Get Ready for HIPAA.
When the Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996, few long-term care providers gave it much attention. Although the law has three major parts--(1) portability of benefits; (2) fraud and abuse; and (3) administrative simplification, privacy and security--it is the third part of the law that will generate the highest compliance burden for providers, payers and employers. Basically, HIPAA requires standardization of electronic transmission of health insurance, claims and patient data and establishes data privacy and security standards that must be followed.
HIPAA includes criminal penalties (both fines and imprisonment) for violations of privacy and security standards. It is generally agreed upon that, in comparison to the work required to meet Y2K requirements, the burden of meeting HIPAA standards is far greater, will require far more time and will impose upon providers a permanent information technology and security monitoring workload.
The government has suggested that HIPAA's electronic claims transaction standards will be cost-beneficial because of savings generated by electronic filing of claims and processing of transactions. Although some studies have indicated significant savings in accounts receivable processing time, reduced costs per claim and reduced administrative costs, most professionals think that the entire cost of meeting HIPAA will likely exceed the financial benefits.
Despite legislative mandates, the Department of Health and Human Services (HHS) has not been able to promulgate HIPAA's regulations on a timely basis. Until last summer, many if not most health insurers and providers were taking a "wait and see" approach, limiting HIPAA-related expenditures until there were clear published regulations that had to be met. In mid-August, however, HHS published the final rule for electronic transactions and code sets, the first of seven expected HIPAA rules. This final rule on transactions does not require that providers automate any transactions, but it does require payers and claims clearinghouses to accept and transmit standard online electronic transactions. Furthermore, providers that use electronic data transactions must use the new HIPAA standards or have clearinghouses convert their transactions into the standard HIPAA formats.
The rule also mandates use of various medical code sets, including the International Classification of Diseases, Ninth Clinical Revision (ICD-9CM) and Physician Current Procedural Terminology (CPT-4).
The extent of the new transactions regulation is clear from the nine areas it covers: (1) health claims and encounter information; (2) enrollment and disenrollment information; (3) eligibility requests and responses; (4) payment and remittance advice; (5) health plan premium payments; (6) health claim status requests and responses; (7) referral certifications and authorizations; (8) health claims attachments; and (9) first report of injuries.
The good news is that since many software vendors will revise their packages to conform to the HIPAA transaction standards and coding rules, long-term care providers who use electronic transaction processing will likely be able to meet these requirements through software vendor products or appropriate software support solutions. This will not, however, be the case for the privacy and security HIPAA rules, which will necessitate development of new and permanent security and privacy functions.
For example, in the privacy area, the act establishes the right of the consumer to review information in his/her medical record and requires an audit trail of those who put information into the record, as well as of those who have seen or disclosed the contents, and the purposes of any such disclosures. Also, patients have the right to have their medical records corrected. HIPAA permits disclosure of health care information related to communicable diseases, violent crimes, fraud and abuse, and quality of care, under certain circumstances and limitations. Otherwise, health information can only be used for treatment of illness and payment for health services.
All of this means that healthcare providers are required to develop specific procedures to protect against unauthorized information disclosure. Furthermore, each provider must appoint an official who is responsible for monitoring compliance with the new procedures and who must notify patients about their privacy rights and the protections that ensure privacy of their healthcare information.
In the area of healthcare information security, the regulations will have major effects on information systems and operations with respect to administrative procedures, physical safeguards, technical security and overall safeguarding of information. More than 30 separate security-related issues must be addressed by healthcare providers under the HIPAA security regulation.
HIPAA's requirements are significant, complex and far-reaching. The task of planning to meet them is challenging, first, because concurrent changes in business practices, operations and information technology are involved and, second, because many of the HIPAA rules are emerging over time and planning has to be flexible to accommodate them. The most important factors to remember are that: (1) HIPAA is not just an information technology issue--it requires organizational and business practice changes, as well; and (2) HIPAA will likely require that organizations make choices about the expense, risks and practicality of proposed changes to administrative and care delivery operations. For example, decisions must be made about the amount of security that is practical if various clinicians require rapid access to patient or resident clinical information. This necessitates input into the decisions by both clinical and technical staff so that the policy adopted is both understood and supported.
