Soft-Aid Medical Management Systems

 As seen in the July 2003 edition of

Practice Management Systems Help Providers Manage HIPAA Regulations

By Jim Clark

Despite the countless articles and seemingly endless number of seminars on the subject, it may not be clear to healthcare professionals just how a provider’s office management system can assist in their HIPAA compliance efforts.

Medical management software has been around for more than 20 years and continues to evolve at a rapid pace. Beyond the common goals of improving office efficiency and reducing errors, providers can look to their computer systems to help address the many provisions outlined in HIPAA. 

To better understand how a practice management system can help your organization become HIPAA compliant, it helps to have a basic understanding of how HIPAA affects you (see sidebar).

Piece of overall puzzle

The most important thing to remember when establishing the relationship between practice management systems and the HIPAA regulations is that not all of HIPAA’s rules apply to medical software. Practice management systems originally were designed to increase productivity and patient satisfaction, make it easier to detect and repair mistakes, and reduce the chances of error.

HIPAA essentially regulates some of the software’s core functionality, such as sending electronic transactions and restricting access to electronically stored patient information. However, using a practice management system does not mean that an organization will be in complete compliance with the legislation. After all, software cannot prevent a doctor from violating the privacy standards by talking about a patient without the patient’s consent.

Most practice management systems by design perform two of the four tasks regulated by HIPAA: electronic transactions and code sets, and security. Software that sends and receives electronic transactions should be pre-programmed to adhere to the ANSI X12 standards defined by HIPAA, as well as provide the uniform code sets for patient information that is electronically stored. To address the security issues, medical office software also should restrict user access to records and, more importantly, track what activity took place with a patient’s record.

While on the surface it seems as though there is very little practice management systems can do to address the privacy and unique identifiers standards, there are, in fact, features that can help medical offices comply with these regulations. Since the privacy standards require that patients receive a letter advising them of how their individually identifiable information will be used, medical software systems can produce customized letters for each patient, and can track which patients have acknowledged receiving and signing these letters. And just as the systems store and use the standardized code sets, they also can maintain the employer, health plan, provider and patient unique identifiers.

Ready vs. compliant

Practice management systems can only provide a platform for HIPAA compliance. It remains the health-care organization’s responsibility to ensure compliance with the Administrative Simplification provisions. For this reason, health-care information systems have commonly been referred to as HIPAA-ready, meaning the system meets current HIPAA guidelines and will presumably be updated to address future provisions.

A provider’s assertion of being HIPAA-compliant is a much broader statement: it says that the organization meets all of the HIPAA guidelines applicable to the practice, as outlined in the sidebar. This, of course, is in addition to adhering to all of the non-software-related rules.

And, just because the bulk of the HIPAA regulations apply to technological issues does not mean that HIPAA is pushing the use of computerized systems. The legislation does not mandate automation within the health-care industry. It was designed to standardize the various codes and transactions that are used during the day-to-day operations of a healthcare organization, and to provide a set of guidelines for protecting personal health-care information.

Understanding how medical software addresses HIPAA can help health-care organizations pinpoint the right HIPAA-ready software for them. Forward-thinking companies would be wise to have a designated HIPAA compliance officer to ensure that they operate according to the government’s guidelines. Practice management systems play an integral part in this process.

SIDEBAR

HIPAA 101

Electronic Transactions and Code Sets Standards: Among other things, this rule establishes a uniform format for sending and receiving electronically transmitted health-care information, such as claims, eligibility information and payments. It also mandates the adoption of a standardized set of codes to describe injuries and illnesses, identify the cause of the problems, and define the remedies administered. (This section has the most obvious correlation to a practice management system.)
Compliance deadline: October 16, 2003

Privacy Standards: These regulations define a patient’s control of their medical records, including restrictions on the access, uses and disclosures of their personal and medical information. They also impose stringent safeguards to protect paper-based medical records, and require that all patients receive a “Notice of Information Practices” that outlines how the health-care organization plans to use and safeguard all health information gathered.
Compliance deadlines: April 14, 2003 (all covered entities except small health plans)
April 14, 2004 (small health plans)

Security Standards: The security and privacy standards share a number of common themes, primarily in regard to the safety of patient information. The security rules require the implementation of physical and technological safeguards to provide security for electronically stored health information. The security standards also call for an administrative infrastructure, similar to that of the privacy standards, to manage these safeguards.
Compliance deadline: April 21, 2005 (covered providers, claims clearinghouses and most payers)
April 21, 2006 (small payers with annual receipts below $5 million)

Unique Identifiers: The regulations specify that four identifiers be used in health-care transactions to distinguish employers, health plans, providers and patients. Though the National Employer Identifier is the only standard to have been finalized, details about the other identifiers have been announced. The employer identifier is slated to be the same number as the Employer Identification Number (EIN) issued by the Internal Revenue Service. The provider number would be a single code used by all health-care providers with every company they do business with. The health plan identifiers – while similar to provider numbers – are unique codes. This is meant to distinguish organizations that offer both health plans and health-care provider services. Individual identifiers would be used to identify patients. Development of these codes is on hold and it is believed that they will not be issued until after the privacy and security standards have been implemented.
Compliance deadline: July 30, 2004 (Employer Identifier Standard for all covered entities except small health plans)
August 1, 2005 (Employer Identifier Standard for small health plans)

 

Mr. Clark is vice president of SoftAid, Inc., a provider of practice management systems for the healthcare industry. For more information about SoftAid, visit http://www.soft-aid.com.

 

 

Copyright © 2008 Soft-Aid, Inc.