Get Ready for HIPAA.
HIPAA includes criminal penalties (both fines and imprisonment) for violations of privacy and security standards. It is generally agreed upon that, in comparison to the work required to meet Y2K requirements, the burden of meeting HIPAA standards is far greater, will require far more time and will impose upon providers a permanent information technology and security monitoring workload.
The government has suggested that HIPAA's electronic claims transaction standards will be cost-beneficial because of savings generated by electronic filing of claims and processing of transactions. Although some studies have indicated significant savings in accounts receivable processing time, reduced costs per claim and reduced administrative costs, most professionals think that meeting the entire costs of HIPAA will likely exceed the financial benefits.
Despite legislative mandates, the Department of Health and Human Services (HHS) has not been able to promulgate HIPAA's regulations on a timely basis. Until last summer, many if not most health insurers and providers were taking a "wait and see" approach, limiting HIPAA-related expenditures until there were clear published regulations that had to be met. In mid-August, however, HHS published the final rule for electronic transactions and code sets, the first of seven expected HIPAA rules. This final rule on transactions does not require that providers automate any transactions, but it does require payers and claims clearinghouses to accept and transmit standard online electronic transactions. Furthermore, providers that use electronic data transactions must use the new HIPAA standards or have clearinghouses convert their transactions into the standard HIPAA formats.
The rule also mandates use of various medical code sets, including the International Classification of Diseases, Ninth Clinical Revision (ICD-9CM) and Physician Current Procedural Terminology (CPT-4).
The extent of the new transactions regulation is clear from the nine areas it covers: (1) health claims and encounter information; (2) enrollment and disenrollment information; (3) eligibility requests and responses; (4) payment and remittance advice; (5) health plan premium payments; (6) health claim status requests and responses; (7) referral certifications and authorizations; (8) health claims attachments; and (9) first report of injuries.
The good news is that since many software vendors will revise their packages to conform to the HIPAA transaction standards and coding rules, long-term care providers who use electronic transaction processing will likely be able to meet these requirements through software vendor products or appropriate software support solutions. This will not, however, be the case for the privacy and security HIPAA rules, which will necessitate development of new and permanent security and privacy functions.
For example, in the privacy area, the act establishes the right of the consumer to review information in his/her medical record and requires an audit trail of those who put information into the record, as well as of those who have seen or disclosed the contents, and the purposes of any such disclosures. Also, patients have the right to have their medical records corrected. HIPAA permits disclosure of health care information related to communicable diseases, violent crimes, fraud and abuse, and quality of care, under certain circumstances and limitations. Otherwise, health information can only be used for treatment of illness and payment for health services.
All of this means that healthcare providers are required to develop specific procedures to protect against unauthorized information disclosure. Furthermore, each provider must appoint an official who is responsible for monitoring compliance with the new procedures and who must notify patients about their privacy rights and the protections that ensure privacy of their healthcare information.
In the area of healthcare information security, the regulations will have major effects on information systems and operations with respect to administrative procedures, physical safeguards, technical security and overall safeguarding of information. More than 30 separate security-related issues must be addressed by healthcare providers under the HIPAA security regulation.
HIPAA's requirements are significant, complex and far-reaching. The task of planning to meet them is challenging, first, because concurrent changes in business practices, operations and information technology are involved and, second, because many of the HIPAA rules are emerging over time and planning has to be flexible to accommodate them. The most important factors to remember are that: (1) HIPAA is not just an information technology issue--it requires organizational and business practice changes, as well; and (2) HIPAA will likely require that organizations make choices about the expense, risks and practicality of proposed changes to administrative and care delivery operations. For example, decisions must be made about the amount of security that is practical if various clinicians require rapid access to patient or resident clinical information. This necessitates input into the decisions by both clinical and technical staff so that the policy adopted is both understood and supported.
