Frequently Asked Questions: HIPAA
General Rules

Q: Where can I find the HIPAA Forms? (January 2004)

A: Outside of standardized HIPAA transaction formats, there are no prescribed HIPAA forms. Every covered entity is required to develop its own set of forms, notably the Notice of Privacy Practices, Authorization forms, and Business Associate Agreements. However, for education and guidance purposes, sample HIPAA forms are available on the CMS website.

Q: Does this (HIPAA) law mean that you can change coverage and, as long as there is no lapse in coverage, pre-existing conditions MUST be covered by the next insurance company? If so -- what is the specific language that defines that? (June 2003)

A: The OMH HIPAA Website is intended to focus on providing information about the Administrative Simplification provisions of HIPAA (Title II), and not its Insurance Portability provisions (Title I). However, to obtain more information about Title I of this law, which protects health insurance coverage for workers and their families when they change or lose their jobs, please consult the DHHS Centers for Medicare and Medicaid Services web site.

Q: What forms are necessary for psychologists in private practice to be considered HIPAA compliant in New York? (June 2003)

A: You should first determine whether you meet the definition of a "covered entity" under HIPAA. To assist you in making this determination, you may wish to consult the DHHS Covered Entity Tool.

If you are a covered entity, you are required to comply with the HIPAA EDI, Privacy, and Security regulations. In a nutshell, for the purposes of the privacy regulations, this will mean that you must provide your clients with a Notice of Privacy Practices, including a required header, that tells your clients what you will do with their protected information and describes their rights related to that information. You must obtain authorizations from your patients before you can use and disclose their protected health information under certain circumstances. You must have procedures in place that will enable patients to access and amend their health information, and you must be able to provide patients with an accounting of disclosures you have made regarding their health information upon their request. You must also execute Business Associate Agreements with your business partners. You must also designate a Privacy Official and develop a privacy policy, which includes specific sanctions if the policy is violated. And, you must provide all members of your workforce with training. You should also note that you will have similar, but distinct, administrative responsibilities under the HIPAA Security regulations.

As you know, the Office of Mental Health does not license individual practitioners, and our materials and forms have not been developed with the individual practitioner in mind. In this regard, you may wish to contact the Office of Professions within the State Education Department for specific information regarding your own compliance with HIPAA. Additional information about EDI regulations can be found on eMedNY.

Q: What is HIPAA? (March 2002)

A: "HIPAA" stands for the "Health Insurance Portability and Accountability Act of 1996" and the regulations that were established as a result of that federal law. In general, these regulations create uniform standards for electronic health care transactions (EDI), establish security protections for data that is electronically stored and transmitted (Security), and set forth privacy rights for individuals regarding their personally identifiable health information (Privacy).

Q: Is OMH responsible for enforcing HIPAA? (March 2002)

A: No. HIPAA was created by federal law and regulations. The responsibility for enforcing HIPAA lies with the federal Department of Health and Human Services.

Q: Who is covered under HIPAA? (March 2002)

A: Generally speaking, you are probably a "covered entity" for purposes of HIPAA if you are: (1) a health care provider that engages in certain electronic transactions or uses/stores information electronically; (2) a health plan; or (3) a health care clearinghouse. However, it is important that you study the particular regulation at issue (EDI, Security, Privacy) to determine what requirements may apply to you, since there are subtle differences in the definitions of "covered entity" for each regulated area.

The requirements of HIPAA also extend to "business associates" of covered entities. In general, "business associates" are entities that perform a function or service on behalf of a covered entity. When a covered entity engages a "business associate" to provide a service or function required by the EDI regulations on its behalf, or which involves the use/disclosure of information that is protected under the Privacy regulations, a "business associate" agreement must be executed binding the "business associate" to act in a HIPAA-compliant manner when it performs these functions or services.

Q: When is compliance required? (March 2002)

A: It depends upon the regulation in question. Compliance is required with the EDI regulations by October 16, 2002. However, as a result of recent legislation, covered entities can request a one year extension by filing a compliance plan with the Department of Health and Human Services.

Covered entities must be in compliance with the Privacy regulations by April 14, 2003.

The Security regulations have not yet been issued as final regulations; they are still proposed regulations. Therefore, a compliance date has yet to be determined.

Q: What are the specific HIPAA regulations for mental/behavioral health programs? (March 2002)

A: If you are a behavioral/mental health program, you will probably be governed by all of the HIPAA regulations that apply to "health care providers." Broadly generalized, this means: (1) if you engage in "covered electronic transactions," you must utilize the standardized transactions set forth in the EDI regulations when exchanging data with another covered entity; (2) you can use and disclose protected health information in accordance with the privacy regulations only as approved by the individual for certain purposes; and (3) you must safeguard the confidentiality, integrity and accessibility of health information that is stored or maintained electronically, as set forth in the security regulations.

The HIPAA regulations (EDI, privacy, and security) do not make distinctions between types of providers (i.e., general health and mental health). Instead, the regulations apply to "covered entities," one type of which is a "health care provider" that participates in some sort of electronic activity (see the FAQs for each regulation for further definition on this point). "Health care" is broadly defined in 45 CFR Section 160.103 as "care, services, or supplies related to the health of an individual. Health care includes, but is not limited to, the following: (1) Preventive, diagnostic, therapeutic, rehabilitative, maintenance, or palliative care, and counseling, service, assessment or procedure with respect to the physical or mental condition, or functional status, of an individual or that affects the structure or function of the body; and (2) sale or dispensing of a drug, device, equipment, or other item in accordance with a prescription."

This means that once you have determined that you are a provider of "health care," be it general health care or behavioral health care, (and you engage in electronic transactions), you are bound by all of the requirements in the HIPAA regulations (EDI, privacy, security) that apply to "health care providers."

There is one exception to this, which is applicable only in the context of the HIPAA privacy regulations (not the HIPAA security or EDI regulations). The federal regulations governing the confidentiality of alcohol and substance abuse records (42 C.F.R. Part 2) remain "on the books" and therefore co-exist with the HIPAA privacy regulations. Where these regulations and the HIPAA privacy regulations are inconsistent, the more stringent provision will apply.