Sample Fax & E-Mail Confidentiality Notice

The information contained in this facsimile [a.k.a. fax or e-mail] message is private and confidential. It may contain Protected Health Information deemed confidential by HIPAA regulations. It is intended only for the use of the individual named above, and the privileges are not waived by virtue of this information having been sent by facsimile [e-mail]. Any use, dissemination, distribution or copying of this, the information contained in this communication, is strictly prohibited by anyone except the named individual or that person’s agent. If you have received this facsimile [e-mail] in error, please notify us by telephone and immediately destroy this fax [purge this e-mail].







Living the Law
An Update on HIPAA

By Cherie Sohnen-Moe


In 1996 the Health Insurance Portability and Accountability Act, or HIPAA, was passed and healthcare providers (and other agents) were mandated to have it in place by April 2003. HIPAA has three major purposes: 1) To protect and enhance the rights of consumers by providing them access to their health information and controlling the inappropriate use of that information; 2) To improve the quality of healthcare in the United States by restoring trust in the healthcare system among consumers, healthcare professionals and the multitude of organizations and individuals committed to the delivery of care; and 3) To improve the efficiency and effectiveness of healthcare delivery by creating a national framework for health privacy protection that builds on efforts by states, health systems, individual organizations and individuals.

The Four Facets to HIPAA
The four parts to HIPAA’s “Administrative Simplification” are:

1. Electronic Health Transactions Standards: If billing insurance, practitioners are required to use the Standard Code Sets of the International Classification of Disease (ICD-9) codes and the Current Procedural Terminology (CPT) codes.

2. Unique Identifiers for Providers, Employers, Health Plans and Clients: Each practitioner who transmits claims electronically is assigned a National Provider Identifier (NPI).

3. Security of Health Information and Electronic Signature Standards: All practitioners must provide uniform levels of protection of all health information that is housed or transmitted electronically. This includes your computer, along with any faxes and e-mail messages sent. An electronic signature is required for all HIPAA transactions. (The final regulations are being completed as of this writing.)

4. Privacy and Confidentiality: This limits the non-consensual use and release of private health information; gives clients new rights to access their medical records and to know who else has accessed them; restricts disclosure of most health information to the minimum needed for the intended purpose; institutes criminal and civil sanctions for improper use or disclosure; and establishes new requirements for access to records by researchers and others.

Who is a Covered Entity?
Unfortunately, the answer is not straightforward. In the Atlanta Business Chronicle (Dec. 2, 2002), journalist Julie Bryant writes, “What was to be a simple federal rule, designed to lift the healthcare industry out of antiquated paper-based systems and into the bright, organized world of high-speed technology, has instead spawned hysteria, predatory opportunists and outright befuddlement.”

Many companies are charging hundreds (and even thousands) of dollars to provide practitioners with training, guidelines and forms to ensure HIPAA compliance. Some of these may even be worth it. Caution is advised before investing in these programs, particularly since it’s still not clear exactly what is required of massage practitioners.

The current emphasis of HIPAA compliance centers on electronic transmission of clients’ Protected Health Information (PHI). When you go to the HIPAA site (See HIPAA References on sidebar) and fill out the questionnaire to determine if you are a covered entity, most massage practitioners (unless they are billing insurance) will find that indeed they are not required to be HIPAA compliant. Unfortunately, this is misleading because the privacy considerations remain. According to Marilyn Allen of the American Acupuncture Council, “The privacy of every client’s PHI is mandatory. When you maintain client records, gather information from a client, engage in oral communication or transmit records (whether electronic or not), you are considered a covered entity.”

I suggest following the HIPAA guidelines: They actually make good business sense and are fairly easy to implement. Consumers are now accustomed to getting privacy policy statements from other healthcare providers as well as from a myriad of other businesses such as insurance carriers and credit card companies. Your clients might find it disconcerting if you don’t follow suit.

Note that even if you do not need to be HIPAA compliant for your own practice, you still need to be compliant if you work with other covered entities. The term for this is a “chain of trust.” If you are a business associate, you must meet the same requirements for privacy and security as if you were a covered entity. According to the HIPAA regulations, a business associate is defined as: Persons, companies or entities hired by the practitioner to perform duties which require access, the use of, or disclosure of a client’s PHI. Thus, if a primary care provider refers a client to you or you send a client’s progress report to her doctor, then you are considered a business associate. There is a form that business associates must sign. If you are currently working with other providers and haven’t received one of these forms, you will soon. Also, be aware that your state regulations might be more stringent than the federal requirements.

Keep in mind that within the next few years all insurance companies will require that insurance forms be submitted electronically. So for those of you who bill insurance manually and avoid being a HIPAA covered entity, be aware that it’s just a matter of time before you will need to be compliant.

Some of the confusion about client privacy has led to unnecessary changes. Paige Joyner of Compliance+ LLC says, “Doctors’ offices have gone so far as to purchase restaurant-style beepers, handing them out to patients for fear that calling names out in a crowded waiting room might violate HIPAA privacy regulations.”

Myths abound regarding client paperwork such as sign-in sheets and files. You can still have client sign-in sheets as long as they don’t disclose any PHI. You can put clients’ charts on the treatment room doors as long as the clients’ names aren’t visible and unauthorized people don’t have access to the charts. For instance, if people must walk past a treatment room on the way to the bathroom, then it might not be wise to put a chart on that treatment room door.

