Click here to download this episode
This episode is an interview of Nancy Beckley of Nancy Beckley and Associates, a rehab compliance consulting firm. We get into the nitty-gritty of HIPAA (and also Medicare) as it relates to a cash-based practice. She fields my questions for over an hour and absolutely fills us with the info we need to protect ourselves and our practices.
More specifically, we discuss these cash-based practice topics:
- What exactly is HIPAA and why does it exist
- How to determine if your practice is a “Covered Entity” and must comply with all the laws and regulations of HIPAA
- If you are a covered entity, and want to use an eFax, some important considerations for finding the right HIPAA-compliant system.
- HIPAA-compliant texting software, and when something like this is necessary if you are texting/emailing about patients with other providers.
- The HIPAA Omnibus changes and how they may have opened the door (in some scenarios) to provide covered services to a Medicare Beneficiary on a cash-pay basis.
- The Jimmo vs Sebelius case on “Medical Necessity” and how it affects our ability to see Medicare Beneficiaries on a cash-pay basis for certain types of services.
Resources and Links mentioned in this episode:
- Aaron Lebauer’s Guest post at this site on HIPAA and determining your Practice’s Covered Entity Status
- Attorney (and PT) Specializing in HIPAA: Paul Welk Esq., PT
- PT specializing in HIPAA Policies and Procedures: Angie Phillips, PT
- My article on the HIPAA law changes and seeing Medicare Beneficiaries on a Cash-Pay Basis.
- Connect with Nancy at her website: www.nancybeckley.com and at Twitter: @NancyBeckley
Interested in the cash-based private practice model?
Click Here to learn how to start your own Cash-Based Practice
.
Let us know if you enjoyed the show:
[Click to Tweet] Thank you @NancyBeckley for being an awesome guest on the Cash-Based Practice Podcast w/ @DrJarodCarter
Some parting notes:
Definitely have a look at the HHS Info Sheet. As I re-listened to this podcast and reviewed that info sheet, I came across a few things that I wanted to point out or re-highlight:
- Determining if your practice is a HIPAA Covered Entity comes down to whether or not you transmit any “covered transactions” “in electronic form”
- “covered transactions” are defined in detail on pages 7 – 9 at the above info sheet. Take a very careful look at all the different things that could be considered covered transactions. It does NOT ONLY include transactions/transmissions of payment/billing-related information. Although I don’t directly bill any third-party payers for my services, there are still “covered transactions” that I do occasionally transmit. I therefore have to make sure that I only transmit such things in non-electric format.
- “In Electric Form” is defined on page 9 of the above info sheet. Essentially, Fax is NOT considered “electronic format” so I, and practices like mine that want to avoid being a “covered entity,” need to make sure that the sending of any information is only done by fax.
I’m guessing many of you may have questions for Nancy. Please type them in the comments below, and make sure to give as much detail as possible on all factors and components surrounding your question so she has the best possibility to give a clear answer.
Nancy,
Thank you again for taking the time to be a guest on the podcast and for all the great information.
As I went back through our conversation and did some further research online, I realized I’m still not completely clear on something … is the fact that I use an EFax system (in which I scan or generate any documents that will be sent, and attach them to an email) rather than the old-school fax machine an issue? I know we discussed this a little in the podcast episode, but my concern comes from the following statement in the definition of “electronic form” at HHS: “Certain transmissions, including of paper, via facsimile, and of voice, via telephone, are not considered to be transmissions via electronic media, because the information being exchanged did not exist in electronic form before the transmission.”
I can see how this is the case with a traditional fax machine in which I would simply be running papers through and not generating a PDF or electronic document of some sort. However, with EFax systems, we are creating an electronic document in order to carry out the transmission.
Hoping you can shed some defining light on this issue.
Jarod. Your question regarding uploading to an electronic fax system (which creates a PDF) is the first thing on my list for my next update with HIPAA experts. I will be looking into that. Generally speaking the intent of transmitting data electronically was construed to mean billing with the HIPAA transactions and data sets.
Hey Nancy, awesome information here. Did you ever get clarity on wether the electronic fax system is “just a fax” or considered an “electronic transmission?”
