Racing toward the deadline. (Cover Story).


Another month has gone by, and the pile of sand in the bottom of the HIPAA hourglass is mounting steadily toward that Oct. 16 deadline. Ideally, skilled nursing facilities and other long term providers that meet the HIPAA definition of "covered entity" should be putting the finishing touches on their Transactions and Code Sets compliance. (See "Time's almost up!," July 2002 CLTC, page 38.)

But meeting this deadline is only the beginning. By April 14, 2003, providers must be in compliance with HIPAA's Privacy Rule. And beyond that--when the Security Standards have been finalized--there will be yet another HIPAA deadline with which to contend. (See "HIPAA deadlines reminder," below.)

Finding your way in the woods

Software vendors, consultants, and information technology (IT) experts agree that procrastination is the enemy of HIPAA compliance. But just where should you be on the HIPAA timeline as of August 2002?

"Providers should certainly be testing--maybe even in their final stages of testing--their transactions and code sets," says Julie Natzke, HIPAA Compliance Committee chairman for MDI Technologies Inc., a St. Louis-based software provider. "If they aren't in testing, they should be well into their process of evaluating the policies and procedures they currently have in place and how these might differ from what HIPAA requires."

If you are running behind schedule, you are not alone. A recent survey of more than 500 long term care executives conducted by UltraBridge, a Hunt Valley, Md.-based IT outsourcing firm for long term care providers, found that relatively few respondents consider themselves ready to meet the demands of the HIPAA regulations.

"Only 8 percent of the respondents say that they're HIPAA-compliant and 41 percent don't know where they are at all," says Lawrence P. Cirka, president and CEO of UltraBridge.

Cirka, who has also been an operator and administrator of long term care facilities, says that this shortfall reflects more pressing challenges facing the long term care industry: workforce shortages, census reimbursement, liability insurance, and clinical outcomes. He adds that HIPAA is probably not foremost in consumers' minds when it comes to choosing a nursing home for an elderly parent.

"HIPAA compliance is not a distinguisher among competition," says Cirka. "But it is a gun the industry is facing and it is something providers have to do. My advice is that people should know where they are in the jungle. How compliant--or non-compliant--are you? What is your plan? Get an assessment, talk to your staff."

Whether you are ahead of the curve or behind it, it's important to remain calm. CLTC spoke with several experts whose insights may help you avoid "HIPAA hysteria."

1. Know the rules. To build a solid foundation for HIPAA compliance, it is essential to know and understand exactly what is required and why. Even if you have already read the HIPAA statute, privacy rules, and proposed security standards, read them again. Master the terminology: Know who is a "covered entity," what is a "covered transaction," and who is a "business associate" as defined under HIPAA.

The text of the Health Insurance Portability and Accountability Act of 1996, the Privacy Rule, and the proposed Security Rule are available on Department of Health and Human Services (HHS) Web sites. (See "HIPAA resources," page 30.)

Maureen Weaver, who chairs the Health Care Department at Wiggin & Dana, a Connecticut-based law firm, says that HHS's own material--including answers to "frequently asked questions" posted online--offers invaluable insights into HIPAA compliance.

"If you're confused or need further interpretation of a particular regulation, you can find that it's also helpful to check the preamble to the final [privacy] rule--HHS's own comments," says Weaver. "It's divided according to topic, so it's fairly easy to search. What the agency is saying about the rule is the best source."

Most skilled nursing facilities electronically transmit claims for payment, and therefore are covered entities under HIPAA. Certain other long term care providers--such as assisted living facilities and CCRCs--may be covered entities as well. Weaver advises that providers with questions concerning their "covered entity" status consult with legal counsel.

"It's possible that in some states, assisted living providers could be billing some government funding authority such as Medicare electronically, and they may be covered under the Privacy Rule," she says. "I think it's going to vary, depending on how those entities are licensed and operated state to state."

Some state laws and some federal regulations--such as OBRA--call for broader or more stringent measures than those outlined in the HIPAA Privacy Rule.

"The approach generally is that if another federal or state law is more protective of residents' rights to privacy and confidentiality of health information, then the more protective rule would remain in place," says Weaver.

2. Find out where you stand. One of the most time-consuming aspects of preparing for HIPAA compliance is the "gap analysis"--a complete inventory of how a provider manages, maintains, uses, and discloses protected health information. This inventory should encompass all current practices, policies, and procedures; software and IT systems; and contractual arrangements with business associates. Findings are then compared against the HIPAA privacy requirements to locate compliance gaps that must be filled. The more thorough the analysis, the more solid the foundation for HIPAA compliance.

Weaver suggests that a provider who has not yet begun a gap analysis might want to move ahead with developing policies and procedures. "Your time would probably be better spent assuming that there's a gap and then filling it," she says.

