The HIPAA clock begins ticking: First administrative rules promulgated
The HIPAA clock begins ticking: First administrative rules promulgated
Your practice has 24 months to comply
With the publication of the final version of the first administrative simplification rules, the clock has started ticking toward the day when health care providers must meet the regulations of the Health Insurance Portability and Accountability Act (HIPAA).
The rule "Transactions and Code Sets" was published in final form by the U.S. Department of Health and Human Services Aug. 16. The rule provides standards for electronic transactions and code sets that health care providers and payers use to identify diagnoses, drugs, and procedures.
When the rule goes into effect, all providers will use and all health plans must accept the same electronic transaction standards. Providers have until Oct. 16, 2002, to comply with the regulations.
While expressing concerns about the cost of implementing the standards, the Medical Group Management Association (MGMA) in Englewood, CO, has announced its support for the standards for electronic transactions. "We believe the publication of this HIPAA standard will lead to more streamlined administrative procedures and encourage the growth of electronic health transactions," says William F. Jessee, MD, president and chief executive officer of MGMA.
Physician practices currently must use multiple electronic formats with different data requirements to submit claims and conduct other health care transactions, Jessee says. The national standards will ensure a uniform format, which ultimately will save time and reduce administrative costs.
However, Jessee points out, the initial cost for adapting the standards is likely to have a huge financial impact on medical practices. That cost will include computer software and hardware upgrades, staff training, and legal and consultant fees.
"We urge HCFA [the Health Care Financing Administration] to recognize these costs associated with complying with the HIPAA rules and to apply any funds available to assist medical group practices in their implementation efforts," Jessee says.
The MGMA also is urging HCFA to initiate a toll-free telephone hotline, national conference calls, and regional training sessions for medical practices. Strictly speaking, if your practice is totally paper-based, you may be able to avoid complying with HIPAA regulations.
Reducing inefficiency
But for practical purposes, every physician’s office in the country will have to comply if they use computerized records in any way, shape, or form.
"Physicians can continue to use paper records and paper for everything and submit the claims the way they’ve been submitting them. But if they are going to transmit any data electronically, they must use specific data elements for those transactions," says Jackie Huchenski, JD, a health care attorney with Moses & Singer, LLP, a New York City-based law firm.
The purpose of the "Transactions and Code Sets" rule is to reduce the inefficiency of hundreds of formats for health care claims currently in use, according to Huchenski. The rule mandates that health care providers, clearinghouses, and health plans must use the standards if they transmit any kind of health information electronically.
In general, the final rule specifies transaction standards that are already accepted and used by the health care industry. The coding section of the HIPAA rule sticks with CPT-4 and ICD-9 codes used by most physician offices. It eliminates local codes used by individual states and health plans and establishes a national process for reviewing and approving codes.
Standardized codes
What has changed is the addition of administrative codes. The new rules specify codes that must be used when a health claim is submitted or a referral is requested.
The "Transaction and Code Sets" rule creates uniform standards for eight types of electronic administrative or financial transactions. (For a list of transactions, see box at left.)
HIPAA provides for two additional transactions: first report of injury and attachments. Rules for these transactions should be issued within a year. Health care clearinghouses, providers, and health plans must use the standards if they transmit any kind of health care information in electronic form.
The final rules hold providers liable if their "business associates" fail to comply with the HIPAA regulations. This provision was not included in the proposed rule. A business associate is someone who conducts business on behalf of your office but is not an employee.
The definition of business partner includes third-party billing organizations, consultants, health care clearinghouses, auditors, or any kind of management services organization — anyone who helps with the administration of the practice. Physician practices should have a written confidentiality agreement with their business partners that requires partners to keep any information they are given confidential to the same degree that the practices are required to keep such information confidential, Huchenski says.
There also should be a provision in the agreement that spells out sanctions against business partners if they violate the agreement.
The rule spells out civil penalties of $100 per person per violation and not more than $25,000 per person for violation of each standard for each calendar year. Criminal penalties of up to $250,000 and/or 10 years imprisonment may be assessed for misuse of patient information with intent to sell or use for commercial advantage, personal gain, or malicious harm. The federal rules preempt any state laws, unless the state laws are more stringent.
The final versions of the remaining administrative simplification standards will be announced over the next two years. Health care organizations must comply with each set of rules within 26 months of the publication of the final rules.
Headaches on the way
Additional final rules slated for release in 2000 include identifiers for providers and employers, standards for health data security, and standards protecting the privacy of patients.
The biggest headaches for physicians are likely to be the security and privacy regulations that will come out in final form later this year. "Right now, the proposed privacy rule does not apply to paper records, but the Clinton administration has stated its intention to expand them to cover any health information on paper," Huchenski says.
Although the final rules won’t be published for a while, physicians are advised to start now to prepare for the inevitable, she adds. Start by designating someone in your office as a privacy officer, a person who can be contacted if there is any problem or question regarding privacy and confidentiality.
Develop your own written confidentiality policies and procedures and make sure your staff are aware of them, Huchenski advises. Have sanctions in place that set out what happens if anyone in your office violates your confidentiality policies.
The privacy regulations are expected to give consumers the right to request a copy of their medical records along with an accounting of where the information has been sent by the physician. Physicians will be required to provide their patients with a written notice about their information practices that details what information is protected health information and what steps the physician office takes to keep it confidential.
Here are some other steps you should take to prepare for HIPAA:
- Follow the flow of confidential patient information in your office. Start with the time the patient gives you the information and trace its path through your office.
- Do an assessment now as to who has access to confidential information both inside and outside the office.
- Get copies of all agreements you have in place now, including arrangements with employees and billing companies. See if they need to be amended to cover the HIPAA rules.
- If you enter into a new agreement with a third party that could constitute a business-partner relationship, include the kind of language you need now so you don’t have to amend it later.
- If you are considering buying new technology, do your HIPAA assessment first to make sure that whatever you are buying will meet the regulations.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.