1601 N. Tucson Blvd. Suite 9
Tucson, AZ 85716-3450
Phone: (800) 635-1196
Hotline: (800) 419-4777
Association of American Physicians and Surgeons, Inc.
A Voice for Private Physicians Since 1943
Omnia pro aegroto


Frequently Asked Questions: Covered v. Non-Covered Entities

These questions have been prepared in response to inquiries from physicians across the country. Based on these reports, most consultants, seminars, and lawyers are neglecting to advise physicians of the option of being a non-covered entity under HIPAA. In fact, many of you tell us that you have been told by hospital counsel and others that you can NOT be a non-covered entity and that compliance with HIPAA is mandatory for all.

These questions should help you make an informed decision whether being a covered or non-covered entity is right for you and your patients.

1. Why would I want to be a non-covered entity?
You will protect yourself from the possibility of prosecution if your compliance is imperfect. (Punishments of up to $250,000 fines and 10 years in prison.) Otherwise, you could be prosecuted for failing to meet the letter of the law - some 3,000 pages - even if no patient records are compromised.

You'll protect your patients from having their private records entered into a nation-wide computer data base, potentially accessible by thousands of private and public bureaucrats, law enforcement agencies, employers, and hackers.

You'll save up to tens of thousands of dollars in compliance efforts.

And finally, you keep the practice of medicine free from the straitjacket of working through a recipe book of 200,000 government-imposed codes.

2. How do we know that being non-covered is a real possibility?
Government attorneys themselves said so in the Motion to Dismiss the AAPS challenge to the "Privacy Rule." Here's an excerpt: "It bears repeating that the Privacy Rule applies only to covered entities. The proverbial country doctor who deals only in paper, or who has a computer but conducts none of the transactions referred to in section 1173(a) electronically, would not be a covered entity and would not be subject to this legislation."
Karen Trudel, Director of HIPAA projects for CMS, also acknowledged this fact at the AAPS 2002 spring meeting. .

3. Why don't doctors hear about the possibility of being non-covered at the hospital meetings and HIPAA seminars that they attend?
HIPAA compliance is a whole new multi-million dollar industry for lawyers and consultants. Look at the prices on those compliance materials, updates, tapes, seminars, newsletters, and books. If you are not a covered entity, you are not a prospective customer of this industry.

4. The government claims that the Rules will eventually save lots of money. Why would I want to miss out on these savings?
Keep in mind that government cost estimates are always too low, and that there is no accountability for these incorrect estimates even when off by a factor of ten or more. But even if correct, the net savings accrue to the industry as a whole. The industry giants may save; small practices will lose.

The touted savings from withdrawing the requirement to get patients to sign consent forms, estimated to be $103 million over 10 years, is more than offset by the new notification requirement, which would add $184 million in costs over the same time period. The net savings comes primarily from simplifying rules for researchers. (See page 33 of the Modifications to the Proposed Rule from the Federal Register.) To get an idea of the accuracy of the government's cost estimates, HHS estimated the cost of obtaining a signature on a complicated form to be about $0.05 - the cost of printing the form alone.

5. Wouldn't I just be red flagging my practice for audit if I become a non-covered entity?
It may be just the opposite. Unlike opting out Medicare, for example, there are no affirmative steps or declarations necessary to become a non-covered entity.

By filing a request for extension or signing a contract agreeing to compliance as a covered entity, you have declared your intention to comply as well as the specifics of your compliance plan. Those statements could be used by a prosecutor as evidence if your compliance is imperfect.

6. What are the deadlines for compliance with HIPAA Administrative Simplification?
The two deadlines enacted are for transactions and privacy. The transactions deadline is Oct 16, 2002. If you file a request for an extension by that date that includes an outline of your compliance plans, you may qualify for the October 2003 extension. The deadline for compliance with the Privacy regulations is April 14, 2003. HHS has yet to announce the rules and deadlines for the Security provisions.