I am wondering if there is some kind of template that I can use in my clinic that incudes the updates to HIPPA, or maybe the precise wording is up to the entity? Really good podcast. Thank you for your effort helping small clinics to be up to date. I appreciate it.
Thanks Kris,
Unfortunately, since every practice is different I can’t put out a template that would fit all and be applicable to every practice that might download it.
Jarod
Kris – A lot of small therapy clinics 9as well as small physician offices) that are covered entities under HIPAA subscribe to services that provide and annual training for employees (usually a web-based course), as well as email update services. The huge HIPAA update was last September, however the Business Associate Agreement grandfathering clause ended this September. While HHS and the OCR have great information on the web, for non-experts it may sometimes be difficult to distinguish the older material from the most up-to-date material.
In the podcast I referenced attorney Paul Welk (also a PT) who has a HIPAA manual suitable for the small therapy practice. This manual can be purchased at http://www.physicaltherapist.com. I also referenced the HIPAA manual by Angie Phillips, PT, that is also specifically designed to be customized to the small practice. As with any P & P manual, there is a bit of customization to be completed to make it specific to your practice. The hitch with HIPAA is the requirement for a Privacy Risk Assessment & Security Risk Assessment.
As I start to move into starting my own cash-based practice, I guess I have a couple questions coming out of this podcast:
1) Why would I like to not be a “covered entity?” Is it primarily so I can avoid further regulation?
2) The HIPAA flowsheet refers to covered transactions. Maybe I’m missing something, but from what I read that looks to be referring primarily to transactions regarding payment/billing. Does that mean that clinical documentation is not a covered transaction? Meaning that I can use an EMR provider such as WebPT or Kareo without worrying about being a covered entity? Or is 45 C.F.R.162.1101:(b) referring to clinical documentation. Sorry, legal jargon goes over my head pretty easily.
Hi Bill, Thanks for your questions, my comments:
1)There are providers, particularly those that are in cash practices, that choose not to become a covered entity (CE) primarily to avoid the associated risks that are presented by regulatory compliance with HIPAA.
2)Clinical documentation is not a covered transaction by itself. However you mention WebPT and Kareo – an EMR solution that involves a billing component. Billing submitted via an EMR to a payer would be considered a covered transaction, regardless of who the claim is sent to (not just Medicare).
Indeed the legal jargon does get a bit hard to decipher, that is why the attendant risks of HIPAA requirements should not be taken lightly.
Jarod,
I recently lisened to your podcast from October 18, 2014. I just want to clarify ifI undestood Nancy correctly.
I have a totaly cash pay practice. I live in an affluent University city, where people are well educated as to their medical needs. I get people all the time who say, I don’t care if I can’t use Medicare, I’d be fine paying fee for service as I want to come to you. You were highly recommemded and since you do Manual Therapy, I don’t mind paying out of pocket. Sounds like I can actually see these peope without fear of being fined if they sign a document stating that on their own free will they choose to pay for that trearment. Is that correct? Have you composed a letter like that for patients to sign? Thank you in advance for your answer.
Brenda Shelton PT, CMP
Brenda Shelo PT, CMP
Yes, you are correct. But I don’t share my paperwork at this point because everyone’s scenario is slightly different and I feel like that type of paperwork should come directly from an attorney.
Good points on HIP’AA compliance and I would just add that physical therapy offices need to be sure they don’t ignore the numerous HIPAA compliance mandates, so it’s important to have documented policies, procedures, and related processes in place. Remember, growing HHS OCR audits are on the rise, so you never know when you can be picked for a dreaded audit, regardless of how small you think your practice is. Compliance is tough and challenging, but just be sure to put in place the required documentation and you should be good.
Heather – Thank you for your comments in support of HIPAA mandates. In addition to having HIPAA policies and procedures in place the requirements for Covered Entities (including Business Associates) require a Privacy Risk Assessment as well as a Security Risk Assessment. Without the underlying risk assessments, it is likely that the OCR, in the presence of either an audit or reported breach, would find that the appropriate safeguards were not put in place.
Some of the challenges for all providers include risk assessment associated with the use of smart devices, portable drives and laptops, and use of unencrypted data storage in the cloud. Thanks again for contributing to the discussion.