HIPAA Frequently
Asked Questions and
Answers:
Here are the answers to general questions that have been asked of
DHFS regarding HIPAA and may be of broad interest. Check out
"WI Medicaid HIPAA Questions
and Answers " to find questions specific to
Medicaid, BadgerCare, and HIRSP.
Q1: What are the compliance
due dates for HIPAA?
A: Please see our "Key
Dates" section.
Q2: What are the benefits of
HIPAA?
A: HIPAA is intended to improve the efficiency and
effectiveness of health
care through standardization of shared
electronic information. The
current lack of standardization creates a
great deal of extra
administrative work and makes it difficult and
expensive to develop and
maintain software.
The goals of HIPAA are to:
- Simplify the electronic exchange of information.
- Standardize codes.
- Streamline billing and administrative procedures.
- Reduce the costs of administrative operations.
- Reduce paperwork.
- Improve trust in the confidentiality of exchanged information.
Q3:When is the deadline for HIPAA
compliance?
A: The health care industry has approximately 26 months from the
publication of each rule to implement the standards of that rule. Each
component of HIPAA is separate and will be published and finalized in
a
staggered fashion, so compliance deadlines will vary based on the
publication date for each rule. The deadline for the final rule on
"Electronic Transactions" is October 2002. Covered
entities may
apply for an extension to October 2003. The compliance date
for the
"Privacy Rule" is April 2003.
For the most current compliance
deadline information available, refer
to the U.S. Department of HHS
Administrative Simplification Web site
at:
http://www.hhs.gov/
Q4: Who must comply with the federal HIPAA regulations?
A: Anyone transmitting electronic health care information must
comply
with the federal HIPAA regulations, including:
- All health care providers, including one-doctor offices, who
submit or receive any of the electronic transactions standardized
under HIPAA legislation.
- Health plans, including government plans.
- Health care clearinghouses, including billing services and
vendors.
- When one of the above entities submits or receives a standardized
transaction electronically, that entity must be able to support the
national uniform electronic standard for that particular
transaction.
Q5: Where can I get more information?
A: The Internet is the best source of information about HIPAA.
Please
see our Helpful Links
section to find out more.
Q6: What programs are small health plans
and when must they comply
with
HIPAA?
A: Health plans with $5 million or less in annual receipts are small
health
plans. The statewide Wisconsin Well Woman Program and statewide
WisconCare are considered to be small health plans. Each county
General
Relief Medical program may be a small health plan if annual
receipts are
$5 million or less. Each county is considered a separate
program and the
$5 million test can be applied at the county level.
Other county and
city funded programs may be health plans, and would
qualify as small
health plans if they meet the annual receipts test.
Counties and cities
should consult with their legal counsels for
determinations on specific
programs. Small health plans have until
April 14, 2004 to comply with
the Privacy Rule. They have until October
16, 2003 to comply with the
Electronic Code Sets and Transactions
Rule, regardless of whether they
filed for an extension
Q7:To the extent that counties are covered by
HIPAA, who are
their
business associates?
A: A business associate relationship exists when an entity acts
on the
behalf of a covered entity in the performance of an
administrative
function involving the use or disclosure of protected
health information
(PHI). A covered entity that shares PHI with
another entity for treatment
purposes does not establish a
business associate relationship.
Whether a county has a business
associate relationship with another
entity depends on the HIPAA status
of the county in the situation and
the nature of the business conducted
between the two parties.
Counties can have three statuses under
HIPAA.
1. Where a county is a covered provider under HIPAA
(e.g., because they
bill Medicaid electronically for health care
services):
- Other providers they refer clients to for health care services are
not business associates
- Other providers they subcontract and pay for health care services
are not business associates
- Individuals they directly hire to provide health care services are
not business associates
- Organizations and persons they engage to provide administrative
functions that involve PHI (such as but not limited to data
processing, quality assurance, billing, legal services, consulting) are
business associates. (Persons they directly hire as part of
their workforce are not business associates.)
2. Where a county is a covered entity as a health plan
(e.g., for General
Relief Medical):
- Providers or other health plans they refer clients to for health
care services are not business associates
- Providers they pay for health care services are not business
associates
- Individuals they directly hire to provide health care services are
not business associates
- Organizations and persons they engage to provide administrative
functions that involve PHI (such as but not limited to data
processing, quality assurance, billing, legal services or
consulting) are business associates. (Persons they directly
hire as part of their workforce are not business associates.)
