At Your Service

The Truth About HIPAA And the Privacy Rule

Published Online: https://doi.org/10.1176/pn.38.1.0034

Q. With the HIPAA privacy rule compliance deadline of April 14, 2003, fast approaching, I am concerned about being in compliance. Where can I obtain information on the basic requirements that I should know about this regulation?

A. The Psychiatrists’ Program’s risk-management staff has prepared extensive materials designed for psychiatrists about HIPAA’s privacy rule. For more information, visit the Psychiatrists’ Program’s Web site at www.psychprogram.com, which offers the following:

• HIPAA diagram

• Comprehensive article on HIPAA’s privacy rule

• News updates

• HIPAA seminar information

• Online HIPAA education (available only to Program participants)

• HIPAA Help Resource Manual (available only to Program participants)

The Program has also developed the following list of the “Top 10 Myths About HIPAA’s Privacy Rule” to help psychiatrists better understand the regulation.

Myth #1: HIPAA and the privacy rule are the same thing.

Fact: HIPAA is the Health Insurance Portability and Accountability Act of 1996, which is a complex federal law covering many areas such as fraud and abuse and portability of health insurance when workers change jobs. Under another section of this law, titled “Administrative Simplification,” Congress addressed the electronic exchange of health information to reduce costs and increase the efficiency of processing insurance claims. Under the administrative-simplification provisions of HIPAA, the Department of Health and Human Services (HHS) was required to promulgate regulations on these topics:

• Privacy standards, also known as the privacy rule

• Transactions and code set standards

• Unique identifier standards

• Claims attachment standards

• Security standards

• Enforcement standards

The privacy rule, one of the regulations under the administrative-simplification provisions of HIPAA, is the set of standards regulating the use and disclosure of protected health information.

Myth #2: The deadline for compliance with HIPAA is April 14, 2003.

Fact: Each regulation has a different compliance date. April 14, 2003, is the compliance date only for the privacy rule. The compliance date for the transactions rule was October 16, 2002 (unless a one-year extension was obtained, as discussed in #5).

Myth #3: All physicians are covered by HIPAA.

Fact: Only those physicians who electronically transmit or receive (or have any other entity electronically transmit or receive on their behalf) any of the following 11 specified transactions are covered by HIPAA:

• Health care claims or equivalent encounter information

• Health care payment or remittance advice

• Coordination of benefits

• Health care claim status

• Enrollment or disenrollment in a health plan

• Eligibility for a health plan

• Health plan premium payments

• Referral certification and authorization

• First report of injury

• Health claims attachments

• Other transactions that the secretary of HHS may prescribe by regulation

Myth #4: A billing service transmits claims electronically on my behalf, so I am covered by HIPAA, and will comply with the privacy rule, but I do not have to worry about any of the other regulations.

Fact: Since you are a “covered provider” under HIPAA, you are required to comply with all of the applicable regulations under administrative simplification—the transactions rule, the security rule, and so on.

Myth #5: HIPAA requires all physicians to submit claims electronically.

Fact: Nothing in HIPAA requires electronic claims submission. However, you may be required to submit Medicare claims electronically under a separate law enacted in 2001—the Administrative Simplification Compliance Act (ASCA). Under the ASCA, all Medicare claims must be submitted electronically by October 16, 2003; however, small providers (including physicians with fewer than 10 full-time equivalent employees) are excluded. Of course, once providers start submitting claims electronically to Medicare, they become covered providers under HIPAA and are subject to all of the administrative simplification regulations.

Under another provision of the ASCA, covered providers could have requested a one-year extension for compliance with the transactions rule—until October 16, 2003. To get this extension, providers must have submitted prior to October 16 a written plan to HHS indicating how compliance will be achieved by October 16, 2003.

Myth #6: Since I have fewer than 10 full-time-equivalent employees, I am exempt from all administrative-simplification regulations under HIPAA.

Fact: The only significance of a physician’s having fewer than 10 full-time-equivalent employees is exemption from the requirement under ASCA (see #5 above) that Medicare claims be electronically submitted by October 16, 2003. Physicians who electronically transmit or receive the transactions listed in #2 are covered by all of HIPAA’s administrative-simplification regulations, regardless of how many employees they have.

Myth #7: I do not electronically transmit or receive claims, or any other transaction listed in #3, nor does anyone else do so on my behalf. Even though I’m not covered under HIPAA, I still needed to file for an extension.

Fact: Only those physicians covered by HIPAA needed to file for an extension for compliance with the transactions rule. However, if there is any doubt about whether you are covered, APA and the AMA advised you to file for an extension, so that in the event you are covered, you would benefit from that extra year to comply with the transactions rule.

Myth #8: Since I filed for the extension, I have an extra year to comply with both the transactions rule and the privacy rule.

Fact: The extension applies only to compliance with the transactions rule. There is no extension available for compliance with the privacy rule—compliance is required by April 14, 2003, even if you have received an extension for compliance with the transactions rule until October 16, 2003.

Myth #9: Compliance with the privacy rule requires that I must turn over my patients’ psychiatric records to law enforcement and national security personnel.

Fact: Under the privacy rule, there are only two mandatory disclosures—to the patient and to HHS for enforcement. All other disclosures are permissive. You must continue to make decisions about releasing information based on other state and federal laws, as well as your ethical obligations.

Myth #10: I’m not covered by the privacy rule, so I don’t need to worry about it.

Fact: The privacy rule, a new federal floor of confidentiality protections, will probably be viewed as the national standard of care, which must be met or exceeded by all physicians, whether technically covered or not. The privacy rule will also make it easier for patients to sue psychiatrists for breach of confidentiality under state law or to file an administrative complaint. And states can enact (and Texas already has enacted) state law expanding the definition of covered providers to include all physicians and requiring compliance with state law that mirrors provisions of the privacy rule. ▪

This column is provided by PRMS, manager of the Psychiatrists’ Program, for the benefit of members.