HIPAA deadlines approach: Are you ready, or in denial?
HIPAA deadlines approach: Are you ready, or in denial?
Extension for transaction standards, privacy deadline April 2003
A nurse in your agency is scheduled to see five patients during the day. She pulls the five charts, places them in her briefcase, sets the briefcase on the back seat, and heads to her first patient. In the driveway, she removes one chart from her briefcase, places it on the back seat of the car, locks the car, and goes in to see the patient.
Is the privacy security of the other four charts protected according to standards set by the Health Insurance Portability and Accountability Act (HIPAA)? This is only one of the many questions home health managers should be asking themselves as the implementation date of Oct. 16, 2002, for the first part of HIPAA — the transaction standards — approaches, say experts interviewed by Hospital Home Health.
Because the transaction standards have the earliest implementation deadline, most home heath agencies have focused upon them and may not be paying as close attention to the privacy and security standards, says Heather P. Wilson, PhD, president of Weatherbee Resources in Centerville, MA, and co-author of The HIPAA Privacy Rule: Compliance Resources for Home Care Agencies.
"There are changes being considered for the privacy standards," Wilson says. "The security standards have not been finalized, so some home health managers may be lulled into the belief that there is no reason to work toward compliance with these standards yet," she adds.
There is a lot that can and must be done now, Wilson says. The privacy standards, in particular, can affect every aspect of a home health agency’s operation. The best way to implement changes is in stages so that employees are not overwhelmed, she adds.
"Make sure you are familiar with all three categories of HIPAA standards, and make sure a representative from the home health agency is on any committee set up within your hospital to meet HIPAA requirements," Wilson suggests.
Transaction standard deadline
Because the implementation date for the transaction standards is Oct. 16, 2002, make sure this issue is addressed now, says Larri A. Short, JD, partner in Washington, DC-based law firm Arent Fox Kintner Plotkin & Kahn.
"If a home health agency is not ready to bill Medicare electronically, according to the standards set by HIPAA, a request for a one-year extension can be filed," she says.
If the home health agency is considered a department of the hospital, the hospital can file for the extension, but if a home health agency has its own provider number, an extension for the home health agency must be filed separately. The home health manager should be coordinating activities with the appropriate hospital personnel to make sure the request for extension is filed prior to Oct. 15, Short explains.
At the same time, you should be talking with your vendors to find out how close they are to meeting the standards, she adds.
Be wary if your vendors assure you that they are fully compliant at this time, warns Mark Sharp, CPA, senior manager and consultant with the Springfield, MO, office of BKD, an accounting firm that offers a variety of consulting services to the health care industry.
"The Centers for Medicare & Medicaid Ser-vices [CMS] is currently addressing a problem formatting the admission date on the UB92," Sharp says.
Home health agencies also are currently using V-codes for electronic billing but the transaction standards don’t recognize V-codes, he adds. Until CMS resolves these questions, vendors cannot be fully compliant, Sharp explains.
Internally, agency managers should be reviewing all forms that feed information into the billing system, Short suggests.
"The UB92 is to be replaced by the X837 so managers should become familiar with the new form and compare the information that is needed to the information that the agency is already collecting," she says. (Editor’s note: A copy of the form and detailed instructions can be found at http://aspe.hhs.gov/admnsimp/index.htm.)
April privacy deadline
Even if you file for a one-year extension, you must be prepared to test your electronic billing system by April 16, 2003, Short points out.
"The definition of what constitutes a test is not well defined, but an agency cannot file for the extension and then continue to put off [its] efforts to implement electronic billing, according to HIPAA standards," she adds.
Also, the privacy standards implementation deadline of April 14, 2003, still is in place and probably will not be changed, Short adds.
The privacy standards are designed to protect unauthorized use of or access to a patient’s health information, Short explains. The most obvious area for evaluation is the way in which charts or medical information on a computer is transported and stored when a clinician is visiting a patient, she says.
While password protection for computer information, storage of medical charts in the trunk rather than a back seat, or even keeping records in a locked box, may be the right answer for your agency, it is important to look at what you are doing now as compared to the standards, she suggests. While you may not have to make changes or major changes in all policies, you must look at each one, Short adds.
Remember, too, that HIPAA standards are scalable and written for all types of health care organizations, Wilson points out.
