September 28, 2017
By Bert Ryan

About "Crushing Kim With HIPAA"
HIPAA is widely misunderstood, not because of any one thing, but rather the accumulation of many confusing concepts, phrases and terms. This series explores those confusing things through the eyes of Kim, a hypothetical office manager in a small clinic named Memphis Family Clinic. Big hospitals have departments of lawyers and information technology specialists (I/T, CIO) to handle HIPAA challenges. Kim and Memphis Family Clinic do not have those resources. This series tries to show how challenging HIPAA is for small clinics.

Memphis Family Clinic gives each new patient a copy of its Notice of Privacy Practices (NPP). Of course, this is required by HIPAA. Beyond that, Kim hasn't given much consideration to HIPAA. She has taken an online certification class and passed a 20-question multiple choice test. For that, she got a certificate. More than anything, the CE-accredited HIPAA class confused her.

Some time later, one of the admins asked Kim, "We are a small clinic. Do we have to obey HIPAA?" Kim replied truthfully, "I think so, but since we are small they won't bother with us." They Googled it and found this confusing definition of who must comply with (obey) HIPAA. Keep in mind, this comes from HHS, the definitive source.

As required by Congress in HIPAA, the Privacy Rule covers:
  • Health plans
  • Health care clearinghouses
  • Health care providers who conduct certain financial and administrative transactions electronically. These electronic transactions are those for which standards have been adopted by the Secretary under HIPAA, such as electronic billing and fund transfers.
These entities (collectively called “covered entities”) are bound by the privacy standards even if they contract with others (called “business associates”) to perform some of their essential functions.

HIPAA is widely misunderstood because it is layered with legal and legislative language and concepts that are never explained plainly. From the definition above, here are the confusing things:

  • "As required by Congress in HIPAA" — it is not necessary to establish the authority of Congress, HHS or HIPAA — healthcare workers like Kim are rule followers — it is NOT that people disrespect Congress or the law; they just don't understand these HIPAA rules
  • "Health care clearinghouse" — there are people who have worked in healthcare for 30 years and can't tell you what a health care clearinghouse is — of all the business models in healthcare, why focus so much on these mysterious clearinghouses?
  • "Covered entity" — this is a weird legal phrase that tries to aggregate or encompass many different types of healthcare organizations - it is a phrase that comes up over and over but lacks a crisp meaning
  • "conduct certain financial and administrative transactions electronically" — either specify those "certain" transactions or don't make it the crux of understanding who must obey HIPAA
  • "Privacy Rule" — another article in the series will deal with confusing rule names

What were they thinking?

The people who wrote the HIPAA rules are good people. They probably had constraints - unknown to us - that made it difficult to write these rules. What constraints would lead them to compromise with the contorted definition "conduct certain transactions electronically"? Here is a guess. There are still many healthcare providers that might be characterized as "old school." These old school clinics prefer to use paper medical records, prefer to fax documents and don't trust email, computers or the internet. I suspect that this kind of loophole language is the result of pushback to exempt the old school clinics. Perhaps the lawmakers were trying to say, if you are an old school clinic, you do not have to obey HIPAA. That is roughly how the definition works in practice: a provider that never sends a standard transaction such as an electronic insurance claim, whether directly or through a billing service acting on its behalf, is not a covered entity, while a provider that bills insurers electronically is.

Returning to the small clinic perspective

Kim and Memphis Family Clinic do not have the legal or technical resources to parse these rules. Keep in mind that this is just the first of hundreds of HIPAA rules that Kim has to interpret. The ClinicNerds refer to this and other confusing phrases as "Hard HIPAA." If HIPAA is ever to be widely understood, we need to simplify the legal language, the legislative language, and the confusing concepts. We need to create "Easy HIPAA" which dials back the legal, legislative and technical jargon and is explicit, not abstract or interpretive.

Here are some suggestions for fixing the problems. The healthcare industry is huge. Do not try to cover the whole healthcare industry with one explanation of the HIPAA rules. Give separate documents for health insurance companies, health researchers, health providers, pharmacies, etc. Lumping them together creates too many permutations and wording challenges.

Be explicit. Make it easy for providers to know if they are in or they are out. Wouldn't it be easier to say something like:

  • All healthcare providers must obey HIPAA rules.
  • This includes the following types of practices:
    • doctors and medical specialists
    • dentists and dental specialists
    • therapists (physical, psychiatric, speech, etc.)
    • chiropractors
    • assisted living facilities, nursing homes, hospice, home health providers
    • urgent care providers
    • etc ...
  • These features are irrelevant in determining if you must obey HIPAA:
    • Size of the practice does not matter
    • Size of the workforce does not matter
    • location of the provided service does not matter (except that it must be in the USA)
    • type of payment does not matter (health insurance, out of pocket, etc)
    • etc ...
  • These types of clinics/businesses are not required to obey HIPAA:
    • acupuncture
    • alternative medicinal practices
    • gyms, yoga studios, etc
    • veterinarians
    • etc ...
  • { ..other inclusive/exclusive reasons.. }

Laughing about the veterinarian bit? There are several veterinarian websites that include a HIPAA Notice of Privacy Practices (NPP). HIPAA explanations are so confusing that even some veterinarians are claiming to obey HIPAA. Or maybe this is a new marketing gimmick for vets in a competitive market: "We give your labradoodle the same HIPAA rights as people!"

For the record, veterinarians DO NOT have to obey HIPAA and dogs have no HIPAA rights guaranteed by Congress.

Update: The CMS document "Are You a Covered Entity?" is a little better but, in my opinion, still too hard. It also highlights another problem - the explanations are spread out across too many government websites. That link is from CMS, yet most authoritative HIPAA documents are on the HHS or NIST websites. Is Kim supposed to know to go to all of these different websites? Is she expected to know the hierarchical structure of the various government agencies? There are at least six different government websites with HIPAA explanations.

Terms & Acronyms:
  • HHS or DHHS: Department of Health & Human Services
  • "the Secretary under HIPAA" is the Secretary of HHS - reports to the US President and manages the largest budget in the federal government
  • CMS: Centers for Medicare & Medicaid Services - is part of HHS
  • PHI: Protected Health Information
  • NPP: Notice of Privacy Practices