Today’s post comes from Aaron LeBauer PT, DPT, LMBT, who has been ever-so-kind to tackle the enormous topic of HIPAA as it relates to cash-based physical therapy practices. He has a successful cash-based practice and recently started a website for those interested in the private pay business model. It has been really nice to have him and a few others now putting great content out there, and hopefully as a team we can educate even more of our colleagues on this business model.
There are quite a few questions regarding compliance when discussing the cash-based physical therapy practice model including; Medicare, HIPAA, Documentation, Direct Access, multiple services etc. In general, it would seem like these issues should apply to a cash-based practice in the same manner as a traditional insurance-based practice, but the details might surprise you.
My brother, who is in private practice as a social worker counseling individuals and couples, first brought the HIPAA compliance issue to my attention. He forwarded to me a copy of email correspondence written by a lawyer, who is an advisor to another therapist in my brother’s mental health therapist network. I have not been in personal contact with this lawyer, but the email I received stated that his opinion is “anyone who does NOT do electronic billing remove the HIPAA forms from their intake packets. If you include HIPAA forms you are subject to HIPAA rules and regulations and if you violate any of those you can be strictly fined.”
This really got me thinking and asking myself questions. I was told I needed to have my patients sign a HIPAA policy form, but am I jeopardizing my practice unnecessarily? This deserved some more investigation and I found a few hits on Google, but not all the answers.
What is HIPAA?
HIPAA is the Health Insurance Portability and Accountability Act of 1996 and it was primarily aimed at providing workers with easier ways to continue their healthcare insurance coverage whenever they changed jobs. An area of special consideration was the transfer or portability of patient records. The easiest way to make data transfers is electronically and the most common is via email. Unfortunately, email is not a secure form of communication. Legislators added appropriate language to ensure the confidentiality of patient information when stored or sent electronically, which became the first legislation to address email confidentiality. HIPAA is about patient confidentiality in electronic format.
What is a “covered entity?”
The first question to ask your self is “Is my practice a covered entity?”
The CMS website has an excellent flow sheet to help you answer this question and determine if you are a covered entity: https://www.cms.gov/Regulations-and-Guidance/HIPAA-Administrative-Simplification/HIPAAGenInfo/AreYouaCoveredEntity.html
The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is:
– a health care provider that conducts certain standard transactions in electronic form (called here a “covered health care provider”).
– a health care clearinghouse.
– a health plan.
An entity that is one or more of these types of entities is referred to as a “covered entity” in the Administrative Simplification regulations.
What are the “certain standard transactions?”
Transactions are electronic exchanges involving the transfer of information between two parties for specific purposes. For example, a health care provider will send a claim to a health plan to request payment for medical services. In the HIPAA regulations, the Secretary of Health and Human Services (HHS) adopted certain standard transactions for Electronic Data Interchange (EDI) of health care data. These transactions are:
- claims and encounter information
- payment and remittance advice
- claims status
- enrollment and disenrollment
- requests to obtain referral certifications and authorizations
- coordination of benefits
- premium payment
Under HIPAA, if a covered entity conducts one of the adopted transactions electronically, they must use the adopted standard.
What information is protected?
The privacy rule protects all “individually identifiable health information” stored or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI). This includes common demographic information such as name, street address, telephone number, date of birth, social security number, etc. PHI also includes past, present or future information about the individuals physical or mental health condition, payment status and provision of health care.
What about Faxes and Emails?
Transactions of paper via facsimiles, and voice via telephone are not electronic transactions because the information did not exist in digital format prior to the transmission.
However, data sent by email and through the internet, even if scanned into a pdf file, is an electronic transmission.
Certain Standard Transactions include Protected Health Information and if you send or transmit any of these transactions electronically you are a Covered Entity.
- If you are transmitting a patient’s protected health information, but are not participating in a “certain standard transaction,” you are not a covered entity. An example of this would be consulting with or referring a patient to a physician by sending a patients name and health problem via email.
- If you are a physical therapist in private practice and only accept payment by cash, check, debit or credit cards, these forms of billing/collection do not make you a covered entity.
- If you sometimes submit a handwritten HCFA 1500 form, this does not make you a covered entity.
- If you are a physical therapist in private practice, you live in a state with limited Direct Access and Fax your patient’s physician the plan of care to sign, then you are not participating in a “certain standard transaction,” and doing so would not make you a covered entity.
- If you, or someone on your behalf, like a clearinghouse, submit your patient’s protected health information electronically to receive reimbursement you are a covered entity.
- If you are a Medicare provider and submit claims electronically but accept cash, check or credit cards from everyone else, you are still a covered entity and should have all of your patients sign HIPAA privacy forms.
Even if your answer to the title question is “no” and you are not a “covered entity,” you still have to conform to the standards of practice and privacy ethics as outlined in your state’s practice act.
How do I maintain my patient’s privacy?
My practice, which is a cash-based physical therapy practice, does not fit the definition of a covered entity, so HIPAA consent forms are no longer something I have my patients sign. I have my patients sign a consent form that includes the following statement:
“I understand that LeBauer Physical Therapy, LLC will maintain my privacy to the highest standards and may use or disclose my personal health information for the purposes of carrying out treatment, obtaining payment, evaluating the quality of services provided and any administrative operations related to treatment or payment.”
Likewise, just as my documentation is the same as if I owned a traditional insurance-based practice, I protect my patients’ privacy when in public, in my office and on social media.
Also, whether or not a provider uses an electronic medical record or electronic health record is irrelevant to determining covered entity status. If you, or someone on your behalf, transmit one or more of the standard transactions in electronic format then you will be a “covered entity.”
I am not a lawyer, and this may be a topic that needs further vetting with your advisory board or lawyer, but if you keep it simple, and do not transmit any health information in connection with a covered standard transaction then you are likely not a “covered entity.”
If you have any questions or any thoughts to add, I would appreciate your comments below.
Aaron LeBauer PT, DPT, LMBT
Interested in the cash-based private practice model?
Trust me, success in this practice model goes way beyond the HIPAA topic. If you would like to quickly learn the 8 Non-Negotiable Keys to Cash-Practice Success, Click Here to register for this free 2-hour master class that has been the springboard for multiple cash-practice owners.