Red Flag Rules
HIPAA on CCA Web Site Links
Part 1 Electronic Records
Part 2 Medical Records Privacy
Part 3 Security
HIPAA resources

ASSISTANCE with the Red Flag Rules EFFECTIVE 6-1-2010 (note that NEW compliance date is June 1, 2010 - 4th extension):

Basic information and explanation (includes info on on-line seminar): http://www.coloradochiropractic.org/headlines/files/RedFlagsRule5_09infoandseminar.pdf

Info brochure from the FTC:

DETAILED FTC information (see pages 63773-63774 for program development) :

SAMPLE program from the Wisconsin Chiropractic Association:

Purchase a Manual for only $79

FREE HIPAA Training available through 3DGrid 
www.3dgrid.com or 866-334-7431
Link to Latest and Final HIPAA Enforcement and Fines 2-16-06

(courtesy of NACA - National Association of Chiropractic Attorneys)

This Final Rule (45 pages) adopts the complete regulatory structure for implementing the civil money penalty authority of the Administrative Simplification part of HIPAA (SSA, section 1176), completing the structure begun when the Privacy Rule was issued in 2000 and expanded by the interim final procedural enforcement rules issued in 2003. The Final Rule covers the enforcement process from its beginning, which will usually be a complaint or a compliance review, through its conclusion. A complaint or compliance review may result in informal resolution, a finding of no violation, or a finding of a violation. If a finding of a violation is made, a civil money penalty will be sought for the violation, which can be challenged by the covered entity through a formal hearing and appellate review process.

These rules apply to covered entities who violate any of the rules implementing the Administrative Simplification provisions of HIPAA.
You may register for a HIPAA regulations list serve by visiting:  http://aspe.hhs.gov/admnsimp/lsnotify.htm

HIPAA ON CCA WEB Updated August 6, 2003

HIPAA, the Health Insurance Portability and Accountability Act of 1996, is a federal law which sets guidelines for health care providers (and others) for electronic transactions AND protecting patient privacy and security.  It includes electronic transmission of claims and medical records privacy.  The CCA apologizes for any confusion regarding HIPAA guidelines.  We have used several sources for information; this information has been inconsistent and confusing.  This current information is the best we have at this time.  There are no simple answers or solutions to HIPAA.  There are many detailed definitions and exceptions.  We suggest that you consult with your legal counsel about the impact of the requirements to your practice.

NOTE: There is a possibility that insurance companies and managed care organizations could require (with only a 30 day notice) contracted health care providers to comply with the electronic (part one) and privacy (part two) requirements of HIPAA, even if the health care provider is NOT doing electronic transactions.

Part ONE
Electronic Transactions: National electronic standards were developed to improve effectiveness of the health care system.  The definition of Electronic Data Interchange is “the exchange of computer-processable data in a standardized format between two entities.”  Electronic transactions are defined as anything transmitted via the Internet, extranet, leased line, dial-up line, private network, transactions sent via magnetic tape, disk –  including FAX.  If your office does not do electronic transactions but your business associate does (clearinghouse/billing service) you must comply with HIPAA electronic requirements. 

Electronic Transactions covered by HIPAA include:

  • Enrollment in or disenrollment in a health plan.
  • Eligibility for a plan or benefits.
  • Health care claims and encounters.
  • Health care payments and remittance advice.
  • Health care claim status.
  • Referrals, authorizations and pre-certifications.
  • If your practice uses a billing service, and they do electronic billing for you, you must comply with HIPAA.
  • Coordination of benefits.
  • FAX generated by computer.
  • If you conduct ONE electronic transaction, you must comply with HIPAA guidelines.
  • You must comply with the electronic transaction standards by October 15, 2002. The compliance deadline for electronic transactions was extended – BUT YOU MUST have SUBMITTED A PLAN BY OCTOBER 15, 2002, STATING HOW COMPLIANCE WILL BE ACHIEVED to receive the extension to October 15, 2003.  (Remember, the HIPAA definitions for electronic transactions are very broad.)  If you did not submit or mail your extension form by the deadline - you are not in compliance and may be subject to fines and/or you may get dropped from Medicare.  Call the HIPAA Hotline at (866) 282-0659 if you did not file an extension form.

