What is HIPAA?

HIPAA is the Health Insurance Portability and Accountability Act, signed into law in 1996. Its primary purpose is to provide continuous insurance coverage for workers who change jobs. An Administrative Simplification section in the law requires adoption of standards for security, privacy and electronic healthcare transactions.
Why is HIPAA important to my organization?

In addition to being in compliance with federal law, HIPAA standards make good business sense. While converting to electronic transaction standards and ensuring network security will initially be a cost to the industry, providers will benefit significantly from real-time access to eligibility, enrollment, and claims status information, as well as improved cash flow. It is not too early to reap the benefits. For example, one provider was able to reduce the number of nurses required to do hospital pre-certifications by two thirds using secure e-mail.

As providers consolidate, integrated delivery systems are building more expansive networks and exchanging information with many more organizations. These providers are struggling with the need for unique identifiers and are exposing themselves to greater risk of breaches of confidentiality and compromised data integrity. For example, without intrusion detection built into a network, an altered laboratory test result could lead to a major lawsuit.
Who must comply with HIPAA requirements?

All health plans, clearinghouses, and providers who choose to exchange data electronically must comply with HIPAA requirements. These requirements do not pertain only to providers receiving federal funds.
When must we comply with HIPAA requirements?

Standards are required to be implemented within 2 years of the effective date of the final rule, which is generally 60 days after publication of the rule.
What information would be useful to brief the organization's executives on the scope of HIPAA?

- HIPAA compliance will be a multi-year, large-cost, institution-wide effort that will be required by Federal law, Federal regulation, and related regulatory and accreditation bodies within the next 2-4 years.
- Failure to comply will result in significant monetary penalties. The consequences of knowingly disclosing individually identifiable patient information are criminal penalties.
- Implementing HIPAA will affect how healthcare entities organize and staff to achieve and monitor compliance with patient privacy/confidentiality needs. HIPAA compliance is better focused as a business issue than as an Information Technology issue, although IT will play a major role in implementing compliant systems.
- HIPAA will affect how independent providers deal with managing both electronic transactions (claims, referrals, remittance) and medical records.
- Large and medium-sized organizations will need executive sponsorship and dedicated resources to lead the HIPAA compliance effort. Compliance-related activities may compete with other major projects.
- HIPAA's requirements may cause significant changes in process, organization, and/or staffing in the area of claims management.
- HIPAA's requirements are meant to encourage healthcare organizations to move patient information handling activities from manual to electronic systems in order to improve security, lower costs, and lower the error rate. These resources need to be planned for.
- HIPAA mandates will require substantial changes in the policies, processes and administration governing patient-specific health information. Similarly, it will require updates of all information systems that use or collect patient data, and will require the introduction of new features and functions.
- Implementing HIPAA will improve security of healthcare information. Patient privacy and the security of all medical records will be more routinely assured. Information systems will have an improved general resistance to operational disruptions. It may be useful to consolidate off-network medical record information to a secure network.
- Because HIPAA covers all healthcare organizations, compliance itself is substantially a non-competitive issue. Coordinating and co-implementing HIPAA-mandated changes among providers, payers, and IT vendors (especially in claims management) will minimize the cost, confusion and disruption involved in the transition.
If Congress does not pass a privacy bill this year, how will that impact the requirements for security standards?

It will not impact the security standards required under HIPAA. A national privacy law would define rights with respect to confidentiality and access to health information. The security standards in HIPAA address administrative procedures, physical safeguards, technical security services, and technical security mechanisms to guard data integrity, confidentiality, and availability.
How will compliance with HIPAA standards be monitored?

Initially, organizations will use the competitive marketplace to mutually enforce compliance. Organizations will also find that electronic transmission of claims using standard transactions will improve cash flow, increasing the business reason for compliance. Accrediting and licensing organizations will also be incorporating compliance with the standards into their processes.
We do not exchange data electronically with other enterprises, only within our enterprise. We batch claims and mail a disk to the clearinghouse. Do the standards apply to us?

Yes, the security standards apply to exchange of all electronic health information within an enterprise as well as across enterprises. Transmissions over the Internet, an extranet, leased lines, dial-up lines, and private networks are included.

All electronic media are included, even when the information is physically moved (e.g., through the postal service) from one location to another using magnetic tape, disk, or compact disc.

Telephone voice response and "faxback" systems are not included.
Which electronic healthcare transactions are affected by the rules?

Based on current information, eleven transaction standards are scheduled for implementation:

- Health Care Claim (837)
- Coordination of Benefits (837)
- Payment and Remittance Advice (835)
- Electronic Funds Transfer
- Claims Status Inquiry/Response (276/277)
- Eligibility Inquiry/Response (270/271)
- Health Care Service Review (278)
- Patient Information Attachment (275)
- Enrollment (834)
- Premium Payment (820)
- First Report of Injury

Organizations need to thoroughly assess their transaction systems to assure a smooth transition to mandated transaction standards. Start now to review your current systems and develop proper procedures.
What are the mandated standard code sets? Where can I get more information about code sets?

ICD-9-CM: The official version is available on CD-ROM from the Government Printing Office (GPO) at 202-512-1800 or FAX: 202-512-2250. The CD-ROM contains the ICD-9-CM classification and coding guidelines. Versions of ICD-9-CM are also available from several private sector vendors.

CPT-4: The official version is available from the American Medical Association. Versions are also available from several private sector vendors.

HCPCS: Information about HCPCS is available from the HCFA web site.

Code on Dental Procedures and Nomenclature: The official version is available from the American Dental Association at 800-947-4746.

NDC: Official versions of the files are available on-line. NDC codes are also published in the Physicians' Desk Reference under the individual drug product listings and "How supplied." The supplements are available quarterly on diskette from the National Technical Information Service at 703-487-6430.
Read the Extended FAQ page: http://aspe.hhs.gov/admnsimp/bannerps.htm
Read the National Provider Identifier (NPI) FAQ: http://www.hipaadocs.com/professional/pro_faq_npi.jsp
Privacy Standards: http://aspe.hhs.gov/admnsimp/bannerps.htm
Security Standards: http://aspe.hhs.gov/admnsimp/bannerps.htm#security
Transaction and code set standards: http://aspe.hhs.gov/admnsimp/bannertx.htm
Identifier standards: http://aspe.hhs.gov/admnsimp/bannerid.htm
HHS releases more privacy reg guidance
Dec 09 2002

The Department of Health and Human Services' (HHS) Office of Civil Rights has released a new guidance document to address frequently asked questions about the Health Insurance Portability and Accountability Act (HIPAA) medical privacy rule. A notable section in the 14-part guidance says hospitals are not prohibited from keeping patient charts at the bedside and displaying patient care signs, such as "diabetic diet," if reasonable precautions are taken to protect patient privacy, such as limiting access to patient areas. HHS also said in the document that marketing rules that permit communications with patients about products and services for treatment or case management purposes do not modify or otherwise preempt the anti-kickback laws. The document is at http://www.hhs.gov/ocr/hipaa/privacy.html.

This article first appeared in the December 9, 2002 issue of AHA News.