'Second Generation' Internet e-Health: The Gladiator for HIPAA Compliance?


The Health Insurance Portability and Accountability Act (HIPAA) is intended to simplify administrative processes and improve health information security. There are a number of traditional ways to address the expense and complexities of simplification, but none of them are bargains or beauties to behold: (1) Do-it-yourself encryption; (2) new back-end system purchases; (3) legacy system reprogramming; or (4) onerous paper documentation. The good news is that 'second generation' e-health solutions are emerging that act as internal "wrappers" for health plan or provider data systems. They provide both an interface for end-users and a layer of security for organizational information and allow detailed patient-related data to remain at the system owner's physical location. These second generation solutions don't just 'connect,' data, they actually 'understand' the information, and can use data elements to invoke necessary rules, processing pathways, or personalization for specific stakeholders as required by HIPAA.

KEY CONCEPTS

* Health Insurance Portability and Accountability Act (HIPAA)

* Health Information Security

* HIPAA Provisions and Regulations

* Ensuring HIPAA Compliance

* 'Second Generation' e-Health Solutions

THE COLISEUM

The administrative burden of health care delivery on providers has grown dramatically over the last ten years, particularly with all the managed care reorganizations and reimbursement rules that have cropped up among different health plans and insurers. The unfortunate result is that clinicians are forced to deal with this bureaucracy and have less time to spend with patients. Across clinician offices, the focus has shifted from traditional matters (diagnosis and therapy) to administrative details: patient coverage and benefits, eligibility for treatment, plan specific co-payments, formulary versus non-formulary medications, almost ad infinitum.

The Kassebaum-Kennedy Act, passed into Federal law in 1996, is known as the Health Insurance Portability and Accountability Act (HIPAA). It was intended to simplify administrative processes and improve health information security. The law is generally good for everyone: patients, providers, and health plans, particularly since the health industry spends an estimated $250 billion annually on administrative costs--approximately 25 to 40 cents per health care dollar. [1]

The toll of the clerical frustration for patients and providers is inestimable; 60 percent of claims are denied the first time they are received by health plans due to ineligibility, inaccurate, or incomplete information submission. [2] Most involved parties would agree that fixing this mess would be a good thing.

Regulations have been finalized for data standards and privacy, [3] and even though other provisions are not finalized, the proposed rules offer indications of what is sure to come. Pardon the oxymoron, but the 'complexities of simplification,' not to mention the potential costs of HIPAA compliance, are mind-boggling.

In the final Privacy regulations published on December 28, 2000, rules, procedures, and penalties are outlined for dealing with the security and confidentiality of patient information. These regulations affect all areas of patient data transmission and communication. The information that moves through health plan systems and between health care entities is complex, but it must be thoroughly understood in order to implement solutions that will achieve compliance. Considering the typically long purchase and implementation cycles that are standard in the health care industry, it is important that this understanding be obtained quickly, and compliance strategies put in motion now.

Some of the HIPAA provisions deal with administrative policies and procedures, such as locking office doors at night or mandatory training in health data security to protect patient data and requiring policies and procedures for protection of information confidentiality. Many HIPAA requirements, however, require technological solutions, in addition to managerial ones.

One portion of the regulations, for example, deals with standardized data formats and code sets for transactions. All electronic health related reimbursement transactions must use the same "language" to communicate. Currently, electronic claims are transmitted using about 400 different formats in the United States. [4] While the required standard code sets (such as ICD-9 CM for diagnosis coding and CPT for procedure coding) are widely used, covered entities also use 'proprietary' (and soon to be prohibited) codes for data transactions. Many computer systems use non-standard data exchange formats in addition to these renegade code sets, and must be replaced, modified, or supplemented to become HIPAA compliant.

The broken e-health promise

All of us watched as Internet technology transformed processes in other industries, and it was natural for health care insiders and informaticists to anticipate a similar transformation in their own arena. 'Connectivity,' it was thought, would be the panacea for a fragmented health industry, and numerous web-based solutions were launched, each promising dramatic results. Some proved calamitous financially and others were negligible from the start.

