Acronyms. Let us start with the last one first:
“U” is you. HIPAA is the Health Insurance
Portability and Accountability Act of 1996 (Public
Law 104-191), but our focus in this article is on
only a small part of the federal law: Administrative
Simplification. WEDI is the Workgroup for Electronic
Data Interchange, specified in HIPAA as an advisor
to the Secretary of Health and Human Services on implementation
matters related to Administrative Simplification.
The discussion that follows is to show you how WEDI
can help you comply with the Administrative Simplification
provisions of HIPAA.
WEDI: The Early 1990s
WEDI was started in 1991 by then Secretary of Health
and Human Services Louis Sullivan, M.D., as a collaboration
of government and private industry to address how
electronic technology could help achieve cost containment
in the health care industry by minimizing administrative
costs of health care transactions. You may recall
that in the late 1980s and early 1990s, annual health
care costs were increasing rapidly, not unlike our
present situation. In 1993, WEDI published its findings
in a two-volume report that indicated substantial
savings in administrative costs of health care could
be achieved if health care stakeholders, including
providers, payers and patients, used electronic transactions
instead of paper transactions and were connected via
direct electronic means or clearinghouses, so-called
“interoperability.” Estimated savings
of $46 billion were to be realized in the first six
years of implementation.
In 1995, WEDI evolved into a nonprofit association
with a mission dedicated to further collaboration
of health care stakeholders as a means of working
together to implement cost-effective and efficient
solutions pertaining to the exchange and management
of health care information.
Administrative Simplification Under HIPAA
The findings from the 1993 WEDI report were a significant
contributing factor to the inclusion of the Administrative
Simplification provisions in the HIPAA legislation
that was enacted by Congress and signed by President
Bill Clinton in August 1996. Administrative Simplification
mandated that so-called covered entities, health care
providers, payers and health care clearinghouses:
• Process electronically specified health
  care transactions that providers initiated electronically;
• Use specified standards and unique
  identifiers;
• Adopt specific code sets for diagnosis
  and procedures;
• Implement security and privacy standards
  for transmitting, processing and maintaining
  patient-identifiable health care information.
At the time HIPAA was enacted, not much attention
was given to the significance of Administrative Simplification
standards because public and political focus was directed
toward issues addressed in legislation that dealt
with pre-existing conditions and portability of group
health care benefits. Administrative Simplification
standards were destined, however, to have a significant
impact on the health care industry because they:
• Cover a broad range of more than 30
  billion health care transactions annually in
  the United States;
• Impact a large percentage of the
  annual $1.4 trillion in health care expenditures
  in the United States (2001 data);
• Obligate compliance by millions of
  health care stakeholders, including hospitals,
  physicians, dentists and pharmacists; insurers
  and self-funded payers; employers; health plans;
  clearinghouses; and vendors associated with
  covered entities, which are known as
  business associates.
There has been a perception in the health care marketplace
that Administrative Simplification standards are similar
to the Y2K system changes prevalent at the change
of the millennium. Administrative Simplification is
not just an information technology systems problem.
Administrative Simplification standards cover systems
issues relating to transactions, code sets and identifiers,
which are likely to be addressed by system vendors.
On average, about 20 percent of resource costs are
systems-related. However, two other standards areas,
privacy and security, which do have systems components,
are much more related to changes in administrative
policies and procedures, ongoing training requirements,
changes in workflow processes and compliance accountability
and will account for the remaining 80 percent of resource
costs.
If implemented successfully, the qualitative and quantitative
returns on investments from Administrative Simplification
will be positive. These returns will be realized via:
• Improved efficiency and effectiveness
  of the health care system by electronic exchange
  of administrative and financial information;
• Enhanced protection of administrative
  and financial information;
• Reduced transaction costs in health
  care, which today are estimated at $.26 per
  $1 of health care expenditure, by moving from
  a paper transaction system to an electronic
  transaction system and eliminating multiple
  transaction formats in favor of industry standards.
