Is Your Cash Based Practice a "Covered Entity?" (2024)

I receive quite a few questions regarding compliance issues when discussing the cash based physical therapy practice model. These include Medicare, HIPAA, patient privacy, documentation, direct access, multiple services, etc. In general, it would seem like these issues should apply to a cash-based practice in the same manner as a traditional insurance-based practice, but the details might surprise you. There is a lot of misinformation and misunderstanding floating around, especially regarding HIPAA and putting its rules and regulations into practice, including the assumption that we are all “covered.”

My curiosity started when my brother, who is in private practice as a social worker counseling individuals and couples, first brought a HIPAA compliance issue to my attention. He forwarded to me a copy of an email correspondence written by a lawyer, who is an advisor to another therapist in my brother’s mental health therapist network. I have not been in personal contact with this lawyer, but the email I received stated that his opinion is “anyone who does NOT do electronic billing remove the HIPAA forms from their intake packets. If you include HIPAA forms you are subject to HIPAA rules and regulations and if you violate any of those you can be strictly fined.”

This really got me thinking and asking myself questions. When I set up my practice 6 years ago, I was told I needed to have my patients sign a HIPAA privacy release form. Upon hearing this new information I was now concerned that doing so might unnecessarily jeopardize or put my practice at risk. This deserved some more investigation and in researching this, I’ve learned quite a bit, though not all the answers, and I want to share what I’ve learned.

What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act of 1996 and it was primarily aimed at providing workers with easier ways to continue their healthcare insurance coverage whenever they changed jobs.

An area of special consideration was the transfer or portability of patient records. The easiest way to make data transfers is electronically and the most common is via email. Unfortunately, email is not a secure form of communication. Legislators added appropriate language to ensure the confidentiality of patient information when stored or sent electronically, which became the first legislation to address email confidentiality. HIPAA is about patient confidentiality in electronic format.

Click Here for the HIPAA Basics for Providers handout

What is a “covered entity?”

The first question to ask yourself is “Is my practice a covered entity?”

The CMS website has an excellent flow sheet to help you answer this question and determine if you are a covered entity: Click Here For The CMS Flowsheet

The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is:
– a health care provider that conducts certain standard transactions in electronic form (called here a “covered health care provider”).
– a health care clearinghouse.
– a health plan.

An entity that is one or more of these types of entities is referred to as a “covered entity” in the Administrative Simplification regulations.

What are the “certain standard transactions?”

Transactions are electronic exchanges involving the transfer of information between two parties for specific purposes. For example, a health care provider will send a claim to a health plan to request payment for medical services. In the HIPAA regulations, the Secretary of Health and Human Services (HHS) adopted certain standard transactions for Electronic Data Interchange (EDI) of health care data. These transactions are:

  • claims and encounter information
  • payment and remittance advice
  • claims status
  • eligibility
  • enrollment and disenrollment
  • requests to obtain referral certifications and authorizations
  • coordination of benefits
  • premium payment

Under HIPAA, if a covered entity conducts one of the adopted transactions electronically, they must use the adopted standard.

What information is protected?

The privacy rule protects all “individually identifiable health information” stored or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information” (PHI). This includes common demographic information such as name, street address, telephone number, date of birth, social security number, etc. PHI also includes past, present or future information about the individual’s physical or mental health condition, payment status and provision of health care.

What about Faxes and Emails?

Transactions of paper via facsimiles and voice via telephone are specifically exempted from the HIPAA Security Rule. They are not ruled as electronic transactions because the information did not exist in digital format prior to the transmission.

However, data sent by email and through the Internet, even if scanned into a pdf file, is an electronic transmission. Another interpretation of this is that if the data or information originates on a computer (including a cell phone or tablet) it is an electronic transmission.

To summarize:

There are two aspects to determining if you are a “covered entity” or not: the purpose of the transaction and how it is delivered. Certain Standard Transactions include Protected Health Information and if you send or transmit any of these transactions electronically you are a Covered Entity.

