Skip to main content
The Centers for Medicare & Medicaid Services will use a complaint-driven process to enforce the transactions and code sets provisions of the Health Insurance Portability and Accountability Act after the Oct. 16 implementation deadline, and will focus on using voluntary compliance.

Kinder enforcement indicated for HIPAA EDI

September 1, 2003

Kinder enforcement indicated for HIPAA EDI

Many won’t be ready, industry groups say

The Centers for Medicare & Medicaid Services (CMS) will use a complaint-driven process to enforce the transactions and code sets provisions of the Health Insurance Portability and Accountability Act (HIPAA) after the Oct. 16 implementation deadline, and will focus on using voluntary compliance.

The agency has said it will not impose penalties on covered entities that deploy contingencies to ensure the smooth flow of payments if they have made "reasonable and diligent efforts to become compliant and, in the case of health plans, to facilitate the compliance of their trading partners."

CMS made that announcement a few days after a number of industry groups — including the American Hospital Association (AHA), the American Medical Association and others — delivered a letter to Health and Human Services (HHS) Secretary Tommy Thompson urging his department to act promptly to prevent an impending train wreck from an uncoordinated implementation of HIPAA standardized transactions.

"Despite the best efforts of all parties, many covered entities will not be able to achieve full compliance by that date due to circumstances beyond their control," the health care organizations wrote. They warned that without action by HHS, rejection of nonstandard electronic transactions and resulting reversion to paper transactions by significant numbers of providers would lead to a major disruption of payments to providers under Medicare, Medicaid, and private-sector health plans.

The organizations urged HHS to clarify that during a reasonable migration period, transactions standards compliance requires only that claims be in the HIPAA-standard format, use the standard codes, and contain only the data content necessary for adjudication. They also urged the agency to develop a process to ensure an adequate level of cash flow to providers during the transition.

Pete Kraus, CHAM, business analyst for patient accounts services at Emory University Hospital in Atlanta, tells Hospital Access Management that although "a bit melodramatic," AHA and the other industry groups are probably correct in their assessment of payer and provider readiness. However, Kraus says, it would be hard to fault HHS if it chose to be adamant in sticking to the implementation schedule. "It isn’t as though the players haven’t had plenty of notice that this was coming," he notes. "Had everyone treated the deadline as they did Y2K, most participants would be ready."

His hospital’s clearinghouse has been sending 837-formatted claims to any payer that will take them for months, Kraus says. "The clearinghouse tells us the list of payers accepting 837 claims is growing, albeit slowly," he says. "We’ve experienced significant delays attempting to test 835-formatted electronic remittances with our Medicare and Medicaid intermediaries."

Hospitals were to have begun testing their electronic data interchange (EDI) processes on April 16 of this year.

Most of what has been holding up progress in the move toward transactions and code set implementation is that Medicare and most state Medicaid programs were not ready to proceed with EDI, Gillian Cappiello,CHAM, senior director for access services and chief privacy officer at Chicago’s Swedish Covenant Hospital tells HAM. (See "HIPAA deadline may have come and gone, but privacy concerns continue," Hospital Access Management, May 2003, p. 49.)

By the end of July, Kraus says, there had been no sign of either Medicare or Medicaid being ready to test. The comments by CMS on its enforcement process "could mean anything," he adds, "although it sounds as though they intend not to be draconian in their initial enforcement. Whether that helps or hinders the process remains to be seen."

Next up is HIPAA security

Cappiello says her organization has begun meetings to strategize its approach to the next HIPAA hurdle — the April 21, 2005, effective date of the HIPAA security regulations. She notes that there is significant overlap between the final security rule and the HIPAA privacy standard, which became effective in April.

A number of offerings on the CMS web site have been helpful in her own preparation for the security rule, Cappiello says, including information found at www.cms.gov/hipaa/hipaa2/regulations/security/default.asp. A good place to start, she adds, is the transcript for the Feb. 28, 2003, HIPAA implementation roundtable. Also helpful, she adds, is Phoenix Health Systems’ "Key Security Questions for Healthcare Executives," which are at www.hipaadvisory.com/action/security/0603keyques.htm.

In an article found at that site, Clyde Hewitt and Bill Miaoulis, principals with Phoenix Health Systems, suggest three questions that health care organizations should be asking in regard to the security rule:

  1. What are the security risks to my organization, and which are the highest priority?
  2. What measures should be considered for our plan to reduce risk and become HIPAA security-compliant?
  3. How much should we budget (money, resources) for security?

Important security risks to be considered, they say, likely will include many, if not all, of the following:

  • loss of financial cash flow;
  • permanent loss or corruption of electronic protected health information (ePHI);
  • temporary loss or unavailability of medical records;
  • unauthorized access to or disclosure of ePHI;
  • loss of physical assets (computers, etc.);
  • damage to reputation and public confidence;
  • threats to patient safety;
  • threats to employee safety.

In assessing risk, Hewitt and Miaoulis point out, it is important to determine potential events that could result from an organization’s vulnerabilities, which could include the following:

  • misuse of authorized access (an employee divulges system passwords to a marketing firm, or an errant email containing ePHI is sent to a large group of unauthorized users);
  • financial fraud (think Enron, WorldCom, HealthSouth);
  • natural physical events (fires, floods);
  • unexpected systems downtime;
  • unauthorized access to systems by hackers (defaced web pages, viruses);
  • harm to employees or patients;
  • systems are not set up to effectively monitor security incidents;
  • staff does not know how to respond to security incidents;
  • unauthorized access to facility areas that are not properly secured;
  • ineffective disposal of ePHI and other sensitive data.

CHC Healthcare Solutions has a document with a grid comparing the privacy rule and the security rule, Cappiello points out, that can be found at www.computerhorizons.com/mediastore/otherfiles/SecurityEssentialsforPrivacy.pdf .