Outline of Administrative Simplification Standards
Administrative Simplification standards are outlined
in this section. A complete description of these standards
is available electronically from several sources:
Transactions and Code Sets
In December 2001, Congress enacted and President George
W. Bush signed the Administrative Simplification Compliance
Act (ASCA) of 2001 (Public Law 107-105). The purpose
of ASCA was to give covered entities a one-year extension
from the October 16, 2002, deadline to become compliant
with transaction and code set standards requirements.
For those covered entities applying for the automatic
extension, the quid pro quo was that testing of the
transactions standards had to begin no later than
April 16, 2003. For health care providers, failure
to comply by the extended date could mean loss of
status as a Medicare provider.
Administrative Simplification standards for which
compliance is required are:
• Health claims or equivalent encounter
  information;
• Enrollment and disenrollment in a
  health plan;
• Eligibility for a health plan;
• Health care payment and remittance
  advice;
• Health plan premium payments;
• Health claim status;
• Referral certification and authorization;
• Coordination of benefits.
Covered entities must use these standards. Health
plans, whether government or private, and health care
clearinghouses must be able to receive each of these
transactions. Any health care provider who chooses
to transmit any health information electronically
must do so in an Administrative Simplification standards
transaction.
Administrative Simplification standards that are forthcoming
include first report of injury and claims attachment.
Transactions that may be forthcoming, which are not
included in the Administrative Simplification standards,
include electronic pharmacy script and clinical standards.
Code set standards are any set of medical data codes
used for encoding data elements such as tables of
terms, medical concepts, medical diagnosis codes or
medical procedure codes. These include:
• Coding systems for diseases, impairments
  and other health-related problems and their
  manifestations;
• Causes of injury, disease, impairment
  or other health-related problems;
• Actions taken to prevent, diagnose,
  treat or manage diseases, injuries and impairments;
• Any substances, equipment, supplies
  or other items used to perform these actions.
So-called local codes are eliminated under the Administrative
Simplification standards.
Identifiers
The purpose of identifiers is to uniquely identify
employers, health care providers, payers and patients
in an effort to efficiently exchange transactions
among those parties, often using a health care clearinghouse
directly or as part of a network. Four identifiers
and their status are:
• National Employer Identifier Standard
  - Proposed rule issued June 1998
  - Final rule published in the May 2001 Federal Register
  - Standard: Employer Identification Number
  - Covered entities must comply by July 30, 2004
  - Small health plans with receipts <$5 million
    must comply by July 30, 2005
• National Provider Identifier Standard
  - Proposed rule issued in May 1998
  - Final rule expected by the end of 2002
• National Health Plan Identifier Standard
  - Final rule expected by the end of 2002
• National Individual Identifier Standard
  - Proposed rule: Congressional hold.
  - De facto rule: Social Security Number.
Privacy
The proposed privacy rule was published in the
Federal Register in November 1999, and the final
rule was published on December 28, 2000. It took effect
on April 14, 2001; covered entities must comply no
later than April 14, 2003, with compliance for small
health plans one year later. Final changes to the
rule were published on August 14, 2002. The rule is
enforced through the HHS OCR.
The privacy rule is complex, and an analysis of its
provisions is beyond the scope of this article. Details
of the rule are available on the Web sites mentioned
earlier. In particular, see
<snip.wedi.org/public/articles/072402PrivacyPPV12.pdf>, which
is available for download on the WEDI SNIP Web site.
In general, the privacy rule protects medical
records and other individually identifiable health
information used or disclosed by a covered entity
in any form, whether electronically, on paper or orally.
There are boundaries on the release of identifiable
medical information, and patients have access to their
records, can make amendments to their records and
have certain appeal rights regarding their medical
records and disclosure. Privacy standards are scalable
based on a covered entity’s business, size and
resources. Finally, a covered entity must implement
certain procedures, including adopting written privacy
policies, training employees and designating a privacy
officer and must formalize trading partner relationships
with business associates — for which the covered
entity is responsible for breaches. Violations of
the privacy rule may be subject to either criminal
or civil penalties or both.