  • If you are transmitting a patient’s protected health information, but are not participating in a “certain standard transaction”, you are not a covered entity. An example of this would be consulting with or referring a patient to a physician by sending a patient’s name and health problem via email.
  • The HIPAA privacy rule also allows health care providers to communicate with their patients electronically (via email) provided you establish reasonable safeguards when doing so.
  • If you are a physical therapist in private practice and only accept payment by cash, check, debit or credit cards, these forms of billing/collection do not make you a covered entity.
  • If you sometimes submit a handwritten HCFA 1500 form, this does not make you a covered entity.
  • If you are a physical therapist in private practice, you live in a state with limited Direct Access and Fax your patient’s physician the plan of care to sign, then you are not participating in a “certain standard transaction,” and doing so would not make you a covered entity.
  • If you, or someone on your behalf, like a clearing house, submit your patient’s protected health information electronically to receive reimbursement, you are a covered entity.
  • If you are a Medicare provider and submit claims electronically but accept cash, check or credit cards from everyone else, you are still a covered entity and should have all of your patients sign HIPAA privacy forms.
  • If you use an “electronic fax” service and participate in “certain standard transactions” you are a “covered entity.” You need to be sure and choose a HIPAA compliant fax service and sign a BAA.

Even if your answer to the title question is “no” and you are not a “covered entity,” you still have to conform to the standards of practice and privacy ethics as outlined in your state’s practice act and/or your professional association.

How do I maintain my patient’s privacy?

My practice, which is a cash-based physical therapy practice, does not fit the definition of a covered entity. HIPAA consent forms are no longer something I have my patients sign. I have my patients sign an informed consent form that includes the following statement:

“I understand that LeBauer Physical Therapy, LLC will maintain my privacy to the highest standards and may use or disclose my personal health information for the purposes of carrying out treatment, obtaining payment, evaluating the quality of services provided and any administrative operations related to treatment or payment.”

Likewise, just as my documentation is the same as if I owned a traditional insurance-based practice, I protect my patients’ privacy when in public, in my office and on social media. I also keep a standard landline and use a traditional fax machine the 2-3 times a year I am requested to send patient information. Another alternative to an electronic fax, especially if you don’t have a landline and use an EMR, is to print the patient record and put it in the mail. Conversely, you can request to have a patient’s information and records mailed to you.

Also, whether or not a provider uses an electronic medical record or electronic health record is irrelevant to determining covered entity status. If you, or someone on your behalf, transmit one or more of the standard transactions in electronic format then you will be a “covered entity.”

Final Thoughts on HIPAA:

I am not a lawyer, and this may be a topic that needs further vetting with your advisory board, healthcare compliance authority or healthcare attorney, but if you keep it simple, and do not transmit any health information in connection with a covered standard transaction then you are likely not a “covered entity.” This means that you would not need to follow the guidelines and regulations set out in the HIPAA rules and regulations including: having your patients sign a HIPAA privacy release, creating a HIPAA policies & procedures manual, obtaining an NPI (national provider identifier standard), signing a BAA or Business Associates Agreement. Finally, there is the benefit that you would not potentially put yourself and your practice at risk for violating a HIPAA rule or paying a fine when it doesn’t apply in the 1st place.

If you have a 100% cash-based practice, you are likely not participating in any of the “certain standard transactions” anyway. If you want to maintain a simple and low key existence and you want to avoid being a HIPAA covered entity, or even the gray areas and uncertainty in the middle, be sure you communicate via phone, snail mail or standard fax. Remember if you hire someone else to do this for you, or on your behalf, be sure they do the same and insist that health plans and insurance companies communicate with you only via phone, snail mail or standard fax.

Is your practice a “covered entity” or not? What steps and measures are you taking to keep it that way, and why is this beneficial to you?

Update 1-7-17

Just to be clear, this is really best left for you and your healthcare attorney to decide based on your unique practice. A few years ago when I looked at HIPAA, and wrote this article, I discovered that I was not a covered entity and did not sign a BAA with anyone. Recently I’ve talked with my healthcare attorney, who falls on the less conservative side of a few important issues. After going back and forth quite a few times, she pointed out that there are two HIPAA rules, the Security Rule and the Privacy Rule. She said the ‘non-covered entity’ status I mention in this article applies to the security rule, and that everyone is bound to the privacy rule. Her advice to me was to be sure and sign a BAA with Google since I use G Suite for my EMR, IntakeQ and anyone else I’m using to store my patient information. However, I’m also still using an analog fax and not sending patient notes to the insurance companies when they request it. I send them directly to the patient. Also, she recommended that I have patients sign a HIPAA notice of privacy practices. That way I’m complying with the privacy rule and still not bound by the security rule. This just shows how complex these issues are and why it’s best to have a great lawyer (or two) on your team.

This article has been updated from the original version that appeared on drjarodcarter.com
