Author Topic: Via AHIMA - Released today  (Read 2693 times)


RichardP

  • Hero Member
  • *****
  • Posts: 688
Re: Via AHIMA - Released today
« Reply #1 on: January 18, 2013, 01:12:52 AM »
Here is the Final Rule.  It is quite a read.

https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf

Here is a definition of covered entities and business associates.  Some of these definitions are modified/clarified by the Final Rule.

http://privacyruleandresearch.nih.gov/pr_06.asp


PMRNC

  • Hero Member
  • *****
  • Posts: 4236
    • One Stop Resources & Networking for Medical Billers
Re: Via AHIMA - Released today
« Reply #2 on: January 18, 2013, 11:05:39 AM »
It's important to note that MUCH of this in the final rule is just modifications to the already existing regs from 2009.   We have an article coming out on the changes but they are very minor. Business Associates should have updated their BAA's by 1/1/2011,  to cover the HITECH notification of breach For BA and Covered Entities.

Also, over the years even from the beginning of HIPAA there has been a long standing debate on the structure of the "billing company".   I hesitate to bring this up, every billing company should consult their own attorney as to the actual structure of their business.   I treat my billing company as a covered entity, some have questioned this and I've long since stopped debating it and my attorney gets paid good money to protect my interests.    HERE is the definition of a covered entity with the areas highlighted that would suggest MOST/MANY billing companies are indeed "covered entities"   There has always been some grey area on the verbiage and no modifications have ever been made to change this though it's been mentioned it has been modified <chuckle>

Health Care Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.

Again, I'm not posting this to debate how my company is setup, just an FYI that you should have your own attorney take a look at your operations and give you a good opinion, and one they would stand by with you.
Linda Walker
Practice Managers Resource & Networking Community
One Stop Resources, Education and Networking for Medical Billers
www.billerswebsite.com

RichardP

  • Hero Member
  • *****
  • Posts: 688
Re: Via AHIMA - Released today
« Reply #3 on: January 18, 2013, 12:51:49 PM »
[Edit]  The definition of Health Care Clearinghouse provided by Linda above is language used by HHS / CMS.  An example of this language can be found at this link:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/source1.html

This language is a paraphrase of the language actually used in the Code of Federal Regulations at this link:

http://www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/xml/CFR-2011-title45-vol1-sec160-103.xml

There are lots of numbers and letters at the above link.  Ignore that, because this is a list of words being defined.  Look at the words in italics that start at the left margin (begins with Act, ANSI, Business Associate, CMS, etc.)  Scroll down to Health care clearinghouse.

Finally, the Final Rule just disclosed has the following to say at the bottom of Page 447 of this link.

https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf

Health care clearinghouses function almost exclusively as business associates with respect to the protected health information they maintain and process, and therefore have no NPP requirements.

I engaged Linda in a discussion in this post because I did not know where her quote came from.    The quote above is what provided my motivation to question the source of Linda's quote - because this most recent quote from yesterday seems at odds with Linda's quote - it at least muddies the waters.  Linda told me/us in her response below.  Now that I know that her quote is from HHS / CMS, my comments in this particular post are irrelevant and so I have deleted most of them, but have left the following.  As I state below, I agree with Linda that each billing company needs to seek its own legal counsel when deciding whether they are a Covered Entity or a Business Associate.  [End Edit]

... Note that a doctor who submits paper claims (those are still permitted) and does no electronic prescribing or other electronic transmission of PHI is not considered a covered entity.

... Most billing companies do not process non-standard information into standard data elements (an ANSI-5010-compliant format) as clearinghouses actually do, and I think that distinction is the key to determining whether billing companies are considered a covered entity (but what about those billing companies that submit electronic claims directly to Medicare or Blue Cross?).  But I agree that the phrase or facilitate the processing could be interpreted to mean almost anything and be applied to many entities.

I suggest that those who are interested in this subject read through the definition of Business Associate at this link (provided above also).  http://privacyruleandresearch.nih.gov/pr_06.asp  Almost anyone involved in the electronic claims process between doctor and insurance carrier could be said to be facilitating the processing, and could therefore be called a covered entity, if we use facilitating the processing as the criteria.  But employing this definition to the extreme will leave no one left to be called a business associate.
« Last Edit: January 18, 2013, 08:15:05 PM by RichardP »

PMRNC

  • Hero Member
  • *****
  • Posts: 4236
    • One Stop Resources & Networking for Medical Billers
Re: Via AHIMA - Released today
« Reply #4 on: January 18, 2013, 01:17:01 PM »
I really only posted this as an FYI. That's why I posted the final rule and verbiage on what HHS considers a Clearinghouse as published: 

Health Care Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.