7. Do I have to use the transaction standards outlined under HIPAA?
No, according to the regulations, the use is optional unless you are a covered entity - and unless contractually required by an insurer.

8. How much will it cost to become HIPAA compliant?
In court documents, AAPS states that it estimates that the hard costs of compliance would total between about $16,000 and $23,000 for the first year alone, and substantially more if an additional employee or consultant is necessary to manage the new software.

The computer system alone could cost between $10,000 and $20,000. Continuing education and monthly regulatory updates cost thousands - and all of them recommend expert consultants and lawyers, who will probably be in great demand and charging top dollar. Many of the audio conferences addressing a single element of HIPAA, such as duties of the privacy officer, cost $200 per person. Some "industry players" have estimated the cost to be so high that they asked whether it wouldn't be cheaper just to pay the fines as a cost of doing business. PriceWaterhouseCoopers found that, for covered entities, the answer is NO.

9. What additional expenses will I incur to remain a non-covered entity?
The costs should be minimal. Even if you have additional paper processing costs, they may be offset by the time saved by not fulfilling compliance requirements.

10. What are the penalties for non-compliance if I am a covered entity?
Up to $25,000 per year for each provision violated (up to $1.4 million or more, depending on how HHS counts the provisions). Then there are criminal penalties up to 10 years in prison.

11. What are the penalties for "misuse" of patient information as a covered entity?
The government can levy fines up to $250,000 per offense and/or up to 10 years in prison.

12. What are the penalties for non-compliance with HIPAA if I am a non-covered entity?
None. Compliance with HIPAA is voluntary if you do not meet the definition of a covered entity.

13. What is the difference between a HIPAA compliance program and a Medicare compliance program?
The big difference it that the elements of a Medicare compliance program are recommended, while the elements of the HIPAA program are mandated by law for covered entities.

14. But if I don't do anything wrong and protect my patients' information, I can't get in trouble, right?
Wrong. Even if you believe that you adequately protect the privacy of patient information, you could be found in non-compliance for not meeting the administrative requirements of HIPAA. It would be a violation even if no improper disclosure of information takes place, but the required procedural safeguards are not in place. In other words, you can be prosecuted even if no harm occurs.

15. I have a small practice. Does the size of my practice change what regulations apply to me under HIPAA?
No. The only exception is that the deadline for enforcement of transaction regulations is delayed a year for small practices. But the rules are still the same.

According to a PriceWaterhouseCoopers report prepared for Blue Cross and Blue Shield Association, one of the myths about HIPAA is that "HIPAA compliance will be much simpler for small providers." In fact, the only basis for this argument is the ability of small providers to revert to paper/ manual transactions. The TCS requirements are not scalable to reduce the impact on small organizations. An entity will either be able to submit and receive compliant transactions, or not.

The only place small practices get some regulatory relief is that those with fewer than 10 employees are exempt from the electronic filing requirement that Medicare will begin in October 2003.

16. Do I have to file electronic claims?
No. These regulations make no requirements for filing electronically; they only concern the rules that apply if you do choose to file electronically. But if you do file ANY electronic claims after April 14, 2003, you relinquish your opportunity to be a non-covered entity.

You may have signed a contract requiring electronic claims submission to a private entity. Medicare claims will have to be filed electronically after October 16, 2003, IF you have ten or more full-time employee equivalents UNLESS you have no means to file in this way.

17. What constitutes an electronic transmittal that makes you a HIPAA-covered entity? E-mail? Phone? Fax?
The regulations do not actually list methods that constitute an electronic transmittal, and there is some disagreement among legal experts and HHS managers.

Sending computer information within your own network is NOT a covered "electronic transmittal." Telephone calls are NOT considered an "electronic transmittal."

One prominent attorney said that faxes are defined as an "electronic transmittal," but an HHS authority disagreed. Simply sending a fax does not make you a covered entity; sending an electronic claim does.

As best we can tell, patient communication is not addressed by HIPAA, so e-mails between you and a patient should NOT be subject to HIPAA rules.

