
Frequently asked questions
(updated 10/31/03)



Q: What are the HIPAA deadlines? 

A: The HIPAA privacy rule has been in effect since April 14, 2003. The HIPAA electronic transaction and code set standards took effect October 16, 2003. 

Q: Does HIPAA treat mental health differently? 

A: Every provider must follow all of the HIPAA regulations. HIPAA does not treat mental health care providers any differently, except to define what a psychotherapy note is, what you can exclude from a patient's right of access, and what separate authorization you need before disclosing psychotherapy notes. As far as codes go, there are no special provisions for mental health care providers: they use the same HIPAA standard code sets as everyone else (ICD-9-CM for diagnoses and CPT/HCPCS for procedures). 

Q: What are the penalties for failing to meet the security portion of HIPAA? 

A: The Security Rule has a later compliance date than the privacy and transaction standards (April 21, 2005 for most covered entities), so there are currently no set-in-stone penalties for security violations. Once that date arrives, the security regulations carry the same force of law as the privacy and transaction standards, and the same statutory penalties apply. The penalties attach to the covered entity, but in practice the designated security official will be the person held accountable. 

Q: Are doctors required to give out contact lens prescriptions? 

A: No. Doctors can if they wish, but Arkansas law does not require it. 

Q: Does HIPAA prevent you from asking for a driver’s license number? 

A: Be careful when you hear rumors like this. Nothing in HIPAA prohibits asking a patient for a driver's license number to confirm identity; once it is recorded alongside health information it is PHI and must be protected like the rest of the record. We advise you to read the rule yourself before accepting a statement as gospel. Go to the HHS site (especially the Frequently Asked Questions section) or read the actual regulations. HIPAA is not specific in many areas: it tells you what requirements must be met, but it does not always specify how to meet them. 

Q: What if certain state laws are different from HIPAA? 

A: If a state law is more stringent than HIPAA, meaning it gives the patient more privacy protection or more rights, the state law prevails. Otherwise, where state law conflicts with HIPAA, HIPAA preempts it and you must follow HIPAA. 

Q: Where can I read the HIPAA regulation for myself? 

A: Go to the HHS site. You can download the regulation in Adobe PDF format or view an HTML version. If you have Adobe Reader on your computer, you can search through the regulation by keyword.

Q: How should I train our staff about HIPAA? Should I hire someone? 

A: You are not required to educate your employees about the HIPAA regulations themselves. You are required to train your workforce on your own privacy policies and procedures, as they relate to each person's job. You are probably the most qualified to do that: write your own privacy practices, then train your employees on what those practices are and what must be done to meet them. Nothing in HIPAA requires training from an outside consultant. To help you with your own training, you can download handouts. 

Arkansas Medicaid

Q: Have Arkansas Medicaid manuals been updated? 

A: Yes. HIPAA-compliant provider manuals can be downloaded free from the Provider Information section of the Arkansas Medicaid web site.

Q: How do I submit claims to Medicaid under HIPAA? 

A: There are several options for submitting claims: You can use paper if you want. You can submit claims through the Arkansas Medicaid web site. You can use Provider Electronic Solutions (PES) software. Or you can use a vendor or a clearinghouse. 

Q: Can I still use my Emerald or Omni device? 

A: No. Emerald and Omni devices are not compatible with HIPAA standards. Providers must use PES, a HIPAA-compliant vendor system, or the web application (Online services) to file claims electronically. 

Q: Under HIPAA, can I still submit paper claims to Arkansas Medicaid? 

A: Yes. HIPAA transaction standards apply only to electronic transactions. You can file paper claims, but they will continue to be subject to the normal 30-day waiting period. 

Q: Are the paper claim forms going to change? 

A: HHS has not yet changed these forms. The assumption is that the current format of the 1500s and the UB-92s will change, but it’s still being finalized. Any changes to the paper format probably will add data fields that are included in HIPAA-compliant electronic claims. HIPAA transaction code sets apply to electronic claims but not to paper claims. 

Q: How do I get a copy of the PES software? 

A: You can download the software from the Provider Information section of the Arkansas Medicaid web site, under "Free software." The latest version is always available there. 

Q: Has the PES software changed? 

A: Yes. PES has been updated to be HIPAA-compliant. The interface is similar, but more fields have been added to each screen. PES still allows interactive, real-time verification of a patient’s Medicaid eligibility. All other transactions, including claim submission, are now batch. 

Q: Will the new version of PES accept attachments? 

A: Under HIPAA, a transaction standard was proposed for attachments but has not yet been finalized by HHS. How attachments will work with the HIPAA-compliant version of PES has not yet been determined. 

Q: Am I required to use PES? 

A: No. However, if you use software written for or purchased by your operation instead of PES, it must produce HIPAA-compliant transactions. 

Q: Can I still submit interactive claims with the new version of PES? 

A: Pharmacies still can submit interactive claims. All other PES claims can be submitted in batch mode only. 

Q: How will Arkansas Medicaid handle issuing refunds under HIPAA? 

A: Refunds probably still will be issued on paper because there is not yet a good way to issue them electronically. 

Q: Will adjustments stay the same? 

A: Adjustments will most likely stay as they are today. However, we will send out more information about how this process will work once it is defined. 

Q: What happens if I performed a service before October 13, 2003, but I can’t submit the claim until on or after October 13, 2003? 

A: If your claim has a date of service before October 13, 2003, and you submit it on or after October 13, 2003, use the old codes together with any modifiers that have been added. (See the Arkansas Medicaid web site for the local codes crosswalk spreadsheet and the new provider manuals.) However, you must submit the claim in the new HIPAA-compliant format. 

Q: If Medicaid is secondary insurance, does that have to be submitted electronically? 

A: No. Arkansas Medicaid will still accept paper crossovers. PES soon will be able to do electronic crossovers.

Business associate agreements

Q: Who do I need to have business associate agreements with? 

A: You must have a business associate agreement with any entity that performs a function or service on your behalf and that you share PHI with in order to do it. This can include software vendors, medical reviewers, lawyers, auditors, and clearinghouses. Payers you submit claims to are covered entities in their own right; exchanging PHI with them for payment does not require a business associate agreement. 

Q: How can I tell if I’m somebody’s business associate or if they’re mine? 

A: If you send patient-identifying data to another company so it can perform a function or service on your behalf, that company is your business associate. If another covered entity sends you PHI so you can perform such a service on its behalf, you are its business associate. Exchanging PHI with another provider for treatment does not make either of you the other's business associate. 

Q: Currently, whenever I plan to install a pacemaker in a patient, I have a representative from the pacemaker company there. Is this still allowed under HIPAA? 

A: That representative would be a business associate. You need a business associate agreement with the company represented. The business associate agreement is with the entity, not an individual person. 

Q: Do I need a business associate agreement with our state auditors or the county’s attorneys since they have access to our records? 

A: No. You are required to release information to them by state law. 

Q: If I write a prescription for a patient’s eyeglasses, do I need to have a business associate agreement with the lab that processes that order? Or does this fall under TPO? 

A: Both. If you share any protected health information with a third party that performs a business function for you, you must have a business associate agreement with that entity. In this situation, you do not need authorization to send the prescription to the lab, because that’s TPO. If that lab wanted to send coupons to all your patients who bought glasses made at their lab, then you need an authorization to share that information. 

Q: My hardware provider comes in and works on my computer. Do I need to have a business associate agreement with them? 

A: Yes. Your hardware provider has access to your patients' PHI while servicing the equipment.

Consent and authorization

Q: What information should I include on an authorization to release medical information? 

A: The sample authorization form on the AMA website is not current, but it is a good place to start. Also check the Arkansas HIPAA website frequently for updates.

Q: Are consents still required? 

A: No. In its August 2002 modifications to the privacy rule, HHS made consent optional. You once needed consent to share patient information for any TPO; you may still ask for it, but it is no longer required. 

Q: Though consent is no longer required under HIPAA, does Arkansas law require providers to have a consent form signed by the patient for TPO?

A: No. According to the Arkansas Attorney General's Office and the Arkansas State Medical Board, Arkansas has no law or regulation that requires providers to use consent forms for treatment, payment, or health care operations.

Q: Can an authorization be faxed, or do I have to witness the authorization being signed? 

A: Authorizations can be faxed to you. To our knowledge, there is no clause in HIPAA that says the signing of an authorization must be witnessed. If an attorney sends you an authorization from a patient, the authorization must meet all the requirements of HIPAA and must identify you as the party authorized to make the disclosure. 

Q: How specific does the authorization form have to be? If I get a request for “all medical records,” is that specific enough? 

A: In certain instances, releasing a person's entire medical record is necessary for treatment. An example might be a baby born with a physical defect who needs a heart transplant a few years later; it would be reasonable for the treating doctor to request the child's entire medical record, and the minimum-necessary standard does not apply to disclosures to a provider for treatment. For other requests from a covered entity, you must limit the disclosure to the minimum necessary. If the person making the request is not a covered entity (such as an attorney), use your professional judgment. 

Q: I deal with a government-subsidy housing program, where the amount of medicine a person uses can be deducted from rent. The housing manager needs to know how much medicine was purchased. Since this reduces their rent, the tenants willingly release the information. This is done orally. Is an oral okay enough, or do I need written documentation? 

A: In our opinion, you should document the authorization in some way. The safest course is a signed authorization form, since this disclosure is not TPO. At a minimum, if the person orally says okay, write down who agreed, when, and what was released. Another option is to give the purchase record to the tenant and let the tenant hand it to the housing manager. 

Q: I work with elderly patients. Sometimes their daughters or sons call asking for information. Can I give out that information? 

A: As long as the patient is an adult, do not share PHI with family members on request unless one of these applies: the patient has a personal representative or guardian, and that is who is asking; the patient has signed an authorization naming specific individuals; or the patient has agreed, or been given the chance to object and has not, to your sharing information relevant to that person's involvement in the patient's care. An authorization naming individuals works just like the permission you give a school: "Grandma can pick up my child. Daddy can pick up my child. Mom can pick up my child. Nobody else can pick up my child." 

Q: What if the patients can’t speak for themselves? Can a guardian give authorization? 

A: If the patient has a legal guardian, the guardian is the patient's personal representative and can sign an authorization to disclose PHI for any purpose other than TPO. 

Q: A man called me to the office and said, “My 21-year-old daughter just handed me a statement. What did she have?” Is disclosing her information allowed? 

A: Since the daughter is an adult, you need her permission first. That might be as simple as calling her and asking, "Can I tell your dad what you had done last week so he'll pay your bill?" Document that she gave permission. Payment and the inappropriate release of information are two separate issues: just because a question deals with payment does not mean you no longer have to follow the HIPAA regulations. 

Q: Will the hospital’s consent or authorization form cover me? Or should my office get our own consent and authorization forms? 

A: Those forms would not cover you unless you were actual employees of the hospital rather than independent contractors on site. You need a business associate agreement with the hospital. If you are not sure about this, talk to the hospital about your arrangement. 

Q: What if the patient dies? How long do I keep authorization forms, or any other HIPAA forms? 

A: Keep authorization forms and other HIPAA documentation for at least six years from the date they were created or last in effect. A patient's death does not end the privacy protections: the privacy rule keeps protecting a decedent's PHI for as long as you hold it, and the executor or administrator of the estate acts as the personal representative for authorizations. Some disclosures about a deceased patient are permitted without authorization, such as a report to the coroner on cause of death; others, such as releasing information to a drug company, employer, researcher, or underwriter, still need one. 

Q: I’m still confused about routine versus nonroutine disclosures. Do I need an authorization for any nonroutine disclosures? 

A: For each nonroutine disclosure outside of TPO, you need a separate authorization. For a recurring disclosure outside of TPO, one authorization that states what is to be disclosed, to whom, and how long the authorization remains valid covers the whole period. 

Q: At the end of the year, patients call my pharmacy to request the entire year's record for income tax purposes. What if the wife calls and requests her husband’s information? Will I need to get his authorization first? 

A: An individual has a right to request his or her own information. Use your professional judgment if someone’s spouse calls. To play it safe, call the husband and ask him if you can release the information. The privacy rule gives you requirements to follow, but it does not give specifics on how you have to get there. You do not have to implement an impossible administrative task to meet those requirements. Use reasonable, professional judgment. Be creative. 

Q: In my specialty, I sometimes get patients who claim to have a referral from a PCP but actually don't. Do I need an authorization to verify that they were referred to me? 

A: No. You are not disclosing information about the patient’s health. You are not talking about a specific condition. You are calling for verification only. 

Q: I see elderly patients with different PCPs. Sometimes, it’s difficult to get an authorization form because the patient is not coherent or does not understand what I’m asking. How should I get an authorization in this case? 

A: No authorization is needed. You are exchanging information with the PCP for treatment, which is TPO. 

Q: What if I get a call from the patient’s attorney requesting information? Can the attorney send me an authorization? 

A: An authorization must come from the patient. An attorney cannot give authorization on behalf of the patient. If an attorney calls for the information, the patient must supply you with an authorization, and you are responsible for getting it from the correct person before you disclose anything. The patient does not have to give you the authorization in person; it can be mailed or faxed. If it is handled over the phone, you may have to verify the caller's identity. An attorney can send you an authorization signed by the patient, but you need to ensure it meets all the requirements: Did it come from the patient? Does it specify what information is to be released, and to whom? Does it have an expiration date or event? A patient also can come to your office and request a copy of his or her own records without an authorization, and later give the copy to an attorney. The important thing to remember is that the attorney cannot authorize you to release the information; the patient must be involved. 

Q: Many attorneys request all of the patient’s medical records. Is that allowed? 

A: The attorney, who is not a covered entity, is not bound by the minimum-necessary standard when making a request. Whether it binds you depends on how the request arrives. If the attorney presents a valid authorization signed by the patient, release what the authorization describes; the minimum-necessary standard does not apply to disclosures made under an authorization, though the patient can narrow the authorization to the relevant records. If the request comes without an authorization (for example, a subpoena, which has its own requirements under the rule), you must limit the release to the minimum necessary and use your professional judgment about whether the request is reasonable. Sometimes an entire medical record is the minimum necessary; for a 40-year-old woman suing for pain and suffering from a back injury in a car wreck, her entire medical record is probably not. 

Q: What sorts of things fall outside of TPO and require authorization? 

A:  Marketing and research are just two examples. Try not to think about what is outside TPO. Instead, ask yourself, what is TPO for our practice? If you cannot justify it in those terms, then you need authorization to release information. 

Q: At my pharmacy, I have a lot of university students who pick up prescriptions for one another. How is that going to be affected by HIPAA? 

A: A good idea is for you to call the patient and verify that it is okay for someone else to pick up the prescription. HIPAA has no rules for documenting who picks up the prescription, although we recommend you document it somehow. Family members can still pick up prescriptions without an authorization. 

Q: If someone comes in to pick up a prescription for someone else, can I still explain how to use the medicine and for what reasons? 

A: Yes. If the patient sent someone else to pick up the prescription, you may explain to that person how to use the medicine and what it is for; the patient's decision to send them carries that much permission. Anything beyond what is needed to use the medicine safely should wait for the patient. 

Q: In my pediatric practice, I have multiple guardians bringing in children at different times. Which of these people can I share information with? 

A: It would be prudent to keep a list of some sort with the names of the people with whom you are authorized to share information. 

Q: Can I combine our HIPAA authorizations with any other authorizations, so I only have one form to deal with? 

A: Generally, no. A HIPAA authorization may not be combined with other documents such as the notice acknowledgement or a consent form, so keep it as a stand-alone form.

Patient rights

Q: Can I charge patients for making copies of their medical records? 

A: Yes, to an extent. HIPAA allows you to charge only a "reasonable," cost-based fee, such as the cost of photocopying and postage. Arkansas law has set the maximum you can charge for copies at 25 cents a page. Charging a doctor's hourly rate for the time spent making photocopies is not considered "reasonable." 

Q: Can I give a time limit or specify a day for patients to see or copy their records? 

A: Under HIPAA, the patient has the right to copy that information and take it with them. You have to make reasonable accommodations to allow for the copies to be made. You must provide a copy of the patient’s records within 30 days. You can tell them to come back later in the week. That is reasonable under HIPAA. 

Q: Do I have to give a patient a copy of his or her medical records if the patient's bills haven't been paid? 

A: Yes. You must provide a copy of medical records even to a patient with unpaid bills. Payment and the release of information are two separate issues. You must still follow the HIPAA regulations, even if there are problems with a patient's bill. 

Q: Can a patient request a list of all disclosures of their PHI? 

A: Yes. An individual has the right to an accounting of the disclosures of his or her PHI that you made in the six years before the request. The accounting does not have to include disclosures for TPO, disclosures to the individual, or disclosures made under an authorization signed by the individual; disclosures for other purposes (for example, public health reporting or disclosures required by law) must be listed with the date, the recipient, what was disclosed, and why. You can read more about this in Section 164.5 of the privacy rule. 
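The filtering rule in that answer is easy to get wrong in a hand-kept log, so here is an added example (not code from this FAQ) of a disclosure log that produces the accounting: it keeps only the requesting patient's entries inside the six-year look-back window and drops TPO disclosures, disclosures to the patient, and disclosures made under a signed authorization. The `Disclosure` fields, the purpose labels, and the sample log entries are assumptions for illustration.

```python
"""Accounting-of-disclosures log. Added as an illustration of the rule
described in the FAQ; not code from the Arkansas HIPAA FAQ. Field names,
purpose labels and the sample log entries are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List

# Purposes the accounting may leave out: treatment, payment, health care
# operations, and disclosures to the individual. Everything else is listed.
EXEMPT_PURPOSES = {"treatment", "payment", "operations", "to_individual"}


@dataclass(frozen=True)
class Disclosure:
    patient_id: str
    disclosed_on: date
    recipient: str            # organization or person that received the PHI
    description: str          # what was disclosed
    purpose: str              # e.g. "payment", "public_health", "required_by_law"
    under_authorization: bool = False   # released on the patient's signed authorization?


def years_before(d: date, years: int) -> date:
    """Same month and day `years` earlier; Feb 29 rolls back to Feb 28."""
    try:
        return d.replace(year=d.year - years)
    except ValueError:
        return d.replace(year=d.year - years, day=28)


def accounting_of_disclosures(log: Iterable[Disclosure], patient_id: str,
                              requested_on: date, window_years: int = 6) -> List[Disclosure]:
    """Disclosures the patient is entitled to see, oldest first.

    Keeps this patient's entries inside the look-back window that were not
    made for TPO, not made to the patient, and not made under the patient's
    own signed authorization.
    """
    start = years_before(requested_on, window_years)
    hits = [
        d for d in log
        if d.patient_id == patient_id
        and start <= d.disclosed_on <= requested_on
        and d.purpose not in EXEMPT_PURPOSES
        and not d.under_authorization
    ]
    return sorted(hits, key=lambda d: d.disclosed_on)


def render_accounting(entries: List[Disclosure]) -> List[str]:
    """One line per disclosure carrying the required elements:
    date, recipient, what was disclosed, and why."""
    return [f"{d.disclosed_on.isoformat()}  to {d.recipient}: {d.description} ({d.purpose})"
            for d in entries]


# Constructed sample log for one pharmacy; none of these are real disclosures.
SAMPLE_REQUEST_DATE = date(2003, 10, 31)
SAMPLE_LOG = [
    Disclosure("P-1001", date(2003, 9, 1), "Arkansas Medicaid",
               "claim for Rx 5-0017", "payment"),                       # TPO: omitted
    Disclosure("P-1001", date(2003, 6, 15), "Arkansas Dept. of Health",
               "immunization record", "public_health"),                 # listed
    Disclosure("P-1001", date(1997, 9, 15), "state auditors",
               "dispensing log", "required_by_law"),                    # too old: omitted
    Disclosure("P-1001", date(2003, 8, 20), "patient's attorney",
               "entire record", "legal", under_authorization=True),     # authorized: omitted
    Disclosure("P-1001", date(2003, 10, 1), "county sheriff's office",
               "fill dates for Rx 5-0017", "law_enforcement"),          # listed
    Disclosure("P-2002", date(2003, 9, 30), "Arkansas Dept. of Health",
               "immunization record", "public_health"),                 # other patient
]

if __name__ == "__main__":
    for line in render_accounting(
            accounting_of_disclosures(SAMPLE_LOG, "P-1001", SAMPLE_REQUEST_DATE)):
        print(line)
```

The log records every disclosure, including the TPO ones; the exclusion happens only when the accounting is produced, so the full history is still available if the rule or a state law later asks for more.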

Q: Can patients or their attorneys request changes to medical records? 

A: Yes. A patient can request an amendment to his or her medical records. That does not mean you have to make the change if you believe the record is accurate and complete; you are responsible for the accuracy of your records. Document every amendment request, even if you do not make the change, including that you researched the request and why your notes stand as written. If you deny the request, give the patient a written denial stating the reason; the patient may then file a statement of disagreement, which you keep with the record. If you are later reported for violating the privacy rule by not changing the information, you will have documentation of your reasons. HIPAA emphasizes keeping records, so document everything: if the matter goes beyond the patient and you, you can show what was said, on what date, and what actions you took.

Q: Can you be more specific about how I can comply with the privacy portion of HIPAA? 

A: No. Many providers are frustrated because we cannot be more concrete. Some parts of the law are vague; some of that will be ironed out in future litigation, but for now HIPAA leaves it to individual providers. HIPAA uses the term "reasonable," as in "reasonable" for your business, and everything under HIPAA is also "scalable." With privacy, a large hospital might get in trouble for something a small provider could get by with, because it is not reasonable to expect a small provider to do everything a large hospital is expected to do. 

Q: If a friend or family member calls about a patient, can I say whether the patient is there? 

A: Yes. It is our understanding that you can release general information. You cannot release information beyond, “Are they okay? Did so-and-so do all right today?” You cannot give out detailed information, such as the fact that the patient has a broken leg. The information should remain high level. You can still find out what room a family member is in. Any information beyond high-level disclosure requires an authorization. 

Q: Can I still have sign-in sheets in the waiting room? 

A: Yes. It is okay to have sign-in sheets. This issue has been clarified in the regulations. A patient can sign in so long as he or she does not have to write down anything that would disclose any medical condition or procedure being performed or reason for being at the doctor’s office. If you wish, you can have everyone take a number instead of having a sign-in sheet, but this is not required. 

Q: Can I call patients by name when it’s their turn to see the doctor? 

A: Yes. It is our understanding that you can call the patient by name, so long as you call out only the name and nothing about the reason for the visit. 

Q: Does HIPAA prohibit hospital directories? 

A: No. Hospital directories are still allowed. So long as you are not releasing information about a patient's health care beyond general condition and location, it should be okay. HIPAA gives the patient the right to opt out of the hospital directory. 

Q: Can I still send out appointment reminders on postcards? 

A: Yes. You can still send out reminders. The postcards usually only say, “Remember that you have an appointment next week.” You are not revealing any health information. 

Q: Can I keep my medical records in alphabetical order, or do I need to switch to a numerical system? 

A: We have not heard anything that would require anyone to change the filing system from alphabetical to numerical. A numerical system would keep you only from seeing a person’s name. Just because you can see someone’s name—as on a sign-in sheet—does not mean you know anything about that person’s health. What is important is where those files are located. You must ensure that only those who need access to the files are able to get them. 

Q: I have a wall of charts and patient files in the hallway for everybody down the wing. Is that allowed under HIPAA? 

A: In reply, our question to you is this: “If I walk in to see my uncle, can I walk up there and just grab anybody’s chart that I want to and start flipping through it?” If the answer to that question is yes, then you probably have an issue. You must take appropriate, reasonable steps to prevent someone from doing that. We are not saying you need to put the patient files behind a concrete wall. Maybe you could move the files behind the nurses’ station, or maybe you could put the files in a closet to which only authorized individuals have access. 

Q: Do I have to move patient records completely out of sight? What if I keep the charts on the patient’s door or on the bedside? 

A: It is our understanding that you can still have patient charts in those locations. What somebody can see from that would probably be incidental. You cannot keep patients' records out in a hallway or sitting on a countertop. The records are too readily available to unauthorized access. 

Q: What if I keep the patient charts in the hallway, but I keep them in holders in file cabinets? A chart has to be pulled out to see whose it is. Do I need to keep those cabinets closed, or do I have to move all the charts to another room? 

A: This depends on the size of the provider, because the charts are still easily accessible. Small providers may be able to get away with more than a large hospital can. If you have a small place with only two doors and a manager sits there and sees who's walking by, you are probably going to be okay. In a big hospital, it will probably not be okay. 

Q: In my office, the patient’s name is on the front of the chart. Is that allowed? 

A: That is probably not a problem, but if you can see more than the name—for instance, the record is left open on the desk—then no, it is not allowed. 

Q: The charts in my office have medical alerts on the front, such as "Heart Alert" or "Premed Alert." Do I need to put them inside the chart? 

A: That goes back to the idea of what is “reasonable” under HIPAA while still ensuring treatment. Our understanding is that having those stickers on file folders probably is reasonable. The information on the stickers is incidental.

Q: In my practice, I get a lot of children who are brought in for treatment by someone who is not the legal guardian, like a grandparent or an aunt. Can I still give treatment? Can I release the child’s information to these people? 

A: HIPAA will not stop you from treating anyone who needs medical attention. As for whether you can release any information, we advise you to contact an attorney with this question. When treating the child, make your best effort to get in touch with whoever is responsible. If that person is not available, then we suggest you do what you think is necessary to treat the child. 

Q: When it comes to disclosing information, does the coroner’s office apply the same as police? 

A: The privacy rule continues to protect a deceased individual's PHI for as long as you hold it. Disclosures to a coroner or medical examiner to identify the deceased or determine the cause of death are permitted without authorization, and so are the specific law enforcement disclosures the rule allows, such as those for a criminal investigation; beyond those, the privacy regulation applies as it does for the living. 

Q: I work in a small office surrounded with large, glass windows. People can walk up to any of the windows, and they can see my computer. Is this a problem? 

A: You have to prevent casual observers from reading PHI from your screen. Turn the screen away from the windows, or fit a privacy filter. Whenever you leave your desk, lock the workstation or let a password-protected screen saver take over; a cloth draped over the screen keeps passers-by from reading it, but locking also keeps them from using it. 

Q: I work in a very small office, where everyone has access to the same files. No one else can get to those files. Is that okay? 

A: HIPAA says that each employee may have access only to the information he or she must have to perform the functions of the job. Basically, if somebody has access to information that is not necessary to the job, then you have a problem. You must do what is reasonable to ensure compliance; you do not have to build a locking file room. At the state, we worry about this issue as well, because we work in cubes. We must ensure that someone from Systems and Support, who has nothing to do with patients, is not sitting next to someone who is talking about getting approval for a patient's therapy session. We have had to move staff around, and we have instituted a clean-desk policy: employees' desks must be clear of PHI at the end of the day. If it is not necessary for your job to have access to the files, then you cannot have access to those files. That's the bottom line. 
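The same need-to-know rule applies to electronic charts, where it can be enforced rather than just posted. Here is an added example (not code from this FAQ) of a role-based view of a patient chart: each role is granted only the sections its job requires, any role or section not on the list is denied, and every decision is written to an audit list so you can review who reached for what. The roles, section names, and the sample chart are assumptions for illustration.

```python
"""Need-to-know view of a patient chart. Added as an illustration of the
access principle in the FAQ; not code from the Arkansas HIPAA FAQ. Roles,
chart sections and the sample chart are assumptions."""
from typing import Dict, List, Set, Tuple

# Each role is granted only the chart sections its job requires.
# A role missing from this table, or a section missing from a role's set,
# is denied: the default is "no access", not "everything".
ROLE_SECTIONS: Dict[str, Set[str]] = {
    "physician":       {"demographics", "diagnoses", "medications", "progress_notes", "insurance"},
    "nurse":           {"demographics", "diagnoses", "medications", "progress_notes"},
    "billing":         {"demographics", "insurance", "procedure_codes"},
    "front_desk":      {"demographics"},
    "systems_support": set(),   # keeps the computers running; never reads charts
}

AuditEvent = Tuple[str, str, str, str]   # (role, patient_id, section, "allowed" | "denied")


def permitted(role: str, section: str) -> bool:
    """True only when the role is known and the section is on its list."""
    return section in ROLE_SECTIONS.get(role, set())


def chart_view(chart: Dict, role: str, audit: List[AuditEvent]) -> Dict[str, object]:
    """Return the parts of `chart` this role may see and record every decision.

    `chart` is {"patient_id": ..., "sections": {section_name: content}}.
    Sections the role may not see are left out of the view entirely rather
    than blanked, so the caller cannot tell whether a hidden section exists.
    """
    view: Dict[str, object] = {}
    for section, content in chart["sections"].items():
        decision = "allowed" if permitted(role, section) else "denied"
        audit.append((role, chart["patient_id"], section, decision))
        if decision == "allowed":
            view[section] = content
    return view


def denied_sections(audit: List[AuditEvent], role: str) -> List[str]:
    """Sections a role was refused, sorted, for the privacy official to review."""
    return sorted(s for r, _, s, d in audit if r == role and d == "denied")


# Constructed sample chart; the patient and contents are fictitious.
SAMPLE_CHART = {
    "patient_id": "P-1001",
    "sections": {
        "demographics":    {"name": "J. Sample", "dob": "1960-04-02"},
        "insurance":       {"payer": "Arkansas Medicaid", "id": "000123456"},
        "diagnoses":       ["hypertension"],
        "medications":     ["lisinopril 10 mg daily"],
        "progress_notes":  ["2003-10-14: BP controlled, continue current dose"],
        "procedure_codes": ["99213"],
    },
}

if __name__ == "__main__":
    log: List[AuditEvent] = []
    for role in ("billing", "systems_support", "intern"):
        print(role, "sees", sorted(chart_view(SAMPLE_CHART, role, log)))
    print("denied for billing:", denied_sections(log, "billing"))
```

Two design points carry over from the FAQ's advice: access is deny-by-default, so adding a new job title grants nothing until someone decides what it needs, and the audit list is the electronic equivalent of knowing who walked past the chart rack.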

Q: What should I do if I throw something away, like a pill bottle, and it has protected health information on it? 

A: We suggest that you take a piece of tape and block it out or rip the label off. Another option is to give the pill bottle back to the patient. 

Q: Can doctors leave medical records on their desks if no one outside the practice can see them? 

A: All records need to be in secure location. The way we understand it, the records either have to be put away, or the door has to be locked when the doctor leaves the office. 

Q: What does HIPAA say about faxes? 

A: The fax machine must be in a secure area if incoming or outgoing messages could contain PHI. Faxes are not HIPAA transactions, so there is no transaction standard for them. (The standards cover only these electronic transactions: submitting claims and receiving your remittance advices, checking eligibility, checking claim status, and requesting referrals and prior authorizations.) However, a fax is a written communication, and HIPAA protects PHI in any medium, so develop appropriate physical safeguards: keep the machine where only authorized personnel can reach it, confirm the recipient's fax number before sending, and use a cover sheet that identifies the sender and asks a wrong recipient to notify you and destroy the pages. 

Q: My office is one of several related facilities. Do we need a separate privacy official? Or can all the facilities share a privacy official? 

A: The privacy rule requires each covered entity to designate a privacy official responsible for developing and implementing its privacy policies. If your facilities are separate covered entities, each needs its own; if they are sites of one covered entity, one official can cover all of them, though a contact person at each location is sensible. The official can be a current employee already on site, such as an office manager. This is a good question for your legal department. 

Q: What about clinics with separate practices under one roof? Do I need to separate files into different rooms? Can I have different cabinets with different keys? Can all the practices simply have a business associate agreement with one another? 

A: It all falls back to what is reasonable. You should not have to subdivide the room into four rooms and then lock each door. What you must establish, through the business associate agreements or the practices' written policies, is that staff members look at each other's charts for TPO purposes only, and you must be able to show that people outside the practices cannot get to the charts.

Q: How does HIPAA affect first responders? I use the radio to find out the patient’s name and address. 

A: Our understanding is that sort of information will not be covered under the privacy rule because it is a part of treatment. You need the information to locate the patient and be able to start treatment as soon as you arrive. You do not need consent or authorization in that situation. 

Q: What about cell phones, for instance when I call the hospital to discuss a patient? Cell phones aren’t always private. 

A: The privacy regulation does not mention cell phones specifically; however, oral communications are covered. Discussing a patient with the hospital is sharing information for treatment, which is part of TPO, so no authorization is needed, but take reasonable care about who can overhear you: step away from the waiting room and avoid speakerphone in public. 

Q: What about overheard telephone conversations? 

A: HIPAA acknowledges “incidental disclosure”—bits and pieces that people pick up. Any information that might be overheard would probably be incidental. However, if people in the waiting room can hear every word you say, maybe you should move the chairs in the waiting room a little further away. Or maybe you could move the phone behind a curtain. 

Q: Do I have to keep a copy of our privacy policy in every patient’s chart? Or can I substitute a copy of the sheet that the patients sign? 

A: You probably need to keep the page that was signed; it would be a good idea to have those on file. You do not have to keep the entire privacy policy in the patient’s chart. 

Q: Can I keep the signed part of the privacy policy in the patient’s chart and keep one single copy of the entire privacy policy for the whole organization stored in a folder? 

A: Anyone who comes into your office must be able to access your privacy policy easily. You might have a sign by the front desk that is a condensed version of your privacy policy—perhaps saying, “Here are our policies. Look them over, because we’re going to ask you to sign an acknowledgement.” If the patient signs, you have made a good-faith effort. If the patient asks to see the whole policy, you must give him or her a copy. What is important is that you make your privacy policy available and you inform your patients that you have one. We have seen nothing that says you have to post your entire privacy policy on the wall. The HIPAA legislation does not get that specific. You can be creative in how you meet the requirements. 

Q: What if the patient refuses to sign the privacy policy? 

A: When the consent form was mandatory, you needed a patient’s signature to use PHI for treatment; if the patient refused to sign, you could refuse treatment. Now the consent form is optional. If the patient does not sign, it is no longer an issue because you don't have to have consent anyway. You are still required to get the patient's authorization for any release of PHI other than for TPO. Whether it is the privacy policy or the optional consent, document that the patient refused to read or sign. This documentation establishes that you have made a good-faith effort. 

Q: How long do I keep the signed paperwork showing that the patient read our privacy policy? 

A: At least six years. 

Q: Our database lists about 75,000 people. Do I need to send every patient a copy of our privacy policy? 

A: No. It is not our understanding that you have to send the policy to them. When patients come in requesting services, you must make a good-faith effort to make them aware of your privacy policies. Give all new patients copies of your policy statement. Any time someone requests information, give that person a copy. There is no rule saying that you cannot have a sign posted in your waiting room saying, “These are our privacy policies. Ask at the front desk if you want more details.” HIPAA sets the privacy rules, but it doesn't tell you how to implement them. You can be creative in meeting this requirement. 

Q: Does the HIPAA regulation require me to report other practitioners who are in violation of the privacy rule? 

A: No. We have not seen anything in the regulation that requires you to “rat” out other providers unless they are business associates of yours. 

Q: If I’m at a cocktail party, can I still talk with another doctor about some of the cases I’m working on? What if someone overhears? 

A: So long as you do not make the patients' identities plainly known, you are not violating the privacy rules. 

Q: As an EMS provider, I sometimes get medical information from people who are not the patient, such as family members or a doctor. Is that still okay under HIPAA? 

A: Picking up a patient or taking the patient to the hospital is considered treatment. You are in the clear because any exchange of information is for treatment. That is our understanding. 

Q: Does the privacy portion of HIPAA apply to me since I have only paper files? 

A: You must comply with HIPAA if you do any transactions electronically. The HHS website says that, if you do any transactions electronically (checking eligibility, submitting claims, finding out claim status) for any payer (Medicaid, Cigna, U.S. Health, or any government plan), or if you bill electronically, all of HIPAA applies to all of your records. 

Q: What should I do if the health department requests information? What information can I give them? 

A: A public health entity has the right to request whatever information it needs for official purposes. The public health entity is required to limit the request to the minimum necessary. You can probably rely on the department to make that determination. You are required to give the requested information to them. 

Q: For each of my nursing home patients, I need name, birth date, Social Security number, and Medicare number to arrange payment. I usually get this information from hospitals or other nursing homes. Is this still allowed by HIPAA? 

A: Yes. We cannot speak for Medicare, but what you are doing is for payment purposes. This would be considered part of TPO, which is allowed under HIPAA. 

Q: I called another provider the other day to get information to treat a patient. I was told, “We’re under the new HIPAA regulations, and I can’t give that to you.” Is that true? 

A: No. HIPAA does not prevent any exchange of information for treatment purposes. 

Q: At my pharmacy, several customers may be standing in line while I’m talking with another customer about a prescription. The customers can overhear some of the conversation. Is this violating HIPAA? 

A: There is a clause in the privacy policy called “incidental disclosure,” which is probably your situation. The same situation occurs when someone walks past the nursing station and can overhear nurses talking about a patient. Whoever catches small pieces of such conversation probably will not find out a whole lot about a patient’s health. In a situation like yours, where you have several customers standing in line when you need to give a consultation, maybe it would be appropriate to have those people step back. Or maybe you can do that consultation around the corner. Those might be good ideas to help alleviate any problems. 

Q: I have a small office. It sounds like HIPAA is going to cost me a fortune. I probably need to build a new office, because I don’t have a way to secure access to my files. What is considered reasonable for a small provider like me? 

A: Small providers have more leeway than large organizations like hospitals. When the Centers for Medicare and Medicaid Services say “reasonable,” they truly mean it. They are not here to put you out of business because you have building and space issues. You might have to do some creative rearranging—perhaps getting a file cabinet. Locked drawers would be a great way to start. That is reasonable in your situation. There is no rule against being creative. You can buy some devices that cost about $20, such as a cover that attaches to the computer screen with hook-and-loop tape that makes it impossible to read information from the screen unless you’re sitting right in front of it. You will probably not have to spend thousands, but you might have to spend some money.

Transaction codes

Q: What is an X12 format? 

A: X12 is an electronic computer format. It is not a paper form or anything like that. If you use the PES software or go through the web, you do not have to worry about X12 and what it means. If you use vendor software, be sure the vendor is updating the software to meet HIPAA requirements. 

Q: Did HIPAA change any nonmedical Z codes? 

A: No. All medical Z codes are now compliant with HIPAA. Nonmedical Z codes have not changed. 

Q: Suppose a provider fails to follow the transaction and code sets standards—how is he penalized? 

A: If a covered entity does not follow the HIPAA guidelines—which probably will happen more with payers than with providers—or if the payer cannot accept the standard transaction that is required under HIPAA, the covered entity can be penalized. For instance, if you send Arkansas Medicaid a HIPAA transaction and we cannot accept it, the penalties apply to us. The penalty applies each time a submitted transaction is not accepted. It is not just a one-time penalty. Those penalties add up.