It is not necessary, or practical, for home health agencies to enact the same type of privacy policies that a hospital might implement, but all of the home health policies should meet the HIPAA standards as a baseline, she adds.
Protecting the privacy of your patients’ health information starts even before a clinician takes a chart on a visit, Short says. "An agency has to develop a mechanism that ensures that the minimum amount of information necessary for the recipient to do a job is given," she says.
This means that your billing department does not need the whole medical record for billing, your home health aides may not need the entire record, or your physical or occupational therapists may only need access to part of the record, she explains.
"You can develop a role-based access system that defines who gets access to the whole record, and who gets access to specific parts of the record," she says.
Put processes in place for documentation
One of the more difficult changes an agency may have to make is the patients’ right to receive an accounting of how their medical records are used, Short says.
"An agency must have a process in place to document out-of-the-ordinary uses, such as reports to a public health agency in the case of a tuberculosis infection, a subpoena for the record, or use of the record in a research project," she explains.
"This means that the nurse who calls the public health department must document in writing that a report was made to a specific place on a specific date," Short explains. The documentation has to be distinctive enough that someone making a report to the patient easily can see it, she adds.
The key to successful HIPAA compliance is to make sure your policies reflect the reality of your agency’s practice and can accommodate changes, Short says.
As you review and change your policies, don’t forget to address these changes in employee orientation programs and employee handbooks, Short adds.
Implement these changes in small steps, making sure you educate your staff well, Wilson says.
"While privacy is not a new concept in any health care setting, people do have to change the way they think about privacy," she says. "Privacy and security have to become part of an agency’s culture, not just a policy to follow."
The security standards address protection of a patient’s health information from loss, destruction, or unauthorized access, Sharp explains. Security differs from privacy because it focuses more on the electronic systems that collect, store, and transmit the information, he explains.
While the rule has not been finalized, it is not realistic to hope that it will be eliminated, Wilson says. "Some people hope that implementation of the privacy standards will take care of security, but it is important to address security even without a final rule," she adds. Publication of the security standards is expected in Summer 2002.
"Look at the proposed rule and compare the requirements to what your agency is already doing," Wilson suggests.
"Some agencies have addressed the security of their computer systems and access to computerized records as part of their normal business operations," Sharp admits.
"It is still important for the home health agency to take an active role to make sure that its specific needs are addressed for employees who routinely access or input information remotely," he adds.
Get started now
Passwords for login, passwords to access specific information, and firewalls within the system, are all common ways to address security, Sharp says.
Although some requirements may be burdensome, it is important to begin addressing all HIPAA requirements now, Wilson says.
"Don’t delay your preparation, but don’t be overwhelmed," she says.
"This isn’t rocket science. Evaluate the standards, plan your changes, develop your policies and forms, and educate your staff," Wilson emphasizes. "Throughout all of this, remember that these changes are good for the patients and we are all potential patients."
[For more information about compliance with HIPAA, contact:
- Mark Sharp, CPA, Senior Manager & Consultant, BKD, 901 E. St. Louis St., #1,000, Springfield, MO 65806. Telephone: (417) 865-8701. Fax: (417) 865-0682. E-mail: [email protected]. Web site: www.bkd.com.
- Larri A. Short, JD, Partner, Arent Fox Kintner Plotkin & Kahn, 1050 Connecticut Ave., N.W., Washington, DC 20036. Telephone: (202) 775-5786. E-mail: [email protected].
- Heather P. Wilson, PhD, President, Weatherbee Resources, 404 Main St., Centerville, MA 02632. Telephone: (866) 969-7124 or (508) 778-0008. Fax: (508) 778-8899. E-mail: [email protected]. Web site: www.weatherbeeresources.com.]
HIPAA Resources
The following web sites offer updates, forms, instructions, and other details related to the Health Insurance Portability and Accountability Act (HIPAA):
Maintained by the American Health Information Management Association in Chicago. The site offers updates on HIPAA, a web-based training course titled How to Achieve HIPAA Compliance, sample position statements, and sample job description for privacy officers.
Sponsored by the Montgomery Village, MD-based information technology consulting firm Phoenix Health Systems, the site contains a wide range of articles, updates, and information on HIPAA.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.