17A. So then faxes and paper records are not subject to HIPAA compliance rules, even if I'm a covered entity, right?
Wrong. If you are a covered entity as a result of other electronic transmittals, then your fax transmissions of PHI will be subject to HIPAA compliance regulations as well. According to "How to `HIPAA' - Top Ten Tips" by the AMA, "The Rule does not prohibit faxing of individually identifiable health information. Covered entities [our emphasis] must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of PHI."

Some consultants suggest that covered entities need to unplug their fax at night to prevent the unauthorized viewing of protected health information.

Remember that if you are covered, then even your paper records are subject to HIPAA scrutiny, and not just electronic transmittals.

18. What electronic claims are subject to HIPAA?
All electronically submitted claims are subject to HIPAA regulations and compliance, whether private, state (such as Medicaid), federal, or FEHBP.

19. Do I have to file any claims - electronic or paper - for my patients under HIPAA?
HIPAA does not change your responsibilities, but the Medicare rules could change your standing as a non-covered entity under HIPAA. You do not have to file private claims unless you have a signed a contract agreeing to do so. If you are a participating physician, you must continue to file Medicare claims for your Medicare-eligible beneficiaries unless you have opted out of Medicare.

Under the Administrative Simplification Compliance Act, you will be required to file Medicare claims electronically after October 16, 2003, unless you have fewer than 10 full-time employee equivalents. If you do file electronic Medicare claims, that will make you a covered entity under HIPAA.

20. What if I file some paper claims, and some electronic claims - won't just the electronic claims be subject to the HIPAA rules?
No, the HHS guidance states that if you are a covered entity, even your paper records - and even your oral communications - are subject to HIPAA regulations and compliance.

21. What if I don't file electronic claims for federal programs - will I be non-covered?
No, that does not guarantee status as a non-covered entity. Remember, any electronic claims are subject to HIPAA regulations and compliance. If you file private or State claims electronically, you will waive your status as a non-covered entity.

22. I don't think I have many business associates. Just what is a business associate as defined by HIPAA?
Actually, we've been told some covered entities are facing execution of up to ten thousand business associate agreements to comply with HIPAA regulations. Here's the definition:

A person who, on behalf of a covered entity, performs or assists in the performance of:

1) A function or activity involving the use of disclosure of individually identifiable information, including activities such as claims processing or administration, data analysis, administration, utilization review, quality assurance, practice management, billing benefit management or repricing; or

2) Provides (other than in the capacity of a member of the workforce of such covered entity) legal, actuarial, accounting consulting, data aggregation, management, administrative, accreditation, or financial services to or for such covered entity.

23. How does HIPAA define the "minimum necessary" standard?
Under HIPAA, the minimum necessary standard requires that covered entities make all "reasonable" efforts to limit the protected health information to the minimum necessary to accomplish the purpose of use of disclosure. Treatment is excluded from the standard.

24. But who decides then what is the "minimum necessary"?
There's the catch. An insurance company or the government's idea what is the "minimum necessary" may be different from yours. Since the HHS rules are not clear, ultimately - as a covered entity - you are likely to be required to disclose more information than you would without the rule. See AAPS Testimony on Minimum Necessary Standard.

25. What are the permitted uses and disclosure of patient information under HIPAA without patient authorization?
In practice, anything the government says is okay, including, but not limited to: Public health activities, reporting abuse, health "oversight" activities, law enforcement, judicial and administrative proceedings, organ procurement, research, military and intelligence functions, workers compensation, coroners and medical examiners, and imminent threat to the individual's or public's health or safety.

26. What makes me a covered entity?
The regulations define a "covered entity" as anyone who utilizes transaction standards, and transmits data ("protected health information") electronically either though your own office, your hospital, or a billing agent.

Click here to read the complete rule in Section 1173(a)(1) of the Act

27. How can I become a non-covered entity?
You may be a non-covered entity now unless you voluntarily relinquish that status. You will become a covered entity if you choose to by doing the things that make you a covered entity.

