What's Happening with HIPAA: One Step at a Time -- No Need To Panic … Yet

Agency regulations can be a jungle of legal language, and physicians who are not aware of regulations may find themselves in an administrative conundrum. The most notable regulations facing Texas physicians are the federal regulations created to implement "HIPAA." In this monthly feature, the TMA Office of General Counsel discusses practical steps on how to begin the process of complying with those regulations.

One Step at a Time -- No Need To Panic … Yet
By Lee Spangler, JD, TMA Office of General Counsel  

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted to make sure employee health benefits were portable from one employer to another without the fear of exclusions from preexisting conditions and to provide administrative simplification.

Administrative simplification takes two forms: standardizing certain electronic transactions related to the delivery of health care, and protecting the confidentiality and reliability of the information exchanged in such transactions. The administrative simplification regulations are of the most concern to physicians.

Most physician practices have received an inflammatory sales blast-fax warning of the penalties physicians can face for violating the law, causing unnecessary concern. Recent news stories discussing filing deadlines and requirements for health care transactions often do not tell the whole story, lulling physicians into complacency where action is needed. There is no need to panic. There are very practical steps physician offices can take to start the process of HIPAA compliance.

Transactions and Code Sets  

Literally hundreds of electronic claims formats are required by insurers, health maintenance organizations (HMOs), and government health care programs. To make an already complex situation almost unmanageable, each claim format may require a different set of codes to complete the form. The HIPAA transactions and code sets regulations are an attempt to standardize electronic claims filing. The standardized transaction format applies to claims for payment, enrollment in a health plan, eligibility, claim status, referral certification and authorization, and coordination of benefits.

This can be of enormous benefit to physician practices, as staff training for filing claims and obtaining confirmation of eligibility and claims will be greatly reduced. The standardization also will reduce errors and speed payment. However, to accomplish the goals behind standardized transactions, the regulations require that plans be able to accept the standardized claims format and code sets, and that physicians who submit claims electronically must submit claims in the standardized format.

According to the regulations, all affected entities (including physicians) must comply with the "standardized transactions" regulation on Oct. 16, 2002. DON'T PANIC. Congress passed House Bill 3323, which will give physicians a one-year extension for compliance if they submit a compliance plan on or before Oct. 15, 2002. Congress required the U.S. Department of Health and Human Services (HHS) to provide a form and guidance to aid physicians in obtaining the extension.

Simple Steps  


  • Go to http://www.cms.hhs.gov/hipaa/hipaa2/enforcement/paper_complaint_form_revised.pdf , where the government has posted the necessary form to file for compliance;
  • Do some homework:

    • Read the form,
    • Gather the basic information it requires,
    • If you have a timeline for transactions compliance, you will need it,
    • Ask your current claims-processing vendor about their plans for compliance with HIPAA transactions regulations;


  • Complete the form and mail it; or
  • Go back to the Web site and click on the link for the electronic form and submit your compliance plan over the Web. If you file electronically, you will get a confirmation that the government has received your extension filing.

According to the federal government, submitting a properly completed compliance extension plan is sufficient to secure the one-year extension. Also, if a physician is in a group practice, the group may submit a single plan (i.e., each individual physician in a group need not submit an individual plan).

Confidentiality and Privacy  

Last year, HHS adopted a regulation meant to deal with the privacy of health information transmitted electronically. The privacy regulation has met with considerable controversy ever since. All physicians who transmit health information electronically must comply with the privacy regulation, which means, for all practical purposes, all physicians must comply. The final date for compliance is April 14, 2003.

When the government published the adoption of the privacy regulation in the Federal Register, it asked for comments on the rule. Several months after the adoption, HHS issued guidance on the privacy regulation and indicated that because of the comments received, the privacy rule would be modified. In March of this year, HHS published proposed modifications to the privacy regulation with a 30-day comment period after which HHS will finalize those modifications. Thus, the exact form the privacy regulation will take is, at this point, partly unknown.

DON'T PANIC. Practices have months yet to comply.

Simple Steps  


  • Get educated:

    • The regulation requires that a practice designate a "privacy officer" to make privacy-related decisions.  Tentatively appoint a person in the practice to be the "privacy officer." Send that person to educational seminars on HIPAA privacy. Have your new "privacy officer" provide the entire office with a summary of what was discussed at each seminar;

    • TMA will conduct training sessions on privacy and transaction standards in July and August. Tentative dates are Tyler, July 9; Dallas, July 10; Austin, July 11; Fort Worth, July 16; Abilene, July 17; Conroe, Aug. 14; Houston, Aug. 15; McAllen, Aug. 20; Corpus Christi, Aug. 21; San Antonio, Aug. 22; Amarillo, Aug. 27; and El Paso, Aug. 29.
  • Ask your vendors for claims payment and/or collections whether they plan to comply with HIPAA privacy.

  • After some education, evaluate (or have your privacy officer evaluate) your practice's current activities in comparison to what the HIPAA privacy regulation requires. Don't forget: Protecting privacy can also be good risk management under current law.     

    • The regulation requires the practice to have policies related to HIPAA privacy, so the evaluator should be thinking in terms of what revised or new office policies may be needed.

  • Create a tentative timeline for privacy compliance:

    • The proposed modification to the privacy rule (mentioned above) will not be final until this summer. So, ensure your plans are flexible.      

  • Watch for information in TMA publications and on the TMA Web site:

    • TMA will keep physicians informed about the HIPAA privacy regulation as it changes.     

Physicians have always had a legal and ethical duty to maintain the confidentiality of the information patients provide. Although the privacy regulation may create some changes in the methods used to protect that information or require documentation where none was previously required, the basic goal is the same -- ensuring the effective delivery of health care by giving patients confidence that the information shared with their physician will be used to heal, not harm or embarrass.