What Is HIPAA, and How Does It Affect You? Part I

By Vivian Madison-Mahoney, LMT
May 29, 2009

I am asked frequently about the HIPAA rulings regarding electronic transactions and privacy rules. Because of this, I decided to do some research to obtain some answers to common questions I hear, especially regarding rules which might affect us as massage therapists and bodyworkers.

I wrote to the "Centers for Medicare & Medicaid Services" (CMS) to inquire as to the necessity of alternative medical providers (massage therapists included) having to comply with HIPAA Rules. Their reply is as follows, along with information on HIPAA in general.

We have received your question and will be responding as soon as we can. However, please check the "frequently asked questions" on our website, located at http://questions.cms.hhs.gov/. (Click on HIPAA from the drop-down list in "Category.") If you would like to speak with a member of the Centers for Medicare & Medicaid Services (CMS) HIPAA project staff, please call the HIPAA hotline at 1-866-282-0659. If you have a question about the HIPAA privacy regulations, please call 1-866-627-7748, the Office for Civil Rights in the Department for Health and Human Services, or send your e-mail to ocrprivacy@hhs.gov if you have privacy questions.

With the above response provided to me, I was able to gather a large amount of additional information from a variety of their websites. If you wish to obtain more information than what I have provided within this article, please connect to the websites or call the phone numbers provided herein.

Question: What Is HIPAA?

Answer: HIPAA is the acronym for the Health Insurance Portability and Accountability Act of 1996. The Centers for Medicare & Medicaid Services (CMS) is responsible for implementing various unrelated provisions of HIPAA; therefore, HIPAA may mean different things to different people.

The Health Insurance Portability and Accountability Act (HIPAA, Public Law 104-191), signed by President Clinton on August 21, 1996, aims to improve productivity of the American health care system. The law encourages development of information systems based on the exchange of standard management and financial data using Electronic Data Interchange (EDI). It also requires organizations exchanging transactions for health care to follow national implementation guidelines for EDI established for this purpose. For more information, please go to http://aspe.os.dhhs.gov/admnsimp/.

Administrative Simplification

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) require the Department of Health and Human Services to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addresses the security and privacy of health data. Adopting these standards will improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in health care.

HIPAA Rules Regarding Providers Who Do Not Submit Claims Electronically

Question: If I am a provider who does not submit any electronic transactions, do I have to comply with the HIPAA Administrative Simplification regulations, or submit an ASCA compliance plan to get an extension?

Answer: No. All of the HIPAA Administrative Simplification regulations apply to all covered entities. Health care providers who transmit health information in electronic form meet the final rule definition for a covered entity. If you do not transmit such information in electronic form, you are not a covered entity and HIPAA does not apply to you. Therefore you do not need to submit a compliance plan to request a compliance extension.

The Administrative Simplification Compliance Act (ASCA) prohibits Health & Human Services (HHS) from paying Medicare claims that are not submitted electronically after October 16, 2003, unless the Secretary grants a waiver from this requirement. It further provides that the Secretary must grant such a waiver if there is no method available for the submission of claims in electronic form, or if the entity submitting the claim is a small provider of services or supplies.

In this case, small provider of services or supplier means:

  1. A provider of services with fewer than 25 full-time equivalent employees; or
  2. A physician, practitioner, facility or supplier (other than provider of services) with fewer than 10 full-time equivalent employees.

Entities that qualify for this waiver do not need to submit a compliance plan and will be allowed to continue to file paper claims for Medicare payment. The Secretary may grant such a waiver in other circumstances. HHS will publish proposed regulations to implement this new authority.


Note: Since we, as massage therapists, do not bill for Medicare services at this time, we do not have to be concerned with any of this documentation that pertains to Medicare. However, you may work in an office that does work with Medicare; therefore, I have included this information.


Question: Are small providers exempt from HIPAA?

Answer: No. Any provider who transmits any of the designated transactions electronically is subject to the HIPAA Administrative Simplification requirements, regardless of size.

Small providers are exempt from the ASCA provision that excludes paper claims from Medicare coverage effective October 16, 2003. Small providers will be able to continue to submit paper claims.


Note: See ASCA definition of small provider or supplier in paragraphs above.


Question: Does the ASCA extension affect the compliance date for the HIPAA Privacy Standards?

Answer: No. The compliance date for the Privacy Standards is still April 14, 2003 or, for small health plans, April 14, 2004.

Question: What is the HIPAA Administrative Simplification Compliance Act (ASCA)?

Answer: In December 2001, the Administrative Simplification Compliance Act (ASCA) extended the deadline for compliance with the HIPAA Electronic Health Care Transactions and Code Sets standards (codified at 45 C.F.R. Parts 160, 162) one year, to October 16, 2003 for all covered entities, other than small health plans (whose compliance date was already October 16, 2003).

To receive an extension, covered entities must submit their ASCA compliance plans on or before October 15, 2002.

ASCA requires that a sample of the plans be provided to the National Committee on Vital and Health Statistics (NCVHS), an advisory committee to the Secretary of Health and Human Services. The NCVHS will review the sample to identify common problems that are complicating compliance activities, and will periodically publish recommendations for solving the problems.

Under the Freedom of Information Act (FOIA), information held by the federal government is available to the public on request, unless it falls within one of several exemptions. The model form is designed to avoid collection of any information that would be subject to exemption, such as confidential personal or proprietary information. If such information is submitted, both the FOIA and the ASCA require that it be redacted before the files are released either to the NCVHS or to the public.

Question: Do all covered entities automatically get an ASCA extension?

Answer: No. Covered entities must submit a compliance extension plan to the Department of Health and Human Services (HHS) before October 16, 2002 to get an extension.

Question: Where can I get a copy of the ASCA compliance form?

Answer: The form was released on March 28, 2002 and is available on our website at: www.cms.hhs.gov/hipaa/hipaa2/ASCAForm.asp. The form was published in the Federal Register on April 15, 2002.

Question: Can I file the ASCA compliance extension form electronically?

Answer: Yes, electronic filing of compliance extension plans is encouraged, although plans submitted on paper also will be accepted. To submit a form electronically, go to www.cms.hhs.gov/hipaa/hipaa2/ASCAForm.asp.