The process of evaluating IT systems should begin with system and software vendors. According to Robert Feightner, HIPAA compliance officer for Achieve Healthcare Information Systems, "Long term care providers should be contacting their software vendor or clearinghouse directly requesting information--often in the form of a survey or standardized set of answers--to determine which claims transactions standards they'll be ready to meet and if they will be able to meet the Oct. 16, 2002, deadline."

3. File for an extension. If you know now that you are not going to make the Oct. 16 Transactions and Code Sets deadline, you can file for a 1-year extension by submitting a compliance-extension plan online at <www.cms.hhs.gov/hipaa/hipaa2/ASCAForm.asp>. Submit this plan well before the filing deadline of Oct. 15, 2002.

Even if you have everything in place to make the first deadline, it may be wise to file for the extension as a backup measure in case some of your intermediaries and trading partners will not be ready by Oct. 16.

"We are now advising all of our clients to file for an extension," says Feightner. "There's no downside to it that I'm aware of."

4. Remember that HIPAA goes beyond IT.

Reputable software vendors and IT consultants will be the first to tell you that no software or IT system alone can make a provider "HIPAA compliant."

Some consultants and IT experts estimate that the HIPAA-compliance process will be 80 percent administrative and 20 percent IT concerns. State-of-the-art software is only as good as a provider's HIPAA policies and procedures, and no IT-security genius can help you guard protected health information if staff members leave passwords on sticky-notes beside their workstations.

"One misconception that we've been trying hard to squash is that the software company can do it all for you," says Natzke. "There are a lot of tools that we can provide, but we can't write your policies for you and train your staff on policies and procedures. There are other consultants out there who will do that, but the software company won't."

Howard G. Lange, vice president of Virtual Care Provider, a Milwaukee-based IT outsourcing firm specializing in long term care facilities, says that HIPAA compliance is a "best practices" activity in which the disciplines and procedures used in the process of patient or resident care must have a certain continuity.

"People confuse HIPAA with being an IT initiative, and it's not," he says. "HIPAA compliance has more to do with operations than with anything else. There is a set of transactional standards--but that is small in comparison with the rest of the HIPAA initiative."

5. Keep looking ahead. Gwen Hughes, a practice manager for the American Health Information Management Association (AHIMA), cautions providers not to wait until they are ready to comply with Transactions and Code Sets standards to start working on compliance with the HIPAA Privacy Rule.

As this issue of CLTC goes to press, proposed amendments to the Privacy Rule are still under consideration. For example, a proposed "consent amendment" would make optional the requirement that covered entities obtain a consent for uses and disclosures of information for treatment, payment, and health care operations. Hughes points out that HHS may revert to some or all of the existing privacy standards or introduce entirely new standards in areas where amendments have been proposed, but she urges providers to proceed with privacy implementation in areas unaffected by the proposed amendments.

"If I were in a long term care setting, I would want to make sure I had a privacy officer appointed and a contact person who's going to receive complaints and provide further information about matters covered in the [privacy] notice," she says. "Another thing you'll want to define early on is your designated record set--that's going to define which records people can have access to and where they're going to get that access within your organization."

Because privacy and security issues often overlap, Hughes suggests that representatives of the privacy team sit in on security-team meetings and vice versa.

Feightner agrees that privacy and security compliance must be worked on "in tandem."

"The Privacy Rule requires that you have administrative, technical safeguards for privacy," he says. "But your IT operation and systems--to meet the Privacy Rule--have to take into account the Security Standards."

Although HIPAA's Proposed Security Standards have not yet been finalized, Feightner says that they can provide "meaningful guidance regarding system requirements for access controls and network protection."

6. Don't underestimate the workload. There's no way around it: HIPAA is going to require hard work of long term care providers, and much of it needs to be done at the facility level.

"Large and medium-sized nursing home chains are doing a good job of addressing HIPAA at the corporate level," says Feightner. "But I think HIPAA compliance is really a 'from-the-bottom-up' effort. The gap assessments and policies and procedures have to be implemented on a facility-by-facility basis. No individual facility in a chain is going to be so much like the others that the same compliance plan is absolutely interchangeable from facility to facility."

Weaver finds that many providers underestimate their workload when it comes to HIPAA compliance. In hyperfocusing on Transactions and Code Sets compliance, some may lose sight of the April 2003 privacy deadline.

"I think that all providers ought to be well on their way toward implementing the Privacy Rule," says Weaver. "The big piece of privacy implementation is going to be review and revision of policies and procedures and training your staff on those policies."

Lange advises providers to view HIPAA compliance not as a finite "destination" but as an ongoing journey.

"It's really what most people refer to as a 'quality improvement' program," he says. "It will be review, do, and act, then review, do, and act again--an ongoing monitoring effort. That's where the compliance issues will be exposed."