One of the more recent myths I encountered was that your client database is no longer an asset that may be sold for any reason. This would make it extremely difficult to sell a practice. Carrie Allen, a business broker from Kiernan and Associates, Inc. in Tucson, Ariz., clarified that the concern with the database and records will not affect the sale of a practice very much: “According to the American Medical Association guidelines, patients have the right to know if the doctor is leaving or the practice is moving, but do not have to be notified until it happens, after the close. At that point the patients have to be notified that their records will be staying with the new doctor.” Thus, if you act in good faith to provide a qualified guardian of the records (and hopefully the care of the clients as well), then legally, the records stay with the practice. Of course the clients could request their records after they have been notified. This standard should apply equally to massage practitioners.

Hopefully, by now the majority of the myths have been debunked, although as witnessed by the examples above, I’m sure more will proliferate. Visit the websites listed in HIPAA References on sidebar for more common myths, as well as the HIPAA regulation guidelines.

Cherie Sohnen-Moe has been an author, business coach, international workshop leader and business owner since 1978. Before shifting her focus to education and coaching, she was in private practice for many years as a massage practitioner and holistic health educator. She is the author of Business Mastery and co-author of The Ethics of Touch. If you would like any of the sample forms in this article, visit www.sohnen-moe.com/forms.html.

Steps To Implement Now
If you work with insurance reimbursement, then it's wise to immediately follow the HIPAA compliance guidelines, and if you are a covered entity, compliance is mandatory. Regardless of insurance issues, it's vital that you take appropriate measures to ensure client privacy, confidentiality and security. More clarity will emerge as the rest of the HIPAA guidelines go into effect over the next couple of years.

Here are some steps to integrate into your practice now:

• Designate someone in your office (or hire an outside party) as a privacy officer. This person is responsible for creating a process to handle PHI. If you work alone, you are the privacy officer.
• Train office staff on how to handle PHI, including under what circumstances PHI may be disclosed.
• Use consent/authorization documents that clients sign.
• Do not discuss any medical information with any third parties unless written consent and/or authorization has been obtained. [*See Release of Information Authorization form]
• Be careful when discussing a client's PHI with office staff; disseminate it on a need-to-know basis.
• Assign both user IDs and passwords to anyone with access to electronic information (e.g., computer billing software, voice dictation programs).
• Contact your practice management software company and make sure the version you are using is HIPAA compliant.
• Use passwords and security programs to protect and maintain computer files and personal digital assistant (PDA) files.
• For e-mail, obtain written consent from the client and use encryption software. Use electronic signatures to authenticate who sent the e-mail.
• Use auditing software to monitor who sent what and when.
• Develop a policy and procedure manual that delineates how you will handle all aspects of HIPAA compliance. Also designate your policy for the destruction or retention of medical records that include e-mail communications.
• Design a client information sheet that explains the following: How you use clients' information; the storage method for client files; the circumstances under which you may disclose client information; and the procedure for clients to see or obtain copies of their files. [*See sample Privacy Policies Notice.]
• Store all client files in a locked room or in a locked cabinet. Only allow authorized employees access to these files.
• Do not leave files in an area that is accessible by clients or unauthorized staff.
• Keep appointment books from view of anyone except those directly dealing with client care.
• Get authorization from clients about marketing (including greeting cards, fliers and newsletters).
• Present each client with a "Notice of Privacy Policies" form. [*See sample Privacy Policies Notice.]
• New clients must sign a separate form indicating that they have received the Notice of Privacy Policies. [*See Client Consent form.]
• Each client must sign a form giving consent for treatment, payment and healthcare operations. [*See Client Consent form.]
• When applicable, have clients sign an authorization for any and all releases of PHI. [*See Release of Information Authorization.]
• Put confidentiality notices on all faxes and e-mails. [*See the Fax & E-mail Confidentiality Notice on sidebar.]

HIPAA References
• American Health Information Management Association provides tools, resources and other HIPAA links. www.ahima.org
• Centers for Medicare & Medicaid Services have a checklist for dealing with HIPAA at www.hipaa.org
• The Covered Entity Decision Tool walks you through the process so you can decide if you are a healthcare provider covered under HIPAA. www.cms.hhs.gov/hipaa/hipaa2/support/tools/decisionsupport/default.asp
• Get your assigned National Provider Identifier: www.aspe.hhs.gov/adminsimp/faqnpi.htm
• HIPAA Hotline 886/282-0659; 866/627-7748
• Health Privacy Project lists myths, facts and current legislative information about HIPAA. This site also provides links to help you determine if your state has greater privacy protection laws than those mandated by HIPAA. www.healthprivacy.org
• McGraw-Hill online healthcare informatics has articles and extensive links. www.healthcare-informatics.com/ontopic/hipaa/hcionhipaa.htm
• Phoenix Health Systems HIPAA advisory page provides links, FAQs and a free e-mail newsletter (HIPAAlert) with archive availability on HIPAA information. www.hipaadvisory.com
• Physicians Practice has articles, FAQs and free forms.
• U.S. Department of Health & Human Services Office for Civil Rights www.hhs.gov/ocr; Centers for Medicare & Medicaid Services FAQ on HIPAA http://questions.cms.hhs.gov
• U.S. Department of Health and Human Services (includes actual document and great links) www.hhs.gov/ocr/hipa; 800/368-1019
2003 Associated Bodywork & Massage Professionals. All rights reserved. No portion of this website may be reproduced, stored in a retrieval system, or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission from ABMP.