Health Insurance Portability and Accountability Act

Does HIPAA apply to your DPC practice?  If you are a hybrid then the answer is likely yes, but if you are a "pure" practice then you can attempt to build an argument that the answer could be no. For the original HIPAA language one should look to 45 CFR Parts 160 & 164.

Electronically billing an insurance company is one of many actions that can make a physician a "covered entity."  See this detailed explanation from HHS.  If the DPC physician electronically transmits health information in connection with one or more standard transactions (e.g., a health claim sent to an individual or group health plan or any other federal and/or state (e.g., Medicare, Medicaid) public health care program) then the physician is a covered entity. Standard transactions usually involve an insurance inquiry, transaction, claim, or authorization for payment. Isolated electronic prescribing is not a standard transaction, but if that same electronic prescribing software were used to handle a prior authorization with an insurer then this could trigger covered entity status. By avoiding the electronic transmission of PHI the physician can build an argument that the practice is not a "covered entity" and HIPAA covered entity limitations would not apply.  Remember that even if your practice were not a “covered entity” it could still be considered a “business associate” simply by its interactions with other health care entities (pharmacies, labs, etc).

Charging a patient’s bank account or credit card electronically is not a problem - this falls under a well-established “conduit” exception. Here is a helpful free HIPAA toolbox from the National Association of Free and Charitable Clinics.  There are no current national standards (from HHS) for electronic prescribing, so merely using electronic prescribing does not lead to covered entity status.

Remember that 42 CFR Part 2 (Drug and Alcohol Abuse Law) (also see this discussion) applies broadly to any group that is "federally assisted."  This offers a broader and different kind of protection to substance abuse records that is totally independent of the HIPAA system.  

While there is disagreement in the legal community, some believe that the "Final Rule" update indicates that HIPAA now applies to your practice merely by the act of "storing" "protected health information" in any electronic format - such as making a photocopy.  Our website had previously highlighted this erroneous interpretation, but it is no longer one that we endorse (thanks to the wise advice of Andy Schlafly and Stacey Tovino).  This link also discusses some of the differences between "covered entities and business associates."  According to Professor Tovino, "A physician that provides health care to a patient is not a business associate of any other physician or any other covered entity. To be a business associate, you need to be providing certain enumerated services to or on behalf of a covered entity.  A DPC provider is providing services to or on behalf of the patient, even if at the request of another covered physician, covered hospital, etc.  If a DPC provider wears two hats, one of which is a provider hat and one of which is a billing hat, and provides billing services to other covered physicians, then, yes, the DPC provider in the second instance is a business associate of the physicians s/he provides billing services to."

If you come to the conclusion that HIPAA applies to your practice (or you simply want to take the wiser and more cautious approach), you will need many documents, including but not limited to:

1) HIPAA Risk Assessment (updated annually - this link includes an online assessment tool).  When updating your risk assessment it is always wise to learn from the mistakes of others by reviewing these Resolution Agreements with HHS.
2) HIPAA forms for patients (Notice of Privacy Practices, Consent Form, Authorization Form, etc.) A covered entity must make its notice available to any person who asks for it.  A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits. 
3) HIPAA Compliance evidence (appropriate safeguards, employee education, consider privacy and security rules, etc.)
4) Business Associate Agreements
5) Ability to provide an "Accounting of Disclosures"

You should establish a hierarchy of communication options with your patients by highlighting the most secure methods of communication and suggesting that these methods be used first. You might highlight your EMR’s patient portal, a secured texting application, your secure email (noting that the patient’s personal email might not be secure), a phone call, a fax message, and other secure options. You might point out that you are also available to your patients via less secure and unsecured options. You can still provide them with your cell and respond to SMS (unsecured) text messages, but patients need to understand that this is a less secure setting. Patients likely understand that Twitter and Facebook are not secure, so you would likely want to quickly steer any clinical messages out of these platforms should patients try to take that route.

Unlike some of the other legal areas discussed on our site, there are many reliable sources for expert legal information about HIPAA. HHS lists free training resources here. Medscape has an excellent set of educational and compliance resources.  Given the wide availability of these resources, and that HIPAA burdens land on all medical practice types, we would advise that you consider these excellent resources, and we will not reinvent the wheel here.  The folks at Cooley have prepared a nice overview of many HIPAA Privacy and Security Enforcement Actions.  The American Health Care Association has an example HIPAA Policy and Procedure Manual.  

Under the Privacy Rule your practice will be required to provide patients with an accounting of all "Non-Routine" Disclosures of PHI made for up to six (6) years prior to the date of the patient's request.  Employees must document all "Non-Routine" disclosures of PHI in the PHI Non-Routine Disclosure Log.  A patient has the right to request a copy of an accounting of any and all disclosures of his PHI which are considered "Non-Routine."   Records should be kept for six years (or more depending upon your state law requirements) and rules regarding the ownership of the records vary by state (as discussed by this JUCM article and this comparative overview).

As a DPC practice, you can use HIPAA to your competitive advantage as well.  Since you are receiving payments directly from the patient (rather than from the insurance company) this provides you with the option to offer the patient a higher level of privacy that is not available in standard practices.  Note that there are not many private causes of action under HIPAA and claims are typically filed through the Office for Civil Rights.

If you decide that you are interested in aggregating and publishing your data then you should "de-identify" any PHI.  

Excellent lectures about HIPAA issues are routinely provided by many individuals.  We are familiar with two that are known to be especially knowledgeable: Stacey Tovino, JD, PhD and Karen Zaner, JD.  Karen Zaner authored an excellent overview here discussing HIPAA causes of action.  Professor Tovino regularly teaches courses about HIPAA and numerous other aspects of health law, and has a HIPAA book scheduled for publication in 2016 (The HIPAA Privacy Rule: Theory, Practice, and Policy by Carolina Academic Press).  Karen Zaner has authored an excellent "Physician's Guide to HIPAA Compliance."  Given that these excellent resources are already available, we will avoid any additional discussion here beyond providing these references.  Those considering opportunities in correctional medicine should note that HIPAA is applied a little differently in the correctional setting; this issue paper from Ms. Goldstein and this explanation from Mr. Bednar are helpful resources.