Department of Health and Human Services
Centers for Medicare & Medicaid Services
7500 Security Boulevard
Baltimore, Maryland 21244-1850
DATE: June 23, 2003
SUBJECT: Are Small Providers Covered Entities under HIPAA?
As a health care provider, you have probably heard about HIPAA - the Health Insurance Portability and Accountability Act of 1996. HIPAA mandates new standards and procedures that promote standardization and efficiency in the health care industry. Today's health care industry relies more and more on advances in technology to help administer health care. Doctors, hospitals, clearinghouses, and health care vendors, such as billing services and software companies, use computers to conduct many of their health care transactions.
Congress passed HIPAA in response to the health care industry's increasing reliance on electronic transmission of health care data. The law will help streamline the administration of health care by requiring basic standards for conducting several transactions in electronic form, including processing claims and payments. It also governs disclosure of electronic patient protected health information and provides the minimum safeguards required to ensure the security of electronic health care information.
This document responds to many questions we have received from small providers - especially, those small providers who currently do not conduct any of their health care transactions electronically. If you are a provider that conducts office operations manually, there are two important questions you should ask in order to determine if HIPAA applies to you.
1. Does your office conduct all of the following transactions on paper, by phone, or by FAX (from a dedicated fax machine, as opposed to faxing from a computer)?
- Submitting claims or managed care encounter information
- Checking claim status inquiry and response
- Checking eligibility and receiving a response
- Checking referral certifications and authorizations
- Enrolling and disenrolling in a health plan
- Receiving health care payments and remittance advice
- Providing coordination of benefits
If your office does not conduct any of the above standard transactions electronically and you do not have someone else conduct them electronically on your behalf - such as a clearinghouse or billing service, you are not a covered entity and HIPAA does not apply to you.
If you conduct any of these transactions electronically, you are a covered entity and you must comply with all HIPAA requirements, regardless of the size of your practice.
2. Do you bill Medicare and are you a small provider with fewer than 10 full-time equivalent employees?
Effective October 16, 2003, Medicare may not pay claims submitted on paper, with certain exceptions. One of the major exceptions is for claims submitted by "a small provider of services or supplier." The term "small provider of services or supplier" is defined to mean:
- a provider of services with fewer than 25 full-time equivalent employees, and
- a physician, practitioner, facility, or supplier (other than provider of services) with fewer than 10 full-time equivalent employees.
The term "provider of services" is defined for Medicare by § 1861(u) of the Social Security Act to include seven specific types of institutional or special purpose providers. This term generally describes hospitals, nursing facilities and other institutional providers that are paid through Medicare fiscal intermediaries. The terms found in the phrase "physician, practitioner, facility or supplier" are used to describe entities that furnish Medicare services described in § 1861(s) of the Act, and are generally paid through Medicare carriers.
If you do not meet the small provider exception, you will be required to submit your Medicare claims electronically effective October 16, 2003. Once you begin submitting your claims electronically to Medicare, your answer to question 1 above would be "no", and you would become a covered entity under HIPAA.
If you have additional questions about HIPAA, you may call our CMS hotline at 866-282-0659 or you may email us at firstname.lastname@example.org.
I hope this letter helps clarify some important issues regarding HIPAA and the small health care provider. At CMS we are committed to serving the entire provider community and encourage you to contact us if you have questions about HIPAA and its effect on your practice.