The Michigan Society for Psychoanalytic Psychology
MSPP News
Notes from the Academy

The New HIPAA-cratic Oath for Health Care Professionals

Patrick B. Kavanaugh, Ph.D.

(Author’s Note: The American College of Physicians and Surgeons has published an analysis of HIPAA and its privacy provisions for public discussion and debate. This article relies on its analysis and background information and, additionally, the information presented at the Academy’s May 10th Board meeting. The following information may not be construed as legal advice. As with any legal issues, it would be wise to consult with an attorney who specializes in healthcare and HIPAA.)

Passed in Congress with broad bipartisan support, the privacy rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) went into effect this past April 14th for most covered entities. And the American Association of Physicians and Surgeons (AAPS), among other groups, went to court to protest HIPAA and the privacy provisions developed by the Department of Health and Human Services (HHS). In letters sent to the HHS secretary, the AAPS wrote on March 15th,

“In a nutshell, we object to the way the rule gives greater rights of access to the government than to the patient himself .... There is no justification for permitting public health surveillance and dissemination of personal medical records.”

and on March 26th, the AAPS warned the HHS secretary that the regulations, would have unintended consequences: the worst would be to enable if not guarantee wholesale invasions of privacy. We fully support the effort in Congress to repeal this work of the previous administration.

Don’t the HIPAA privacy provisions protect patient privacy? In practice, the permitted uses and disclosures of patient information under HIPAA are anything the government authorizes—without patient authorization. The Institute for Health Freedom, a nonpartisan think-tank in Washington, D.C., that analyzes health issues, has made known its grave concerns about the HIPAA privacy provisions. After studying the 1200-page regulation, president Sue Blevins said,

“The rule does not provide true medical privacy. Rather it actually weakens individuals’ ability to restrict access to their medical records.”

Since
its inception, members of the Academy have shared the common
goal of ensuring that the privacy and autonomy necessary for
psychoanalytic practice are solidly protected. And with the
new HIPAA requirements, it appears that they are not.

The
Academy’s Board is opposed to the new HIPAA-cratic oath that
requires the entry of personal and private information into a
nationwide computer data base where it can be accessed by
dozens of government agencies, thousands of bureaucrats,
pharmaceutical corporations, private insurance companies,
police agencies, foreign government officials, and others...without the person’s consent.

According
to the AAPS’s analysis of HIPAA, this is what happens to
information in the HIPAA system. Further, this sharing of
records and information can take place for purposes that
include: reporting abuse, health oversight activities, law
enforcement, judicial and administrative proceedings, organ
procurement, military and intelligence functions, workers’
compensation, health care research projects, marketing
health-related products and services, and providing the data
base for fund raising for health-related projects.

There
is something quite disturbing about this new HIPAA-cratic
oath: with the enactment of HIPAA, there has been a radical
and dramatic shift in the nature of the relationship between
government, professional associations, and the citizenry.

HIPAA-crates: The Father of 21st-Century Medicine

In
many respects, our technocratic system has become the father
of medicine in the 21st century. And HIPAA’s rules and
regulations speak his technocratic rationality. The
industrialization and deprofessionalization of the health care
professions continue as the health care
reformation redefines
our professional standards from within this rationality. In
psychology, recent years have witnessed standards developed
for: continuing education (mandatory CE), analytic education
and training (national health-care accreditation standards),
and practice (HIPAA) and care (duties to report, warn, and
medicate). More and more our professional associations turn to
government to validate ourselves (licensing laws), our bodies
of knowledge (national healthcare accreditation standards and
licensing exams), and to the insurance industry to validate
our scientific view of people (DSM-IV). Regulations
regulate; standards standardize; and, institutions
institutionalize. Apparently, it now takes a village of
educrats, bureaucrats, governmental agencies, and professional
associations to mandate and monitor matters of privacy and
confidentiality.

During
the past several years, HIPAA-related information and
questions have been presented to the psychological community
through the American Psychological Association’s (APA)
Monitor, the American
Professional Agency’s Insight,
and through seminars and workshops by state psychological
associations. For example: Are you aware of the requirements
mental health professionals must meet to be HIPAA-compliant
with the recent changes in privacy rules and patient consent?
... the new liability risks posed for psychologists by the
HIPAA privacy regulations? ...what the state or federal
penalties might be if the proper forms are not kept or the
wrong information is released? Or, ... how forgiving the HHS
might be if you are not HIPAA-compliant and violations
inadvertently occur?

