Deciphering HIPAA

More than 5,700 lines of text--nearly 74,000 English language words in one exceptional combination are contained in the Health Insurance Portability and Accountability Act of 1996. So how do these U.S. legislative facts affect me, the HME dealer in Coudersport, Pa. in 2002? If you submit claims electronically, that stroke of the president's pen back in 1996 could have a major impact on your business this October.

Near the end of 2001, President Bush signed into law the latest HIPAA compliance delay bill without any fanfare. Even though this could effectively delay your compliance deadline until Oct.16, 2003, you must file a compliance plan by the original deadline (Oct. 16 of this year) to explain your plan of action.

If you're not convinced, you can stop reading now. But remember how difficult it can be to remove sand from your hair. And did I mention that NSF-formatted claims will no longer be accepted as of the compliance date?

On the other hand, if you do have the vision to improve on current standards (not simply because it's the law, but because you want to move your business and your industry toward better efficiency and true standardization), a brief "HIPAA How To" follows, which may help you.

No matter on which side of the political aisle you stand regarding HIPAA, when Oct. 16 comes rolling around, will you be prepared to comply?

Of course, there is much more to HIPAA than the Transaction and Code Sets compliance in October. Overall, HIPAA consists of these major industry issues: electronic transaction standards, patient privacy standards, identifier standards and security standards. Of these segments, only the first two above are in the final rule stage.

You can read about HIPAA on several Web sites. In fact, you can find sites where you can read all 74,000 official words if you want. The HIPAA Transaction and Code Sets final rule was published in August 2000, after which there was a 60-day comment period to entertain possible alterations. Once that 60-day period expired, a 24-month period began until the compliance date. Don't look now, but the clock is ticking. We're already more than 50 percent through that 24 months.

The Privacy final rule was published in December 2000. The respective comment period expired in April 2001, which means compliance will be effective April 2003. (This deadline was not affected by the recent bill signed by President Bush.) The objective of the Privacy Regulation is to ensure the confidentiality and protection of individually identifiable health information from intentional or accidental unauthorized disclosure, or the misuse, corruption or loss of such information; and, to enhance an individual's rights regarding his or her health information. Privacy covers identifiable medical records created by health care providers, insurers and claims clearinghouses that are either transmitted or maintained electronically. Paper documents created from these electronic records also are covered under the proposed Privacy rule.

After the initial Transaction and Code Sets are in place, further standardization will follow.No final rule has been published yet, but look down the road for a 10-digit National Provider Identifier (NPI) and a 10-digit Health Plan Identifier (PlanID) unique to each payer, employer identifiers, security issues, claim attachments and more. Security is the operational aspect of privacy, which protects against the breach of confidentiality.

Our initial focus, however, must be on the first deadline in our sights: Oct. 16 for Transaction and Code Sets compliance or to file a compliance plan. The goal of the HIPAA Transaction and Code Sets is to improve the efficiency and effectiveness of the health care system through the establishment of standards and requirements for the electronic transmission of certain health information.

For you, this will mean lower administrative costs, which should be immediately evident. For your software vendor, this will mean remaining current with a single payer standard, instead of multiple codes for various payers and plans (which constantly change). The standard selected was ASCX12 or ANSI Version 4010.

Can you imagine a utopian world with one set of codes for all payers? This is a primary goal of HIPAA Transaction and Code Sets. But wait. It gets better.

According to the Department of Health and Human Services' FAQ Web page, "Health plans may not refuse to accept standard transactions submitted electronically (on their own or through clearinghouses). Further, health plans may not delay payment because the transactions are submitted electronically in compliance with the standards." This not only affects Medicare and Medicaid, but all payers. Is that a smile breaking across your face?

What exactly are the transactions mandated by HIPAA? Even though this may not mean much to you, it may give you an appreciation for what your software vendor has been enjoying on your behalf. Just for fun, here's some of what's on the table:

Eligibility Inquiry 270 *

Eligibility Response 271*

Request for Review 278

Review Response 278

Claim/Encounter 837

Remittance Advice 835

Need more data 277

Attachment Transaction 275

Status Inquiry 276

Status Response 277

Enrollment 834

Premium Payment 820

First Report of Injury for Workers Comp / Property-Casualty Claims 148

* Must be implemented by the October 16, 2002 (or 2003) compliance date.

Now here are your responsibilities, according to the U.S. Department of Health and Human Services' FAQ: "All health care providers that elect to conduct these specific transactions electronically must conduct them according to the standards as well. Health care providers also may contract with a clearinghouse to conduct transactions for them."

Ultimately, you are responsible for the compliance of your business. However, you must have a certain level of trust for your software vendor. After all, chances are that you won't be programming your own ANSI-formatted electronic claims files to look similar to the example above. This is why prompt, business-partner communication is key to a happy HIPAA result.

If you haven't already, ask your current software vendor about its strategy for your HIPAA compliance by Oct. 16.

*Inquire as to whether your vendor has completed the programming necessary to test ANSI-formatted claims.

*Ask whether your vendor has already tested the new format and is ready to test with a DMERC.

*Find out whether your current procedure for submitting electronic claims will significantly change when you submit ANSI-formatted claims, or if your vendor performed all the necessary programming "behind the scenes" to keep the update transparent to your users. Is your current software package easy to update? Have you received frequent updates in the past? Is there a bottom-line cost to you?

If you're not satisfied with the answers you receive, you still have a few options:

*Find a clearinghouse that is prepared to convert your data to the new standard (and back again for responses)

*Find a software vendor that is ready to submit the new format and (once approved) can easily provide the necessary programs to you, or

*Ask your current vendor if it plans to purchase a translator to convert your NSF or proprietary data to the HIPAA standards for outgoing transactions and back to your format for incoming transactions. Some software vendors and clearinghouses may consider this their complete plan for Transaction and Code Sets compliance. (Find out whether you will be responsible for any portion of the translator cost.)

HIPAA consists of these major industry issues: electronic transaction standards, patient privacy standards, identifier standards and security standards.

Attempting to select "none of the above" to save a few bucks really isn't an option. How does a $100 per violation non-compliance penalty make you feel? For example, if you submit five electronic claims in the wrong format, that's a quick $500. If the Code Sets within that file are not compliant, that's another $500.

Just be sure to have enough checks to write up to a $25,000 maximum per year per requirement. Requirements include each transaction, each identifier, each code set, security, signatures and COB. Even paper claims will be subject to penalties if the incorrect code sets are submitted. Other more serious non-compliance penalties may apply as well.

If your current software vendor had the vision to prepare for HIPAA, congratulations. You can now set your sights on the next chronological deadline among those 74,000 words--the Privacy final rule--and set your plan of action for that aspect of HIPAA.

If not, or if you have any doubts that your compliance may be in jeopardy, decide which of the above options serves your company's best interests and take action now to be certain that you will be ready. Your patients, communities and employees are counting on you--both today and next October.

This article originally appeared in the February 2002 issue of HME Business.

HME Business Podcast