HIPAA regulations still being revised, keeping HIM departments up in air
Meanwhile, everyone must start to prepare
As deadlines approach for implementation of the Health Insurance Portability and Accountability Act (HIPAA), most hospital systems are involving HIM and other staff in a variety of changes
to policies and procedures. Unfortunately, the Centers for Medicare and Medicaid Services (CMS) still has to decide exactly what these new rules will be.
HIPAA will require health care providers and their HIM departments to make a variety of changes by the deadlines in October 2002 and April 2003. While this is a challenging prospect, some recent proposed changes by CMS to the final rule have made the preparation process more daunting.
"We’re obviously in the same boat as everyone else, in a state of purgatory or limbo, waiting to see what the final rules will come out to be," says Lisa Murtha, JD, chief audit and compliance officer of The Children’s Hospital of Philadelphia.
"We feel there’s so much work to be done in the way of policy and procedure drafting and gaining permission, and we don’t feel we have the luxury to wait until the fall to start," Murtha adds.
Specifically, HIM departments and coders will need to know HIPAA’s privacy rule, and they might be affected by HIPAA’s standard formats and code-sets rule.
CMS has unfortunately left some ambiguity in these regulations, and various provider industry organizations have made an effort to clarify what will be required.
For example, the American Health Information and Management Association (AHIMA) of Washington, DC, has expressed concern about how HIPAA will require health information management professionals to manage paper and electronic record systems differently by giving greater privacy protections to electronic health records.
As it stands, health care facilities may face considerable financial and technical obstacles to complying with HIPAA’s privacy requirements for electronic data.
At The Children’s Hospital of Philadelphia, 13 working groups are studying the HIPAA regulations and are developing policies and procedures for implementing the regulations. One group is concerned with the technical and physical security of information, including data stored and transmitted electronically, says Karen Czirr, MS, RHIA, information security manager.
Electronic data security will include passwords, identification codes for computer access, and the technical issues of limiting access to those who need it. "How do you handle breaches of security when confidentiality is violated, and how do you put physical locks on areas that have sensitive patient data, whether it’s financial or clinical?" Czirr says.
Although The Children’s Hospital does not employ or contract with home-based coders and medical records staff, this is an area that also could pose problems for health care systems, Czirr notes.
"We have policies that you cannot electronically transmit data outside the facility if it contains identifiable patient information," Czirr says. "I can’t send anyone outside the organization an e-mail with a discharge summary attached to it."
Hospital systems that use home office coders may find that they no longer can send these coders the same information that they’ve been able to send them in the past because of concerns over privacy, Murtha says. "That will be an institutional decision of how they will handle that issue and what coders will be allowed to handle remotely," she adds.
Internal e-mail is encrypted, but there are hurdles to sending encrypted information via the Internet, Czirr says. "Encrypted data on the Internet slows the Internet down," she explains.
"So how do we get the information that is needed by clinicians to them as quickly as possible without violating current policy? Or once the policy is revised, how do you do it within the confines of HIPAA?" Czirr says.
Health care providers in some states are being proactive in preparing for HIPAA. In Michigan, for example, the Michigan Health and Hospitals Association, the Michigan Association of Health Plans, and the Michigan Health Management Information System have formed a new organization, called the Health Care Interchange of Michigan (HCIM), to assist providers and others with achieving HIPAA compliance.
One of HCIM’s chief objectives is to help providers and other health care entities to communicate better and to implement standard electronic health care transactions across the trading partners.
A major challenge, particularly for small providers, will be to convert their existing electronic communications systems to HIPAA formatting, says Dennis McCafferty, CEBS, executive director of Health Care Interchange of Michigan in Southfield.
Standardization saves money
"Electronic transmissions are so much more efficient, but the problem is that without standards, the cost of doing things electronically is very high because everyone you share data with will have to change their formats," McCafferty says. "So if you want to take advantage of doing things in electronic format vs. paper, you have to invest heavily in multiple different ways of doing it."
An objective of HIPAA is to narrow the format options down to a very few. If this is achieved, it will provide a standardized format and save providers money, McCafferty says.
"The real financial windfall that will come to everybody in the provider community and payer community will be the result of savings by standardizing the way things are done electronically," McCafferty says. "But a big valid concern is that if you standardize, you will expose people’s health care information to possible disclosure, and if everyone is doing things the same way, there’s a big opportunity for information to be misused."
Another challenge involves switching electronic systems to meet both internal and external standards, and this means paying very close attention to the electronic system that is purchased, McCafferty notes.
Suppose that a payer requests additional information and documentation to justify the use of a particular code. The payer could return the disputed claim to the health care system, but what kind of information will the privacy regulations permit to be on the form?
HIPAA uses the term "minimum necessary" to describe what information may be sent between different covered entities.
"If the insurance company wants documentation to support the codes that we have submitted, then, up until recently, we’ve copied the entire chart and sent it to the insurance company," Czirr says. "Now we can’t do that under HIPAA."
Instead, the billing and records departments will need to limit the information to the payer’s specific request.
"If they have a question about a procedure code, then you send the documentation showing what the procedure is and send a copy of the operative report rather than the entire medical record," Czirr explains. "If they have a question about a radiological procedure or diagnostic study, you only need to send a copy of that diagnostic study — you don’t need to send a copy of all of the labs."
Czirr says the true educational challenge will be with staff outside of the medical records department, because these other employees will need to change the way they’ve customarily handled patient data.
"Medical records people have historically been responsible in the way they’ve handled the release of information," Czirr says. "They open the mail, verify signatures, and look for information that can’t be released under standard authorization."
But staff in some ambulatory and primary care centers may not be accustomed to following privacy policies, she adds.
"HIPAA is going to require that we function consistently throughout the organization," Czirr says. "More than likely as we move closer to a computer-based record system, the medical records people will be responsible for the release of information for the entire organization."
While HIM professionals working for large health systems may find that their employers are taking HIPAA very seriously and are addressing all of the technical and administrative issues raised by the regulations, their counterparts at smaller facilities and physician clinics may feel especially adrift.
"Physicians don’t see HIPAA as a reality whatsoever," says Ned Simpson, FHIMSS, director of health and life sciences practice at Tata Consultancy Services and consultant to Heron Valley Physicians Associates in Ann Arbor, MI.
One Ann Arbor-area physician health organization recently hired a consultant to do a day-long training session for all of its offices and staff, and only a handful of people showed up, Simpson says.
While various industry groups and other nonprofit organizations will offer HIPAA education for coders and payment staff at physician offices, the question is whether physicians will encourage it and whether anyone will attend, Simpson says.
"I think it’s got to become more of an urgent need, because this is not something that’s gotten on the radar screen," Simpson says. "It appears that the specialty societies are gearing up and preparing training materials, sample documents, sample policies, and I think many folks will turn to their specialty to do that." n
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.