Considerable
time, money, and effort have been spent by our professional
associations on the question of becoming HIPAA-compliant; it
seems that very little of these resources has been spent on
critically assessing HIPAA’s impact on the practice and
profession of psychology.
Is the state psychological association planning to
survey the psychological community to determine its impact in
Michigan? Is there any opposition to the HIPAA privacy rules
by our national or state associations? Is the APA--or Division
39—planning to file an amicus
brief in
support of the AAPS’s current legal challenge to HIPAA’s
privacy provisions?

It
might make it easier for people to consider APA’s slogan to
“Talk to Someone Who Can Help” if their personal and
private information stays in the consulting room unless (s)he
specifically authorizes its release. Is it not HIPAA-critical
to do otherwise?

HIPAA-cratic Language: Covered or Non-covered Entity

Is there a HIPAA-potamus in the middle of psychology’s living room that no one is talking about? The HIPAA is talked about in terms of how to be compliant as a covered entity ... but what about the potamus? ... the option of being a non-covered entity. Submerged in the murky waters of 1200 pages of federal regulations is a river horse (HIPAA potamios) question that generates much confusion in the healthcare community: What is a covered v. non-covered entity in the HIPAA system?
One of the observations made in the AAPS’s analysis of HIPAA
is that most consultants, seminar producers, and lawyers are
neglecting to advise physicians of the option of being a non-covered
entity under HIPAA. And
unfortunately, this seems to hold true in the psychological
community as well.

Last
month, the Academy’s Board invited Ms. Karen Grotberg, J.D.,
and Mr. Lawrence Jordan, J.D., to speak with us about HIPAA
and its privacy provisions. Ms. Grotberg is quite
knowledgeable about HIPAA’s rules and regulations as she
specializes in employee benefits, including health care
related plans. She represents clients before governmental
agencies (such as the IRS and Department of Labor) and has
counseled a wide variety of employers from Fortune 500
corporations to sole proprietors, not-for-profit
organizations, and both public and private entities. Mr.
Jordan specializes in intellectual property rights, e.g.,
the legal protection of
creative ideas via copyright and trademarks. He represents
artists, poets, musicians, authors, and inventors. He has been
involved with the Academy since its early beginnings.

The
morning was spent discussing the current legal challenges to
HIPAA, HIPAA’s
privacy provisions, and other practice-related issues. For the
most part, however, our discussion centered on the question:
Who is a covered v. non-covered entity?

HIPAA privacy rules apply only to covered entities; they do not apply to non-covered entities. According to
the Administrative Simplification standards adopted by HHS
under HIPAA, a covered
entity is: (1) a health care
provider that conducts certain transactions in electronic
form, (2) a health care clearinghouse, or (3) a health plan. A
psychologist is a covered entity only if (s)he
electronically transmits protected health information on or
after April 14, 2003. If the psychologist does not engage in
the electronic transactions described in HIPAA’s privacy
rules (and assuming that the psychologist does not also
operate a clearinghouse enterprise), the psychologist is
not a covered
entity. This means that the
psychologist has the ability to control her/his destiny under
HIPAA. It should be noted, however, that a psychologist who is
a member of a practice group rather than a sole practitioner
could get drawn into HIPAA by virtue of the practice group’s
billing or other practices involving electronic transmission
of data. By engaging in electronic transmission of protected
health information, a psychologist voluntarily relinquishes
non-covered entity status and becomes a covered entity under
HIPAA.

Thus, as a psychologist you are not a HIPAA covered entity if the following conditions are met:

(1) no protected health information is transmitted electronically outside your office;
(2) the records you maintain are all paper or you keep them in a computer (a word of caution: be aware that if you fax data outside your office via computer—as opposed to faxing the traditional way with hard-copy paper—you will be considered to have electronically transmitted data); and
(3) you file no claims and do no billing via electronic transmittal, and you do not engage a billing service or clearinghouse to file claims on your behalf (including private and Medicare claims).

