As part of the ASC Association's efforts to assist ASCs in complying with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the ASC Association HIPAA Task Force will periodically publish answers to some of the questions ASC Association members raise. Please email your questions to ASC@ascassociation.org - ASC Association MEMBERS ONLY! Look below to read past questions.
To access Health and Human Services Office of Civil Rights' FAQs database on the HIPAA Privacy Rule, click here.
To access the Centers for Medicare and Medicaid Services FAQs database on HIPAA, click here.
FAQs
Question #1: Although we try to ensure that our physicians, nurses and other staff discuss personal health information in private, sometimes discussions with the patient occur in the preoperative holding area within hearing distance of other patients and family members. Similarly, some non-employee surgeons speak to family members in the waiting room or step-down recovery area, again within hearing of other patients and those awaiting rides. What should we do about this?
Answer: Staff members and physicians must be able to talk with each other and with patients. All should be reminded that, whenever possible, the patient and family should be moved to a private area. Also, the importance of speaking quietly should be stressed. In facilities that have cubicle curtains and limited space, you might try soft music in the background to muffle conversations that can carry to another area. Everyone providing patient care and services in your facility should understand the facility policies and be expected to adhere to them. Medical staff bylaws or rules and regulations generally contain a requirement that the physicians must comply with facility policies. If a physician does not follow policy after being reminded, the matter should be referred to the medical director or another person within your facility responsible for enforcing physician compliance with policies. If problems continue, the governing body may need to take action.
Question #2: Implant manufacturers provide us with postcards to return to them following the use of an implant so that they can track use of their implants. How do we handle this in light of HIPAA privacy concerns?
Answer: Two possible HIPAA issues arise in this situation: accidental disclosure in the mailing process and disclosure of patient information to the manufacturer. With regard to the first concern, one possibility is to place the postcards in an envelope so that people processing the mail cannot read individual patient information. Contact the implant manufacturer to discuss what plans it has to adjust its reporting system to track implants. You should also complete a business associate agreement for each manufacturer so that you have documentation in your facility that the implant manufacturer understands its responsibility to protect patient information within its organization. Although it may not be required, the privacy policy presented to patients could include a statement that you send implant information to manufacturers. Providing information to implant manufacturers may be considered part of the treatment, payment and operations (now commonly abbreviated as TPO) functions that can be conducted without having the patient sign a consent or authorization, because this type of transmission of information could be considered part of the patient safety and quality functions of the facility. Even so, a simple step would be to add to your current facility consent or authorization form a statement that the patient understands and agrees that, if the patient receives an implant, the manufacturer will be provided information. The HIPAA Workbook for ASCs contains detailed information about a patient privacy policy and the uses and disclosures permitted for TPO functions. The sample policies and forms are on diskette, so you can easily modify them to include statements about implants.
Question #3: When trying to reach a patient, we often need to leave a message on an answering machine or with a person other than the patient regarding insurance issues or times to arrive at the center. How can we handle this without violating HIPAA?
Answer: At the earliest opportunity, ask all patients to inform you and have them indicate in writing how you can leave messages or who can learn about their appointments and their care. Working this out with the referring physician's office, which will also have to consider these issues, might be your first action. Asking patients to call the ASC may work with some patients but not others. If a patient agrees that you can leave detailed messages on his or her recorder, you may do so. However, without this approval from the patient, you can leave just your name with a request for them to call "ABC Surgery Center." You should not leave additional information that tells the person listening to the recorded message that surgery is scheduled, the type of surgery planned, or the preoperative instructions. Note that you should not assume that the person in the waiting room who is transporting the patient to and from the ASC is the one who can receive postdischarge instructions. You will also need to evaluate how you complete postoperative follow-up phone calls.
Question #4: Most of our surgeons are independent contractors, not employees. How do we get them to comply with HIPAA policies?
Answer: Whomever you expect to comply with your ASC policies needs to be educated about what the policies are and why they have been established. HIPAA is no different. So, begin by educating your physicians. Whether you do special programs for them or can simply include them in your employee educational efforts depends on how your ASC typically works. Regardless of how you do it, you need to make sure that you don't skimp on this effort. Since HIPAA compliance is also required in their practice setting, you should find that it is easier to achieve compliance with HIPAA than with some other regulations. If you haven't already started, start as soon as possible. HIPAA requires that you make changes in your "culture" and in the way you accomplish your work. The sooner you begin the process of defining the new culture and establishing the requirements, the easier it will be to achieve compliance by everyone (your management, employees and physicians), even those who are independent contractors. If you handle the training correctly, that may be all you have to do. However, since you are responsible for HIPAA violations in your ASC, you need to ensure compliance. If violations continue to occur after education, follow the advice in the answer to Question #1.
Question #5: Our billing clearinghouse is demanding that we provide the social security number for the guarantor of bills. Currently, we only collect the social security number of the patient. Does the HIPAA transaction standard require that we collect this information?
Answer: The HIPAA transaction and code set standard regulation is intended to simplify insurance transactions by requiring that they all be conducted using the same electronic fields. It is argued that this can save health care providers and insurance companies thousands of dollars. Whether or not you have to include a specific item depends on whether the field is mandatory or optional. In this case, it is not so simple. The field is part of what is called a "situational loop." This means that under certain situations it is mandatory. Under the standard, if the "responsible party" box shows a name other than the patient, then all of the data in this "situational loop," including the responsible party's social security number, is required. ASCs should be careful of two things. Do not put "same" in the responsible party box, as the program will activate the situational loop. Also, if the responsible party is different than the patient, get all other required information at the time of service. With optional fields, you are not required to provide the data.