September 28, 2017
By Bert Ryan
Memphis Family Clinic gives each new patient a copy of their Notice of Privacy Practices (NPP). Of course, this is required by HIPAA. Beyond that, Kim hasn't given much consideration to HIPAA. She has taken an online certification class and passed a 20-question multiple-choice test. For that, she got a certificate. More than anything, the CE-accredited HIPAA class confused her.
Some time later, one of the admins asked Kim, "We are a small clinic. Do we have to obey HIPAA?" Kim replied truthfully, "I think so, but since we are small they won't bother with us." They Googled it and found this confusing definition of who must comply with (obey) HIPAA. Keep in mind, this comes from HHS, the definitive source.
As required by Congress in HIPAA, the Privacy Rule covers:
- Health plans
- Health care clearinghouses
- Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
These entities (collectively called "covered entities") are bound by the privacy standards even if they contract with others (called "business associates") to perform some of their essential functions.
HIPAA is widely misunderstood because of the residue of too many legal, legislative, and confusing concepts. From above, here are the confusing things:
The people that wrote the HIPAA rules are good people. They probably had constraints - unknown to us - that made it difficult to write these rules. What constraints would lead them to compromise with the contorted definition "conduct certain transactions electronically"? Here is a guess. There are still many healthcare providers that might be characterized as "old school." These old school clinics prefer to use paper medical records, prefer to fax documents and don't trust email, computers or the internet. I suspect that this kind of loophole language is the result of pushback to exempt the old school clinics. Perhaps the law makers were trying to say, if you are an old school clinic, you do not have to obey HIPAA.
Kim and Memphis Family Clinic do not have the legal or technical resources to parse these rules. Keep in mind that this is just the first of hundreds of HIPAA rules that Kim has to interpret. The ClinicNerds refer to this and other confusing phrases as "Hard HIPAA." If HIPAA is ever to be widely understood, we need to simplify the legal language, the legislative language, and the confusing concepts. We need to create "Easy HIPAA" which dials back the legal, legislative and technical jargon and is explicit, not abstract or interpretive.
Here are some suggestions for fixing the problems. The healthcare industry is huge. Do not try to cover the whole healthcare industry with one explanation of the HIPAA rules. Give separate documents for health insurance companies, health researchers, health providers, pharmacies, etc. Lumping them together creates too many permutations and wording challenges.
Be explicit. Make it easy for providers to know if they are in or they are out. Wouldn't it be easier to say something like:
Laughing about the veterinarian bit? There are several veterinarian websites that include a HIPAA Notice of Privacy Practices (NPP). HIPAA explanations are so confusing that even some veterinarians are claiming to obey HIPAA. Or maybe this is a new marketing gimmick for vets in a competitive market: "We give your labradoodle the same HIPAA rights as people!"
For the record, veterinarians DO NOT have to obey HIPAA and dogs have no HIPAA rights guaranteed by Congress.
Update: This document is a little better but, in my opinion, this is still too hard. Are You a Covered Entity? This also highlights another problem - the explanations are spread out across too many government websites. This link is from CMS yet most authoritative HIPAA documents are on the HHS or NIST websites. Is Kim supposed to know to go to all of these different websites? Is she expected to know the hierarchical structure of the various government agencies? There are at least six different government websites with HIPAA explanations.