State Medical Board, Arkansas has no law or regulation that
requires providers to use consent forms for treatment, payment, or health
Can an authorization be faxed, or do I have to witness the
authorization being signed?
Authorizations can be faxed to you. To our knowledge, there is no
clause in HIPAA that says the signing of an authorization must be
witnessed. If an attorney sends you an authorization from a patient, the
authorization must meet all the requirements of HIPAA and must name you (or
your practice) as the entity authorized to make the disclosure.
How specific does the authorization form have to be? If I get a
request for “all medical records,” is that specific enough?
In certain instances, releasing a person’s entire medical record
is necessary for treatment. An example might be a baby born with some sort
of physical defect, who needs a heart transplant a few years later. It
would be reasonable for the doctor to request the entire medical record of
that child. A covered entity must limit the request to the minimum
necessary. If the person making the request is not a covered entity (such
as an attorney), use your professional judgment.
I deal with a government-subsidy housing program, where the amount
of medicine a person uses can be deducted from rent. The housing manager
needs to know how much medicine was purchased. Since this reduces their
rent, the tenants willingly release the information. This is done orally. Is an
oral okay sufficient, or do I need written documentation?
In our opinion, you should somehow write down the authorization. It
does not necessarily have to be a signed form. If the person orally says okay, document it.
I work with elderly patients. Sometimes their daughters or sons
call asking for information. Can I give out that information?
As long as the patient is an adult, you cannot share any PHI
without an authorization—even with their family members.
However, if the patient has assigned someone as a personal
representative or guardian, you can share PHI with that person. In some
cases, you might have an authorization that allows you to speak to certain
specific individuals. This is just like when your kids are at school and
you give permission for some people to pick up your child. “Grandma can
pick up my child. Daddy can pick up my child. Mom can pick up my child.
Nobody else can pick up my child.”
What if the patients can’t speak for themselves? Can a guardian
If the patient has a guardian, you can get authorization from the
guardian to disclose PHI for any reasons not related to TPO.
A man called me to the office and said, “My 21-year-old daughter
just handed me a statement. What did she have?” Is disclosing her
Since the daughter is an adult, you need her authorization first.
The authorization might be as simple as calling and asking her, “Can I
tell your dad what you had done last week so he’ll pay your bill?” You
will probably want to document that she gave you permission. Payment and
the inappropriate releasing of information are two separate issues. Just
because it deals with payment doesn’t mean you no longer have to follow
Will the hospital’s consent or authorization form cover me? Or
should my office get our own consent and authorization forms?
Those forms would not cover you unless you were actual employees of
the hospital and not just independent contractors on site. You need a
business associate’s agreement with the hospital. If you are not sure
about this, we suggest you talk to the hospital about your arrangement.
What if the patient dies? How long do I keep authorization forms,
or any other HIPAA forms?
A: Keep authorizations and any other HIPAA documentation for at least six
years. The individual's privacy rights continue after death, so the rule
still applies to a deceased person's PHI. This comes up in many
situations: releasing a report to the coroner on cause of death, requesting
an authorization, or releasing information to a drug company, employer,
researcher, or underwriter.
I’m still confused about routine versus nonroutine disclosures.
Do I need an authorization for any nonroutine disclosures?
For each nonroutine disclosure outside of TPO, you need a separate
authorization. For a routine disclosure outside of TPO, you need one
authorization form that states how long the authorization period is valid.
At the end of the year, patients call my pharmacy to request the
entire year's record for income tax purposes. What if the wife calls and requests
her husband’s information? Will I need to get his authorization first?
An individual has a right to request his or her own information. Use your professional judgment if someone’s spouse calls.
To play it safe, call the husband and ask him if you can release the
The privacy rule gives you requirements to
follow, but it does not give specifics on how you have to get there. You
do not have to implement an impossible administrative task to meet those
requirements. Use reasonable, professional judgment. Be creative.
In my specialty, I sometimes get patients who claim to have a
referral from a PCP but actually don’t.
Do I need an authorization to verify that they were referred to me?
No. You are not disclosing information about the patient’s
health. You are not talking about a specific condition. You are calling
for verification only.
I see elderly patients with different PCPs. Sometimes, it’s
difficult to get an authorization form because the patient is not coherent or
does not understand what I’m asking. How should I get an
authorization in this case?
A: There is no need for the patient to get an
authorization from the PCP. Authorizations are not required for TPO.
What if I get a call from the patient’s attorney requesting
information? Can the attorney send me an authorization?
