This rule requires healthcare
organizations, insurers and payors that have been using
any electronic means of storing patient data and
performing claims submission (including faxes, we are
told) to comply with this new Final Rule for National
Standards for Electronic Transactions.
Providers that use an electronic clearinghouse to
process their transactions do not have to modify their
systems at present to assure compliance; however, the
provider has to make sure that the clearinghouse, as a
business partner, is compliant with the new regulations.
In all likelihood, providers will have to make some
modifications to ensure ancillary and departmental
systems are capturing HIPAA-required information and
transmitting that data to their
Admission, Discharge and Transfer (ADT) systems and
billing systems, in order for the clearinghouse to be
able to create and send a HIPAA compliant transaction.
Additional provider, payor and insurance system
modifications will also be required for Privacy and
Security rules as mandated by the AS provisions, so
having a clearinghouse does not preclude a provider,
insurer or payor from having to make other computer
system changes as part of their HIPAA compliance
efforts.
At the risk of oversimplification, this rule requires
providers, insurers, payors and, to a small extent,
employers to submit enrollments, eligibility and claims
processing via Electronic Data Interchange or EDI
transactions.
EDI is nothing new and has been commercially available
since the 1980s. Many large companies have been using
EDI for years to process orders, send invoices and issue
or receive payments with their electronic trading
partners.
EDI is essentially a set of very specific rules
governing how information will be packaged in order to
send orders, invoices, statements and payments
electronically from one electronic trading partner to
another.
The government has essentially adopted this standard as
a good way of ensuring that everyone (providers, payors,
insurers and employers) will use these excellent
standards as a way of communicating and sending
information to each other. Properly done, EDI
transactions do not require human intervention and
should process very quickly. Therefore, providers should
be able to submit electronic eligibility or benefit
inquiries and claims via EDI transactions to the payor,
whose claims system should process the EDI transaction
quickly, returning a claim payment/advice electronically
and without delay.
Other HIPAA compliance rules currently defined and
proposed under the (AS) provisions, but not expected to
be finalized until 4Q, 2000 or early 1Q, 2001, include:
The Standards for Privacy of
Individually Identifiable Health Information are
designed to help guarantee privacy and confidentiality
of patient medical records. These new Standards for
Privacy are quite extensive. Healthcare providers,
insurers, payors and employers should review this rule
and its requirements in great detail with the intent to
update and replace any current internal guidelines in
order to ensure HIPAA compliance.
The National Provider Identifier,
the Employer Identifier and an earlier proposal
for a National Individual Identifier were
designed to help speed processing of enrollment,
eligibility and claims processing by having a national
set of identification numbers that the entire industry
would use to identify a specific provider, insurer or
patient. These same steps would also help identify fraud
and abuse by eliminating situations where providers and
individuals have multiple identifiers today, making it
difficult to match and track claims to both providers
and individuals, particularly where fraud is intended.
However, the National Individual
Identifier ran afoul of protests from civil
libertarians and individuals concerned about big brother
having the ability to identify, track and gain
information about anyone in the country via a single
identification number. As a result, the National
Individual Identifier seems to have been put on the
sidelines until such time as a reasonable compromise
could be worked out that would assure all sides that
there would be no abuses of such a system.
Electronic Signatures will come
into play at some point in the future, but when is
difficult to predict at this time. Electronic Signatures
may be required for persons submitting healthcare claims
and claims attachments through the use of a digitally
encrypted key "signature", that requires a "private key"
to create and send the "signed document". The document
and electronic signature can then be authenticated as
only having been sent by that individual, by a person
using a public key to decipher and open the document,
typically a payor or insurer who would be processing the
claim and attachments. This eliminates the possibility
of persons submitting false or fraudulent claims later
denying that they were the one that sent the claim.
However, for a uniform encrypted key
system to work absolutely and without the possibility of
error (that could lead to deniability) for the entire
health industry in the United States, there must be a
national organization that could be
universally trusted to assign, distribute and manage
keys on a national basis and without error. Such an
organization has yet to be established. Therefore, this
HIPAA rule seems somewhat more distant than the others,
in terms of implementation.
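
The signing and verification flow described above, and the reason a trusted key registry matters, shown as an added example that is not part of the original article: the submitter signs a claim and its attachment with a private key, and the payor verifies with the public key registered for that submitter. The `KeyRegistry` type, the `SignedClaim` envelope, the choice of Ed25519 and the `PROVIDER-001` identifier are assumptions made for illustration; the article names none of them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// KeyRegistry stands in for the trusted key authority: submitter ID -> public key.
type KeyRegistry map[string]ed25519.PublicKey

// SignedClaim is a hypothetical envelope; the signature covers all other fields.
type SignedClaim struct {
	SubmitterID                  string
	Claim, Attachment, Signature []byte
}

// signedBytes hashes each field on its own, so bytes cannot move between fields unnoticed.
func signedBytes(c SignedClaim) []byte {
	id, cl, at := sha256.Sum256([]byte(c.SubmitterID)), sha256.Sum256(c.Claim), sha256.Sum256(c.Attachment)
	return append(append(id[:], cl[:]...), at[:]...)
}

// Verify is run by the payor and needs only the registered public key.
func (r KeyRegistry) Verify(c SignedClaim) error {
	pub, ok := r[c.SubmitterID]
	if !ok {
		return errors.New("unknown submitter: no registered public key")
	}
	if !ed25519.Verify(pub, signedBytes(c), c.Signature) {
		return errors.New("bad signature: content altered or not signed by this submitter")
	}
	return nil
}

// Demo signs a constructed claim, then verifies it intact, altered and re-attributed.
func Demo() (genuine, altered, unknown error) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	reg := KeyRegistry{"PROVIDER-001": pub}
	c := SignedClaim{SubmitterID: "PROVIDER-001", Claim: []byte("office visit, $120"), Attachment: []byte("chart note")}
	// Submitter side: only the private key holder can produce this signature.
	c.Signature = ed25519.Sign(priv, signedBytes(c))
	tampered, stranger := c, c
	tampered.Claim = []byte("office visit, $920")
	stranger.SubmitterID = "PROVIDER-999"
	return reg.Verify(c), reg.Verify(tampered), reg.Verify(stranger)
}

func main() { fmt.Println(Demo()) }
```

Verification can only attribute a claim to a submitter as far as the registry entry itself is trustworthy, which is the role the article assigns to a national key organization.
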
These rules fall short of requiring
specific technology or specific vendor solutions to
address such issues as security and protection of
individually identifiable patient information. Tools
being discussed are the use of biometric devices (palm
print readers, retinal scanners, fingerprint readers,
etc.) for workstation security, enterprise-wide network
security or the security of data transmission of claims
information to insurers or payors for claims processing.
By not defining specific technology or vendor solutions,
the Department of Health and Human Services (DOHSS) has
left enough wiggle room to say that the AS provisions
are technology neutral, thereby passing the
responsibility of evaluating and justifying appropriate
technological solutions into the laps of each individual
healthcare institution, based upon their unique business
requirements.
Healthcare organizations under
tremendous financial pressure and having enough
difficulty fielding enough qualified nurses for a single
shift will have trouble justifying the expense of
retinal scanners on their workstations and servers or
encrypting their entire hospital data network in order
to ensure the protection of individually identifiable
patient data. As a result, there will be a distinct lack
of uniformity in HIPAA compliance and implementation at
the institutional level, based upon what each
organization can justify and/or afford.
Achieving HIPAA compliance,
particularly for healthcare providers, will not be easy
and will be costly to the provider and payor
organizations. Providers, payors and insurers will have
to educate and train their staffs to be in compliance
with the new requirements and then perform ongoing
compliance monitoring and application of appropriate
sanctions when necessary. Providers, unlike insurers,
also have to deal with millions of family members, loved
ones and outside visitors from all walks of life in the
course of performing daily business. These daily
visitors, along with security challenges supplied in
ample quantity by Internet hackers, email viruses
and the sheer physical size of some organizations, make
the protection of individually identifiable patient
information a major challenge in itself.
Like most federally mandated programs,
there are no provisions for the recovery of HIPAA
compliance implementation costs or the ongoing costs to
train new staff and monitor HIPAA compliance after
initial implementation. Sadly, it is the author's
opinion that more institutions will close as a result of
not being able to achieve HIPAA compliance for a variety
of reasons. Currently, some experts are estimating the
costs of achieving initial HIPAA compliance (not
counting ongoing compliance training and monitoring once
implemented) at over $66 billion and climbing.
However, there is a long-term, bright
side to HIPAA compliance. Over time and once fully
implemented, HIPAA should minimize the amount of
paperwork and human intervention required to verify a
patient's eligibility and minimize the amount of human
effort required to perform claims processing. The
required eligibility and claims transactions should not
require human intervention if submitted correctly and
according to the transaction standards. Insurers or
payors may only want to manually examine randomly
submitted claims or claims for a specific individual or
business as part of fraud or abuse detection. Since
claims should be processed far more quickly, claims
payments to the providers should also speed up (at least
in theory), hopefully easing some of the cash flow
burden for provider organizations. Security improvements
to prevent deliberate or accidental accessing of unique
or individually identifiable patient data will address
concerns over privacy of patient data. Moreover, digital
Electronic Signatures (as proposed) will ensure that
persons submitting fraudulent electronic insurance or
Medicare/Medicaid claims will not be able to deny
submitting them in court later on.
While it is easy to get tangled up in
the emotion surrounding the expenditures and work effort
required to achieve HIPAA compliance, it is important to
remember there are many positive features of HIPAA. The
need for insurance portability is apparent. Protecting
the patients' right to the privacy of healthcare
information has always been, and should remain, a high
priority. Reductions in fraud and abuse are certainly
welcome, if not long overdue.
Quicker processing of eligibility and
claims not only reduces the cost of these items to the
hospital and the insurer/payor but provides better
service to the patient as well. Although there may be
some pain associated with the successful implementation
of compliance rules, the result will ultimately be the
improvements that the Clinton administration and
Congress agreed upon and intended.