Computer Software: What HIPAA Will Mean to Your Home Health Care Organization

Electronic data interchange, or EDI, is the catch-all phrase in health care for transmitting data between one organization and another. In a broad sense, it can be anything from eligibility checking to claims processing, from emailing to teleconferencing. Communicating any patient information electronically from one source to another in health care is the cornerstone of true cost savings. But before you email clinical nursing notes, before you log on to see if a patient is covered for services, before you buy that next home health care information management system with electronic claims processing, be aware. The rules are changing!

Legislation and Regulation

Prior to the advent of the PC and the Internet, EDI was primarily focused on processing claims. Proprietary claim formats and dedicated telephone lines have given way to every conceivable multimedia format operating over public cyberspace. It was only a matter of time before Federal legislation and regulation would follow. In 1996, Congress did just that. They started the ball rolling with landmark legislation: the Health Insurance Portability and Accountability Act (HIPAA) of 1996. HIPAA was designed to set deadlines on regulations to streamline the process of reporting health care data and identify guidelines for securing electronic health information. What HIPAA will really mean to the health care community is a series of changes to health care application software programs to comply with transfer requirements, and new operational procedures to ensure security measures are met.

By the year 2000, claims clearinghouses, provider organizations and payers must take steps to ensure computer systems can handle as many as nine administrative transactions in standard electronic formats as mandated by HIPAA. These transactions include claims and encounters, claim attachments, enrollment and disenrollment, insurance eligibility, payment and remittance advice, premium payments, first report of injury, claims status, and referral certification and authorization. Professionals on all sides of the health care system admit they face a challenge in complying with the Federal mandates. However, HIPAA only requires health care providers to comply when data is submitted electronically.

Impacts and Challenges

The impact is significant and carries both good and bad news. The good news is that there exists a structure to allow disparate health care automation systems to integrate. The bad news is that a health care entity may "skirt" the regulation by not offering the service electronically. For example, if a payer source does not currently offer electronic eligibility verification, it is not mandated to comply with HIPAA standards until the information is available electronically. Admittedly, these standards will slow the proliferation of electronic integration in the short term; however, they will ensure connectivity and security once the data is made available electronically.

With respect to security, the standards of HIPAA are not clearly defined at this moment, but they are just as critical to the future success of electronic integration. In August of 1998, the Department of Health and Human Services proposed security standards for electronic health data. "The proposals we are making will set a national standard for protecting the security and integrity of medical records when they are kept in electronic form," stated Health and Human Services Secretary Donna Shalala. "It is crucial to have these standards, as we move increasingly towards electronic medical records. But it is also not enough. In addition, we urgently need new legal protections to safeguard the privacy of medical records in all forms." Under HIPAA, Congress is given until August of 1999 to enact privacy protections. If Congress fails to act by that time, HIPAA authorizes the Secretary to implement privacy protections by regulations.

HHS's proposed regulations include technical guidance as well as administrative requirements for electronic health information, especially medical records of individuals. All health plans, health care providers and health care clearinghouses that maintain or transmit health information electronically will be required to establish and maintain responsible and appropriate safeguards to ensure the integrity and confidentiality of the information. The proposal also calls for an electronic signature standard, which specifies that a digital signature be used when an electronic transaction occurs. This signature will verify the identity of the person signing and the authenticity of an electronically transmitted health care document.

Again, there is good and bad news when reviewing the proposed security standards. The good news is that patient confidentiality will hopefully be maintained by adhering to these standards. The bad news is that the next employee your health care organization will hire is a chief information security officer. Being compliant with security regulations will be comparable to being compliant with clinical accreditation. This ruling will not affect internal computer systems, so long as public access systems, such as the Internet, are not utilized. However, downloading patient eligibility data from a payer, or transferring clinical data from a hospital system or a referring physician's practice management system to a home health care information system, will require data encryption and a log of who has requested the data being accessed.

The best step health care providers can take to be ready for HIPAA is to start now to understand what their software vendors are doing to be ready for implementation. New software versions may be delayed in order to become compliant with HIPAA regulations. If new automation systems are being evaluated, such evaluations should include compliance with HIPAA regulations, or at least a guarantee that they will be compliant based upon final rulings. In some cases, it may make more sense to wait on investing in certain information systems until the final regulations are known.

The stakes are high in health care EDI and becoming HIPAA compliant. The impact of implementing the final rulings will be just as dramatic in health care automation circles as the Disabilities Act was to business: expensive to implement, but with a long-term positive outcome.

This article originally appeared in the March 1999 issue of HME Business.