A: An authorization must somehow come from the patient. An attorney
cannot give authorization on behalf of the patient. If an attorney calls
for the information, the patient must somehow supply you with an
authorization. You are responsible for getting that authorization from the
correct person before you disclose any information.
The patient does not have to give you the
authorization in person. It can be mailed or faxed. If done over the
phone, you may have to verify identity.
An attorney can send you an authorization signed by
the patient, but you need to ensure the authorization meets all
requirements. Did it come from the patient? Does it specify what
information is needed? Does it have a set timeframe for disclosing
information to the attorney? A patient also can come to your office and request
a copy of his or her own records without an authorization. The patient can
later give the copy to an attorney.
The important thing to remember is that the attorney cannot authorize you to release the information. The patient must
Many attorneys request all of the patient’s medical records. Is
The attorney, who is not a covered entity, is not bound to request the minimum
necessary information. However, because you are a covered entity, you are required
to release only the minimum necessary. Use your professional judgment when
trying to determine whether the attorney’s request is reasonable. Sometimes
an entire medical record is the minimum necessary. If a 40-year-old woman is
suing because of pain and suffering from a back injury
in a car wreck, requesting her entire medical record is not reasonable.
Q: What sorts of things fall outside of TPO and require authorization?
Marketing and research are just two examples. Try not to think
about what is outside TPO. Instead, ask yourself, what is TPO for our
practice? If you cannot justify it in those terms, then you
need authorization to release information.
At my pharmacy, I have a lot of university students who pick up
prescriptions for one another. How is that going to be affected by HIPAA?
A good idea is for you to call the patient and verify that it is
okay for someone else to pick up the prescription. HIPAA has no rules for
documenting who picks up the prescription, although we recommend you
document it somehow. Family members can still pick up prescriptions
without an authorization.
If someone comes in to pick up a prescription for someone else, can
I still explain how to use the medicine and for what reasons?
Yes. If the patient authorized someone else to pick up the
prescription, then the patient has authorized that person to have complete
knowledge about the prescription, including how to use it and why.
In my pediatric practice, I have multiple guardians bringing in
children at different times. Which of these people can I share information
It would be prudent to keep a list of some sort with the
names of the people with whom you are authorized to share information.
Can I combine our HIPAA authorizations with any other
authorizations, so I only have one form to deal with?
No. It is our understanding that HIPAA documents cannot be combined
with other authorization forms.
Can I charge patients for making copies of their medical records?
Yes, to an extent. HIPAA allows you to charge only “reasonable”
fees, such as the cost of photocopying. Arkansas law has set the maximum
you can charge for copies at 25 cents a page. Fees such as charging a
doctor's hourly rate for the time spent making photocopies are not
Can I give a time limit or specify a day for patients to see or
copy their records?
Under HIPAA, the patient has the right to copy that information and
take it with them. You have to make reasonable accommodations to allow for
the copies to be made. You must provide a copy of the patient’s records
within 30 days. You can tell them to come back later in the week. That is
reasonable under HIPAA.
Do I have to give a patient a copy of his or her medical records if the
patient's bills haven't been paid?
Yes. You must provide a copy of medical records even to a patient with
unpaid bills. The payment issue and the releasing of
information inappropriately are two separate issues. You must still follow
HIPAA regulations, even if there are problems with a patient's bill.
Can a patient request a list of all disclosures of their PHI?
Yes. It is our understanding that individuals have the right to
request a list (an accounting) of the organizations and individuals to which their PHI has been disclosed. This
list does not have to include disclosures made for TPO or disclosures the
individual authorized. You can read more about this at http://www.hhs.gov/ocr/regtext.html,
Can patients or their attorneys request changes to medical
Yes. A patient can request a change to his or her medical records. That
does not mean you have to make the change if you determine that the record
is already accurate. You are responsible for the accuracy of your records.
Any requests for changes to medical records should
be documented, even if you do not make the change. Document that you
researched the request and that your notes are as accurate as possible. If you were
to be reported for violating the privacy rule for not changing the information, you'll have
documentation of your
HIPAA emphasizes keeping records, so document
everything. If this goes further than from the patient to you, you can
show what was said, on what date, and what actions you took.
Can you be more specific about how I can comply with the
privacy portion of HIPAA?
No. Many providers are frustrated because we cannot be more
concrete. Some parts of the law are vague. Some of the
vague parts will be ironed out in future litigation; but for now,
HIPAA leaves it to individual providers.