28. What paperwork do I have to file to become a non-covered entity?
None. You do not need to file any forms with HHS or sign any legal documents.

29. What is the deadline to become a non-covered entity?
There is no deadline. Again, you can be a non-covered entity if you do not file electronic claims and do not sign any contracts or certification promising compliance.

You must not transmit any "protected health information" electronically after the April 14, 2003, deadline for compliance with the privacy regulations if you are a non-covered entity. But to be safe, some attorneys recommend that you stop filing electronic claims before the October 2002 transaction standards compliance deadline.

There's one more reason to stop submitting by October 16, 2002. If you file any electronic claims after October 16, 2002, but do not comply with the transaction standards or have not filed for an extension, you could be excluded from Medicare.

30. What if I've already filed an extension for the October 2002 deadline with HHS?
Some lawyers have warned that filing an extension is an implicit promise to comply by the date stated. In other contexts, deviating from your own compliance plan can be a serious infraction in and of itself. However, the definition of covered v. noncovered is completely objective and does not depend on a doctor's intent. If a doctor is not covered as a matter of law, then it should not matter whether he asked for an extension or not.

31. What if my hospital asks me to sign a contract or a business associate agreement?
The HIPAA regulations are clear that extension of hospital privileges does NOT require a business associate agreement. Click here for a sample letter to a hospital and citation of the regulations.

32. What if I've already signed a business associate contract with my hospital or any other agreement promising or requiring compliance? Can I rescind that agreement?
You may still be able to qualify as a non-covered entity. Read the agreement for a termination clause, and check with your attorney.

33. Do I need a lawyer to help me become a non-covered entity?
If you meet the requirements and do not file a compliance plan or extension, and do not sign any agreements or certifications stating or implying that you are a covered entity, you should remain a non-covered entity.

But as with any legal issues, it would be wise to consult with an attorney who specializes in health care and HIPAA.

34. What if I transmit clinical data electronically for consults, etc. Under HIPAA, is that a covered transmission of data?
Communications with others, such as consultants who are caring for a patient, are not listed in the regulations as activities that are subject to HIPAA compliance. You should be able to continue to send data for this purpose as a non-covered entity - as long as the transmission is not a cover for regulated uses such as claims-filings or others listed in Section 1173.

35. Can I still send e-mail to attorneys as a non-covered entity?
Communications with attorneys are protected by the attorney-client privilege, which still exists under today's law. The New York State Bar Association has sued the government for attempting to apply the Gramm Leach Bliley "privacy" law (designed for financial institutions) to them. The definitions above do not include consultations with attorneys.

36. Can I use an outside billing company and be a non-covered entity?
Our attorney says the answer is probably no, unless they will file paper claims and you don't transmit the files to them electronically. (See section 1173 for the list of triggering activities.)

HHS insists that doctors are responsible for the activities of their outside billing services.

37. How does being a "non-covered entity" affect certification under other agencies and organizations?
Being a non-covered entity should not change your certification. You will attest that you have complied with all regulations that apply to you. As a non-covered entity, HIPAA should not be one of those. (Consider consulting your attorney about stipulating in the certification statement that you a non-covered entity.)

However, extreme caution is in order if the statement implies or states that you are a covered entity. PriceWaterhouseCoopers warns about statements certifying HIPAA compliance required by accreditation bodies such as NCQA and JCAHO, state regulators and licensing agencies, or federal programs including Medicare, Medicaid, and the Federal Employee Health Benefit Program. If a false certification is discovered, all the draconian penalties of the False Claims Act (FCA) could also be triggered - even if the claim itself is perfectly accurate. (See pwchealth.com/articles.shtml).

38. Can I be a non-covered entity under HIPAA and still participate in Medicare?
Yes, if you have fewer than 10 employees you can get an exemption from filing electronic claims for Medicare patients. But remember, you must not file ANY electronic claims. (See also #29.)

