Soft-Aid Medical Management Systems

 As seen in the April 2004 edition of

Halfway Through HIPAA
A look at where you should be and what's on the horizon

By Jim Clark

It started out eight years ago as legislation primarily geared toward benefiting patients. Today, HIPAA represents the largest overhaul of the nation's healthcare system since the introduction of the Medicare program. As of April 14, 2004, we are at the mid-point, with two of the four parts of the Administrative Simplification provisions now past their compliance deadlines. And while compliance has been burdensome and costly, the benefits seem to be imminent.

A Look Back
By now, every medical practitioner should have some method in place to protect their patients' personal information, since compliance with the privacy standards was required as of April 14, 2003. These were the regulations that placed restrictions on the access, usage and disclosures of the patient's personal and medical information, and also required that all patients receive a notice explaining how healthcare organizations planned to use and safeguard these records. Many providers struggled to define how these rules and provisions applied directly to them, seeking answers in articles, workshops and conversations with colleagues and advisors. Business Associate agreements were introduced and are now commonplace between trading partners.

Compliance with the electronic transactions standards presented more questions and challenges. Every covered entity had to determine how they would upgrade their computer systems to submit and receive electronic transactions in the new ANSI format. This requirement has proved more costly and challenging than originally planned. Contingencies and leniency were provided by CMS to allow covered entities to complete the task without a devastating impact to their core business. Yet still, as of March 19, 2004, Medicare is reporting that only 74.6% of all claims sent are HIPAA compliant. That's over 25% of all claims being sent in a non-compliant format over five months after the deadline.

To help move things along, the Centers for Medicare and Medicaid Services has amended its electronic transactions contingency plan. Effective July 1, 2004, providers will still be able to submit non-compliant electronic claims, but payment for those claims will take an additional 13 days. This means HIPAA-compliant claims received on July 1, 2004 can be paid as early as July 15th. Non-compliant claims received on or after July 1st will be paid no sooner than July 28th.

Compliance with the electronic transactions and code set standards is something you should resolve with your medical software vendor. Find out how they plan to provide you with the ANSI X12 format necessary to send HIPAA-compliant claims. And as for uniform code sets - the oft-overlooked part of this provision - every practice management system should be able to store the most up-to-date coding formats, such as ICD-9 and CPT.

The Second Half Begins
With all eyes on the electronic transactions standards, people may be losing sight of the unique identifiers and security provisions. This is a dangerous prospect when you consider that everyone should be using standardized employer identifiers by July 30, 2004. Yes, four months from now the second half of HIPAA officially begins.

There are four sets of unique identifiers included in HIPAA, but only two have been defined thus far. The nine-digit employer identifier will be the same number that is assigned by the Internal Revenue Service. While on the surface it appears that this identifier has little to no impact on healthcare providers, there may come a time when the need to use this number will arise. The most likely scenario is when submitting claims to health plans, which may require that the patient's employer be identified for eligibility verification. Most software providers have already included a means for these numbers to be stored.

The national provider identifier (NPI) will be a 10-digit number that will replace the use of all legacy provider identifiers, including UPIN, and the Medicare, Medicaid and Blue Cross/Blue Shield provider numbers. However, there is plenty of time to plan for this standard, as the implementation deadline is May 23, 2007.

Of greater significance are the security rules - due to take effect in April 2005 - which can be summed up as being the privacy standards written specifically for electronically stored data. They, in fact, define the technical, physical and administrative safeguards required to protect all electronic health information. But the security standards are extremely broad and allow healthcare professionals to take "addressable" approaches to meeting specific rules, an acknowledgement from the government that not everyone runs their office the same way.

Basically, there's no one thing that must be done since the rule is based on how you run your office. To become compliant you can create a set of policies that detail what your office will do to protect electronic data. Administratively, the policies should be designed to prevent, detect, contain, and correct security violations. The standard does contain four required implementation specifications: risk analysis, risk management, sanction policy, and information system activity review.

On the technical side, there are four sets of actions that must be implemented to control and monitor the access to information.

  • All systems must allow for unique user identification and include an emergency access procedure for obtaining electronic data during an emergency.
  • Two forms of transmission security must be in place, including 1) integrity controls that ensure that electronically-transmitted health information is not improperly modified without detection; and 2) data encryption, particularly over the Internet.
  • There needs to be some method in place to provide for audit controls.
  • Procedures should be established to protect patient health information from being altered or destroyed, and must include a mechanism to prove that the data has not been tainted.
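
The unique user identification, audit control and integrity items above can be illustrated with a tamper-evident access log. This is an added example, not part of the original article or SoftAid's software; the key, user IDs, record numbers and function names are constructed for illustration, and flagging emergency access as a log field is an assumption.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice it is stored outside the application database.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # chain anchor used before the first entry


def _mac(prev_mac, entry):
    """HMAC-SHA256 over the previous entry's MAC plus this entry's canonical JSON."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hmac.new(AUDIT_KEY, (prev_mac + body).encode(), hashlib.sha256).hexdigest()


def append_event(log, user_id, action, record_id, timestamp, emergency=False):
    """Append one access event, attributed to a unique user ID, to the chained log."""
    if not user_id:
        raise ValueError("every event must carry a unique user ID")
    entry = {"seq": len(log), "ts": timestamp, "user": user_id,
             "action": action, "record": record_id, "emergency": emergency}
    prev_mac = log[-1]["mac"] if log else GENESIS
    log.append({**entry, "mac": _mac(prev_mac, entry)})
    return log[-1]


def verify_log(log):
    """Return the index of the first entry that fails verification, or None if intact."""
    prev_mac = GENESIS
    for i, row in enumerate(log):
        entry = {k: v for k, v in row.items() if k != "mac"}
        ok = hmac.compare_digest(str(row.get("mac", "")), _mac(prev_mac, entry))
        if entry.get("seq") != i or not ok:
            return i
        prev_mac = row["mac"]
    return None


def emergency_accesses(log):
    """List emergency-access events so they can be reviewed after the fact."""
    return [(r["ts"], r["user"], r["record"]) for r in log if r["emergency"]]


def build_sample_log():
    """Constructed sample events; all identifiers are made up."""
    log = []
    append_event(log, "jsmith", "read", "PT-1001", "2004-04-14T09:02:00")
    append_event(log, "mlee", "update", "PT-1001", "2004-04-14T09:15:00")
    append_event(log, "rpatel", "read", "PT-2040", "2004-04-14T23:41:00", emergency=True)
    return log
```

Editing or removing an entry in the middle breaks the chain at that point; removing entries from the end does not, so the latest MAC and entry count should also be recorded somewhere the application cannot rewrite.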

Your medical management systems can help maintain compliance with the technological aspects of the security rules, but you will need to put in place new policies and procedures around these software updates. HIPAA compliance requires the combined efforts of covered entities and their trading partners to ensure the safe usage, exchange and storage of protected health information.

Mr. Clark is president of SoftAid, Inc., a provider of practice management systems for the healthcare industry. For more information about SoftAid, visit http://www.soft-aid.com.

 

 
