HIPAA gives health industry a queasy feeling

The first deadline for protecting health data posed few problems, but greater challenges loom just ahead

Despite much fanfare, the first major deadline for landmark federal privacy regulations came and went without any significant hiccups in the health care industry. But the real pain is yet to come.

The April 14 deadline for enforcing the privacy guidelines in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 was intended to force health organizations to develop policies to govern when patient data can be shared with other organizations. Organizations were also required to train their staffs on the policy and distribute the policy to patients.

Although a lot of work may have gone into meeting those requirements, especially for large health offices, it pales in comparison to the effort that will be needed to meet the upcoming deadline.

By Oct. 16, doctors' offices, health clinics and other organizations must use nationally defined transaction codes whenever they transmit health-related data electronically, whether they are sending information to private health insurers or to the federal Centers for Medicare and Medicaid Services.

Basically, officials from the federal government and health care industry want a common business language for diagnoses, procedures and services embedded in bills and claims for payment. Those standards would replace the hodgepodge of formats currently used by health plans, hospitals, pharmacies, doctors and others, who must ensure that each claim contains individual insurers' required formats and codes. Failure to meet the HIPAA guidelines could disrupt the processing and payment of health claims.

The regulations affect just about everyone in the health care industry and other entities that share individuals' identifiable health data. Many state government agencies are struggling to comply with the guidelines during a time of severe budget shortages. Some observers have compared HIPAA to the Year 2000 date change problem, both in terms of the volume of work and the potential costs.

Noncompliance "could certainly threaten financial solvency of the health care safety net," said Robert Burns, policy analyst for the National Governors Association's (NGA) Center for Best Practices.

Restoring a Health System

HIPAA was largely welcomed when it was enacted in 1996, because it was designed to make health insurance more affordable and accessible and the system more efficient and effective.

The legislation essentially established national guidelines for privacy, security and electronic transactions. Not only could workers and their families maintain continuous health coverage if they changed jobs, but the law promised to transform the paper-based industry with 21st century technology.

The target audience is the private health sector, including hospitals, doctors' offices and various clinics. But state agencies operate Medicaid and other public health programs, run academic, mental and corrections hospitals and oversee state laboratories. They also share health data among a number of agencies.

The law mandates the secure electronic exchange of standardized patient medical data, claims, enrollment, eligibility, payment, coordination of benefits and other information. Such a system would eliminate paper, reduce handling and processing time, improve data quality and dramatically lower costs.

But the ambitious nature of the law has been a challenge for just about everyone.

The goals Congress defined were sweeping and complex, but they were also broad enough to leave most of the details to the rulemaking process, especially for privacy and security. That process was overseen by the U.S. Department of Health and Human Services.

HHS officials sought input from participants across the health care industry — including state and local governments, public and private health care providers, insurance companies, medical and nursing associations, patients' rights groups and privacy advocates. They eventually set a series of deadlines focusing on different aspects of the law.

Unfortunately, although the law was passed in 1996, HHS finalized the transaction code sets and privacy and security regulations at different times, and many organizations have been slow in dealing with the issue.

People didn't grasp the complexity of the HIPAA legislation, contributing to misunderstandings and confusion about what they had to do, said W. Holt Anderson, executive director of the North Carolina Healthcare Information and Communications Alliance Inc. The nonprofit consortium of nearly 300 public and private organizations from across the country advocates using information technology to improve the health care industry.

"I think the complications there are not generally appreciated and therefore the assumption is that these are simple fixes and we could, just in a couple of months, have this thing done and we could go on," he said.

That's a bad assumption, especially when it comes to the transaction code sets, Anderson said.

"When you make all these profound changes to the system and you don't have any time to test them, then you don't have any time to remediate any problems that turn up through the testing and these are very complex systems," he said. "So that's a major part of the concern that I have."

A Good Start

It was a different story in April, when the privacy deadline arrived. It is no simple matter to define a privacy policy, but most people understood what was involved. In fact, HHS received more than 60,000 public comments during the past several years on its original and amended privacy guidelines.

"I think on the whole the entire industry took it seriously and most everybody's in good shape," said Marne Gordon, director of regulatory affairs at TruSecure Corp., which offers managed security and HIPAA consulting services. "There are going to be the stragglers, [but] I haven't seen any huge pockets of resistance or people that have done flat out nothing."

Mary Gerlach, former chief information officer for New Mexico's Department of Health, both a health care provider and a health plan for a state with a population of 1.8 million, said her state began working on HIPAA more than two years ago and successfully implemented the privacy regulations.

The state legislature did its part, appropriating approximately $25 million to four state agencies — the Department of Health, the Human Services Department, the Children's Youth and Family Department and the Health Policy Commission — to address the privacy and transaction code requirements.

The department trained 4,000 state employees and installed an integrated client data system using Microsoft Corp. systems that will electronically track to whom the state has given privacy notifications and to whom they have disclosed private health information.

"For privacy, the major challenge I believe was changing our business processes," she said. "For an organization as large as we are — diversified and spread out — I think it was a big challenge. Some programs said [HIPAA] didn't apply to me, and we said, yes, it does apply to you."

But the challenge is magnified when it comes to the transaction codes, which require more work and more technical expertise, she said.