Because the exact release dates of the remaining HIPAA regulations are uncertain, the required compliance dates (generally 26 months after each final regulation is published) are subject to uncertainty, as well. Nevertheless, most healthcare organizations are operating using a rolling 20- to 24-month HIPAA planning time frame, beginning before each final rule is scheduled to be published, so that the requirements of each rule will be met before the date that the rule becomes effective. According to the regulations, small organizations, i.e., those with less than $5 million in annual revenue, will have an extra year to comply.
The key planning steps needed include:
* educating staff
* evaluating current operational status (related to each HIPAA rule and its requirements)
* performing risk and cost/benefit analysis
* developing plans to meet requirements
* implementing plans
* reviewing progress
Most information security and privacy professionals in healthcare organizations are cautioning their peers not to underestimate the requirements of HIPAA, the impact these will have or the fact that they will be enforced. And virtually all professionals strongly urge that organizations should plan now for HIPAA compliance, because if organizations wait until all the rules are finally in place, they will not have the time to comply with them and, in rushing to do so, will find their costs to be much higher than if a plan had been developed and followed.
The most important initial steps to take, therefore, are the following:
* Identify and task a major professional in your organization to be the sponsor of the HIPAA compliance plan for the enterprise, and provide that person with the resources required to develop and implement the plan.
* Start by educating all business, information technology, clinical and other administrative staff about HIPAA and its requirements. Form a project team including key people who will be responsible for process redesign, documentation and training. Be prepared to re-educate people over time and to provide knowledge to new staff.
* Recognize that complying with HIPAA's privacy and security rules will protect both your organization and its residents and avoid costly fines and citations. Also, recognize that information privacy and security are based on people and their behavior, not just on technological security procedures. Accountability for protecting information and confidentiality must be placed on individuals in the organization.
* A comprehensive plan requires a detailed risk assessment for evaluating the extent to which current procedures and technology comply with HIPAA requirements and documenting the existing flow of patient data and information.
* Determine (possibly using a compliance checklist) what specific process re-engineering, business practice modification and information technology changes will be needed to meet HIPAA requirements. (Recognize that these requirements will have to be met over time, and, therefore, both old and new procedures might have to function concurrently; seek efficiencies to maximize use of new processes.)
* Be sure to document new policies and procedures that will address the gaps discovered through the risk assessment. This documentation will be extremely valuable during any internal and external reviews of HIPAA compliance.
* HIPAA also mandates that healthcare organizations ensure that their business partners are in compliance with its requirements. This means that you must plan to test and retest systems involving outside business partners regarding your mutual HIPAA compliance.
Because all of these changes focus on changes in policies, procedures and technology, planning and implementation efforts have to involve many parts of the organization, and these must agree to cooperate on a long-term basis to ensure that HIPAA's multiple requirements will be met.
Malcolm H. Morrison, PhD, is president and CEO of Morrison Informatics, Inc., an information technology and data analysis consulting firm specializing in long-term and post-acute care.
Staying Informed about HIPAA
Because of the extent, scope and frequency of the HIPAA regulations, it is important that organizations make every effort to stay current with their development. Following are some resources that might be worth checking regularly:
Association for Electronic Health Care Transactions
Analyzes the impact of HIPAA and provides a security self-evaluation checklist.
Department of Health and Human Services (HHS)
Complete text of the proposed and finalized HIPAA rules, along with industry comments on the rules.
Forum on Privacy and Security in Healthcare
Wide-based industry views on security issues confronting healthcare, including HIPAA documents and transcripts of testimony before Congress on healthcare security.
Health Care Financing Administration
Full text of the act and related statutes; information and resources for a wide range of groups, including consumers and patients; links; a state-by-state contact list; and a search engine.
HIPAA Issues and Answers
Proceedings from the 2000 Annual HIMSS (Health Information and Management Systems Society) Conference and Exhibition, presented by Gene N. Cartier, James Craft, Karen Ferraiolo, John Parmigiani and Charles Reeves, Session 129.
"HIPAA on the Job: Enhance Your Organization's Awareness of HIPAA"
Basics of HIPAA, reasons why healthcare organizations should comply and steps to include when preparing for HIPAA compliance.
Workgroup for Electronic Data Interchange
Set of HIPAA-related links and a HIPAA glossary.