Part TWO
Medical Records Privacy: Effective April 14, 2003
HIPAA has established standards for privacy of individual health information. The privacy rule creates national standards to protect individuals’ medical records and other personal health information. Although there may be RARE exceptions, the CCA recommends that ALL DOCTORS comply with these rules. Keep in mind that as these guidelines are adopted by other health care professionals, patients will expect the same from you and your clinic's staff.

This section includes:

  • Education of employees about “patient health information.”
  • Provide information to patients about their privacy rights.
  • Establish office procedures.
  • Secure patient records from others.
  • Designate an individual responsible for privacy procedures for your practice.
  • Patients must have access to their files.
  • Patients must be informed of their privacy rights and how their information can be used.
  • Employees must be trained regarding privacy procedures.
  • Patient information must be secure so that only employees needing this information will have access to this information.
  • Patients may request changes to their records.
  • Patients may request restrictions on disclosures.
  • All doctors should review what patient health information (PHI) they collect, who has access to it, what security they have now to deny others access to the PHI, and what security is required under HIPAA. They should then develop a compliance plan describing how they will comply with the HIPAA security rules, implement those changes, develop a privacy notice, get authorization (if required) from a patient for use of PHI, and develop and enter into business associate agreements with any entity they deal with that receives PHI from them.

Part THREE
Security Standards: The final HIPAA security rule was released on 2-13-03. The 289-page rule works hand-in-hand with the HIPAA privacy rule. While the privacy rule sets standards for how protected health information can be used, when it can be disclosed, and what rights patients have regarding their information, the security standards "define administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information." To read the security rule, visit the CMS web site.

REMEMBER to use common sense when dealing with patient information. Use at least the "minimum necessary standards" to ensure files, records, and information are secure.

DOCUMENT - DOCUMENT - DOCUMENT: The CCA suggests that you keep a log in each patient's file of where, when, and to whom records are released. In addition, keep a log of the dates and types of all staff training completed AND of all efforts you've made to comply with HIPAA rules.

Below is privacy standard information verified with Jeff Selmandow (303-844-7841) in the Denver Office of Civil Rights (local branch of a FEDERAL office):

SIGN-IN SHEETS: It was NOT the intention of HIPAA privacy standards to include office sign-in sheets. Names may be listed and announced in the office; HOWEVER, you should take reasonable care in protecting privacy on your sign-in sheets (for example: DO NOT have the patient list "complaint" or "illness" on the sign-in sheet).

PRIVATE ROOMS: It is NOT necessary to retrofit your office for "private" rooms. Again, you should take reasonable care in protecting patient privacy by having a private area to discuss diagnosis and treatment with the patient; however, treatment rooms may have curtains or short walls. Discuss personal information where other people cannot hear.

RECORDS: Other patients/people SHOULD NOT have access to patient files. Example: DO NOT leave patient files out on a counter or desk where other patients may have access to them.

REFERRAL BOARDS: You should have approval from the patient to place his/her name on a referral board in your office.

More information will be available in the future and another CCA HIPAA Seminar will be provided in early 2003. Check our Upcoming Events page for classes. Call the Office for Civil Rights for more on privacy standards at (866) 627-7748.

HIPAA information from Health & Human Services

Click on Technical Assistance. Click on mailbox for questions regarding Privacy Rule

More on Electronic Transactions

HIPAA information from Medicare

Frequently Asked Questions on Electronic Transactions

Implementation Guidelines by Washington Press

HIPAA Training

Web sites on Medical Records Privacy
“FINAL” Privacy Regulations
FAQ on Privacy Regulations
HHS Office of Civil Rights web site
Security Standards final rule 2-13-03

8751 East Hampden Avenue #B-7 | Denver, Colorado 80231-4929
Phone: 303-755-9011 or 800-829-0339 | Fax: 303-755-1010
E-Mail: cca@coloradochiropractic.org

Colorado Chiropractic Association
The Voice of Colorado chiropractic since 1917