HIPAAnotes Volume One, September 2001
No. 43 HIPAAregs: Transactions and Code Sets: Are Providers Affected?
Some healthcare providers believe that HIPAA's Transactions and
Code Sets regulation is not really their problem. Certainly, it
would be a relief to rely on vendors and clearinghouses to handle
the lion's share -- if not all -- of the compliance burden. The
fact is that standardization of healthcare transactions and code
sets will affect all health industry entities, including health
plans, clearinghouses, vendors AND providers.
Providers may not have to address mapping and standardization of
code sets (unless they act as their own clearinghouse), but they
will have to train employees on the new standards, ensure that all
required transaction data is captured electronically, and update
billing and coding procedures. They must inventory and review all
software contracts with their vendors, initiate and complete enterprise-wide
assessments, amend or create budgets, and prepare remediation plans.
If software conversions or upgrades are necessary, financial and
staffing requirements must be balanced with requirements of other
IT projects.
While software vendors update their billing systems, their clients
-- healthcare providers -- should review and manually update reference
masters, policies and procedures to avoid conflicts. Testing and
implementation dates should be synchronized with trading partners.
Finally -- as in many new and complex endeavors -- time should be
allotted for problem solving and unexpected conversion issues.
For more information on transactions and code sets, go to:
http://www.hipaadvisory.com/action/tcs/
No. 44 HIPAAtech: Worms...Viruses...Trojan Horses - What's a Network to Do?
Securing corporate networks from malicious attacks is one of many
HIPAA Security rule requirements. But HIPAA or no HIPAA, in the
wake of this week's appearance of Nimda, a new, rapidly spreading
worm, and after the July infection of over 250,000 systems in 9
hours by the Code Red worm, it's becoming clear
that protecting against these threats is plain, good sense.
But what are these techno-varmints? According to the CERT Coordination
Center, several kinds of software can secretly breach computer security,
including:
- Viruses: Code fragments that reproduce by attaching to another
program. They may damage data directly, or degrade system performance
gradually by taking over system resources and making them unavailable
to authorized users.
- Worms: Independent programs that reproduce by copying themselves
from one system to another, usually over a network. They also
may damage data directly, or degrade system performance by consuming
system resources and even shutting down a network.
- Trojan horses: Independent programs that appear to perform a
useful function but hide another unauthorized program within.
When the user performs the apparent function, the Trojan horse
also performs the unauthorized function (often usurping the user's
privileges).
These programmed threats can cause significant security breaches:
confidential information can be captured and transmitted, critical
information can be modified, and computer software configurations
can be changed to enable subsequent intrusions.
Business disruption caused by one of these intruders can be expensive.
And, in the case of healthcare services, patient care quality can
be compromised. Healthcare organizations that are inadequately protected
should take immediate steps to put preventative measures and
user training in place. Even basic measures can significantly reduce exposure
to programmed threats - and at a fraction of the cost it would
take to recover from them.
No. 45 HIPAAdetail: Why National Identifiers?
In the bustle created by the HIPAA Transactions, Privacy and Security
regulations, National Identifiers are mentioned only occasionally.
You may be asking, why are they important?
Standardization is the foundation of HIPAA's Administrative
Simplification goals. National identifiers are intended to
standardize how healthcare providers, employers, health plans and
individuals are identified in the business of healthcare.
In our increasingly automated industry, lack of standardization
has created confusion, duplication of effort, errors, and expense.
For example, a single provider is often assigned different identifiers
by different health plans or even by the same health plan.
Sometimes different providers are assigned the same identifier.
These practices create extra work for those handling claims, billing
and other processes, and often lead to processing errors, missing
data, delays, and even fraud. One national identifier for each provider
would reduce these problems substantially.
The identifier that should be the easiest to implement will be
the proposed National Employer Identifier (NEI). The Department
of Health and Human Services (HHS) has recommended using the nine
digit Employer Identification Number (EIN) currently assigned by
the IRS to employers. Since this number is already widely used,
and doesn't represent any individual, it is doubtful that it would
spark any privacy issues.
HHS has indicated that it will create a new National Provider Identifier
(NPI) consisting of a 10-digit number with a check digit in the
last position to help detect keying errors. The NPI will be implemented
in phases, most likely starting with Medicare and Medicaid
providers. Ultimately, all providers will be issued, or will need
to apply for, an NPI. NPIs will be maintained in a national provider
database.
HHS plans to propose a Health Plan Identifier before the end of
2001. It is intended to help improve electronic transaction processing
and benefit administration. DHHS has postponed development of an
Individual Identifier indefinitely, primarily because of public
concerns that any individual identifier scheme could result in decreased
consumer privacy.
Will the benefits created by national identifiers be cost-effective?
Probably not right away. However, implementation costs are expected
to be low, compared to costs of privacy and security implementation.
It is likely that, relatively soon, we will realize sufficient benefits
through decreased errors, fraud, and administrative costs to determine
that implementing National Identifiers was well worth the effort.