Curiously, even when these solutions provided connectivity, they failed to deliver results and were unable to achieve a level of usage among providers and health plans to realize measurable improvement in administrative efficiency. While connectivity enables the transfer of data, it does not organize, manipulate, or comprehend its meaning in a way that allows users access to real-time, accurate, pertinent protected information. In fact, connectivity has existed at some level between health care constituents for years--if only through the telephone, fax, and snail mail. (Consider what it would mean to your operations if, as will be the case in two years, you can no longer fax patient information.)

e-Health solutions that provide connectivity via the Internet speed up these processes, but the inefficiencies inherent in the exchange of complex data between parties remain. Distinguishing between useless data and useful information is a tricky thing, but at the very least it involves timeliness, accuracy, completeness, relevance, and context. HIPAA, with its multifaceted requirements, has merely brought all the problems to the fore, and very few systems are prepared to meet the demands.

Methods of dealing with HIPAA: 'to e or not to e'

Most health organizations' data operations are not HIPAA compliant. Even their electronic legacy systems do not conform to the law and cannot be readily made compliant. They were not designed to keep data safe and secure, at least to the rigors of the new legislation. Most health delivery and payment organizations also require multiple systems to store or access data, even on a single patient, and multiple complex interfaces move the data.

This system incongruence is even worse when it comes to communication between participants in the health care continuum. Physicians and provider groups are at a major technological disadvantage because they typically work with many health plans and, even if they only work with one such plan, they still have to face multiple non-communicating systems to access or contribute information on their patients. Interacting with multiple health plans, each with more than one non-communicating back-end system, is a nightmare that has spawned 'claims clearinghouses' that try to straighten things out. While clearinghouses are helpful for laboriously standardizing and submitting claims, they do not overcome the greater hurdle of direct communication between health care participants for eligibility, benefits, and health status, let alone accurate clinical information.

There are a number of ways to address the standards and security problems of 'administrative simplification,' but none of them are a beauty to behold:

1. Do-it-yourself encryption

Certain HIPAA provisions mandate a technical system infrastructure to protect patient data. Entities must be capable of continually running at least 128-bit secured transaction streams of data all the time, not just while a password is being accessed. Many systems use encryption only when a user is logging on and accessing limited information to enhance performance. Meeting this requirement means health care will have to step into the encryption business, which is a dangerous notion--the government groups encryption with munitions and arms for oversight purposes.

2. Purchase new back-end systems

Purchasing and installing one or more new back-end systems to achieve compliance is not a feasible option. First, the cost of replacing all systems is prohibitively high. Second, finding and implementing solutions could easily take longer than the two-year period HIPAA allows for plans and providers to meet legislated requirements. An organization could spend enormous amounts of money and still be out of compliance when the bell rings; it is likely that many will.

3. Re-program legacy systems

Back-end systems in health care organizations (whether payer or provider) are typically old and were not designed with the capabilities for HIPAA security and standards. It may not even be possible to re-program applications to make it over the HIPAA bar because of basic design constraints. Even if re-programming is an option, such projects require a great deal of time from staff or money to outsource the work. Just as with outright new system purchases, a large capital investment and significant business disruption might not guarantee compliance in the end. Even when successful, re-programming does not necessarily offer an organization a 'newer' system or other benefits in addition to compliance.

4. Require paper documentation

If organizations do not have technology that can adequately control information access, it becomes necessary for them to document access on paper! This means that each time information is accessed, a record must be made detailing who looked up the information and when, and to whom it was ultimately given. HIPAA protection covers everything from written to even spoken information regarding patient health.

First generation e-health solutions

Recently, overvalued e-health solutions have cropped up all over the landscape, promising HIPAA compliance and other benefits. Some solutions require that organizations load their system data onto a server at another location to be accessed via the Internet. This is a risky proposition, because HIPAA holds health plans and provider organizations responsible for their data use and distribution. Allowing information to be stored outside of the provider's physically secure buildings poses yet another threat to the security of that data. Other first generation solutions allow end-users to tap directly into an organization's back-end systems through the Internet, once again posing a threat to the data security.

e-Health solutions that simply replicate data at another site or allow direct information look-ups in back-end systems are not effective in dealing with the disparity in code sets from a standards perspective either. The data being 'securely' retrieved would, therefore, have limited value.

