Most of us have heard at least one urban myth, those shocking stories shared around the water cooler or emailed around the country. While they make for interesting conversations or reading, they aren't reliable sources for industry news. There are several myths about HIPAA circulating around our industry, and unfortunately some companies have believed the myths and ignored the importance of HIPAA. However, like so many urban myths, these industry myths are not true. Below I've compiled a list of the most common HIPAA myths I've encountered in the marketplace, along with the real facts you need to know.

1. Congress will eliminate HIPAA before the compliance deadline.

While we may cringe at the workload and cost incurred by HIPAA regulations, most healthcare experts agree they will bring needed change and standardization to the electronic exchange of information within the healthcare industry. While many groups are working to modify specific parts of the regulations, very few are advocating complete elimination. Many expect changes to the regulations after the November elections, but most experts predict HIPAA is here to stay.

Furthermore, the HIPAA regulations have widespread, bi-partisan support and cannot be viewed as a Clinton-era regulation the current administration is working to eliminate. HIPAA has popular support as a consumer privacy issue, which is an important topic supported by both parties.

2. Attorneys are responsible for HIPAA compliance.

HIPAA does create additional legal responsibilities for your business, and you should consider hiring an attorney who is familiar with HIPAA to provide counsel for drafting or reviewing HIPAA-related contracts with your healthcare clients. However, HIPAA regulations extend well beyond the scope of most attorneys' expertise, and they should not be deemed responsible for HIPAA compliance.

HIPAA encompasses procedural issues and will change how you run your operations on a daily basis. For example, your attorney cannot assist you in encrypting electronic communication with your healthcare clients or ensure your staff doesn't leave their passwords taped to their computers.

While your attorneys will be important players on your HIPAA team, they cannot be expected to make you HIPAA compliant.

3. Our software vendor is responsible for making us HIPAA compliant.

Your software must allow your organization to conform to the same HIPAA transaction, privacy and security guidelines as your healthcare clients. The collection and billing software will receive, store and transmit protected health information, and you will need to ensure that information is secure. The business associate agreements, to which you will be required to adhere, might specify the use of passwords, access control, auditing, encryption and more.

While your software must have tools available to become HIPAA compatible with each healthcare client, it alone cannot make you HIPAA compliant. Your managers are responsible for determining the steps necessary to meet HIPAA obligations. Additionally, your software vendor should be proactively working with you to help you understand the aspects of HIPAA their product can help to address, thus giving you a clearer picture of outstanding issues and improving your HIPAA planning.

4. HIPAA mandates will not be enforced.

HIPAA will be enforced by the Office of Civil Rights, which has assigned 31 staff members to the task. While this team has stated that it will not initiate investigations through tactics such as sting operations, it will respond to consumer complaints and employee whistle-blowers. This is the same effective strategy used to enforce the FDCPA.

The HIPAA regulations cannot be ignored and cannot be approached from the philosophy that you aren't guilty until you are caught. This approach could produce serious repercussions. The penalties for non-compliance are significant and can include both fines up to $250,000 and prison sentences of up to 10 years.

Reputable businesses in our industry carefully comply with the FDCPA, and HIPAA regulations will require the same treatment.

5. Since we use a clearinghouse to submit bills, no changes are needed.

HIPAA regulations allow non-standard data to be sent under certain circumstances, including transmissions to your clearinghouse that will convert the data into a standard format. However, in order to convert non-standard data in the standard format, all of the data fields must be present. The HIPAA transaction and code set regulations require data content over and above that which is available today to support a UB or HCFA claim. Simply stated, an existing UB or HCFA claims interface cannot support all of the required and situational data elements defined under HIPAA.

If your collection agency submits bills to payers, directly or through a clearinghouse, you likely will need enhanced collection or billing software to manage the additional data fields.

6. Our clients will file for the transaction extension of October 2003 giving us plenty of time. We'll address HIPAA later.

While the transaction and code set extension is available to all covered entities that file for the extension prior to October 2002, the extension requires the covered entity to be testing transactions by spring of 2003. The extension imposes accountability to help organizations move toward compliance. It is reasonable for healthcare providers to expect the same diligence from their business associates. One could argue they will probably expect more of their agencies than they will expect of themselves in regard to testing and preparedness.

HIPAA will require an ongoing commitment to compliance by your technology vendors, healthcare clients and your operations management. The truth about HIPAA is the opposite of what people hope about HIPAA. Responding to this challenge requires diligent and immediate efforts from the entire industry if we are to meet the HIPAA deadlines and uncover new healthcare business opportunities.

See more releases by year: 2008 | 2007 | 2006 | 2005 | 2004 | 2003