This rule requires healthcare organizations, insurers and payors that use any electronic means of storing patient data and
perform claims
submission (including faxes) to comply with the standards contained within the
Final Rule.
This rule requires providers, insurers, and payors to submit enrollments, eligibility and
claims processing via Electronic Data Interchange (EDI) transactions.
EDI, a technology that has been commercially available since the 1980s, is essentially a set of
specifications that define how information will
be packaged in order to send orders, invoices, statements and payments
electronically from one electronic trading partner to another.
Many
large companies have been using EDI for years to process orders, send invoices
and issue or receive payments with their electronic trading partners. Properly done, EDI transactions do not require human intervention and
are processed very quickly. Therefore, providers using EDI should be able to submit
electronic eligibility or benefit inquires and claims to
the payor, whose claims system should process the transactions and return an
electronic response very quickly.
Providers that use electronic clearinghouses to process their transactions
do not have to modify their systems at present to be compliant. However,
the provider has to make sure that the clearinghouse, as a business partner,
is compliant with the new regulations. In most cases, providers
will need to make some modifications to ensure that ancillary and
departmental systems are capturing HIPAA required information and transmitting
that data through HIPAA compliant transactions.
Additional provider, payor and insurance system modifications will also be
required for Privacy and Security rules as mandated by the AS provisions.
So
simply using a clearinghouse does not preclude a provider, insurer or payor from
having to make other computer system changes as part of their HIPAA compliance
efforts.
The Standards for Privacy of
Individually Identifiable Health Information is a proposed mandate designed to help
guarantee privacy and confidentiality of patient information. The standards
cover a vast amount of technical requirements for such things as network
security monitoring, mandated employee passwords and the physical security of
electronic systems. Even though these are still under negotiation, healthcare
organizations should become familiar with the requirements for budgeting
purposes.
The National Provider Identifier, the Employer Identifier and
the National
Individual Identifier were designed to help speed up
enrollment, eligibility and claims processing by having an industry-wide set of
identification numbers to identify
specific providers, insurers and patients. These same steps also help
identify fraud and abuse by eliminating multiple identifiers, which make it difficult to match and
track claims to both providers and individuals. However, the National Individual
Identifier came under scrutiny from civil libertarians and individuals
concerned about the government having the ability to identify, track and gain
information about anyone in the country via a single identification number. As
a result, this provision has been put on hold until lawmakers and privacy
advocates can reach a compromise.
Electronic Signatures may be required for persons submitting healthcare claims
and claims attachments through the use signed documents. Electronically signed
documents can ensure non-repudiation and help prevent fraudulent claims. Due
to difficulties in establishing a nationally-trusted entity to manage the
assignment and distribution of digital certificates for the entire U.S. healthcare industry,
electronic signatures are still a goal of the distant future.
By not defining specific technology or vendor solutions to address such
security and privacy issues, the Department of Health and Human Services is passing the responsibility of evaluating and justifying appropriate
technological solutions into the laps of each individual healthcare
institution, based upon their unique business requirements.
Achieving HIPAA compliance, particularly for healthcare
providers, will not be easy and will be costly to the provider and payor
organizations. There will be expenses related to education and training of
staff, ongoing compliance monitoring and assessment, and the administration of
employee sanctions when necessary. The sheer logistics of protecting
individually identifiable patient information and at the same time caring for
patients, dealing with visitors and managing a large medical staff will offer
many hurdles to overcome.
It is estimated that most of the effort required to achieve HIPAA
compliance will be in the area of developing and enforcing policies and
procedures.
Like most federally mandated programs, there are no
provisions for the recovery of HIPAA compliance implementation costs or the
ongoing costs of training and compliance monitoring. Some experts are estimating the costs of achieving
initial HIPAA compliance (not counting ongoing compliance training and
monitoring once implemented) at over $66 billion dollars.
While it is easy to feel daunted by the amount of effort and revenues required to achieve HIPAA compliance, it is
important to remember there are many positive features of HIPAA. In the
long-term, HIPAA should indeed reduce the
amount of paperwork and human effort required to verify a patient's
eligibility and perform claims
processing. Since claims should be processed more
quickly, claims payments to the providers should also speed up, hopefully easing some of the cash flow burden for provider
organizations. Quicker processing of eligibility and claims not only reduces the cost of
these items to the hospital and its business partners, but also provides better service
to the patient.
In the end, if implemented successfully, HIPAA will attain its goals of
insurance portability through the privacy of unique or individually identifiable patient data,
the accountability and non-repudiation of claims submission and the
improvements in deterring and prosecuting fraud and abuse.
Copyright © 2001 Automation Services Co. Inc.