You might want to consider opting out. On careful analysis, some physicians have found that they are actually losing money on every Medicare patient that they see. Even if this is not true in your practice, the HIPAA compliance costs that you might otherwise not incur could tip the balance toward opting out. A simple, step-by-step plan for opting out is available at www.aapsonline.org/medicare/optout.htm.

39. How will being a non-covered entity affect my patients?
On an administrative basis, it should not change anything for your patients. If you continue to file their claims for them, you will now just do so with paper claims. However, it may have very real impact on your patients' privacy since their records will not be entered into a networked insurance or government database. Of course, the government can still demand the paper record, but this requires a subpoena. Many patients report that claims are paid more quickly if they file them directly with their carriers. You might consider encouraging patients to file their own claims.

40. How will being a non-covered entity affect my reimbursements?
While some entities may impose a surcharge for paper claims, the reimbursement should remain the same for any method of filing a claim. Some plans might take longer to process paper claims, but that would merely represent a one-time shift in monthly payments. Some physicians report faster payment with paper claims.

41. Won't it cost me more to process all paper claims?
The costs associated with attempting to reach and maintain compliance as a covered entity would greatly exceed any small administrative costs of handling paper claims. The same computer that you use to file electronically could be used just to fill out the paper claim. You might want to remove its connection to a phone line to be sure that transmission does not occur. Also, you need to weigh this cost against the potential fines and punishment for imperfect compliance.

42. Can private plans charge me a processing fee for filing paper claims? What about my Medicare carrier? Can I pass those surcharges along to my patients?
Yes, we expect that some plans may impose a processing surcharge, and CMS has discussed it as well. You probably will be prohibited from passing along the charge to Medicare patients, but could do so for private patients.

43. I use a handheld or laptop in the examining room to enter my notes. Can I continue to do so as a non-covered entity?
You may do so as long as you do not transmit information electronically. You might want to encrypt your hard drive and restrict access to the files even though this is not required of non-convered entities by government rules.

44. Will I have to restrict my use of online resources such as Medline?
You may use the computer, as long as you do not transmit protected health information electronically.

45. If I'm a non-covered entity, am I forever stuck with snail mail, faxes, phone calls, and stacks of paper?
No, you can always become a covered entity. Perhaps later the regulations will be rescinded, clarified, simplified, or at least truly finalized - and the record of the Office of Civil Rights regarding reasonableness of enforcement will be known. If the industry as a whole continues its policy of going along to get along, don't expect much improvement. But if, by becoming non-covered, physicians demonstrate - in a way that Congress can understand - that compliance is unworkable and wrong, regulatory and preferably statutory relief is more likely.

Better to suffer with horse-and-buggy technology for a few more years than to be forever stuck with a Yugo.

46. Do I need to advise my patients of my status and policies as a non-covered entity?
No, and you may continue to use your current privacy consent forms.

However, you might want to consider giving your patients a statement about being a non-covered entity. Even though it is not required, it is an excellent opportunity to make a very positive statement to your patients that you are their advocate and that you have taken a big step to protect their privacy (see sample Patient Protection Advisory).


The information above represents the analysis of the Association of American Physicians and Surgeons for public discussion and debate. This may not be construed as legal advice. Please consult an attorney for legal advice.

Resources utilized in preparation:

This FAQ utilizes in part statements by the following:

Karen Trudel
Director of HIPAA Projects
Centers for Medicare and Medicaid Serivces

Andrew Schlafly, Esq.
AAPS General Counsel
New York, NY

Vicki Yates Brown, Esq.
Chair, Health & Insurance Practice Group
Greenebaum, Doll & McDonald PLLC
Louisville, KY

Donna Boswell, Esq., PhD
Partner, Health Group
Hogan & Hartson
Washington DC

Paul Smith, Esq.
Partner, Health Group
Davis Wright Tremaine
San Francisco, CA

HIPAA Weekly Monitor
Published by HCPRO