Updating your Notice of Privacy Practice

If your Notice of Privacy Practice (NOPP) is updated - through regulatory or office policy changes - there are several things you must do to maintain your compliance with the HIPAA regulations.

First, you must updated the last revised date on the NOPP form.  You must post the new notice in a prominent location in your office and you must include it on your website, if you have one. 

It is not necessary to have your existing patients sign new NOPP acknowledgements nor is it necessary to give existing patients a copy of the new notice.  Publishing the changes in your office and on your website is sufficient for current HIPAA regulatory compliance. 

Be sure you are providing all new patients with a copy of your Notice of Privacy Practice and that you are getting your acknowledgment signed!

HIPAA Privacy: 18 Things You Should Know

18 Elements of PHI 

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and that was created, used, or disclosed in the course of providing a health care service such as diagnosis or treatment..  The HIPAA Privacy Rule covers protected health information in any medium.

ePHI stands for Electronic Protected Health Information. It is any protected health information (PHI) which is stored, accessed, transmitted or received electronically. Protected Health Information (PHI) under HIPAA means any information that identifies an individual and relates to at least one of the following:

  • The individual’s past, present or future physical or mental health.
  • The provision of health care to the individual.
  • The past, present or future payment for health care.

There are 18 identified elements of protected health information (PHI) covered under the HIPAA Rules. 

  • Names
  • Geographic subdivisions smaller that state (geocodes, county, city, street address, etc)
  • Dates. 
  • Telephone numbers
  • Fax numbers
  • e-Mail addresses
  • Social Security Numbers
  • Medical Record numbers
  • Health plan beneficiary numbers
  • Account numbers
  • Certificate/license numbers
  • Vehicle identifiers and serial numbers (includes license plate numbers)
  • Device identifiers and serial numbers
  • Web URL (universal resource locator)
  • IP Addresses
  • Biometric identifiers
  • Full face and comparable photographic images
  • Any other unique identifying number, characteristic, or code

Many of the items in this list are obvious – we’ve all been training to know that names, social security numbers, birthdates, etc are protected health information.  It’s number 18 that is the “catch-all”; the place where any unlisted item can that uniquely identifies a patient becomes PHI.

Is your staff trained for HIPAA Privacy and Security?  Have you trained them in the last year?  Is that training documented??  Check out our upcoming "What's new with HIPAA" training classes here.

Will your records survive the Railroad Medicare Claims Review?

It has begun. 
Railroad Medicare has stated on their website that they are targeting chiropractic claims for audit “due to the high percentage of errors” identified by CERT testing. 
Palmetto GBA, which administers the Railroad Medicare program, states that 10% of all chiropractic claims will be reviewed.  If you receive a request for records for one or more patients please use the following guidelines to submit your information:

  • Provide all documents requested on the Additional Document Request letter.  These include your daily notes (electronic or paper) for the date(s) in question, your most recent exam/re-exam and treatment plan, all outcomes assessment forms the patient filled out, radiology reports and any additional paper documentation pertaining to the date(s) in question.
  • Make a copy for Palmetto and another for your records.  This additional set will help you should your claim be denied.  It will be clear what information was provided to the reviewer.
  • You have 30 days to respond.  If you fail to respond, your claim will be denied on the 45th day.  If your response is received between day 30 and 45 – it may not be processed.
  • You will receive the results of the review in approximately 60 days. 
  • If you disagree with the decision of Palmetto Reviewers you will have 120 days from the decision date to appeal.

Do not delay in responding to this request. 

Medicare will not negotiate an extension.  

Failure to respond will result in a denial - and an increase in your error rate.  

If your claim is denied, we can help you appeal