HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.  The overall intent of HIPAA is to improve the administration of the health care system while ensuring the privacy and security of individually identifiable health information.  HIPAA establishes national standards for electronic transactions and code sets; identifiers for employers, health plans, and providers; security standards; and other provisions to protect individuals’ personal health information and give patients increased access to their medical records and enforcement provisions. This legislation addresses medical, mental health and substance abuse services paid for through such funding sources as Medicaid.

The time for the implementation of HIPAA is approaching.  If you do not know what HIPAA means or its relevance to you, you are not alone. Many other agencies are in the same position.   

Who must comply with HIPAA? 

Covered entities include health care providers (including providers of mental health and substance abuse services) who choose to conduct any of the covered transactions electronically, health plans, and healthcare clearinghouses.  

How are child welfare agencies affected?  

Public and private child welfare agencies may be required to comply with HIPAA, especially if involved through contractual arrangements in service delivery networks.  It is still not absolutely clear who will be required to comply, but details may not be clear until after the compliance date has passed.  Therefore, CWLA recommends that all public and voluntary child welfare agencies proceed as though they are a covered entity for purposes of HIPAA compliance until their status is determined.[1]

As a covered entity, what changes will be required? 

If you are a covered entity and must comply with HIPAA rules, there will be changes to your business operations.  The thousands of local procedure codes utilized across the country have been distilled into about 80 codes with modifiers for such elements as location of the service and funding sources.  Covered entities must use the new procedure codes as well as meet requirements to ensure privacy that include identification of a Privacy Officer, policies and procedures to be in place, and training.  There are significant financial penalties for failure to comply with the requirements of HIPAA. 

What are the timeframes for compliance? 

The privacy requirements are the first part of HIPAA requiring compliance.    Currently, some parts of the rule are being revised, with a release anticipated in August, but there has been no extension and agencies must comply with the HIPAA Privacy Rule by April 14, 2003.  

Compliance with the requirements for the electronic transaction and code sets is the next step.  The Administrative Simplification Compliance Act (ASCA), effective in December 2001, extended the deadline for compliance with the HIPAA Electronic Health Care Transactions and Code Sets standards.  It extends the date one year, to October 16, 2003, for all covered entities.  In order to facilitate receiving an extension, the Centers for Medicare and Medicaid Services (CMS) have developed an on-line form.  If you are required to comply with HIPAA and do not submit an extension, then the presumption is that you will “go live” on October 16, 2002.

How is a covered entity determined? 

The U.S. Department of Health and Human Services (HHS) will not make a determination regarding whether a specific provider, organization, or agency is a covered entity. They recommend seeking legal counsel in combination with an internal review of your business operations and associations.   Each State will determine who is and who is not a covered entity for purposes of HIPAA compliance.  If you do not know who the HIPAA representative or team is in your state, please contact HIPAA@cwla.org and we will help facilitate this process.    

What should an agency do pending a determination? 

CMS recommends that any public or private agency that potentially could be considered a covered entity or business associate complete a “cautionary filing” for an extension.  A cautionary filing is considered a filing that may result in an extension when an organization is not sure it will be ready, or does not know whether it is a covered entity.  Filing a cautionary extension does not mean that you become a covered entity, but provides coverage in the event that HIPAA applies to you.[2] 

In order to receive an extension, covered entities must submit their ASCA compliance plans on or before October 15, 2002 to CMS.  The Electronic Filing Form may be accessed at the following site: 

http://cms.hhs.gov/hipaa/hipaa2/ascaform.asp  

Once the determination is made that you are a covered entity, all requirements of this law must be met. 

What action is CWLA taking? 

CWLA has been working with Substance Abuse and Mental Health Services Administration (SAMHSA) to identify:·         The required criteria for compliance, as the process of distilling the rules into “understandable” guidelines is still underway; Strategies to ensure full compliance and model documents for actual implementation of HIPAA compliance; and  Possible resources for implementation. 

References:

(Codified at 45 C.F.R. Parts 160, 162)   (42 C.F.R. Parts 2 – Related to Substance Abuse services and records privacy that may influence HIPAA compliance)