In 1996, Congress passed the Health Insurance Portability and Accountability Act, commonly referred to as HIPAA, detailing new regulations for protecting the confidentiality of patient healthcare information. These regulations significantly impact how Critical Care Specialty Billing conducts billing operations for our clients' organizations, requiring both CCSB and our clients to carefully examine how each of us manages healthcare information and patient records. In short, HIPAA requires us to:
Protect the confidentiality of patient healthcare information. The “protected health information” (PHI) of patients must be identified and remain confidential from the point it is recorded by a client, transferred to CCSB for billing purposes, used by CCSB to file insurance claims or mail invoices, and stored by CCSB and/or a client for record keeping purposes.
Not disclose PHI unless permitted to do so. CCSB and our clients can only use PHI and related healthcare information for the purposes of filing insurance claims, mailing invoices and conducting legitimate business operations related to financial transactions, record keeping and the administration of an EMS system or M.D. practice. All other uses of PHI must be approved by the patient prior to the release of such information.
Report disclosures of PHI, if they occur. CCSB and our clients must report inadvertent or purposeful disclosures of PHI to the patient, if they occur. Such disclosures may involve civil or criminal penalties.
Provide accountability for PHI practices. Both CCSB and our clients must provide accountability for business practices, record keeping and information management related to the use or storage of PHI to the Federal Department of Health and Human Services (HHS), if requested.
To meet these requirements, CCSB and our clients must enter into a “Business Associate Agreement,” outlining the responsibilities of each organization with respect to HIPAA. This agreement defines the role of each organization:
Our clients retain responsibility for managing patient records. Because our clients are considered “healthcare organizations,” they retain responsibility for the management of patient records and the protection of PHI. This includes “notification of privacy practices” (NPP) to patients, obtaining an “acknowledgement of receipt” of NPP signed by patients when practical, maintaining the original patient record in a secure storage facility and meeting the procedural requirements of HIPAA with regard to patient inquiries concerning PHI.
CCSB and our clients share responsibility for secure patient record transfer. Our clients provide CCSB with copies of patient care reports (PCRs) in paper or electronic format to be used for billing purposes. Both organizations share responsibility in developing a secure method for transferring such information. CCSB shall recommend a HIPAA-compliant transfer method for both paper and electronic PCRs as part of each client’s billing contract.
CCSB becomes responsible for PHI management related to billing functions. After receiving PCR information, CCSB files insurance claims and mails invoices. Our firm assumes responsibility for the management of PHI during billing operations and provides accountability to the client for our business practices. CCSB will release PHI only for the purpose of treatment, payment or other circumstances required by HIPAA regulations. PHI is shared only with authorized CCSB employees, patient representatives and third-party organizations involved in securing payment for our clients’ services. CCSB does not disclose PHI unless authorized by the patient or the client, or directed by legal authority.
More information concerning HIPAA can be found at the Department of Health and Human Services Office for Civil Rights web page.