To escape the HIPAA Un-Privacy Rule, you must act now
Reprinted from Sombrero 35(12):20-21, the journal of the Pima County Medical Society.
by Jane Orient, M.D.
The deadline for the biggest change in medicine in history, the HIPAA monster, is certainly looming. Doctors are not ready. Moreover, they are uninformed about the most important fact: all of the impossible regulations apply only to "covered entities." Many physicians can, and should, remain or become noncovered entities.
Don't believe it? Go to the CMS website, www.cms.hhs.gov/hipaa. Click on "HIPAA Administrative Simplification." Scroll down to "Health and Human Services HIPAA-related Links." Click on "Covered Entity Decision Tools" (at the moment, the first one on the list). If you do not engage in any covered transactions, which the site defines for you, then it says "STOP": you are NOT a covered entity.
If you do engage in those transactions, then read the regulations and reflect on whether it wouldn't be easier to stop doing those transactions.
If you have ten or more full-time employees (CMS doesn't yet know the precise definition of "FTE"), then you'll have to start filing electronic claims with Medicare in October, 2003, and thus be covered. Or you could opt out of Medicare and continue to serve Medicare-eligible beneficiaries at the market rate, or for free, or however you like, without worrying about being the target of $720 million worth of HIPAA-funded fraud-finding operations.
Some insurers may also try to force you to do electronic transactions. That might be the final straw to get you to disengage from onerous, soul-destroying, nonremunerative managed-care schemes. (Most doctors who do that wonder why they didn't sign off five years earlier.)
If you didn't know about the possibility of being noncovered, you're not alone. In a nonscientific survey, more than 400 physicians returned a card enclosed with a mailing on the "country doctor exception" to HIPAA sent by the Association of American Physicians and Surgeons. Only 17% said they were previously aware of the exception, and only 13% said they would be ready in time to meet the HIPAA deadlines.
As Ms. Chase points out, wistful hoping will not make the rules go away. For that to happen, Organized Medicine would have to arouse itself from its torpor and profound denial, to start filing lawsuits and deploying lobbyists, instead of trying to profit from hawking "compliance" materials. Or enough doctors as individuals would just have to forgo electronic transactions until the industrial interests that got this disaster enacted worked to get it repealed.
The first thing to do is to proclaim loudly that the so-called Privacy Rule means the utter destruction of confidentiality. HIPAA gives regulatory permission for the government or any authorized agencies or contractors to access all medical records ever created by a covered entity, in whatever form they exist, under some pretext called "health care operations." HIPAA enables and facilitates a national database of medical information, technically impossible to protect and highly desired by blackmailers as well as entities with the power to find people uninsurable, unemployable, or unworthy of resource expenditure.
Modern technology could make it possible for patients to have absolute control over access to their records, but only if they hold the encryption keys and the records are encrypted as entered. That would, of course, violate HIPAA.
Compliance with HIPAA is primarily a question of conscience, in my opinion. If you believe you are bound by a sacred oath to preserve your patients' confidences (unless they give consent to disclosures), then you must become a noncovered entity. In that case, protect the information as you always have, releasing it only with patient consent (or valid subpoena or court order). If you believe that privacy is a meaningless concept these days, or is something to be set aside whenever a government functionary finds it to be outweighed by some vague societal "need," then start revamping your entire mode of operation to comply with HIPAA. Remember, it's the process, not the actual effect on privacy, that counts.
You probably receive two or three promotions every single week for compliance books, seminars, tapes, CD-ROMs, or conference calls. I'll buy lunch for anyone who can show me one that does not have some disclaimer about hiring a lawyer or reading the regulations (and the updates and the guidance and the interpretations) yourself.
The best place to start is with the CMS website; nothing can be more authoritative than that. It will even tell you how to submit questions (though I wouldn't count on answers) or to sign up for future conference calls.
Make no mistake: HIPAA compliance is what the vendors call a major cultural change. Every communication you or any member of your staff makes (whether oral, handwritten, FAXed, or computerized) is subject to federal rules carrying heavy penalties. And while it is not expected that CMS will come in with guns ablazing, at least at first, enforcement, it assures us, will occur.
Some of the comments doctors sent AAPS describing their opinion of the rules were unprintable; many were passionately negative ("inane, insane, and way beyond absurd"); almost all were negative. (See www.aapsonline.org to read some of your colleagues' reactions; click on "country doctor exception.")
CMS received requests for an extension for compliance with the transaction code sets from only 550,000 of the estimated 2 million covered entities. It is doubtful that the others are already compliant; even CMS itself is not, as it anticipates further changes. CMS is revising its estimate downward; maybe, officials say, there are a lot of small practices that are going to stick with paper claims.
The only source I know of that emphasizes information about being noncovered is AAPS. (Please let me know of others.) Four pages of Frequently Asked Questions are available by mail or FAX from my office on request (tel. 520-325-2689). Anyone can participate in the exchanges on the AAPS forum, aaps.forums.commentary.net, or click on "forums" under "departments" at www.aapsonline.org.
Doctors dare not ignore HIPAA. But they do have a choice about whether or not to accept that regime, not necessarily an easy choice.
At some point before it is too late, doctors just might say: "We're mad as hell, and we're not going to take it any more."
This could be it.