Again, I posted this so that it can be taken to the attorney of yours or anyone's choice as that's who needs to interpret it the way that is in the best interest of your business.   Although I do have some pre-law and healthcare law, I'm not an attorney nor do I want to play one on T.V.
Linda Walker
Practice Managers Resource & Networking Community
One Stop Resources, Education and Networking for Medical Billers
www.billerswebsite.com

RichardP

  • Hero Member
  • *****
  • Posts: 688
Re: Via AHIMA - Released today
« Reply #5 on: January 18, 2013, 01:42:00 PM »
Based on what you just posted, I assume you mean the definition of Health Care Clearinghouse you gave came from HHS.  I think you posted your comment before I had finished the last two paragraphs of my comment.  I agree that folks should consult an attorney.  I'm just pointing out above that the term "Health Care Clearinghouse" is constrained by the phrase processing ... nonstandard format ... into standard data elements.  That process involves following complex instructions regarding ANSI 5010, and it will be the rare billing company that does this.  However, ALL clearinghouses that accept data from billing software and send it on to the insurance carriers MUST do this.  That is the distinction upon which to focus.

Regardless of which label you wear, covered entity or business associate, the law calls both to the same standard of care regarding patient health information.  HIPAA and HITECH do not allow a business associate to do something with patient health information that a covered entity cannot.
« Last Edit: January 18, 2013, 02:06:45 PM by RichardP »

PMRNC

  • Hero Member
  • *****
  • Posts: 4236
    • One Stop Resources & Networking for Medical Billers
Re: Via AHIMA - Released today
« Reply #6 on: January 18, 2013, 02:10:05 PM »
Quote
Regardless of which label you wear, covered entity or business associate, the law calls both to the same standard of care regarding patient health information.  HIPAA and HITECH do not allow a business associate to do something with patient health information that a covered entity cannot.

Agree
Linda Walker
Practice Managers Resource & Networking Community
One Stop Resources, Education and Networking for Medical Billers
www.billerswebsite.com

RichardP

  • Hero Member
  • *****
  • Posts: 688
Re: Via AHIMA - Released today
« Reply #7 on: January 18, 2013, 08:28:09 PM »
Linda, you responded to my second post from the top of this thread.  I have seriously edited that post, in case you want to see how I changed it.  Thanks for telling me that your words came from HHS / CMS.  And I should have made it more clear that my original questions to you (since deleted) were triggered by language I had read the night before at the bottom of Page 447 of the Final Notice at this link:

https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf

Health care clearinghouses function almost exclusively as business associates with respect to the protected health information they maintain and process, and therefore have no NPP requirements.

This thread is a bit messy, but learning is sometimes messy.  And the new quote above doesn't help with the messiness of this subject either.  Bottom line restated:  Everyone should check with their own attorney.  However - regardless of which label one wears, covered entity or business associate, the law calls both to the same standard of care regarding patient health information.  HIPAA and HITECH do not allow a business associate to do something with patient health information that a covered entity cannot.

PMRNC

  • Hero Member
  • *****
  • Posts: 4236
    • One Stop Resources & Networking for Medical Billers
Re: Via AHIMA - Released today
« Reply #8 on: January 18, 2013, 08:42:47 PM »
Trust me, I have seen the final link.  I'm not GOING to debate MY status as a covered entity.   
Linda Walker
Practice Managers Resource & Networking Community
One Stop Resources, Education and Networking for Medical Billers
www.billerswebsite.com

RichardP

  • Hero Member
  • *****
  • Posts: 688
Re: Via AHIMA - Released today
« Reply #9 on: January 18, 2013, 09:08:00 PM »
I'm not trying to get you or any one else to discuss their status.  I was looking for pointers to where the language came from, and you provided that.  Thank you.

There is lots to digest, and I have no need to discuss this further, now.  But for those billing folks who would like to considered themselves a covered entity rather than a business associate, consider the requirement imposed at Page 265 at this link:

https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf

Good luck with this one.  Think all those newly-minted graduates of billing classes know enough about computer systems to comply with this rule??  Good night, and have a great weekend.

The final rule adopts the proposal to amend the Privacy Rule at §164.524(c)(2)(ii) to require that if an individual requests an electronic copy of protected health information that is maintained electronically in one or more designated record sets, the covered entity must provide the individual with access to the electronic information in the electronic form and format requested by the individual, if it is readily producible, or, if not, in a readable electronic form and format as agreed to by the covered entity and the individual. In such cases, to the extent possible, we expect covered entities to provide the individual with a machine readable copy of the individual’s protected health information.  The Department considers machine readable data to mean digital information stored in a standard format enabling the information to be processed and analyzed by computer.  For example, this would include providing the individual with an electronic copy of the protected health information in the format of MS Word or Excel, text, HTML, or textbased PDF, among other formats.
« Last Edit: January 18, 2013, 09:14:26 PM by RichardP »