HIPAA uses the term “reasonable,” as in
“reasonable” for your business. Everything under HIPAA is also
“scalable.” With privacy, if you are a large hospital, you might get
in trouble for doing something that a small provider could get by with. It
is not reasonable for that small provider to do some of the things a large
hospital is expected to do.
If a friend or family member calls about a patient, can I say whether the patient is there?
Yes. It is our understanding that you can release general
information. You cannot release information beyond, “Are they okay? Did
so-and-so do all right today?” You cannot give out detailed information,
such as the fact that the patient has a broken leg. The information should
remain high level. You can still find out what room a family member is in.
Any information beyond high-level disclosure requires an authorization.
Can I still have sign-in sheets in the waiting room?
Yes. It is okay to have sign-in sheets. This issue has been
clarified in the regulations. A patient can sign in so long as he or she
does not have to write down anything that would disclose a medical condition,
the procedure being performed, or the reason for being at the doctor's office. If
you wish, you can have everyone take a number instead of having a sign-in
sheet, but this is not required.
Can I call patients by name when it’s their turn to see the
Yes. It is our understanding that you can call the patient by name, so long as you call out only the name and nothing specific to
Q: Does HIPAA prohibit hospital directories?
No. Hospital directories are still allowed. So long as you are
not releasing information that pertains to a patient’s health care, then
it should be okay. HIPAA will give the patient the right to opt out from a
Can I still send out appointment reminders on postcards?
Yes. You can still send out reminders. The postcards usually only
say, “Remember that you have an appointment next week.” You are not
revealing any health information.
Can I keep my medical records in alphabetical order, or do I need
to switch to a numerical system?
We have not heard anything that would require anyone to change the
filing system from alphabetical to numerical. A numerical system would only
keep a passerby from seeing a person's name. Just because you can see
someone's name, as on a sign-in sheet, does not mean you know
anything about that person's health.
What is important is where those files are located.
You must ensure that only those who need
access to the files are able to get them.
I have a wall of charts and patient files in the hallway for
everybody down the wing. Is that allowed under HIPAA?
In reply, our question to you is this: “If I walk in to see my
uncle, can I walk up there and just grab anybody’s chart that I want to
and start flipping through it?” If the answer to that question is yes,
then you probably have an issue. You must take appropriate, reasonable
steps to prevent someone from doing
that. We are not
saying you need to put the patient files behind a concrete wall. Maybe you
could move the files behind the nurses’ station, or maybe you could put
the files in a closet to which only authorized individuals have access.
Do I have to move patient records completely out of sight? What if
I keep the charts on the patient’s door or on the bedside?
It is our understanding that you can still have patient charts in
those locations. What somebody can see from that would probably be
incidental. You cannot keep patients' records out in a hallway or sitting on
a countertop. The records are too readily available to unauthorized access.
What if I keep the patient charts in the hallway, but I keep them
in holders in file cabinets? A chart has to be pulled out to see
whose it is. Do I need to keep those cabinets closed, or do I have to move
all the charts to another room?
This depends on the size of the provider. The charts are still
easily accessible. Small providers may be able to get away with more
than large hospitals can. If you have a small place, and you only have
two doors, and a manager sits there and sees who’s walking by, you’re
probably going to be okay. If you’re in a big hospital, it will probably
not be okay.
In my office, the patient’s name is on the front of the chart. Is
That is probably not a problem, but if you can see more than the
name—for instance, the record is left open on the desk—then no, it is
The charts in my office have medical alerts on the front, such as
"Heart Alert" or "Premed Alert." Do I need to put them inside the chart?
That goes back to the idea of what is “reasonable” under HIPAA
while still ensuring treatment. Our understanding is that having those
stickers on file folders probably is reasonable. The information on the
stickers is incidental.
In my practice, I get a lot of children who are brought in for
treatment by someone who is not the legal guardian, like a grandparent
or an aunt. Can I still give treatment? Can I release the child’s
information to these people?
HIPAA will not stop you from treating anyone who needs medical
attention. As for whether you can release any information, we advise you
to contact an attorney with this question. When treating the child, make
your best effort to get in touch with whoever is responsible. If that person is
not available, then we suggest you do what you think is necessary to treat
office apply the same as police?
Deceased individuals are treated the same as living individuals for
a period of six to ten years. Unless you are releasing information
for a criminal investigation, the privacy regulation applies.
I work in a small office surrounded with large, glass windows.
