The Department of Health & Human Services says HIPAA standards apply only to:
Health care providers who transmit any health information electronically in connection with certain transactions.
Health care providers that meet this standard are said to be a HIPAA Covered Entity.
We wonder if the expectations of the healthcare marketplace have moved beyond the notion of a Covered Entity. If you are in healthcare, do patients expect you to behave like a Covered Entity?
Try to imagine this encounter between a patient and the receptionist in a small clinic:
Patient: Hi, I would like a copy of my medical records.
Receptionist: I'm sorry but we don't provide copies of medical records.
Patient: But I heard it is my right under HIPAA to get a copy of my medical records.
Receptionist: This clinic is not a 'Covered Entity' under HIPAA so legally we do not have to give you a copy of your medical record.
Patient: What is a Covered Entity?!? I just want a copy of my medical records...
Is it becoming irrelevant to even ask if a clinic is a HIPAA Covered Entity? Patients expect all healthcare providers to respect Patient Rights and protect Patient Privacy. Beyond the letter of the law, the healthcare marketplace now assumes the HIPAA policies as a baseline - or is rapidly moving in that direction.
Although HIPAA also applies to insurance companies and medical researchers, the focus of this book is just on small health care providers - small clinics with fewer than 50 employees.
This book takes the perspective of the small clinic. By small clinic we mean a couple of clinicians and some administrative support staff, usually fewer than 50 employees in total. There is nothing magic about the number 50. If you have 52 employees, this book is still good for you.
While we think that the healthcare industry is suggesting that all clinics should respect Patient Rights and protect Patient Privacy, legally, these types of small clinics *may* need to comply with HIPAA:
Offices of Physicians (except Mental Health Specialists)
Offices of Physicians, Mental Health Specialists
Freestanding Ambulatory Surgical and Emergency Centers
Offices of Dentists
Offices of Optometrists
Offices of Podiatrists
Offices of Chiropractors
Offices of Physical, Occupational and Speech Therapists, and Audiologists
Offices of All Other Miscellaneous Health Practitioners
source: US Census Bureau: North American Industry Classification System (NAICS)
We suggest that you not get too caught up in whether you are an old-school clinic or a new-school clinic, whether you are a covered entity or not a covered entity. The healthcare industry has moved beyond the politicians and now assumes that all clinics comply with HIPAA. The rebel image may work for the Dukes of Hazzard, but younger patients and clinicians are unlikely to want to work with a non-HIPAA-compliant clinic. This book helps you get with the program.
A short story of how this book came to be:
Dr. Andrew Lyons has a small clinic that makes home visits to patients in New York City. Dr. Lyons asked Norby, his college roommate, to create a website for his small clinic. While building the website for Dr. Lyons, Norby saw, firsthand, the HIPAA challenges faced by small clinics.
By coincidence, Norby was having lunch with his friend Kristen Ahearn and told her about the HIPAA challenges in the small clinic. Norby knew that Kristen was a lawyer but didn't really know what she did at the hospital. Kristen explained that she is the Privacy Officer for Memorial Sloan Kettering Cancer Center, a large medical center in NYC, and it is her job to implement HIPAA policies. Over the next year, Kristen patiently explained HIPAA to Norby.
The authors discovered that there were a few problems. First, there is not much easy-to-understand HIPAA information. Second, once you do finally understand HIPAA, it is hard to know what to do about it. Third, there is not much information written specifically for a small clinic. So the doctor, the lawyer and the nerd decided to write an easy-to-understand book just for small clinics.