I’m All Cash Pay with No Computers or Electronic Devices—Must I Comply with HIPAA?

I received the following Contact Form submission on this website:

Message: “Hi. I am wondering if you could do a blog in the following topic. A Health Care provider does not do any electronic transactions, and in fact is all cash pay, no computers or electronic devices are used in his/her practice. Must they comply with HIPAA?”

I am happy to post on that topic, which is one I run into quite often when I am giving seminars around the country.

The short answer is probably not, but several circumstances could require such a provider to comply with HIPAA despite the general rule that would otherwise exclude it.

Covered entities and their business associates must comply with HIPAA. Covered Entities consist of health plans, health care clearinghouses, Medicare prescription drug sponsors, and providers that transmit any health information in connection with a covered transaction. 45 C.F.R. § 160.102. Business associates are not covered entities, but the HITECH Act requires them to comply with most of HIPAA as if they were. Title XIII of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act, Subtitle D—Privacy Part I, § 13401 (“HITECH Act”).

Unless something else requires HIPAA compliance, as discussed below, providers that do not transmit any health information in connection with a covered transaction are not covered entities. Those standard transactions are the following:

  • Health care claims or equivalent encounter information.
  • Health care payment and remittance advice.
  • Coordination of benefits.
  • Health care claim status.
  • Enrollment and disenrollment in a health plan.
  • Eligibility for a health plan.
  • Health plan premium payments.
  • Referral certification and authorization.
  • First report of injury.
  • Health claims attachments.
  • Other transactions that the Secretary of Health and Human Services may prescribe by regulation.

Sometimes, people use a shorthand version of the above rule and say that, if a provider does not bill electronically, that provider is not a covered entity. That theory is usually, but not always, true. A provider could avoid billing electronically, but if that provider, say, has to send a first report of injury to some other entity in electronic format, then the provider is transmitting one of the standard transactions electronically and is therefore a covered entity. Note that sending a paper fax is not an electronic transmission for purposes of determining whether one is a covered entity.

Also note that using another entity to “bill electronically” does not allow you as a provider to avoid covered entity status. In that case, the billing or other service would be your agent, which means that you would be sending one or more of the standard transactions in electronic format.

Four other ways exist that could require a provider that does not transmit one or more of the standard transactions to comply with HIPAA. First, the provider may qualify as a health plan. The language “that transmit any health information in connection with a covered transaction” modifies only providers, not the other three types of covered entities. A college student clinic might not transmit any of the standard transactions in electronic format but might qualify under the definition of a health plan.

Second, the provider could contract to provide health services to another entity that, by contract, would require the provider to be HIPAA compliant.

Third, the provider could be a business associate of another covered entity and so have to follow the Security Rule and Privacy Rule under the HITECH Act’s expansion of HIPAA compliance to business associates. A business associate is a person or entity that provides services for or on behalf of a covered entity that involve protected health information (“PHI”) other than the provision of health care. So if another (covered) entity hires the provider to provide health services, the provider would not be a business associate. But if the other entity hires the provider to perform quality assurance, utilization review, or other non-treatment services, the provider would qualify as a business associate and would have to comply with the portions of HIPAA applicable to business associates.

Finally, the provider might decide to be HIPAA compliant for business reasons. Covered entities may share PHI with other covered entities without the patient’s consent, but not with non-covered entities, which might make being a covered entity a good business decision. Or, in a practice such as a mental and behavioral health practice, clients might wonder why other practices seem to “care about their privacy” and provide a Notice of Privacy Practices as required under HIPAA while this one does not.

Further, a strong legal argument exists that HIPAA security and privacy standards are pretty much the standard of care for protecting health information regardless of whether or not one is a covered entity.

Note that whether the provider uses an electronic health record (“EHR”) is irrelevant. A provider could use the most sophisticated EHR available and still not be a covered entity if it does not transmit one or more of the standard transactions in electronic format.

Go to the Department of Health and Human Services (“DHHS”) website at https://www.cms.gov/HIPAAGenInfo/06_AreYouaCoveredEntity.asp for a decision tool to help you determine whether you are a covered entity.

On August 16th, 2011, posted in: HIPAA Compliance Blog by