Health Insurance Portability and Accountability Act
Does HIPAA apply to your DPC practice? If you are a hybrid then the answer is likely yes, but if you are a "pure" practice then the answer might be no. For the original HIPAA language one should look to 45 CFR Parts 160 & 164.
Electronically billing an insurance company is one of many actions that can make a physician a "covered entity." See this detailed explanation from HHS. Unless the DPC physician electronically transmits health information in connection with one or more standard transactions (e.g., a health claim sent to an individual or group health plan or any other federal and/or state (e.g., Medicare, Medicaid) public health care program) then the physician does not need to fear the dreaded "covered entity" label and HIPAA does not apply.
Remember that 42 CFR Part 2 (Drug and Alcohol Abuse Law) (also see this discussion) applies broadly to any group that is "federally assisted." This offers a broader and different kind of protection to substance abuse records that is totally independent of the HIPAA system.
While there is disagreement in the legal community, some believe that the "Final Rule" update indicates that HIPAA now applies to your practice merely by the act of "storing" "protected health information" in any electronic format - such as making a photocopy. Our website had previously highlighted this erroneous interpretation, but it is no longer one that we endorse (thanks to the wise advice of Andy Schlafly and Stacey Tovino). Assuming you design your practice to make the argument that you are not a HIPAA covered entity, you will also need to argue that you are not a "business associate." This link also discusses "covered entities and business associates." According to Professor Tovino "A physician that provides health care to a patient is not a business associate of any other physician or any other covered entity. To be a business associate, you need to be providing certain enumerated services to or on behalf of a covered entity. A DPC provider is providing services to or on behalf of the patient, even if at the request of another covered physician, covered hospital, etc. If a DPC provider wears two hats, one of which is a provider hat and one of which is a billing hat, and provides billing services to other covered physicians, then, yes, the DPC provider in the second instance is a business associate of the physicians s/he provides billing services to."
If you come to the conclusion that HIPAA applies to your practice (or you simply want to take the wiser and more cautious approach), you will need many documents, including but not limited to:
1) HIPAA Risk Assessment (updated annually - this link includes an online assessment tool). When updating your risk assessment it is always wise to learn from the mistakes of others by reviewing these Resolution Agreements with HHS.
2) HIPAA forms for patients (Notice of Privacy Practices, Consent Form, Authorization Form, etc.) A covered entity must make its notice available to any person who asks for it. A covered entity must prominently post and make available its notice on any web site it maintains that provides information about its customer services or benefits.
3) HIPAA Compliance evidence (appropriate safeguards, employee education, consider privacy and security rules, etc.)
4) Business Associate Agreements
5) Ability to provide an "Accounting of Disclosures"
Unlike some of the other legal areas discussed on our site, there are many reliable sources for expert legal information about HIPAA. Medscape has an excellent set of educational and compliance resources. Given the wide availability of these resources, and that HIPAA burdens land on all medical practice types, we would advise that you consider these excellent resources, and we will not reinvent the wheel here. The folks at Cooley have prepared a nice overview of many HIPAA Privacy and Security Enforcement Actions.
Under the Privacy Rule your practice will be required to provide patients with an accounting of all "Non-Routine" Disclosures of PHI made for up to six (6) years prior to the date of the patient's request. Employees must document all "Non-Routine" disclosures of PHI in the PHI Non-Routine Disclosure Log. A patient has the right to request a copy of an accounting of any and all disclosures of his PHI which are considered "Non-Routine." On the next page are some common examples of disclosures which are "Non-Routine."
As a DPC practice, you can use HIPAA to your competitive advantage as well. Since you are receiving payments directly from the patient (rather than from the insurance company) this provides you with the option to offer the patient a higher level of privacy that is not available in standard practices. Note that there are not many private causes of action under HIPAA and claims are typically filed through the Office for Civil Rights.
Excellent lectures about HIPAA issues are routinely provided by many individuals. We are familiar with two that are known to be especially knowledgeable: Stacey Tovino, JD, PhD and Karen Zaner, JD. Karen Zaner authored an excellent overview here discussing HIPAA causes of action. Professor Tovino regularly teaches courses about HIPAA and numerous other aspects of health law, and has a HIPAA book scheduled for publication in 2016 (The HIPAA Privacy Rule: Theory, Practice, and Policy by Carolina Academic Press). Karen Zaner has authored an excellent "Physician's Guide to HIPAA Compliance." Given that these excellent resources are already available, we will avoid any additional discussion here beyond providing these references. Those considering opportunities in correctional medicine should note that HIPAA is applied a little differently in the correctional setting; this issue paper from Ms. Goldstein and this explanation from Mr. Bednar are helpful resources.