June is here, and despite the hopes and wishes of some, it looks like HIPAA is here to stay. More than six weeks have passed since the mandatory date of compliance for HIPAA's privacy regulations, security standards and transaction code sets went into effect.

There was a great deal of media coverage pertaining to HIPAA on April 14 and for several days thereafter. As a result, the public is becoming aware of their rights as patients and the protection of their health and demographic information by health care providers throughout the United States.

HIPAA is having a greater impact on health information and privacy protection than any of us realize. Let me share some of the following real-life examples.

While conducting a seminar just recently, there was a discussion of HIPAA. One of the acupuncturists in the audience shared an experience she had at a local pharmacy. She was handed a copy of a "Notice of Privacy Policies" form and asked to sign her name on an electronic "box" on the counter similar to the signature machine you see in supermarkets and department stores. This was done to acknowledge that she had received the privacy notice form before the pharmacy would release her prescription.

One of my close friends has a sister who is employed by a school district. This district provides health benefits to its classified and certified employees. Each of the employees, or "workforce members," as they are called by the district, has been given a similar "Notice of Privacy Policies" form.

Some acupuncturists are still operating under the notion that they do not have to comply with HIPAA regulations because they do not bill insurance for reimbursement or do not send electronic bills. If this is the situation in your office then the transaction code set section of HIPAA does not apply to you. However, this is only one of the sections in the HIPAA regulations. The other three sections of HIPAA - background, privacy and security - do apply to acupuncturists. Just because you do not bill electronically, it doesn't your patients have any less rights to privacy and security of their protected health information from your office than they would from a provider who does bill electronically.

There are hundreds of pages of HIPAA information to read and digest. I have worked with the American Association of Oriental Medicine in conducting several seminars on both coasts, and have also discussed it with the members of the California Alliance of Acupuncture Medicine, aided by the help of an excellent interpreter. Along with the Council of Colleges of Acupuncture and Oriental Medicine (CCAOM) and their efforts to help the schools stay abreast with new laws and regulations, I helped to present the HIPAA information to the clinic directors of the acupuncture schools at the Council's semiannual meeting in Safety Harbor, Fla. this past May.

Even though these groups represent a cross-section of the profession, many of the same questions seem to arise:

1. Do acupuncturists have to do all this paperwork? The answer is YES. The privacy regulations require that each patient be given a Notice of Privacy Policies, in writing, and that they must sign a form indicating they have received this information.
   
2. What about the bank? When an acupuncturist deposits a check from a patient, the check will identify the name and address of the patient. This is true, but banks have been working with privacy and security of demographic information for a long time, and have procedures and policies in place to protect a person's identity.
   
3. I operate a cash practice. Does HIPAA apply to me? Yes. The privacy and security sections both apply. You must keep personal identifiable health information private.
   
4. Can an acupuncturist talk to another doctor about the care of a patient? Yes. Health care providers can discuss patient cases orally between themselves.
   
5. Can an acupuncturist talk to family members about the health of another family member? No, not without written authorization. This is one of the reasons HIPAA came into being. Sometimes family members do not want other family members to know anything about their condition(s).
   
6. Can I still have a sign-in sheet? Sing in sheets are acceptable provided they do not disclose any protected health information.

Thanks for all the questions and comments you have sent to us at Acupuncture Today. Several interesting situations have been most submitted to me, and I would like to share them with you.

An acupuncturist who receives referrals from a large HMO but is out-of-network, received a request from the HMO for a copy of all the paperwork that is being used in the acupuncturist's office of the Acupuncturist and is given to patients to show the acupuncturist is HIPAA-compliant. The HMO would not continue to send referrals unless the acupuncture clinic was HIPAA compliant. The acupuncturist was concerned because she believed that she was not a covered entity and did not have to comply.

A new patient came into the office of an acupuncturist for a first visit. The new patient was given the usual forms used in this particular office. The new patient stepped up to the front desk and asked, "Where are the privacy forms?" The acupuncturist replied that their office didn't have any forms for privacy because they bill electronically. The patient replied that he wanted his health information kept private, told the acupuncturist he did not want to be treated at their office and left the premises.

Even I have been caught up in HIPAA's regulations. Recently, I called a local hospital where I have been taking classes from acupuncture schools for lectures and tours for some time. Sadly, I was informed that this would no longer be possible because of HIPAA privacy regulations.

There are many variations on the wording of certain forms, but one thing is clear: acupuncturists are covered entities.

What You Can Do

1. Appoint a privacy officer. If you work alone, you are the privacy officer.
2. Present each patient with a "Notice of Privacy Policies" form.
3. Each new patient must sign a separate form indicating that they have received the Notice of Privacy Policies.
4. Each patient must sign a form giving their consent for treatment, payment and healthcare operations.
5. Each patient must sign an authorization for any and all releases of protected health care information.
6. Each patient has individual rights relating to authorization.
7. Prepare, document and maintain a compliance manual.
8. Put confidentiality notices on all faxes and e-mails.
9. Comply with security regulations for the computer.

---

Click here for more information about Marilyn Allen, Editor-at-Large.

Next Article in Issue

Previous Article in Issue