"Eye on Managed Care: Protect Yourself on HIPAA Issues"
Some third-party payers might overreact as they amend their provider agreements.
by Gil Weber, MBA
Adapted with permission from Ophthalmology Management
© Copyright, 2002. All rights reserved.
The third party payers with whom you're now contracted will be amending their provider agreements to address new requirements imposed by HIPAA (the Health Insurance Portability and Accountability Act). But some of the changes they make may be inappropriate for your practice -- and may even be out of step with the intention and wording of HIPAA. You'll need to be alert and avoid signing any contract amendment that misdirects you or results in unnecessary expense.
Pitfalls to avoid
Be on the lookout for amendments that require you to:
- Dedicate more resources to HIPAA compliance than you realistically (and legally) need
The authors of HIPAA acknowledge that size does matter, so HIPAA regulations and degree of detail apply differently to various organizations. You shouldn't have to meet unnecessarily high standards.
For example, a hospital system or HMO likely will need a full-time person implementing and supervising patient privacy matters. However, your solo or small group practice probably only needs a staff person managing this part-time. Be wary of a provider agreement or amendment that misapplies HMO or hospital-level HIPAA requirements to your practice. That's overkill.
- Provide any and all data demanded by the payer
Plans are entitled to certain information in order to conduct business -- for example, to pay claims or perform a quality assurance audit -- but they're not entitled to more information than is reasonably required for that specific purpose. For example, if you're asked to submit data justifying a claim coded at a certain level, or for a grievance investigation, the payer is only entitled to the minimum amount of information it needs to make that decision.
If the new language says you must provide all data requested, you may find yourself caught between a rock and a hard place. If you provide the additional data you violate HIPAA; if you don't provide the data you're in breach of the amended provider agreement.
- Release any information the patient requests
Watch out for wording (existing or amended) that mandates release of any and all information to the patient at no charge.
HIPAA regulations mandate that, upon demand, you must give your patient a report detailing to whom you've released PHI, and you can't charge your patient for that report. However, you're only required to provide each patient with one free report in a year. If a patient requests any additional reports, you're allowed to charge a "reasonable, cost-based" fee for each (as long as you follow rules mandating prior, written disclosure of such a fee).
You don't want to sign anything that obligates you to provide more than HIPAA specifies -- especially for free.
Be Alert and Get Help
Now more than ever, review provider agreements and amendments carefully. If you find language that's out of step with the new HIPAA requirements get it amended -- soon! (Always seek the help of experienced advisers and legal counsel.
HIPAA compliance will be painful and costly. But "over-compliance" could be even more so.
Gil Weber is an author, lecturer and practice management consultant to the managed care and ophthalmic industries. He has served as Managed Care Director for the American Academy of Ophthalmology.