Wednesday, August 26, 2009

It’s Nice to be N.a.C.E (Not a Covered Entity)

From soon after HIPAA and its subsequent Privacy Rule took effect, I tried hard to comply in my psychiatric practice, handing out notices of my "privacy policy" to patients (who rarely, if ever, read them) and informing forensic clients and examinees of what I could only guess my duties, and their rights, might be. Who would have thought a complaint by a disgruntled forensic examinee to the Office of Civil Rights (OCR) would free me, at least for now, from the mysterious Privacy Rule?

I also understood from the beginning that the Privacy Rule might only apply to those meeting the criteria to be considered a “covered entity”. At the beginning it seemed less than clear how these criteria might be applied. Indeed it seemed at first glance that I might not meet these criteria, but my risk management advisors, arguing that the Privacy Rule would become a national standard regardless, and apparently thinking they were playing it safe, always encouraged me to assume that I was a covered entity and comply with the rule as well as I might.

Denial of Access

It seemed at first that forensic evaluations would be exempt from some of the many requirements of the Privacy Rule, one of which addresses limitation of right of access to the medical record. Indeed according to 45 CFR Subtitle A, Subchapter C, § 164.524 (a) (1) (ii):

“Except as otherwise provided in paragraph (a)(2) or (a)(3) of this section, an individual has a right of access to inspect and obtain a copy of protected health information about the individual in a designated record set, for as long as the protected health information is maintained in the designated record set, except for: …

“(ii) Information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding;... ”

It seemed to me that "civil" and "criminal" probably referred to lawsuits and trials, and that “administrative action or proceeding” might include termination of employment, disability determination, and the like. If this was true, I reasoned that the Privacy Rule might not entitle examinees to a copy of records of forensic examination.

But then a case summary or “guidance” published at the OCR Web site described a case in which the covered entity had denied access in what sounded to me like a case of “administrative action.” OCR draws attention to the “payment source” (presumably the insurance company rather than the examinee) as a critical factor. (I find no reference to payment source in the regulation.):

“Private Practice Revises Process to Provide Access to Records
Covered Entity: Private Practices
Issue: Access

“At the direction of an insurance company that had requested an independent medical exam of an individual, a private medical practice denied the individual a copy of the medical records. OCR determined that the private practice denied the individual access to records to which she was entitled by the Privacy Rule. Among other corrective actions to resolve the specific issues in the case, OCR required that the private practice revise its policies and procedures regarding access requests to reflect the individual's right of access regardless of payment source.”


Because of this interpretation of the regulation, and in spite of the fact that medical records law in my state seems to specifically exclude right of access to such records, I dutifully began to inform examinees of this apparent right to a copy of my report. I also began to inform my forensic clients that I might have to allow access even against the client’s wishes.

I even cancelled two scheduled forensic examinations when the client, an insurance company, refused to withdraw their requirement that I deny the examinee access to my report. The letter requesting the examinations included a statement I had not seen before:

“By accepting this engagement, you agree that information provided by us and your report shall not become part of or constitute a ‘designated record set’ as that term is defined in the HIPAA Privacy Rule. In addition, this information and your report shall not be subject to an individual’s rights of access or amendment under the Privacy Rule.”

Again, my risk management consultants, taking what they probably thought was the safest path, and having failed to inform me that I was N.a.C.E, advised me not to agree to that condition because it might set me up for a violation of the Privacy Rule. I cancelled the evaluations.

The Complaint

In 2008 I examined a worker at the request of the employer. The examinee requested a copy of my report at the time of the examination. I probably would have complied with this request, but my client, the examinee’s employer, asked me not to. I was caught in the middle. After the examinee threatened to file a complaint with OCR, I convinced the employer to release a copy of my report to the treating psychotherapist. That did not satisfy the examinee. Ultimately I convinced the client to release a copy of my report directly to the examinee. That did not satisfy the examinee.

I expected a visit from an FBI agent, or at least a certified letter, but instead someone identified as a representative of OCR left a message on my voice mail that a complaint had been filed. My professional liability carrier assigned (and paid for) an attorney to represent me.

My attorney, after contacting the attorney from OCR, asked me, “Do you bill electronically?” I asked her what that meant. She said she did not know. But she said that if I could answer that I do not bill electronically, OCR might not investigate further. She also confirmed my suspicions about the source of the complaint, but she said OCR had not described the allegations.

For someone who thrives on conflict, that disappointed me. I had envisioned a real investigation. I would have an opportunity to tell of my valiant efforts to do the right thing. I would show OCR the examinee's written acknowledgement of receipt of my report. (I assumed there would be an allegation that I had refused to provide it. Which was true. The employer, not I, provided it to the examinee, but only after I exerted pressure.) I would learn something about how OCR interprets and enforces the Privacy Rule. Maybe the case would even help establish legal precedent which might clarify the regulation for other forensic examiners. After all, what’s so bad about a $100 fine or a couple years in Club Fed (where I would be entitled to free medical care). Best of all: I could write about the experience.

My attorney did not agree with this approach.

My attorney asked again, “Do you bill electronically?” I said, “Tell them I don’t know, and we will see what they do.” I started a list of questions for OCR.

