Negotiating HIPAA - An overview
A Clavib Inc. Report on Complying with Administrative Simplification & Security Mandates
Executive Summary - Key Points:
- Arguably the most complete solution available today, Clavib's DataBridge solution, powered by EDISphere®, gives healthcare organizations the technology needed to develop and implement HIPAA administrative transactions.
- Clavib's DataBridge solution is powerful and scalable enough to be used by any healthcare organization, regardless of size. It is easy to use, quick to install, and simplifies the process of meeting government-mandated deadlines for HIPAA compliance.
- Clavib delivers a customizable HIPAA solution that provides comprehensive security to meet the mandated privacy regulations. This also creates a self-service environment in which providers and consumers get authenticated access to the information they need, whenever and wherever they need it, reducing administrative costs.
Clavib has created this white paper to explore the challenges healthcare organizations are facing with the Health Insurance Portability and Accountability Act (HIPAA) and the steps needed to successfully negotiate the many aspects of the regulations. It also serves to demonstrate Clavib's dedication to providing customers with answers concerning the changes in security and transaction standards, and to show how Clavib's solution enables the move towards compliance.
HIPAA Transaction Set Compliance
While HIPAA is seen by some as one of the most monumental tasks the industry has ever faced, even outstripping year 2000 preparations, the intention of Congress and Health and Human Services (HHS) is that administrative simplification will save the industry billions of dollars.
This will occur when HIPAA simplifies the complex process of administration and payment of healthcare claims by implementing a single transaction standard in place of the nearly 400 currently being used by the industry. Not only will HIPAA define a single transaction standard, but also code sets used in the transactions. The regulations also require a national standard for identifying the different entities within the industry and establish security and privacy standards to protect the increased usage and transfer of electronic data. Naturally, while the initial phases of compliance will be a large step for all involved, HIPAA will eventually cause a substantial improvement in efficiency and reduce the costs associated with delivering care to patients.
HIPAA's administrative simplification rules apply to all health plans and clearinghouses, and to those providers who choose to conduct transactions electronically. Specifically, under the enacted regulations, health plans will be able to reimburse providers, authorize services, certify referrals and coordinate benefits using a standardized electronic format for each transaction. Additionally, providers will be able to check eligibility for coverage, check claim status, request referrals and service authorizations, and receive electronic remittance advice to post receivables.
Other transactions fall under the standards as well, and the standards include code sets for reporting diagnoses and procedures in the transactions. Also included under the provisions is a way for employers who provide health insurance to use a standard electronic form to enroll or disenroll employees from their plans and to submit premium payments to the health plans they engage.
Making the Move: The First HIPAA Deadline Approaches
While privacy and security have frequently been the focus of much that has been said and written about HIPAA, it is the transaction standards that the industry will have to confront first. The final rule for transaction standards has been issued and, barring any attempt by Congress to alter it, will be enforced beginning October 16, 2003 (the original October 16, 2002 compliance date was extended by one year for covered entities that filed a compliance plan). The Privacy Rule, which governs protection of patient data, has a compliance date of April 14, 2003 (April 14, 2004 for small health plans). What this means is that in a little more than a year, many healthcare organizations that complete transactions electronically will have to comply with the new standards mandated by HIPAA.
There are a few exceptions. These include:
- Small health plans: These are health plans with annual receipts of $5 million or less. They have an additional 12 months to comply.
- Health plan sponsors: These include employers who self-insure. Self-administered employee health benefit plans with fewer than 50 participants are exempt from the HIPAA mandates.
- Workers' compensation and property/casualty insurers: These are excluded from the HIPAA regulations because, while they may cover some health benefits, they are not health plans under the strict definition set out in HIPAA.
The EDISphere Translator showing details of a UB92 translation to an 837. Part of the Clavib DataBridge solution.
Standards and Codes
Unlike Y2K, HIPAA won't be a one-time problem that can be addressed at the last second. HIPAA is ongoing and the regulations are subject to change. That is because the standards bodies will continue accepting and evaluating requests for changes to the standards and then recommend those changes to the Secretary of HHS. The six organizations designated to serve as the Designated Standard Maintenance Organizations (DSMOs) are:
1. Accredited Standards Committee X12
2. The Dental Content Committee
3. Health Level Seven
4. National Council for Prescription Drug Programs
5. National Uniform Billing Committee
6. National Uniform Claim Committee
The Secretary of HHS may modify a standard or its implementation guide specification one year after the standard or implementation specification has been adopted, but not more regularly than once every 12 months. If the Secretary modifies a standard or implementation specification, the implementation date of the modified standard or implementation specification may be no earlier than 180 days following the adoption of the modification.
HHS will determine the actual date, taking into account the time needed to comply given the nature and extent of the modification. HHS may extend the time for compliance for small health plans. Standards modifications will be published as regulations in the Federal Register. However much the HIPAA regulations change, the initial standard for transactions has been decided. That standard, ANSI ASC X12N Version 4010, will be the driving force behind the consolidation of the disparate methods currently in use. It is to be used for all healthcare transactions with the exception of those from retail pharmacies.
Retail pharmacies will continue to use the standard maintained by the National Council for Prescription Drug Programs (NCPDP) because it is already widely used. The NCPDP Telecommunication Standard Format Version 5.1 and the equivalent NCPDP Batch Standard Version 1.0 are the adopted formats, and health plans will have to support one of these formats, in addition to ASC X12, to meet HIPAA requirements. According to the regulations, transactions subject to the ASC X12 standard include:
- Enrollments and benefits maintenance (834)
- Health plan eligibility (270/271)
- Claim payment and remittance advice (835)
- Premium payments (820)
- Claim status (276/277)
- Claim submission for professional, institutional and dental (837)
- Health care services review (278)
It is widely believed that mass upgrades to technology infrastructure will be needed in order to comply, but this isn't necessarily the case. For instance, organizations can use translation software that converts legacy data into the standard format for transmission and converts received data back to the internal format so it can be used by existing systems. In other words, the HIPAA transaction standards apply directly to data that is being sent and received electronically between covered entities, with the exception of data sent inside a corporate entity, between federal agencies and their contractors, or between state agencies.
This means that while data is stored it can exist in any format. However, that data must always remain secure from inside and outside disclosure. And if it is transferred on CD or magnetic media, it must comply with the standards as well.
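The envelope structure behind the transaction list above (an ISA/IEA interchange containing GS/GE functional groups containing ST/SE transaction sets, with the separators declared in the fixed-length ISA header) is what a translator has to parse, validate and de-duplicate before anything is handed to the business application. The following is an added example written for this page; it is not Clavib's or EDISphere's code. It derives the separators from the ISA header, checks that the IEA/GE/SE trailers echo the control numbers and segment counts of their headers, and rejects a replayed interchange keyed on (sender, ISA13). The sample 270 interchange is constructed for illustration: the sender and receiver IDs and control numbers are made up, and the transaction body is trimmed to the envelope plus two segments so the SE01 count stays small; a real 270 carries many more segments.

```python
"""Minimal ANSI ASC X12 envelope checker (added example, not EDISphere code).

Separator rule used here, from the X12 interchange control structure: ISA is
always 106 characters, so the element separator is character 4 (index 3), the
component separator is ISA16 at index 104, and the segment terminator is the
character at index 105.
"""
from dataclasses import dataclass, field

# Constructed sample: made-up sender/receiver IDs and control numbers, and a
# 270 body trimmed to ST/BHT/HL/SE so the SE01 count (4) is easy to follow.
SAMPLE_270 = (
    "ISA*00*          *00*          *ZZ*CLINICPROV     *ZZ*HEALTHPLAN     "
    "*021015*1200*U*00401*000000001*0*T*:~\n"
    "GS*HS*CLINICPROV*HEALTHPLAN*20021015*1200*1*X*004010X092~\n"
    "ST*270*0001~\n"
    "BHT*0022*13*10001234*20021015*1200~\n"
    "HL*1**20*1~\n"
    "SE*4*0001~\n"
    "GE*1*1~\n"
    "IEA*1*000000001~\n"
)


@dataclass
class Interchange:
    sender: str
    receiver: str
    control_number: str          # ISA13, echoed by IEA02
    element_sep: str
    component_sep: str
    segment_term: str
    segments: list = field(default_factory=list)   # list of element lists


def split_interchange(raw: str) -> Interchange:
    """Derive separators from the ISA header and split the interchange into segments."""
    if not raw.startswith("ISA") or len(raw) < 106:
        raise ValueError("not an X12 interchange: ISA header missing or short")
    element_sep, component_sep, segment_term = raw[3], raw[104], raw[105]
    # Strip the line breaks some feeds add after each terminator; drop empties.
    segments = [s.strip() for s in raw.split(segment_term)]
    parsed = [s.split(element_sep) for s in segments if s]
    isa = parsed[0]
    return Interchange(sender=isa[6].strip(), receiver=isa[8].strip(),
                       control_number=isa[13], element_sep=element_sep,
                       component_sep=component_sep, segment_term=segment_term,
                       segments=parsed)


def validate_envelope(ic: Interchange) -> list:
    """Check ISA/IEA, GS/GE and ST/SE pairing, control numbers and counts.

    Returns a list of problems; an empty list means the envelope is well-formed.
    """
    problems, segs = [], ic.segments
    iea = segs[-1]
    if iea[0] != "IEA":
        return ["interchange does not end with IEA"]
    if iea[2] != ic.control_number:
        problems.append(f"IEA02 {iea[2]} != ISA13 {ic.control_number}")
    groups, i = 0, 1
    while i < len(segs) - 1:
        gs = segs[i]
        if gs[0] != "GS":
            return problems + [f"expected GS at segment {i + 1}, found {gs[0]}"]
        groups, gs_ctrl, txn_count, i = groups + 1, gs[6], 0, i + 1
        while i < len(segs) - 1 and segs[i][0] == "ST":
            st_ctrl, start = segs[i][2], i
            while i < len(segs) - 1 and segs[i][0] != "SE":   # scan to the SE
                i += 1
            se = segs[i]
            if se[0] != "SE":
                return problems + [f"ST {st_ctrl} has no matching SE"]
            actual = i - start + 1                 # SE01 counts ST through SE
            if int(se[1]) != actual:
                problems.append(f"SE01 says {se[1]} segments, found {actual} in ST {st_ctrl}")
            if se[2] != st_ctrl:
                problems.append(f"SE02 {se[2]} != ST02 {st_ctrl}")
            txn_count, i = txn_count + 1, i + 1
        ge = segs[i]
        if ge[0] != "GE":
            return problems + [f"expected GE after group {gs_ctrl}, found {ge[0]}"]
        if int(ge[1]) != txn_count:
            problems.append(f"GE01 says {ge[1]} transaction sets, found {txn_count}")
        if ge[2] != gs_ctrl:
            problems.append(f"GE02 {ge[2]} != GS06 {gs_ctrl}")
        i += 1
    if int(iea[1]) != groups:
        problems.append(f"IEA01 says {iea[1]} functional groups, found {groups}")
    return problems


class InterchangeLedger:
    """Remember (sender, ISA13) pairs already accepted so a re-sent or replayed
    interchange is rejected rather than posted twice."""

    def __init__(self):
        self._seen = set()

    def accept(self, ic: Interchange) -> bool:
        key = (ic.sender, ic.control_number)
        if key in self._seen:
            return False
        self._seen.add(key)
        return True


def run_demo() -> dict:
    """Validate the good sample, a copy with a wrong SE01, and a replay of the good one."""
    good = split_interchange(SAMPLE_270)
    bad = split_interchange(SAMPLE_270.replace("SE*4*0001", "SE*5*0001"))
    ledger = InterchangeLedger()
    return {"good_problems": validate_envelope(good),
            "bad_problems": validate_envelope(bad),
            "first_accept": ledger.accept(good),
            "replay_accept": ledger.accept(split_interchange(SAMPLE_270))}


if __name__ == "__main__":
    print(run_demo())
```

The checks here are deliberately the structural ones a trading partner agreement fixes up front (separators, control numbers, counts); conformance of the 270 body to the 004010X092 implementation guide is a separate, much larger step and is not attempted. Keying the duplicate check on the sender plus ISA13 rather than ISA13 alone matters because every partner numbers its own interchanges independently.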
The Clavib EDISphere Implementor (part of the DataBridge solution) ships with all HIPAA ANSI X12 4010 formats.
A big hurdle for organizations becomes determining which data must be transformed to meet the guidelines and which data doesn't. Health and Human Services recommends asking the following questions to determine what is required:
Question 1) Is the transaction initiated by a covered entity or a business associate? If not, the standard need not be used.
Question 2) Is the transaction one for which the Secretary has adopted a standard? If yes, the standard must be used. If no, the standard need not be used.
Besides moving the industry to a single transaction standard, HIPAA also mandates standard code sets, which are designed, like the transaction standards, to improve the efficiency and ease with which the industry operates.
Identifying Employers and Providers
HIPAA also seeks to implement national identifying numbers for providers and employers, as well as for health plans and individuals. The employer identifier is expected to be the employer's federal tax identification number. The provider and national health plan identifiers are still in the works. The creation of a national patient identifier faces barriers to implementation and may never occur.
The idea behind standard identifiers is to improve Medicare and Medicaid as well as other health programs by reducing redundancies and the possibility for errors when identifying entities involved in the processes associated with normal health-related transactions. And while these provisions have yet to be set in stone, they will certainly have an impact on the industry and eventually may include individual identifiers that patients keep with them for life.
The Next Step: Addressing Privacy and Security
The Privacy Rule, which governs protection of patient data, has a compliance date of April 14, 2003 (April 14, 2004 for small health plans). These rules mandate that patient-identifiable data be portable, private and secure whether it is being stored, transmitted electronically or moved on magnetic media.
And though rules differ based on the size of the organization, any company that engages in electronic transmission of health-related data will need to address these issues and put a plan in place to protect personal information. This necessitates, not only the establishment of internal policies, procedures and practices, but also a secure environment where data is protected from all breaches in security, both internal and external.
One of the most important aspects of compliance is education. Every healthcare organization not only needs to create security policies and procedures regarding HIPAA, but also educate employees on how to adhere to them. To boost compliance levels, healthcare organizations need to consider implementing ongoing training programs to educate employees on the new standards in addition to the organization's policies and procedures.
Since HIPAA is an ongoing issue, rather than one-time-only event such as year 2000 concerns, training programs need to be an ongoing effort, whether the training takes place via traditional services or by computer-based training. Achieving enough security to maintain HIPAA-mandated privacy will be a challenge for most organizations, especially considering that there are several areas that must be addressed under the guidelines.
Information systems security pertains to protection of the computers and workstations used for viewing and transmitting patient-identifiable data and related information. These systems must be protected from both internal and external security breaches. Maintaining security for information systems may require risk analysis, access control lists, configuration management, personnel security, password management, automatic logoff, internal audits, virus checking and incident management. Translation may also be an issue for organizations dealing with large quantities of legacy data and systems that will continue to be the cornerstone of their IT efforts after the security and privacy guidelines have been implemented.
Physical security means that the premises and assets must be protected from potential compromises or threats, including unauthorized access to workstations, the network or storage facilities. Items to consider for an organization's physical security include door locks, secured workstations and databases, access codes, secure backup and storage, sign-in logs, and protection for multiple points of entry.
Designed to help identify activity as it relates to patient-identifiable data, audit trails are key for any organization that is required to review all information access.
Distinct from identifier numbers, digital signatures are designed to ensure that information transmitted electronically is authentic and has not been altered in transit. A signature by itself does not hide the content; keeping the data from observation while it passes through intranets, extranets and the Internet additionally requires encryption (S/MIME, for instance, supports both signing and encryption of messages).
One big area of concern is the ability for patients to have the right to review, address and comment on their medical records. Patients also have the right to know who has viewed their medical records, and have the right to prohibit their medical information from being viewed by certain people in certain situations.
The Clavib DataBridge solution
Clavib assists customers in complying with HIPAA regulations through our DataBridge solution.
To help customers comply with the Transaction Set part of HIPAA we offer EDISphere with the following technical features:
Trading Partner Information
- Create Trading Partner profile
- Specify contact information, default settings for separators and terminators, EDI-specific partner ID, password, etc.
Trading Partner Agreement
- Create Interchange Agreement between two partners
- Specify workflow, level of validation, communication option, file-naming convention
- Helps in undertaking EDI implementation remotely
- Helps in reducing test runs between Trading Partners
- Helps in certifying a Trading Partner's EDI implementation for production runs
- Create Partner's kit for the desired IC and EDI data
- Print Trading Partner profile
- Print Trading Partner agreement
- Supports the EDIFACT and X12 EDI standards, their industry subsets, and user-defined proprietary messages
- Robust compliance checking against the Implementation Convention (IC)
- Conversion/mapping between files of any format (any-to-any)
- Checks for duplicate messages
- Transaction logs, audit trails and reports
- Supports cross-references and lookups of the mapped elements
Server mode unattended operation
- Automatically exchanges messages with the business application and schedules communication at configured intervals
- Supports EDI over the Internet and VANs through e-mail and FTP
- Interfaces with MS Outlook Express using MAPI to enable S/MIME communication
- Uses layouts, maps, cross-references and expressions created using Implementor
- Uses Trading Partner Agreements created using Collaborator
- Create or import standard and proprietary EDI message layouts and browse them
- Create Implementation Conventions (IC)
- Annotate the IC at all levels, including codes
- Supports any-to-any mapping
- Analyzes EDI data for conformance with the IC and reports errors
- Analyzes application data for conformance with the user-defined layout and reports errors
Test Data Generator
- Generate EDI test data from the IC and user-defined layout
- Validates generated data against the respective layout and reports errors
- Test mapping before communicating with the business application and Trading Partners
- Create cross-references and lookups of the mapped elements
- Create complex logical and mathematical expressions in maps
- Provides a searchable dictionary of standard EDI messages, segments, composites and elements