3. Where a county is a business associate of DHFS in
administering the
Medicaid Home and Community Based Waivers and COP:
- The providers they pay for health care services are not business
associates
- Individuals they directly hire to provide health care services are
not business associates
- Providers or health plans they refer clients to for health care
services are not business associates
- Organizations and persons they engage to provide administrative
functions that involve PHI (such as but not limited to data
processing, quality assurance, billing, legal services or
consulting) are not business associates. (Persons they
directly hire as part of their workforce are also not business
associates.). However, according to the county's
business associate agreement with DHFS, the county as a business
associate must ensure that any of its agents performing covered
administrative functions, including subcontractors, agree to the
same restrictions on PHI that apply to it. (An entity can not
in the role of business associate have business associates of its
own. But that same entity could have business associates in
its role as a covered entity.)
Q8:
Must county and tribal agencies that administer Medicaid Home
and Community Based Waiver
programs as business
associates of DHFS accept
electronic claims from providers for
non-health care services, or may
they require paper?
A: The agencies may require paper for non-health care services
in the
waiver programs. As business associates
of DHFS administering the
waiver programs, county and tribal
agencies must accept standard
HIPAA electronic claims from providers in
those programs for health
care services. However, HIPAA does not
cover non-health care
services and the agencies have the option
of requiring claims be
submitted on paper. Agencies should
nonetheless consider accepting
HIPAA standard electronic claims for
non-health care services where
this would be efficient (such as when
they already have the capacity to
accept electronic claims for health care
services).
Q9:Why is case management in the Home and Community Based
Waiver (HCBW) programs listed as a health
care service when it was
earlier listed as non-health care?
A: DHFS is considering case management to be a health care service
whenever Medicaid funds it. This applies across
all programs using
Medicaid funding, including "card
services", HCBW and Child
Welfare. This is consistent with a federal
interpretation that for HIPAA
purposes case management is health care in the
Medicaid program.
Case management in HCBW was earlier listed as
non-health care
because most services that are managed in a
HCBW case are
non-health care and because case management has
traditionally
been considered in social programs to not be a
medical service. After
further analysis, however, we now place greater
emphasis on the
importance of consistency within the Medicaid
program and with the
federal interpretation.
Considering case management to be health care
for HCBW should
have minimal local impact. Many if not most
counties provide case
management with in-house staff. These staff
would have to comply with
the Privacy Rule, but will often be in
organizational units that are already
designated as health care components and
complying with the rule.
Counties and tribes that contract for case
management could be
impacted if the providers of case management
want to bill for these
services electronically, in which case the
counties and tribes would
need to pay for conducting (more) electronic
transactions. This could be
a minor incremental cost of paying for claims
translation through the
DHFS County Claims Clearinghouse or other
clearinghouse service. In
some cases, processing claims electronically
rather than manually will
be a saving for the agency. Providers of
contracted case management
services should not be significantly impacted,
as they have the option
of electronic or paper billing. If they are
electronically billing Medicaid
card services for case management or any other
service, they will
already be using the standard HIPAA
transactions.
Q10:
What responsibilities do counties and tribes have for issuing a
Notice of Privacy
Practices?
A: The Division of Health Care Financing (DHCF) distributed the
HIPAA-required Notice of Privacy Practices to
current enrollees in
these programs: Medicaid (MA, Medical
Assistance, T-19) programs
including BadgerCare; Family Care; Healthy
Start; Medical Assistance
Purchase Plan (MAPP); Program for all Inclusive
Care for the Elderly
(PACE); Partnership; Community Options
Program-Waiver; Community
Integration Program II; Community Integration
Program 1A; Community
Integration Program 1B; Brain Injury Waiver;
Community Supportive
Living Arrangement. Separate but similar
Notices were distributed for
HIRSP and SeniorCare. DHCF will continue to
issue the Notice to new
enrollees in these programs. Because they are
small health plans, no
Notices are currently being distributed for
WisconCare, Wisconsin Well
Woman Program, or Chronic Disease. These
Notices will be
distributed by DHFS later, as these programs
have until April 2004 to
comply. Here is what counties and other DHFS
business partners must
do regarding Notices to comply with HIPAA.
- As business associates of DHFS in administering the Home and
Community Based Waiver programs, counties do not need to issue a
Notice of Privacy Practices. The DHFS Notice is all that is needed.
Counties should direct any questions from enrollees about the Notice
to the contacts identified in the Notice. DHFS will be providing
more information to counties about procedures for accessing and
amending client records.
- As covered entities in their own right (as health plans), Family
Care Care Management Organizations (Family Care CMOs) and
PACE/Partnership sites must issue a separate Notice to enrollees by
April 14, 2003 (and to new enrollees thereafter). They do not need
to obtain an acknowledgment of receipt of the Notice.
