Whether HIPAA applies to acupuncturists who share a medical record is one of those arcane questions our healthcare lawyers get. The answer isn’t all that easy to obtain. Like many healthcare & FDA legal issues, this HIPAA question is a fun treasure hunt through the legal rules.
HIPAA itself is a statute, under which the U.S. Secretary of Health and Human Services has promulgated at least five regulations, of which the first two (the Privacy Rule and the Security Rule) are the ones we normally care about.
Before we even start, there’s a preemption rule to tackle: HIPAA supersedes contrary state law, unless the state law is more stringent (more protective of the individual). HIPAA does not preempt state requirements related to reporting of disease, child abuse, birth and death, or that authorize public health surveillance or public health investigation or intervention. Keep this in mind at the end: even where HIPAA does not reach a record, state medical privacy law may.
Let’s move past preemption now.
HIPAA regulates electronic data exchange of health care information. The relevant provisions of HIPAA, known as the “Administrative Simplification” provisions, essentially amend the federal Social Security Act’s Medicare and Medicaid provisions.
HIPAA is intended to protect the privacy of patients’ protected health information (“PHI”). PHI means individually identifiable health information that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium (whether electronic or hardcopy). PHI is a subset of the individual’s health information; identifiable health information means health information (including demographic information) that identifies the individual, or with respect to which there is a reasonable basis to believe the information can be used to identify the individual.
HIPAA requires covered entities to:
- Provide information, in writing, to patients about their privacy rights and how their information will be used.
- Develop policies, procedures, and systems to protect patient privacy and patients’ ability to access and amend their records.
- Train staff on these procedures.
- Appoint a “privacy officer” to ensure privacy procedures are developed, adopted, and followed.
- Appoint a “security officer” to ensure security procedures are developed, adopted, and followed.
- Secure patient records that contain PHI from individuals who should not see them.
- Account for specified disclosures of PHI.
- Establish a complaint mechanism for privacy concerns.
- Establish and enforce a system of sanctions for employees who violate privacy policies and procedures.
- Notify patients and government agencies in the event of a breach, where required.
Typically, covered entities subject to HIPAA will have a compliance plan, including a compliance manual with a full set of policies, procedures and forms.
HIPAA only applies to the following types of covered entities (for the moment, we’re omitting business associates and their subcontractors):
(1) a health plan;
(2) a health care clearinghouse;
(3) a health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173(a)(1).
Here, section 262 of HIPAA (the “Administrative Simplification” section) inserted section 1173, together with the surrounding definitions, into the Social Security Act; those provisions are codified in Title 42 of the U.S.C.
Under HIPAA, the term “health care provider” includes: “a provider of services (as defined in section 1861(u)), a provider of medical or other health services (as defined in section 1861(s)), and any other person furnishing health care services or supplies.” Next, under section 1861(u), the term “provider of services” means a “hospital, critical access hospital, skilled nursing facility, comprehensive outpatient rehabilitation facility, home health agency, hospice program, or … a fund.”
The term “medical or other health services” has a lengthy definition, which includes: (1) physicians’ services; (2) services and supplies furnished as an “incident to a physician’s professional service;” (3) diagnostic X-ray tests …. (6) durable medical equipment; (7) ambulance service; and other services which do not appear to apply to services an acupuncturist might furnish.
The catch-all, “any other person furnishing health care services or supplies” is not limited to medical services or physicians. It would appear to encompass services by an acupuncturist.
This conclusion is bolstered by the definition of “health care” under the HIPAA regulations:
Health care means care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following:
(1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment, or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and
(2) Sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription.
Further, the U.S. Department of Health & Human Services (“HHS”), on its webpage dedicated to Health Information Privacy, states that a “health care provider” includes: doctors, clinics, psychologists, dentists, chiropractors, nursing homes, pharmacies, and others (but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard). The open-ended “and others” suggests that other providers, such as acupuncturists, would be included.
HHS also provides an easy-to-use question and answer decision tool to determine whether one is a covered entity. This links to a decision chart on the website for the Centers for Medicare & Medicaid Services. The first question is: “Does the person, business, or agency furnish, bill or receive payment for, health care in the normal course of business?”
It does sound as though acupuncturists would be considered healthcare providers subject to HIPAA.
However, HIPAA only applies to a “health care provider who transmits any health information in electronic form in connection with a transaction referred to in section 1173(a)(1).” This statutory section requires HHS to adopt
(1) …. standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically, that are appropriate for—
(A) the financial and administrative transactions described in paragraph (2); and
(B) other financial and administrative transactions determined appropriate by the Secretary, consistent with the goals of improving the operation of the health care system and reducing administrative costs.
(2) TRANSACTIONS.–The transactions referred to in paragraph (1)(A) are transactions with respect to the following:
(A) Health claims or equivalent encounter information.
(B) Health claims attachments.
(C) Enrollment and disenrollment in a health plan.
(D) Eligibility for a health plan.
(E) Health care payment and remittance advice.
(F) Health plan premium payments.
(G) First report of injury.
(H) Health claim status.
(I) Referral certification and authorization.
Under the HIPAA regulations, transaction means the transmission of information between two parties to carry out financial or administrative activities related to health care. It includes the following types of information transmissions:
(1) Health care claims or equivalent encounter information.
(2) Health care payment and remittance advice.
(3) Coordination of benefits.
(4) Health care claim status.
(5) Enrollment and disenrollment in a health plan.
(6) Eligibility for a health plan.
(7) Health plan premium payments.
(8) Referral certification and authorization.
(9) First report of injury.
(10) Health claims attachments.
(11) Other transactions that the Secretary may prescribe by regulation.
Of these, the question is whether sharing patient medical information in-office via an EHR constitutes “health claims or equivalent encounter information.”
HIPAA regulations define “health claims or equivalent encounter information” as either of the following:
(a) A request to obtain payment, and the necessary accompanying information from a health care provider to a health plan, for health care.
(b) If there is no direct claim, because the reimbursement contract is based on a mechanism other than charges or reimbursement rates for specific services, the transaction is the transmission of encounter information for the purpose of reporting health care.
So, acupuncturists sharing an in-office EHR does not, in and of itself, appear to trigger HIPAA: a record shared among providers in the same office is neither a request for payment sent to a health plan nor a report of encounter information under a non-fee-for-service reimbursement contract. The short form of this is that we typically look to whether providers electronically transmit patient health information for insurance reimbursement. Two caveats follow from the analysis above. First, covered-entity status attaches to the provider, not to the individual transmission: once the practice (or a billing service acting on its behalf) sends even one standard transaction electronically to a health plan, the practice is a covered entity and all of the PHI it holds, including the shared EHR, is subject to the Privacy and Security Rules. Second, as noted at the outset, state medical privacy law is not displaced by a finding that HIPAA does not apply. This isn’t legal advice, per se; it’s a journey through the regulatory treasure hunt.
Our HIPAA attorneys track privacy and security legal developments, as we counsel our clients on their compliance legal obligations. Contact our HIPAA legal team for laws and regulatory updates relevant to your situation.