These early Internet-based solutions are generally capable of at least encrypting data at all times (browsers can do so automatically, assuming adequate server resources are available), which means that new or unique rules for encryption need not be developed and maintained to prevent system insecurity during data transmission. What happens to information on the computer servers is an entirely different matter; even Pentagon systems have been hacked into over a quarter of a million times, and highly publicized intrusion into health databases on servers has raised significant privacy concerns. [5,6]

Enter Maximus: New second generation e-health solutions

There are emerging e-health solutions that act as internal 'wrappers' for health plan or provider data systems and provide both an interface for end-users and a layer of security for organizational information; detailed patient-related data is not stored outside of the data owner's physical location. Second generation solutions also don't just 'connect,' they actually 'understand' the data, and can use each data element to invoke necessary rules, processing pathways, or personalization for any specific stakeholder as required by HIPAA. If the back-end data is 'understood' by the new solution, standard code sets mandated for HIPAA can be mapped to custom code sets already in use. This means that the day-to-day business processes do not have to change in order for health data to conform to both HIPAA security and code representation requirements.

With any e-health solution, it is important to document and audit the source of the data and how it was accessed by specific participants in the process, to prove that the information access was HIPAA compliant. For some information, the newer e-health solution facilitates direct invulnerable linkage to authorized users within the plan. Other data stored in back-end systems can be made available depending upon the combination of the particular user attempting to access information and the nature of the individual data elements requested for viewing. Such a level of control is at the heart of HIPAA privacy and security; second generation systems can make required determinations and assure compliance.

Second generation e-health wrappers can provide a complex information service level to standalone organizations, but, if properly deployed, can also provide a significant new benefit to health care communities: multi-payer-provider access. A great frustration to providers is that data originates in multiple places: labs, health plans, pharmacies, etc. A properly designed architecture recognizes that while all data and information used to complete health care transactions originates with an individual health plan, laboratory, etc., information from multiple sources can be made available seamlessly to providers because of data presentation standards and common operative rules for understanding and managing data.

One thing is clear: the law of large numbers makes it inevitable that one of the key drivers of e-health and HIPAA compliance will be health plans. Health plans already have much of each member's health history derived from claims data, available in codified, electronic form. Even though this data is flawed by the vagaries and inaccuracies of the coding systems used to record them (ICD and CPT), leveraging this resource for use in an Internet-based solution could still be helpful to all parties. Properly architected systems extract enough information from claims to provide personalized views of health information for both the provider and the patient; they use claims data and provider/plan input to pre-populate a personalized health 'strategy' for the patient. These systems can abstract and extract diagnoses, procedures, and medications and convert them to a care map comprehensible to the patient.

When patients log on via the Internet they access a personalized home page with their conditions, recommendations for treatment, and health reminders from their physicians' plans. Online collaboration between clinicians and patients finally becomes feasible in more secure and encrypted fashion than free-form email. The addition of standard clinical terminology tools to translate accurate medical information to billing information seamlessly in both directions finally supports complete, accurate, appropriate health information sharing among authorized parties in compliance with the new law.

Second generation e-health technology provides a secure, familiar, and broadly available platform for information sharing, transmitted in encrypted form among providers and patients. It does not require enormous front-end effort or health care delivery system changes, and can be available to both providers and patients at low or no cost.

The benefits of a second generation approach are not limited to HIPAA compliance. It seems reasonable with such a solution that health plans could use similar rules-based approaches for administrative questions and generating bills to support additional collaboration between providers, patients, and plans--the underpinning of great health care delivery. A health plan using a second generation e-health solution could then address the expensive and frustrating administrative hassles that widen the patient-provider gap.