Security
The proposed security rule was published in August
1998, and the final rule is expected by the end of
2002. “[H]ealth plans, health care clearinghouses
and health care providers [covered entities] would
use the security standards to develop and maintain
the security of all electronic individual health information.”
Compliance is required of any covered entity “who
electronically maintains or transmits health information
pertaining to an individual.” This requirement
extends security beyond the HIPAA transactions standards.
While no security compliance date is known at this
time, it is important to note that the final privacy
rule, for which the compliance date is April 14, 2003,
requires that security safeguards — many of
which are included in the proposed security rule —
be in place by that date. These fall into four areas:
• Administrative procedures to guard
  data integrity, confidentiality and availability;
• Physical safeguards to guard data
  integrity, confidentiality and availability;
• Technical security services to guard
  data integrity, confidentiality and availability;
• Technical security mechanisms to guard
  against unauthorized access to data that are transmitted
  over a communications network.
Many of the proposed standards are technical in nature,
but others cover such things as disaster recovery
planning and training of employees. Violations of
the proposed security rule are subject to civil penalties.
The proposed security rule also is complex, and an
analysis of its provisions is beyond the scope of
this article as well. Details of the security rule
are available on the Web sites mentioned earlier.
Again, see “Security Policies and Procedures:
A Resource Document,” on the WEDI SNIP Web site
<snip.wedi.org>.
WEDI Today
As mentioned at the beginning of this article, WEDI
began 11 years ago as a collaboration of government
and private industry to address how electronic technology
could help achieve cost containment in the health
care industry by minimizing administrative costs of
health care transactions. In 1995, WEDI evolved into
a nonprofit association that has grown to more than
220 corporate members today. With its core focus being
the collaboration of health care stakeholders to achieve
successful implementation of Administrative Simplification
standards, WEDI now has more than 6,000 participants
in various WEDI SNIP activities. There also is a growing
number of regional affiliates around the United States
that are dedicated to delivering education and information
to small providers and health plans in local communities.
One of WEDI’s important mission objectives is
facilitating implementation by small health care providers
such as members of anesthesiology practices. Toward
that end, WEDI has published a white paper titled
“Small Practice Implementation,” which
is available for download on the WEDI SNIP Web site
at <snip.wedi.org/public/articles/2002_0510_1.2.pdf>.
This provides useful information for moving toward
Administrative Simplification compliance. In addition,
WEDI has five key pieces of advice in order to stay
informed about pervasive and ongoing Administrative
Simplification activities:
1. Become familiar with Administrative Simplification
   standards and developments through communiqués
   from ASA and by periodically accessing the Web
   sites mentioned in this article;
2. Ask your vendors to tell you in writing
   what they are doing to help you to achieve compliance
   with Administrative Simplification standards.
   ASA, other medical societies and WEDI have established
   a Web site where medical billing systems vendors
   post objective information regarding their HIPAA
   readiness at <www.hipaa.org/psmdirectory>.
   If your own vendor has not registered, you may
   want to ask it the same basic questions;
3. Examine your business practices and workflow
   to see how you can facilitate compliance with
   Administrative Simplification standards;
4. Prepare to appoint privacy and security
   officers to facilitate and achieve compliance
   with those standards and institute an auditable
   and documented training program that will accomplish
   learning objectives because breaches of security
   and privacy standards could be costly to your
   practice in terms of penalties and customer
   acceptance;
5. Treat resource requirements for achieving
   compliance as an investment in a more efficient
   health care transaction future rather than as
   an expense only to be borne today.
Edward D. Jones III is owner of E. Jones Consulting
and President, HIPAA Corporation, Johns Island,
South Carolina.
The views expressed herein are those of the authors and
do not necessarily represent or reflect the views, policies
or actions of the American Society of Anesthesiologists.