To the Editor:
After reading “What You Need to Know About HIPAA Now” [March 2001, page 43], I was a little confused by some of the details of the new transactions and privacy and security regulations. Although the regulations protect information in any form, the definition of the covered entity is “any provider that transmits electronically,” thus implying that those who don’t transmit electronically are not covered entities.
What is electronic transmission? Does it include faxing and/or calling the ER for information about last night’s patient visit? If the new regulations apply to oral communications, does this potentially make life more difficult for the doctor? If physicians don’t use any form of electronic transmission, do only the old standards apply?
The first drafts of the privacy and security rules seemed to apply only to personal health information in electronic form. However, the standards’ framers and the many people who commented felt this might encourage some entities to try to avoid HIPAA by “going paper.” The final drafts made the standards more consistent with the basic principle, which is protection against unwanted disclosure of a person’s health information, regardless of its form.
A physician or practice becomes subject to all HIPAA rules by dint of transmitting health information electronically using any one or more of the “covered transactions” (i.e., the basic claims and eligibility forms used for third-party payment). However, the rules also state that health care providers who do not transmit patient data electronically “become covered by this rule when other entities, such as a billing service or hospital, transmit standard electronic transactions on their behalf.” For all practical purposes, this means all physicians and practices are covered by HIPAA.
Covered entities must abide by the HIPAA rules, which protect personal health information in your practice in any form. This includes faxes, paper documents and even oral communications. (Need I point out that the great majority of privacy breaches take the form of gossip?) In my opinion, there aren’t any loopholes.
You are correct in suggesting that complying with the rules will make life somewhat more difficult for most physicians’ practices, at least in the short term. However, putting basic security measures in place will dramatically reduce your risk of accidental disclosures of confidential patient information and allow you and your patients to sleep better at night!