People can walk up to any of the windows, and they can see my computer. Is
this a problem?
A: You have to prevent casual observers from reading PHI from your screen.
Turn the screen away from the windows, and cover or lock the screen when you
leave your desk.
I work in a very small office, where everyone has
access to the same files. No one else can get to those files. Is that
HIPAA says that each employee can have access only to the information he
or she must have to perform the functions of the job. Basically, if somebody has
access to information that is not necessary to the job, then you have a
problem. You must do what is reasonable to ensure compliance. You do not
have to build a locking file room.
For instance, at the state, we worry about this issue
as well, because we work in cubes. We must ensure that someone from
Systems and Support—who has nothing to do with patients—is not sitting
next to someone who is talking about getting approval for a patient’s
therapy session. We have had to move staff around. We have instituted a clean-desk
policy: employees' desks must be clean at the end of the day. If it is not necessary for your job to have access to the
files, then you cannot have access to those files. That's the bottom
What should I do if I throw something away, like a pill bottle, and
it has protected health information on it?
We suggest that you take a piece of tape and block it out or rip
the label off. Another option is to give the pill bottle back to the
Can doctors leave medical records on their desks if no one outside
the practice can see them?
All records need to be in a secure location. The way we understand
it, the records either have to be put away, or the door has to be locked
when the doctor leaves the office.
What does HIPAA say about faxes?
A: The fax machine must be in a secure area if incoming or outgoing
messages could contain PHI.
Faxes are not HIPAA transactions, so there is no standard for faxes. (There are
standards only for these electronic transactions: submitting claims
and getting your RAs, checking eligibility, checking claim status, and
requesting prior authorization.) However, faxes are written communication,
and HIPAA protects PHI in any medium. Develop appropriate physical safeguards
If you have faxes or anything similar that contains
PHI, set aside an area where only authorized personnel have access.
Q: My office is one of several related facilities. Do we need a separate
privacy official? Or can all the facilities share a privacy official?
You probably need a privacy official at each location who is in charge of
ensuring that you are complying with the privacy regulations. That person could be a
current employee already on site or an office manager. This is a good
question for your legal department.
What about clinics with separate practices under one roof? Do I
need to separate files into different rooms? Can I have different cabinets
with different keys? Can all
the practices simply have a business associate agreement with one another?
It all falls back to what is reasonable. You should not have to
subdivide the room into four rooms and then lock each door. You have to
establish, through the business associate agreements, that staff members will look at
each other's charts for TPO purposes only.
How does HIPAA affect first responders? I use the
radio to find out the patient’s name and address.
Our understanding is that sort of information will not be covered
under the privacy rule because it is a part of treatment. You need the information to
locate the patient and be able to start treatment as soon as you arrive. You
do not need consent or
authorization in that situation.
What about cell phones, for instance when I call the hospital to
discuss a patient? Cell phones aren’t always private.
A: The privacy regulation does not mention cell phones specifically;
however, oral communications are covered. You are sharing information
for treatment, which is a part of TPO.
What about overheard telephone conversations?
HIPAA acknowledges “incidental disclosure”—bits and pieces that people pick up. Any information that might be overheard would probably be
incidental. However, if people in the waiting room can hear every word you
say, maybe you should move the chairs in the waiting room a little
further away. Or maybe you could move the phone behind a curtain.
chart? Or can I substitute a copy of the sheet that the patients sign?
You probably need to keep the page that was signed; it
would be a good idea to have those on file. You do not have to keep the
organization stored in a folder?
A: Anyone who comes
saying, “Here are our policies. Look them over, because we’re going to ask
you to sign an acknowledgement.” If the patient signs, you have
made a good-faith effort. If the patient asks to see the whole policy,
you must give him or her a copy.
What is important is that you make your privacy
policy available and you inform your patients that you have one. We have
wall. The HIPAA legislation does not get that specific. You can be
creative in how you meet the requirements.
When the consent form was mandatory, you needed a
patient’s signature to use PHI for treatment; if the patient refused to
sign, you could refuse treatment. Now the consent form is optional. If the
patient does not sign, it is no longer an issue because you don't have to
have consent anyway. You are still required to get the patient's authorization for
any release of PHI other than for TPO.
consent, document that the patient refused to read or sign. This
documentation establishes that you have made a good-faith effort.
How long do I keep the signed paperwork showing that the patient
A: At least six years.
