
Via AHIMA - Released today


Cmporter82:
http://journal.ahima.org/2013/01/17/hhs-releases-hipaa-privacy-and-security-update-final-rule/

RichardP:
Here is the Final Rule.  It is quite a read.

https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf

Here is a definition of covered entities and business associates.  Some of these definitions are modified/clarified by the Final Rule.

http://privacyruleandresearch.nih.gov/pr_06.asp

PMRNC:
It's important to note that MUCH of this in the final rule is just modifications to the already existing regs from 2009. We have an article coming out on the changes but they are very minor. Business Associates should have updated their BAAs by 1/1/2011 to cover the HITECH notification of breach for BA and Covered Entities.

Also, over the years, even from the beginning of HIPAA, there has been a long-standing debate on the structure of the "billing company". I hesitate to bring this up; every billing company should consult their own attorney as to the actual structure of their business. I treat my billing company as a covered entity; some have questioned this and I've long since stopped debating it, and my attorney gets paid good money to protect my interests. HERE is the definition of a covered entity with the areas highlighted that would suggest MOST/MANY billing companies are indeed "covered entities". There has always been some grey area on the verbiage and no modifications have ever been made to change this, though it's been mentioned it has been modified <chuckle>

Health Care Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.

Again, I'm not posting this to debate how my company is set up, just an FYI that you should have your own attorney take a look at your operations and give you a good opinion, and one they would stand by with you.

RichardP:
[Edit]  The definition of Health Care Clearinghouse provided by Linda above is language used by HHS / CMS.  An example of this language can be found at this link:

http://www.hhs.gov/ocr/privacy/hipaa/understanding/special/emergency/source1.html

This language is a paraphrase of the language actually used in the Code of Federal Regulations at this link:

http://www.gpo.gov/fdsys/pkg/CFR-2011-title45-vol1/xml/CFR-2011-title45-vol1-sec160-103.xml

There are lots of numbers and letters at the above link.  Ignore that, because this is a list of words being defined.  Look at the words in italics that start at the left margin (begins with Act, ANSI, Business Associate, CMS, etc.)  Scroll down to Health care clearinghouse.

Finally, the Final Rule just disclosed has the following to say at the bottom of Page 447 of this link.

https://s3.amazonaws.com/public-inspection.federalregister.gov/2013-01073.pdf

Health care clearinghouses function almost exclusively as business associates with respect to the protected health information they maintain and process, and therefore have no NPP requirements.

I engaged Linda in a discussion in this post because I did not know where her quote came from.    The quote above is what provided my motivation to question the source of Linda's quote - because this most recent quote from yesterday seems at odds with Linda's quote - it at least muddies the waters.  Linda told me/us in her response below.  Now that I know that her quote is from HHS / CMS, my comments in this particular post are irrelevant and so I have deleted most of them, but have left the following.  As I state below, I agree with Linda that each billing company needs to seek its own legal counsel when deciding whether they are a Covered Entity or a Business Associate.  [End Edit]

... Note that a doctor who submits paper claims (those are still permitted) and does no electronic prescribing or other electronic transmission of PHI is not considered a covered entity.

... Most billing companies do not process non-standard information into standard data elements (an ANSI-5010-compliant format) as clearinghouses actually do, and I think that distinction is the key to determining whether billing companies are considered a covered entity (but what about those billing companies that submit electronic claims directly to Medicare or Blue Cross?). But I agree that the phrase "or facilitate the processing" could be interpreted to mean almost anything and be applied to many entities.

I suggest that those who are interested in this subject read through the definition of Business Associate at this link (provided above also): http://privacyruleandresearch.nih.gov/pr_06.asp  Almost anyone involved in the electronic claims process between doctor and insurance carrier could be said to be "facilitating the processing", and could therefore be called a covered entity, if we use "facilitating the processing" as the criterion. But employing this definition to the extreme will leave no one left to be called a business associate.

PMRNC:
I really only posted this as an FYI. That's why I posted the final rule and verbiage on what HHS considers a Clearinghouse as published: 

Health Care Clearinghouse – A public or private entity, including a billing service, repricing company, community health management information system or community health information system, and “value added” networks and switches that either process or facilitate the processing of health information received from another entity in a nonstandard format or containing nonstandard data content into standard data elements or a standard transaction, or receive a standard transaction from another entity and process or facilitate the processing of health information into a nonstandard format or nonstandard data content for the receiving entity.

Again, I posted this so that it can be taken to the attorney of yours or anyone's choice as that's who needs to interpret it the way that is in the best interest of your business.   Although I do have some pre-law and healthcare law, I'm not an attorney nor do I want to play one on T.V.
