Answers to your questions about...

Privacy vs security

Q: Is it true that the information covered by the security rule will be different from that covered by the privacy rule?

A: Yes. The privacy rule covers any protected health information—that is, any information that may identify a person, her health status, and the healthcare she receives. The security rule—which doesn't go into effect until April 21, 2005 for most covered entities—covers only health information in electronic form.

Q: What's the difference between the privacy regulations—which we've already implemented in my practice—and the security rules?

A: The privacy rule sets standards for how protected health information should be controlled. It does this by specifying authorized uses and disclosures and the rights of patients. The security rule, in contrast, defines the administrative, physical, and technical safeguards that a practice must use to protect electronic health information. This includes information the practice creates, receives, maintains, or transmits.

"Covered entities"

Q:My practice isn't considered a "covered entity" under the privacy rule because we're paper-only. Are we also exempt from the HIPAA security regulations?

A: Yes. Only practices that transmit health information in electronic form are considered covered entities under HIPAA. That includes practices that submit even one claim electronically—or that are paid electronically. If, on the other hand, you don't conduct any of the standard HIPAA transactions electronically (file claims, request authorizations for services, run checks on insurance eligibility, etc.), you aren't considered a covered entity, and neither the privacy nor the security rule applies. Obviously, there's only a very small percentage of medical practices that aren't covered entities.

Faxing information

Q:Is medical information I fax to my hospital covered under HIPAA?

A: That depends. Even fax machines that contain memory aren't considered computers under HIPAA, and thus aren't covered under the security rule. On the other hand, telephone "fax-back" systems—which respond to voice or keypad-activated requests for information in the form of a fax—are covered. Other types of communication that don't fall under the security rule include information transmitted by phone (either by voice or tone pad), video teleconferencing, and voice mail.

Appointing a security officer

Q:Under the security rule, must I appoint a separate person in my office as "security officer"?

A: No. The person who's now responsible for your practice's privacy compliance may also assume this duty. The key thing is to place final responsibility for security in one person's hands, whoever that person might be. This individual should make sure that security measures are in place and that staff members are implementing them appropriately.

Margaret M. Davino (mdavino@kbrny.com) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City. This department answers common HIPAA-related questions. It isn't intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com, or by regular mail to Medical Economics, 5 Paragon Dr., Montvale, NJ 07645. ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.

Margaret Davino. HIPAA Consult: Answers to your questions about. . ..

Medical Economics

Aug. 6, 2004;81:17.