- If a county has covered entity status under HIPAA as a health plan
for a county funded program, such as General Relief Medical, the
county must issue a separate Notice to enrollees by April 14, 2003
(and to new enrollees thereafter). Many county funded programs will
meet the definition of a small health plan and have until April 14,
2004 to distribute their Notice. They do not need to obtain an
acknowledgment of receipt of the Notice.
- If a county has covered entity status under HIPAA as a provider
(because they electronically bill a health plan for health care),
then they must issue a separate Notice to service recipients at the
first instance of service starting April 14, 2003. They must make a
reasonable effort to obtain a written acknowledgment of receipt and
document situations where they do not obtain an acknowledgment.
Q11: As business associates of DHFS administering the Waiver
programs, must
counties and tribes be capable of conducting all the
HIPAA standard
electronic transactions?
A: Counties and tribes have a limited
amount of flexibility in complying
with this
requirement. Read a discussion.
Q12: Can I bill Medicare on paper after October 15, 2003?
A: Effective October 16, 2003
only a small provider may bill Medicare
on paper.
There are two types of small providers.
- The Social Security Act defines "provider of services"
to include seven types of institutional or special purpose
providers. This term generally describes hospitals, skilled nursing
facilities, comprehensive outpatient rehabilitation facilities, home
health agencies, hospice programs and other institutional providers
that are paid through Medicaid fiscal intermediaries (in Wisconsin,
Blue Cross Blue Shield of Wisconsin—doing business as United
Government Services) under Part A and some of Part B. A
"provider of services" with fewer than 25 full-time
equivalent employees may continue to submit claims on paper.
- The Social Security Act also defines "physician,
practitioner, facility, or supplier" as entities that furnish
Medicare services. These are generally paid through Medicare
carriers (WPS in Wisconsin) under Part B. A provider of this type
with fewer than 10 full-time equivalent employees may continue to
submit claims on paper.
Read two CMS
documents on this subject.
June
24, 2003 memo "Medicare "waiver" for small providers
billing on paper".
June
23, 2003 memo "Are Small Providers Covered Entities
under HIPAA?"
Q13: How do I file a complaint about
a HIPAA privacy violation?
A: You may complain to the provider
or health plan you believe
violated
HIPAA. A contact must be listed in their Notice of Privacy
Practices.
You may also complain to the federal Office of Civil
Rights. You
do not need to file with the provider or health plan first.
You may file
first with the federal government.
Contact
information for filing a complaint with the federal
government.
Q14. What is the status of county income maintenance
units
under
HIPAA?
A14. County units determining eligibility determination for state
programs
are not considered by the
federal Department of Health and Human
Services or the state
Department of Health and Family Services to be
covered under HIPAA.
Consequently, counties should not designate
these units as health
care components. Consistent with this
interpretation, DHFS
considers CARES to not contain PHI. If a county
nonetheless designates
its IM unit as covered under HIPAA it may
have difficulty complying
because DHFS is not treating the
information in CARES as
covered by HIPAA. (CARES will, however,
continue to abide by
existing federal and state confidentiality
requirements other than
but usually consistent with HIPAA.) DHFS’
position on this is laid
out in DHCF numbered memo 3-06, available
on the Internet
at
http://dhfs.wisconsin.gov/em/adminmemos/2003/pdf/03-06.pdf
Q15: Does HIPAA allow protected health information to be disclosed by
the
mental health division of a Human
Services Department to the Child
Protective services unit of the same
HSD without authorization by the
subject of the record?
A15. Wis. Stat. § 49.981(2) & (3) require certain persons to
report information
about suspected child abuse or neglect to county
departments providing
child welfare services. These departments are
required by
Wis. Stat. § 49.981(3)(c) and Wis. Stat. § 48.57(1)(a) to
conduct a
diligent investigation upon receipt of such report. Wis.
Stat. § 46.23
allows the county HSD to perform the duties of a county
child welfare
department. Thus, it is the opinion of DHFS that the
CPS unit of the HSD
may receive otherwise protected and confidential
information from other
parts of the HSD without client/parent
authorization if the information is
related to a report of child
abuse. The amount and kind of information
disclosed is limited by
HIPAA to the minimum necessary for the purpose
of the disclosure and by
Wis. Stat. § 46.23 to what is needed for the HSD
employee or contractor
to perform his or her duties, or for the HSD to
coordinate service
delivery.
Counties should discuss their specific situation with
their Corporation
Counsels. Read a
letter from DHFS to Rock County providing
more
information on this
subject.
Last updated: September 02, 2009
|
