Practice Perfect
HIPAA Update
Ed Zuckerman, PhD

It has been almost two years since most clinicians made their practices "HIPAA-compliant" and so it is time for an update on new developments. First, the good news: None of the basics has changed nor is any change contemplated because the implementation stages are continuing and lawsuits have not had enough time to change anything. If you are using an NPP (Notice of Privacy Practices) and a “Consent” tailored to your practice, just keep it up. Similarly, if you added some HIPAA elements to your locally-legal Authorization Form, it is still legit. You can keep HIPAA-legal Psychotherapy Notes and release only the more basic information to insurance companies. If you have not become HIPAA-compliant, it is never too late to gain the small benefits (added privacy in dealing with insurance companies, tightening up your staff education in confidentiality, reviewing your practices for risks of disclosure, almost impregnable private notes, and not having to explain why you chose not to comply) at the cost of a few pieces of paper.

However, there are some developments you should be aware of and which have not been discussed widely. You will need an NPI, must comply with the Security Rule, might want to implement encryption, must use the ICD-9 codes, and there are a few other interesting ramifications.

NPIs

You, whom Managed Care changed from a therapist into a “provider,” and the HIPAA Privacy Rule turned into the even more anonymous “CE” (Covered Entity), will now be just a number. You will have to get a National Provider Identifier (NPI). Don’t panic; the earliest this will start is May 23, 2005, and you will have two full years to do it. If you are not now and don’t want to be a CE, ignore this. If you want one for some administrative purposes but are not a CE, you can get one without it making you a CE. Employers who are CEs can use their EINs (since July 30, 2004). Applications for NPIs will be on paper and via the internet (by the way, Wired magazine, the apparent authority, has decided that “email” no longer needs a hyphen nor “internet” a capital). There will be accounts with user names and passwords, and telephone support, but apparently no fee. Mike Feely, the savvy therapist and aficionado of bureaucracy, suggested VNPIs (Vanity National Provider Identifiers) for a small fee which could go to the National Coalition to fight HIPAA. Can someone look into this, please? No procedures have been announced yet but you can find more information at http://www.cms.hhs.gov/hipaa/hipaa2/regulations/identifiers/default.asp.

The HIPAA Security Rule

The practice changes which most psychologists made in April of 2003 to become HIPAA-compliant were required by the Privacy Rule, one of the three components of HIPAA. The first, the hugely complex Transactions Rule, has to do with electronic billing and is being implemented over several years. The third part, the Security Rule, must be complied with by April 20, 2005. The good news is that in all but a few aspects, when psychologists implemented the Privacy Rule their new procedures also made them compliant with the Security Rule.

[Editor's note: Dr. Zuckerman provides the following updated information as of 9/1/2006: "Although the Security Rule applies to Electronic PHI, related compliance activities must be implemented in order to support the Privacy Rule’s required actions. Also, the analyses of how you receive, create, store, use, and disclose PHI are different because the Privacy Rule focuses on the authorized disclosure of PHI and the Security Rule focuses on how you maintain the privacy of the EPHI you have and transmit electronically, essentially for payment. For additional explanations of the relationship of compliance with the Security Rule and of compliance with the Privacy Rule, see, for example, 'Security rule requires taking steps beyond privacy rule'."]

There are two points of interest here. The first is simply strange. The Privacy Rule applies to all forms of PHI (protected health information), whether electronic, written, or oral. In contrast, the Security Rule applies only to PHI in electronic form. Any PHI created, received, transmitted or stored in any electronic form is covered - the internet and email, computer drives, CDs and tapes, disks, etc. The Security Rule does not apply to PHI created, transmitted, received, or stored on paper or any oral communications. Some truly impressive reasoning has been used here. For example, if you typed up a page of notes on a typewriter (which did not store it electronically) and faxed it where it was again not stored but simply printed out and used and filed, it would not be covered by the Security Rule. However, a computer fax would be. Gotcha. In these circumstances, the best policy is likely to be to treat all PHI as if it were Electronic PHI.

The second point is even more complex and I will explain it briefly because you might actually have to take some actions around some aspect or aspects of your practice in order to comply. The Security Rule lists a moderate number of physical, administrative, and technical “safeguards” designed to protect PHI from the “risks” of “unauthorized release.” Each safeguard has some detailed instructions, called “implementation specifications,” for how to carry out these safeguards. These implementation specifications come in two flavors. Some are “required” and must be met in the clinical practice by policy or procedures. The other implementation specifications are called “addressable” and require some thought. You, the CE, have to consider whether, in your particular environment, each of these implementation specifications is reasonable and appropriate to safeguarding your PHI and EPHI from threats and hazards which you can “reasonably anticipate.” To be concrete, you can decide, after considering your office’s location, building, layout and the location of your office computer, files, staff, patients, etc., whether a lock or two and a password are sufficient safeguards or whether you should have a monitored premises security system, universal encryption, and off-site storage of backups to “address” the risks to your EPHI.

[Editor's note: Dr. Zuckerman adds this comment 9/1/2006: "To perhaps be more specific, you do not have much choice in implementing the 'required' specifications. Furthermore, the list of actions you can take may conflate the ways of implementing the two Rules. To the practicing psychologist taking privacy- and security-related actions, they are all of a piece, and the Rules intersect and are dependent. But for thorough compliance they should be separated into actions related to implementing the Privacy Rule and those implementing the Security Rule."]

How is this done? In the writing of the required HIPAA Policy and Procedures Manual.

You obtain some relief in this “risk analysis” in two ways. First, HIPAA makes the security requirements “scalable” which means small practices do not need anywhere near as much as large CEs must in terms of costs, training, new hardware and software, systems, etc. Second, these implementation specifications are to be “technologically neutral” and so do not require any particular technology, hardware, software, etc. More concretely, encryption of emails is not required but, as it becomes easier to do, will be a good decision on your part.

Encryption

Ed’s Opinion: Every document on your computer should be encrypted. The procedures to encrypt email and other files have gotten simpler and are now not very burdensome. The most widely used set of programs is PGP (Pretty Good Privacy), which offers free versions you can download from their web site at http://www.pgpi.org/ and use on all kinds of files. Both PGP and Verisign’s program for email (http://www.verisign.com/client/guide/index.html), which is smoother and costs $20 a year, use public-key encryption. This requires adding your public key to a database on the internet or sending it along as a signature file on your emails, plus a few other arrangements, but the result is entirely secure.

There are other email encryption programs which require you to provide the key or passphrase to the recipient of your email in some way other than the insecure internet. Zixmail (http://www.zixcorp.com) costs $50 a year. Shyfile does not require the recipient to have the program. The recipient uses a browser and the passphrase you have given them or the Shyfile website to decrypt the email. For more info see http://www.shyfile.net/index2.html. Adhaero Transit allows you to send an executable file or email which the recipient decodes with the passphrase you have communicated to them. They don’t need to have the program. More info at http://www.adhaero-transit.com-download.net/. There are other programs available as well and I am working on one.

For the paranoid and technically sophisticated: the National Institute of Standards and Technology (NIST) believes that the Data Encryption Standard (DES), a popular encryption algorithm, is not secure enough. The algorithm, sometimes referred to as single DES, uses a 56-bit key to encrypt blocks of data, and can produce up to 72 trillion unique keys. Paul Kocher, president of Cryptography Research Inc. in San Francisco, said, "It's gotten to the point where any government curious enough to break DES traffic could." Even malicious hackers in control of an army of virus-infected "zombie" computers could make short work of the single DES algorithm, he said. Either Triple DES or AES is "many trillions of times" stronger than DES and could take decades or centuries to break, even with the current rate of advancement in computer processing speed, Kocher said. Ed’s Opinion: most current programs use 128-bit or higher keys and are safe enough for our usual notes. If you treat those whose PHI exposure would be catastrophic, find an AES or Triple DES program.
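To make the encryption advice above concrete, here is an added example in Go; it is not part of Dr. Zuckerman's article and is not code from PGP, Verisign or any of the other products named. It encrypts a stored note with AES-256 in GCM mode (an authenticated mode, so a tampered file is detected rather than silently decrypted to garbage), and computes how many times larger a 128-bit key space is than single DES's 56-bit key space, which is where the "many trillions of times stronger" figure comes from. Assumptions: the key is generated at random for the sake of a self-contained run (a real tool would derive it from your passphrase with a slow key-derivation function or keep it in a key manager), the sample note is constructed and is not real patient data, and the function names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"math/big"
)

// NewKey returns a fresh random 256-bit AES key. Assumption for this example:
// a real program would derive the key from the clinician's passphrase with a
// slow KDF (PBKDF2, scrypt, Argon2) rather than generate it at random.
func NewKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptNote seals plaintext with AES-256-GCM. The returned blob is laid out
// as nonce || ciphertext || authentication tag, so one byte string is stored.
func EncryptNote(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per note; reusing a nonce with the same key breaks GCM.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptNote reverses EncryptNote. Because GCM authenticates the ciphertext,
// any modification of the stored blob (or use of the wrong key) is refused.
func DecryptNote(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// KeySpaceRatio returns 2^strongBits / 2^weakBits, i.e. how many times more
// keys an attacker must try for the stronger cipher than for the weaker one.
func KeySpaceRatio(weakBits, strongBits uint) *big.Int {
	return new(big.Int).Lsh(big.NewInt(1), strongBits-weakBits)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample note; not real patient data.
	note := []byte("Session 3, client J.D.: discussed sleep hygiene; next visit in two weeks.")

	blob, err := EncryptNote(key, note)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored blob is %d bytes; none of it is readable without the key\n", len(blob))

	back, err := DecryptNote(key, blob)
	fmt.Println("round trip intact:", err == nil && bytes.Equal(back, note))

	// Flip one bit of the stored file: decryption must fail, not return garbage.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptNote(key, tampered)
	fmt.Println("tampered blob rejected:", err != nil)

	fmt.Println("AES-128 key space / single-DES key space =", KeySpaceRatio(56, 128))
}
```

The ratio printed at the end is 2^72, roughly 4.7 billion trillion, which is the arithmetic behind Kocher's "many trillions of times" remark; AES-256, used in the code, is 2^200 times larger again. The tamper check is the part worth copying into any home-grown tool: an unauthenticated mode such as plain CBC would decrypt an altered note to silently corrupted text.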

Whenever you send a fax or an email there is a risk of its being misdirected, so you might place a confidentiality notice paragraph as a "sig file" or signature at the bottom of all your transmissions. You can construct your own version to contain these essential elements:

1. A notification that the material is sensitive.
2. An indication that its distribution and use are restricted by specific laws.
3. A request that, if it were incorrectly sent or received,

a. the sender be notified;
b. that it not be distributed or used, and
c. that it be destroyed or returned.

4. A message of gratitude for the recipient's cooperation.

ICD-9-CM

HIPAA requires the use of diagnoses from the International Classification of Diseases, 9th Edition, Clinical Modification (ICD-9-CM), Chapter V (Mental Disorders) instead of DSM-IV-TR. Changes to the ICD implemented in October 2004 bring the two closer, but there are still many differences, stemming from the European origins of ICD and its design in 1980. DSM has many more disorders and sub-classifications, and the ICD has some categories from DSM-III. There is no book of just the mental disorders and no small version (except my own Reference List of ICD-9-CM Diagnoses at http://www.PsychMeds.info), but the whole ICD is available from http://www3.cms.hhs.gov/paymentsystems/icd9/cdrom.asp on CD for $25 for Windows computers. A downloadable version is available at ftp://ftp.cdc.gov/pub/Health_Statistics/NCHS/Publications/ICD9-CM/2004/. You want DTAB05.ZIP and will have to find Chapter V. If you need only a code or two, try http://icd9cm.chrisendres.com/index.php.

Other Points

If you use a Telecommunications Relay Service (TRS) program to communicate with a patient who is deaf, or for any other reason, the Federal Communications Commission (FCC) decided that this does not violate the HIPAA Privacy Rule and you don’t need to have a Business Associate (BA) agreement with the TRS. Read more at http://www.hipaadvisory.com/action/faqs/fcc.htm.

The Centers for Medicare & Medicaid Services (CMS) recently exempted benefit debit-card transactions from the HIPAA requirements of electronic data transfer. This specifically applied to the use of such cards to pay for services from a Flexible Spending Account (FSA) but is based on earlier decisions that credit and debit card payments to professionals or pharmacies are not subject to these security rules. Ed’s Opinion: Privacy Rules still apply and so I would put a notice in my Brochure for Patients that credit card payments and similar arrangements are more secure than checks (with names on them) and are protected by business laws and security methods but both are discoverable in litigation.

Subpoenas and other legal proceedings may require you to disclose PHI. On Jan. 20, 2005, CMS offered some guidance on some of the sticky issues at http://answers.hhs.gov/cgi-bin/hhs.cfg/php/enduser/std_alp.php?&p_cat_lvl1=7&p_cat_lvl2=52.

CMS has not changed its approach to “unauthorized disclosures” of PHI. They are reactive (they will wait for complaints rather than seek out problems), prefer to educate rather than prosecute, offer little or no specific help (such as forms and wordings), will not issue advisory opinions for future guidance, and, because they are understaffed in enforcement, rely on voluntary compliance. I believe there has been only one settled case of a HIPAA prosecution and this was for a case primarily involving identity theft.

Medicare's HIPAA web site now has a suggested and sample NPP, only for Medicare clients, which you can see at www.medicare.gov/privacypractices.asp. It is about two pages and has a 9th to 10th grade reading level. If you intend to use it, you will need to add any variations imposed by more stringent laws in your state and adapt it to your office procedures.

There is now a specific address to file complaints about violations of one's privacy and you might add this to your NPP. Privacy Complaints, P. O. Box 8050, U. S. Department of Health and Human Services, Centers for Medicare & Medicaid Services, 7500 Security Boulevard, Baltimore, Maryland 21244-1850.

Trivia Contest: I will send a free copy of my Reference List of ICD-9 Diagnoses, to the first 5 correct answers to this question: Who are the new fourth kind of CE besides Providers, Clearinghouses, and Insurers? Email to edzuckeman@mac.com. No fair Googling.

Dr. Zuckerman is the author of HIPAAHelp: A Compliance Manual for Mental Health Practices. For further information about Dr. Zuckerman or this HIPAA compliance manual, visit http://www.HipaaHelp.info.

Page Update: September 5, 2006