Because the exact release dates of the remaining HIPAA regulations are uncertain, the required compliance dates (generally 26 months after each final regulation is published) are subject to uncertainty, as well. Nevertheless, most healthcare organizations are operating using a rolling 20- to 24-month HIPAA planning time frame, beginning before each final rule is scheduled to be published, so that the requirements of each rule will be met before the date that the rule becomes effective. According to the regulations, small organizations, i.e., those with less than $5 million in annual revenue, will have an extra year to comply.
The key planning steps needed include:
* educating staff
* evaluating current operational status (related to each HIPAA rule and its requirements)
* performing risk and cost/benefit analysis
* developing plans to meet requirements
* implementing plans
* reviewing progress
Most information security and privacy professionals in healthcare organizations are cautioning their peers not to underestimate the requirements of HIPAA, the impact these will have or the fact that they will be enforced. And virtually all professionals strongly urge that organizations should plan now for HIPAA compliance, because if organizations wait until all the rules are finally in place, they will not have the time to comply with them and, in rushing to do so, will find their costs to be much higher than if a plan had been developed and followed.
The most important initial steps to take, therefore, are the following:
* Identify and task a major professional in your organization to be the sponsor of the HIPAA compliance plan for the enterprise, and provide that person with the resources required to develop and implement the plan.
* Start by educating all business, information technology, clinical and other administrative staff about HIPAA and its requirements. Form a project team including key people who will be responsible for process redesign, documentation and training. Be prepared to re-educate people over time and to provide knowledge to new staff.
* Recognize that complying with HIPAA's privacy and security rules will protect both your organization and its residents and avoid costly fines and citations. Also, recognize that information privacy and security are based on people and their behavior, not just on technological security procedures. Accountability for protecting information and confidentiality must be placed on individuals in the organization.
* A comprehensive plan requires a detailed risk assessment for evaluating the extent to which current procedures and technology comply with HIPAA requirements and documenting the existing flow of patient data and information.
* Determine (possibly using a compliance checklist) what specific process re-engineering, business practice modification and information technology changes will be needed to meet HIPAA requirements. (Recognize that these requirements will have to be met over time, and, therefore, both old and new procedures might have to function concurrently; seek efficiencies to maximize use of new processes.)
* Be sure to document new policies and procedures that will address the gaps discovered through the risk assessment. This documentation will be extremely valuable during any internal and external reviews of HIPAA compliance.
* HIPAA also mandates that healthcare organizations ensure that their business partners are in compliance with its requirements. This means that you must plan to test and retest systems involving outside business partners regarding your mutual HIPAA compliance.
Because all of these changes focus on changes in policies, procedures and technology, planning and implementation efforts have to involve many parts of the organization, and these must agree to cooperate on a long-term basis to ensure that HIPAA's multiple requirements will be met.
Malcolm H. Morrison, PhD, is president and CEO of Morrison Informatics, Inc., an information technology and data analysis consulting firm specializing in long-term and post-acute care.
Staying Informed about HIPAA
Because of the extent, scope and frequency of the HIPAA regulations, it is important that organizations make every effort to stay current with their development. Following are some resources that might be worth checking regularly:
Association for Electronic Health Care Transactions
Analyzes the impact of HIPAA and provides a security self-evaluation checklist.
Department of Health and Human Services (HHS)
Complete text of the proposed and finalized HIPAA rules, along with industry comments on the rules.
Forum on Privacy and Security in Healthcare
Wide-based industry views on security issues confronting healthcare, including HIPAA documents and transcripts of testimony before Congress on healthcare security.
Health Care Financing Administration
Full text of the act and related statutes; information and resources for a wide range of groups, including consumers and patients; links; a state-by-state contact list; and a search engine.
HIPAA Issues and Answers
Proceedings from the 2000 Annual HIMSS (Health Information and Management Systems Society) Conference and Exhibition, presented by Gene N. Cartier, James Craft, Karen Ferraiolo, John Parmigiani and Charles Reeves, Session 129.
"HIPAA on the Job: Enhance Your Organization's Awareness of HIPAA"
Basics of HIPAA, reasons why healthcare organizations should comply and steps to include when preparing for HIPAA compliance.
Workgroup for Electronic Data Interchange
Set of HIPAA-related links and a HIPAA glossary.