by Wyn Staheli, Director of Research
January 23rd, 2017
It is a common misconception that every doctor’s office is (or must become) a HIPAA covered entity; however, the list of those who still qualify for exemption from HIPAA is rapidly shrinking. There are exceptions to the HIPAA requirements: if a practice sends or receives no transactions electronically, it is not a covered entity. Offices must be careful to ensure they truly are not performing electronic transactions. While a provider may not submit claims electronically, the provider’s staff could be using the internet to query patient information from a plan or payer source, or a third party may submit payments electronically. Accessing this information electronically automatically makes the practice a covered entity.
If you employ more than ten full-time employees (or full-time equivalents), you are required to submit Medicare claims electronically; therefore, you automatically become a HIPAA Covered Entity. Considering all these situations, it is almost easier to become a covered entity than not to.
To be a HIPAA exempt entity, you must, at a minimum, meet all of the following conditions:
- Keep records in your office on paper. Information in computers must only be output to paper and then mailed. No Protected Health Information (PHI) may be transmitted electronically to or from your office.
- Do not use a billing service, clearinghouse or other third party to conduct electronic transactions such as submitting electronic claims for you.
- Do not use any internet applications, direct data entry, or point of service application containing PHI from your computer.
- Do not become a HIPAA covered entity by function, contract, agreement, or certification.
- Do not have any contracts or business agreements that require HIPAA compliance. Many health plans are now including a requirement for electronic claim submission in their agreements. Read your contract renewals carefully.
- Do not fax (or scan and email) PHI transactions from your computer (conventional, free-standing fax machines may be used).
- Be located in a state that does not require all claims to be submitted electronically.
Alert — HIPAA is Only the Federal Minimum Standard: If you are one of the few practices that can be considered a HIPAA exempt office, you must still abide by any state regulations applicable to healthcare providers and all healthcare matters, including confidentiality of patient information. It is good business practice to always maintain policies and procedures aimed at protecting patient information.