Soft-Aid Medical Management Systems

 As seen in the April 2003 edition of

Understanding The Relationship Between HIPAA & Practice Management Systems

By Jim Clark

By now, everyone in the healthcare industry has at least heard of HIPAA, arguably the largest reform of the healthcare industry since Medicare. But despite the countless articles and a seemingly endless number of seminars on the subject, it may not be clear just how a provider's office management system can assist in their HIPAA compliance efforts. Medical management software has been around for 20+ years and continues to evolve at a rapid pace. Beyond the common goals of improving office efficiency and reducing errors, providers can look to their computer systems to help address the many provisions outlined in HIPAA.

HIPAA 101
To better understand how a practice management system can help your organization become HIPAA compliant, it helps to have a basic understanding of how HIPAA affects you. The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 were established to reduce the costs of healthcare administration, protect individual privacy, and secure healthcare information. These provisions, which create uniform standards for the handling and transmission of individually identifiable healthcare information, can be broken down into four separately defined standards: electronic transactions and code sets, privacy, security, and unique identifiers.

Electronic Transactions and Code Sets Standards
Among other things, this rule establishes a uniform format for sending and receiving electronically transmitted healthcare information, such as claims, eligibility information and payments. It also mandates the adoption of a standardized set of codes that would be used to describe injuries and illnesses, identify the cause of the problems, and define the remedies administered. This section has the most obvious correlation to a practice management system.

Privacy Standards
These regulations define a patient's control of their medical records, including restrictions on the access, uses, and disclosures of their personal and medical information. They also impose stringent safeguards to protect paper-based medical records, and require that a "Notice of Information Practices" be given to patients that outlines how the healthcare organization plans to use and safeguard all health information gathered.

Security Standards
The security and privacy standards share a number of common themes, primarily with regard to the safety of patient information. For example, the rules require the implementation of physical and technological safeguards to protect the security of electronically stored health information. The security standards also call for an administrative infrastructure, similar to that of the privacy standards, to manage these safeguards.

Unique Identifiers
The regulations specify that four identifiers be used in healthcare transactions to distinguish employers, health plans, providers, and patients. Though the standards are still being developed, details about the identifiers have already been announced. The employer identifier is slated to be the same number as the Employer Identification Number (EIN) issued by the Internal Revenue Service. The provider number would be a single code that would be used by healthcare providers with every company they do business with. The health plan identifiers, while similar to provider numbers, are unique codes to identify health plans. This is meant to distinguish organizations that offer both health plans and healthcare provider services. Individual identifiers would be used to identify patients. Development of these codes is on hold and it is believed that they will not be issued until after the privacy and security standards have been implemented.

The Relationship Between Software and HIPAA
The most important thing to remember when establishing the relationship between practice management systems and the HIPAA regulations is that not all of HIPAA's rules apply to medical software. Practice management systems were originally designed to increase productivity and reduce the chances of error. HIPAA essentially regulates some of the software's core functionality, such as sending electronic transactions and restricting access to electronically stored patient information. However, using a practice management system does not mean that an organization will be in complete compliance with the legislation. After all, software cannot prevent a doctor from violating the privacy standards by talking about a patient without the patient's permission.

Most practice management systems by design perform two of the four tasks regulated by HIPAA: electronic transactions and security. Software that sends and receives electronic transactions should be pre-programmed to adhere to the ANSI X12 standards defined by HIPAA, as well as provide the uniform code sets for patient information that is electronically stored. To address the security issues, medical office software should also be able to restrict user access to records, and more importantly, track what activity took place with a patient's record.

While on the surface it seems as though there is very little practice management systems can do to address the privacy and unique identifiers standards, there are, in fact, features that can help medical offices comply with these regulations. Since the privacy standards require that patients receive a letter advising them of how their individually identifiable information will be used, medical software systems can produce customized letters for each patient, and can track which patients have acknowledged receiving and signing these letters. And just as the systems store and use the standardized code sets, they could also maintain the employer, health plan, provider, and patient unique identifiers.


HIPAA-Ready vs. HIPAA-Compliant

Practice management systems can only provide a platform for HIPAA compliance. It remains the healthcare organization's responsibility to ensure compliance with the Administrative Simplification provisions. For this reason, healthcare information systems have commonly been referred to as HIPAA-ready, meaning the system meets current HIPAA guidelines and will presumably be updated to address future provisions.

A provider's assertion of being HIPAA-compliant is a much broader statement, saying that the organization meets all of the HIPAA guidelines applicable to the practice, outlined above. This, of course, is in addition to adhering to all of the non-software related rules.

HIPAA Does Not Mandate Automation
Just because the bulk of the HIPAA regulations apply to technological issues does not mean that HIPAA is pushing the use of computerized systems. The legislation does not mandate automation within the healthcare industry. It was designed to standardize the various codes and transactions that are used during the day-to-day operations of a healthcare organization, and to provide a set of guidelines for protecting personal healthcare information.

The automation provided by practice management systems addresses the HIPAA provisions. But it also improves the way offices are managed, increases the levels of patient and customer satisfaction, and makes it easier to detect and repair mistakes.

A Final Thought
Understanding how medical software addresses HIPAA can help healthcare organizations pinpoint the right HIPAA-ready software. Forward-thinking companies would be wise to have a designated HIPAA compliance officer to ensure that they operate according to the government's guidelines. And practice management systems play an integral part in this process.

Mr. Clark is vice president of SoftAid, Inc., a provider of practice management systems for the healthcare industry. For more information about SoftAid, visit http://www.soft-aid.com.

 

 

Copyright © 2008 Soft-Aid, Inc.