My attorney advised against it. “Let sleeping dogs lie,” she might have said. I might have said, “Make sleeping dogs tell the truth.”

In the end I relented: I print bills and claim forms with a computer and mail them. Apparently OCR does not consider that electronic. I fax prescriptions for controlled substances directly from my computer. I order prescriptions for non controlled substance drugs using a Web-based service. I keep patient records on three computers. I keep my office schedule on the computers and my smart phone. I take notes during patient visits and forensic evaluations on a tablet PC and dictate progress notes with voice recognition software. I dictate evaluations (free of identifying information) using audio recording software, encrypt them and ftp (upload) them to New Delhi for transcription. Sometimes I feel like my whole professional life is electronic. However, I do not communicate with my patients via email, and I do not, and perhaps never have, submit(ted) bills via the Internet. I described all this to my attorney.

My attorney wrote the attorney at OCR describing how I bill. OCR wrote back promptly. OCR did not question the veracity of my statement, did not require me to prove that I do not bill electronically, did not ask me whether I ever billed electronically, and did not ask whether I might start billing electronically tomorrow. The letter to myself and the complainant was unequivocal: [the doctor] “… does not meet the definition of a covered entity as he does not bill electronically for his services. Therefore, the requirements of the Privacy Rule do not apply to him.”

It’s official. I am Not a Covered Entity.



What does this get me? In theory at least:

  • I do not have to pass out the never-to-be-read and comprehensively hedged Notice of Privacy Policies.

  • I do not have to provide forensic examinees a copy of my report.

  • I do not have to try to get “business associates” who might see protected health information to sign a “business associates” agreement.

  • I do not have to worry about what “minimum necessary” might mean.

  • I do not have to tell anyone how to file a complaint with OCR.

I am not a covered entity. I can just try to practice ethically and comply with state medical records law, and Tarasoff, and specific authorization for sexually transmitted diseases and substance abuse records. (Did I miss any?)


How can you be N.a.C.E? (Consult an attorney and…) Do not bill electronically, and if you were thinking about starting, put those thought stopping techniques to work right now.

The attorney who handled the complaint at my local OCR answered most of my questions, apparently to the best of her ability. She explained that my status as a covered entity could change. If I start to bill electronically, I become a covered entity, and, if the examinee alluded to previously finds out that I am not N.a.C.E. and again demands access to my report, I will be obligated to provide it subject to the Privacy Rule. If I stop billing electronically, I will once more be N.a.C.E.

If you were the examinee in a forensic evaluation and you believe you were mistreated, do not lose heart. Even if the examiner is N.a.C.E. you can still retaliate by filing a complaint. Who knows? With the vicissitudes of federal bureaucracy all of this could change at a moment’s notice – or more likely without any notice – and you will have a chance to really annoy the examiner and give those OCR workers some added job security. But be warned: You risk doing the examiner the same favor my examinee did me: providing the examiner with written proof that they are N.a.C.E.

You might wonder what could ever induce me to give up my N.a.C.E status. I have no desire to start billing for my services electronically. The Electronic Medical Record? My last flirtation with EMR resulted in an enormous waste of time and money. Opt back in with Medicare? No way. Contract with health plans? Not if I can help it. But as this case was unfolding, and as dealing with pharmacies has reached the point of pain, a company that sets up physicians to dispense medications from their offices approached me, and the attorney at OCR advised me that use of the electronic pharmacy benefit billing system that goes along with it would render me no longer N.a.C.E.

But that’s another story.

Enforcement of the Privacy Rule represents yet another nail in the coffin of private practice of medicine, including forensic medicine, and it acts as an unwanted and unnecessary disincentive to movement of health care into the digital age. With the escalating cost of health care none of us can afford to waste resources in a futile attempt to understand how to comply with an ill-defined regulation. Enforcement of this regulation appears to contradict the exclusion in paragraph ii. Regardless of whether you believe an examinee should be denied access to the record of a forensic examination, enforcement should parallel to some degree the wording of the regulation. I recently interviewed two OCR representatives in the hope of finding a clearer interpretation of what "civil," "criminal," and "administrative" might mean to OCR. Neither could provide a clear or credible explanation. When the very agency charged with enforcement is incapable of clearly stating where the regulation applies and where it does not, our government has failed us. With respect to this particular regulation at least, enforcement appears to be arbitrary, and OCR has failed miserably to clearly and adequately inform "covered entities," or anyone else for that matter, of what is required of them to comply with the regulation. OCR should immediately take steps to clarify paragraph ii. Furthermore, for such a law to hinge on whether a provider "bills electronically" seems to fly in the face of the equal protection clause of the Fourteenth Amendment. This regulation should apply to everyone or no one.


  1. Do you have Medicare patients? If so, you are required to submit your bills electronically, so I don't buy that you are not a covered entity. Someone did not investigate. Besides, the privacy issues cover records in any form, and the release of information falls under that, so what are you talking about?

  2. I can treat Medicare patients but I opted out of Medicare, so neither I nor the patient can bill Medicare for my services, so no electronic billing. State law still governs how I handle patient information.