Additionally, you should be aware that if you are or become a “business associate” of another party who is a covered entity, and protected health information in any form is exchanged, you will be required to comply with certain of HIPAA’s privacy rules. There are no affirmative steps or
declarations necessary for a non-covered entity to identify
him-/herself as a non-covered entity. Those who are
non-covered entities have the
increasingly unique opportunity to inform people that you are
an advocate for their privacy. As a non-covered entity, you
are not required to make disclosures that HIPAA otherwise
mandates. Personal information can remain private and
confidential outside the HIPAA system (keep in mind that HIPAA
not only permits certain disclosure of protected health
information, it also requires
disclosure in some circumstances).

There
was a second closely related question considered at the Board
meeting: If
a provider steps into HIPAA by virtue of electronic billing,
will (s)he always be a covered entity for HIPAA purposes even
if he/she reverts back to paper billing?
It is Ms. Grotberg’s opinion that the provider would
cease to be a covered entity if (s)he reverts back to paper
billing -- assuming the provider is not required to bill
Medicare electronically and, of course, provided that there is
no electronic transmission of protected health information for
other purposes. However, Ms. Grotberg cautioned that the
provider would likely remain subject to HIPAA’s privacy
requirements with respect to protected health information
acquired, created, used, or disclosed during the period when
the provider was a HIPAA covered entity.

The
Center for Medicare and Medicaid Services (CMS) confirms this
conclusion: CMS indicates that health care providers who do
not cease electronic transactions by April 14, 2003, are
required to comply with HIPAA privacy rules but that such
providers could revert to conducting solely paper
transactions. Doing so, however, would delay receipt of
Medicare payments for those providers who submit bills to
Medicare. CMS goes on to say that unless such providers fall
within the "small provider" exception or another
exception to Medicare electronic billing rules, the providers
will have to bill Medicare electronically no later than
October 16th of this year and will thereby become a HIPAA
covered entity. Effective October 16, 2003, Medicare’s
electronic billing rules will generally require health care
providers who have 10 or more employees and who bill Medicare
to submit billing information electronically. Thus, a provider
who bills Medicare and who employs at least 10 employees will
not be able to avoid becoming a HIPAA covered entity. Ms.
Grotberg’s opinion is that the provider in question is not
subject to HIPAA during the period of time when (s)he reverts
to paper billing before having to resume electronic billing
for Medicare compliance purposes.

Any
uses and disclosure of protected health information obtained
or created during the period of time when the provider was a covered entity would continue to
be subject to HIPAA's privacy rules. Thus, any protected
health information gathered or created during a period when a
provider is a covered entity should only be used or disclosed
as permitted or required by the privacy rules. Government
agency overseers will likely maintain that all applicable
HIPAA privacy requirements must be met during any period of
time when a provider is a covered entity. Ms. Grotberg’s
additional research following the Board meeting confirmed the
foregoing interpretation of covered entity status. The Board
learned that the opportunity is still there for those who
choose to practice outside of HIPAA-cratic parameters, which
led to the last major topic considered at the Board meeting:
the question of the Academy’s principles and guidelines for
the practice of psychoanalytic psychology.

On the Question of Principles and Guidelines

Since its founding in 1995, members of the Academy have been involved in articulating those principles and guidelines that support psychoanalytic practices, theories, education, and ethics that are consistent with the study of the psychoanalytic arts. It is through the practice of the psychoanalytic arts that such study takes place and such understanding and knowing is achieved.

From
this study, certain principles or practice guidelines have
been advanced that appreciate the uniqueness of the
individual, celebrate the mystery of human being-ness, and
respect the drama of the lived experiences of everyday life.
Like-minded individuals derive support and legitimacy in the
practice of psychoanalytic psychology by joining together,
articulating their shared principles and practices, and
advancing those guidelines in the professional community.
And Dr. Kavanaugh is the current past president of the Academy. He is in private practice in Farmington Hills. Ms. Grotberg (Detroit) and Mr. Jordan (Ann Arbor) are with the law firm of Jaffe, Raitt, Heuer & Weiss, P.C.