RELATED ARTICLE: HIPAA resources

GOVERNMENT WEB SITES

Centers for Medicare & Medicaid Services (CMS) HIPAA home page www.cms.hhs.gov/hipaa/

CMS has also released a video presentation that tells how to prepare for HIPAA Transactions and Code Sets implementation. It is also available as a "Web cast" at <http://cms.livewebcasts.com>. Questions about the Transactions and Code Sets portion of HIPAA can be e-mailed directly to <AskHIPAA@cms.hhs.gov>.

Department of Health and Human Services (HHS) Administrative Simplification information http://aspe.hhs.gov/admnsimp/index.htm

This site offers details on HIPAA Administrative Simplification, the Privacy Rule, and the Proposed Security Standards. Providers can also subscribe to e-mail updates on HIPAA regulations.

HHS 'Frequently Asked Questions' about HIPAA http://aspe.os.dhhs.gov/admnsimp/qdate01.htm

HHS Office for Civil Rights (OCR) www.hhs.gov/ocr/hipaa/

OCR provides fact sheets, background, and general information on HIPAA and the development of national standards to protect the privacy of personal health information.

HANDBOOKS

Field Guide to HIPAA Implementation, (American Medical Association, 2002) $109.95 for members, $139.95 for non-members. Call (800) 621-8335.

HIPAA: A Short-and Long-term Perspective for Health Care, (American Medical Association, 2002) $64.95 for members, $79.95 for non-members. Call (800) 621-8335.

HIPAA Compliance Manual, (American Health Care Association, 2002) $199 for members, $249 for non-members. Call 800-321-0343.

The HIPAA Handbook: Implementing the Federal Privacy Rule in a Long-Term Care Setting, by Maureen Weaver, Jeanette C. Schreiber, Michelle Wilcox DeBarge, and Catherine P. Baatz. (American Association of Homes and Services for the Aging, 2001) $99 for members, $115 for non-members. Call 800-508-9442.

HIPAA Implementation Strategies: Making Choices to Enable Collaborative Strategies, (American Health Lawyers Association, 2002) $105 for members, $150 for non-members. Order online at www.healthlawyers.org.

The HIPAA Privacy Standards: Practical Guidelines on Identifying Business Associates, by Robert L. Coffield, Esq., edited by Kristin B. Rosati, Esq. (American Health Lawyers Association, 2002) $35 for members, $45 for non-members. Order online at www.healthlawyers.org.

HIPAA TERMINOLOGY

http://snip.wedi.org/public/articles/HIPAA_GLOSSARY.PDF

This downloadable 24-page glossary from the Workgroup for Electronic Data Interchange (WEDI) will help you decipher HIPAA-related acronyms and other terminology.

OTHER ONLINE RESOURCES

Achieve Healthcare Information Systems

www.achievehealthcare.com/regulatory/regulatory.htm

Accu-Med Services Inc.

www.accu-med.com

American Association of Homes and Services for the Aging (AAHSA)

www.aahsa.org

American Health Care Association (AHCA)

www.ahca.org

American Health Information Management Association (AHIMA)

www.ahima.org/hot.topics/hipaa.html

American Health Lawyers Association

www.healthlawyers.org

American HealthTech's HIPAA Headquarters

www.healthtech.net/hipaa

American Medical Association (AMA) HIPAA page

www.ama-assn.org/ama/pub/category/4234.html

Association for Electronic Health Care Transactions

www.afehct.org

Health Information and Management Systems Society (HIMSS)

www.himss.org/asp/hipaasource.asp

HIPAA Comply

www.hipaacomply.com

HIPAA Privacy Workgroups

www.hipaaprivacywotkgroups.com

LaConner Technologies

www.laconner.com

MDI Technologies Inc.

www.mditech.com/hipaa.htm

Phoenix Health Systems HIPAAdvisory

www.hipaadvisory.com

Privacy Officers Association

www.privacyassociation.org

Workgroup for Electronic Data Interchange (WEDI) Strategic National Implementation Process

www.wedi.org/snip

HIPAA deadlines reminder

Administrative simplification (Transactions and Code Sets standards): Oct. 16, 2002

Providers filing for a 1-year extension of the Transactions and Code sets deadline must do so by Oct. 15, 2002.

Privacy standards: April 14, 2003

Although several amendments to the privacy standards are still under consideration, the deadline is not expected to change.

Security Standards: deadline to be announced

As this issue of CLTC goes to press, the HIPAA Security Standards have not yet been finalized.
COPYRIGHT 2002 Non Profit Times Publishing Group
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.


Article Details
Title Annotation:towards compliance with the Health Insurance Portability and Accountability Act
Author:Bilyeu, Suzanne
Publication:Contemporary Long Term Care
Geographic Code:1USA
Date:Aug 1, 2002
Words:2489