Auto-adjudication or point-of-service settlement with a second generation system allows providers to see a patient, submit the bill, and be reimbursed by the health plan immediately, perhaps even before the patient leaves the office. The physician is paid and the patient receives a statement and explanation of benefits as he or she walks out the door. This reduces the frustration (and cost) of claims processing and saves patients, providers, and health plans from the inconveniences and expenses of endless telephone calls to resolve claims problems--administrative costs that waste 5 to 10 percent of the premium dollar.

The final scene

Implementing security, privacy, and confidentiality provisions is complex and expensive. Most health care providers and plans will not be able to easily support the controls required by HIPAA--or the legislation and regulation that will inevitably follow. These controls are vital, however, not only to system acceptance by patients and clinicians, but also to maintaining the caring and private nature of the healing relationship. Health plans, tasked with meeting these rules, can use second generation e-health solutions to provide benefits to their clinical and member communities by supporting security compliant infrastructures and systems that service their stakeholders in a relatively inexpensive way.

The ending need not be a sad one or the cost of the ticket for admission exorbitant. Done properly (and fairly), everyone stands to gain.

Ralph A. Korpman, MD, FACPE, is President and CEO of HealthTrio, and a professor at Loma Linda University School of Medicine and at the University of Tennessee.

Jeffrey S. Rose, MD, is the author of Medicine and the Information Age (ACPE Press, 1998), and an Instructor of the Introduction to Health Informatics course for the American College of Physician Executives.

References

(1.) Lee, Richard. "Wit Capital e-Health 2000 Report. Healthcare and the Internet in the New Millennium." January 31, 2000.

(2.) Johnston, Douglas. "Health Claims' New Intermediaries, Forrester Report." August 2000.

(3.) www.aspe.hhs.gov/admnsimp.

(4.) Department of Health and Human Services; www.hhs.gov.

(5.) O'Harrow Jr., Robert. Hacker Accesses Patient Records, The Washington Post. December 9, 2000, p E01.

(6.) www.chcf.ore/press/view.cfm?itemID=1030.

Win the crowd, Maximus

Is this all just a fantasy that we have become accustomed to in the world of dot.coms? In 1999, PARTNERS National Health Plans of North Carolina, Inc., began facilitating improved physician and patient relationships. It installed a web-based infrastructure that utilizes health plan data for two-way online communication among providers, employers, and patients. In early 2000, providers in North Carolina began conducting administrative functions online--benefits and eligibility, claims submission and status, and referral entry and status. In mid-2000, employers started using the service to communicate online enrollment, member eligibility, and provider directories. In early 2001, members began logging on for answers to administrative questions, personalized health management information, and in support of provider/patient collaboration.

Thousands of physicians and hundreds of employers are linked in the PARTNERS' environment. Within eight months, the system became cash flow positive. Physician offices and patients are spending considerably less time on the phone, resulting in significant savings for providers. In short, by making administrative tasks more efficient, substantial dollars and additional staff time have become available.

With this second generation web strategy, PARTNERS is building a communication environment for its stakeholders that is HIPAA compliant and meets both privacy and standards concerns. Plan members control the use and sharing of their clinical information among providers and can even define whether such data is available to anyone online.

Technology and health plans have long been targeted as two of the major factors in the widening patient-provider gap, but PARTNERS seems well on its way to demonstrating how health plans, providers, and patients can use Internet-based solutions to seal this breach. This solution is one example of providers and patients communicating more effectively and securely together, positively impacting both the relationship among stakeholders and, inevitably, the quality of care.

Recommended Resources

Cutting to the Chase: What Physician Executives Need to Know about HIPAA

Fitzmaurice, J. Michael, and Rose, Jeffrey S. The Physician Executive. 2000; 26(3): 42-49.

The HIPAAcratic Oath: Do No Harm to Patient Data.

Tang, Paul C. The Physician Executive. 2000; 26(3): 50-55.
COPYRIGHT 2001 American College of Physician Executives
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2001, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Title Annotation:Health Insurance Portability and Accountability Act
Author:Rose, Jeffrey S.
Publication:Physician Executive
Geographic Code:1USA
Date:Mar 1, 2001
Words:3150