"For the most part...we were not using industry-standard codes, so it's quite a bit of change in our system," Gerlach said.

For example, the state currently could file a bundled claim for a patient who received family planning services, including birth control pills and a mammogram, using one bill and one code. However, the new transaction codes would require a separate charge for each, she said.

Needing More Time

HHS permitted most entities to extend the transaction code sets deadline from Oct. 16, 2002, to this year when it became clear that most of them weren't ready to comply. However, it appears the situation hasn't changed.

"Our observation is that...a significant percentage of the population out there — the health care community population — is probably not going to be ready for full implementation and to comply," said James Schuping, executive vice president of the Workgroup for Electronic Data Interchange, which advises HHS on HIPAA issues.

"And if that's the case — and we certainly think it is based on the feedback we're getting, particularly from the providers — what do we do?" he asked.

Although there is no proactive testing mechanism for the privacy regulations, Gordon said transaction codes are either right or wrong and noncompliance could mean, for example, that the federal government would not approve Medicare payments.

In a letter to HHS Secretary Tommy Thompson, the workgroup pointed out the situation and is still awaiting an answer. Schuping said his group doesn't want another deadline extension but would like the opportunity to pursue alternatives — such as permitting noncompliant entities to use existing transaction codes that might not contain all the required elements as long as they're working toward fulfilling their required obligation.

"In other words, if there are people who are striving to be compliant, but they're not 100 percent there, we don't want them out of frustration or fear of punishment, enforcement, what have you, to give up on the electronic means and go back to paper, which could happen," Schuping said.

States of Scarcity

State governments are also hurrying to comply with the transaction code sets deadline, but many experts fear that eight to 10 states may not be ready in time, according to NGA's Burns, who was citing a federal study.

States simply don't have the money to change, test and then remediate their information systems, Burns said. Collectively, states face budget shortfalls approaching $55 billion this fiscal year and that's going to increase next year, according to the National Conference of State Legislatures. That means HIPAA is competing for dollars against other demands, such as homeland security.

Burns said that if states have to choose between releasing prison inmates to save money and spending money to comply with HIPAA, then most would "probably say, well, we're going to have to take our chances with HIPAA."

Another reason some states may not make the deadline is that they don't yet have all the technical specifications "to make cost-effective purchasing decisions of HIPAA-compliant technology," Burns said.

Aldona Valicenti, Kentucky's CIO, agreed that funding is the No. 1 concern among state governments. For several years, Kentucky has had a HIPAA working group that meets regularly, collects data, surveys agencies and receives progress updates from agency representatives, but funding has had to come from whatever each agency can spare.

Unlike New Mexico's legislature, Kentucky's lawmakers have not even discussed providing funds for HIPAA compliance because they are grappling with other issues, Valicenti said. "In this state, as in many other states, we're in a staff-reduction mode," she said. "We are reducing probably about 1,000 employees by Dec. 1."

She said states also have to implement the HIPAA security regulations while they work to tighten their cyberdefenses against increasing hacks. Officials must ensure that security systems are installed right the first time and according to the law, she said.

When HIPAA was passed, no one anticipated the far-reaching effects of implementation on state governments, according to Valicenti. Most people thought it would only affect Medicaid, but they didn't consider who shares patient health information and how they do so.

"When you think through it, it is not confined to one agency," Valicenti said. "That is really the issue we wanted to get across to the federal government. That when you think about the data, the data flows [on] multiple paths, and I think that was the part that was really never considered."

Although states would like to have another deadline extension, it's unlikely the law will permit it, Burns said.

However, he added, "HHS has indicated a willingness to be flexible with states as far as enforcement goes. We still don't know specifically what that means, but by all indications, HHS is going to make a good-faith effort to be flexible with states."

Department officials also hosted several teleconferences and regional seminars to answer questions, but they could do more, said J. Marc Overhage, associate professor of medicine at the Indiana University School of Medicine. "But are they doing an OK job? I think so," he said.

Overhage has been involved with a Markle Foundation initiative to use technology to connect the country's health systems. He said some proposals floating around include establishing a federal loan fund that would enable a state government or other covered entity to borrow money to implement the new transaction codes, test and remediate its systems, and then pay back the money over several years.

Organizations need to take the necessary steps to "get over that hump and start accruing those dollars," he said.

Eventually, standardizing administrative codes could save millions or billions of dollars for the health care industry, which could reinvest the savings to make the industry even more efficient, he said.

"I think...in the end when we get through this, we will have a better, more efficient health care system," said the North Carolina alliance's Anderson. "So I think, yes, the devil's in the details in the implementation. And it's awfully difficult. More difficult than most people imagined."

***

Three faces of HIPAA

* Privacy regulations require health care organizations and others to know how patient rights are to be protected and what individually identifiable health information — on paper, electronic or even spoken — they can and cannot share.

* Security regulations ensure the confidentiality, availability and integrity of health records at all stages of the process — before, during and after electronic transmission.

* National transaction code sets provide a common language for electronic data interchange within the industry. Several standards-maintenance groups are developing uniform methods for recording health care claims and their status, eligibility, enrollment or disenrollment, payment and remittance advice, premium payments and coordination of benefits.