Q: Our database lists about 75,000 people. Do I need to send
No. It is not our understanding that you have to send the policy to
them. When patients come in requesting services, you must make a good faith effort to make them aware
of your privacy policies. Give all new patients copies of your policy
statement. Any time someone requests information, give that person a copy.
There is no rule saying that you cannot have a sign
posted in your waiting room saying, "These are our privacy policies. Ask
at the front desk if you want more details." HIPAA sets the privacy
rules, but it doesn't tell you how to implement them. You can be creative in
meeting this requirement.
Does the HIPAA regulation require me to report other practitioners who are in violation of
the privacy rule?
No. We have not seen anything in the regulation that requires you
to “rat” out other providers unless they are business associates of
What if I’m at a cocktail party? Can I still talk with another
doctor about some of the cases I’m working on? What if someone
A: So long as you do not make the patients' identities plainly known, you
are not violating the privacy rules.
As an EMS provider, I sometimes get medical information from people
who are not the patient, such as family members or a doctor. Is that still
okay under HIPAA?
Picking up a patient or taking the patient to the hospital is considered treatment. You are in the clear
because any exchange of
information is for treatment. That is our understanding.
Does the privacy portion of HIPAA apply to me since I have only
You must comply with HIPAA if you do any transactions
electronically. The HHS website says that, if you do any transactions
electronically (checking eligibility, submitting claims, finding out claim
status) for any payer (Medicaid, Cigna, U.S. Health, or any government
plan), or if you bill electronically, all of HIPAA applies to all of your
What should I do if the health department requests information?
What information can I give them?
A public health entity has the right to request whatever
information it needs for official purposes. The public health entity is
required to limit the request to the minimum necessary. You can probably
rely on the department to make that determination. You are required to give the
requested information to them.
Q: For each of my nursing home patients, I need
name, birth date, Social Security number, and Medicare number to arrange
payment. I usually get this information from hospitals or other nursing
homes. Is this still allowed by HIPAA?
Yes. We cannot speak for Medicare, but what you are doing is for
payment purposes. This would be considered part of TPO, which is allowed
I called another provider the other day to get information to treat
a patient. I was told, “We’re under the new HIPAA regulations, and I
can’t give that to you.” Is that true?
No. HIPAA does not prevent any exchange of information for treatment
At my pharmacy, several customers may be standing in line while
I’m talking with another customer about a prescription. The customers
can overhear some of the conversation. Is this violating HIPAA?
disclosure,” which is probably your situation. The same situation occurs
when someone walks past the nursing station and can overhear nurses
talking about a patient. Whoever catches small pieces of such conversation
probably will not find out a whole lot about a patient’s health.
In a situation like yours, where you have several
customers standing in line when you need to give a consultation, maybe it
would be appropriate to have those people step back. Or maybe you can do
that consultation around the corner. Those might be good ideas to help
alleviate any problems.
I have a small office. It sounds like HIPAA is going to cost me a
fortune. I probably need to build a new office, because I don’t have a
way to secure access to my files. What is considered reasonable for a
small provider like me?
Small providers have more leeway than large organizations like
hospitals. When the Centers
for Medicare and Medicaid Services say “reasonable,” they truly mean
it. They are not here to put you out of business because you have building
and space issues. You might
have to do some creative rearranging—perhaps getting a file cabinet.
Locked drawers would be a great way to start. That is reasonable in
There is no rule against being creative.
You can buy some devices that cost about $20, such as a cover that
attaches to the computer screen with hook-and-loop tape that makes it impossible to read
information from the screen unless you’re sitting right in front of it.
You will probably not have to spend thousands, but
you might have to spend some money.
What is an X12 format?
X12 is an electronic data format. It is not a paper form or
anything like that. If you use the PES software or go through the web, you
do not have to worry about X12 and what it means. If you use vendor
software, be sure the vendor is updating the software to meet HIPAA
Q: Did HIPAA change any nonmedical Z codes?
No. All medical Z codes are now compliant with HIPAA. Nonmedical Z codes
have not changed.
Suppose a provider fails to follow the transaction and code sets
standards—how is he penalized?
If a covered entity does not follow the HIPAA guidelines—which
probably will happen more with payers than with providers—or if the
payer cannot accept the standard transaction that is required under HIPAA,
the covered entity can be penalized.
For instance, if you send Arkansas Medicaid a HIPAA transaction and we cannot accept it, the penalties apply to us.
The penalty applies each time you submit a transaction
that is not accepted. It is not just a
one-time penalty. Those penalties add up.