| HIPAAdvisory > HIPAAction > HIPAAnotes > Archives |  |
|
HIPAAnotes Volume Two, June 2002No. 21 HIPAA Regs: What Does the HIPAA Transactions Extension Mean to Your Organization?As a covered entity, your organization must convert its electronic claims transactions processes to the new HIPAA standards mandated by the Transactions and Code Sets regulation. This will require careful internal testing as well as coordinated testing with your clearinghouse(s) and claims processing vendor. The original Transactions and Code Sets (TCS) regulation set an October 16, 2002 deadline. That's a little over four months from now! HHS has the authority to exclude your organization from Medicare participation unless it meets the compliance deadline or submits a compliance extension request. Covered entities should be currently in the assessment and planning process. Even with consulting support and dedicated internal resources, your organization may not be realistically ready by this October 16 for handling the new HIPAA transactions. Don't panic! Recognizing the realistic possibility of organizations not being ready, HHS now allows covered entities to apply for a one year extension - i.e. compliance by October 16, 2003. To receive an extension, organizations must submit a request no later than October 16, 2002. In order to apply for the extension, you need to submit a comprehensive high level Model Compliance Plan form. A blank form is provided on line by HHS. For further details on how and what to complete for this Model form, please refer to the HIPAAlert Vol. 3, No. 4 - "The Transactions Compliance Extension: What It Is -- and is NOT". Or, go straight to the HHS source at http://www.cms.hhs.gov/hipaa/hipaa2/ASCAForm.asp. If your organization hasn't done so, it should promptly get started with its HIPAA gap analysis and implementation planning. This work should be coordinated by a qualified staff member who is experienced in electronic billing processes and knows HIPAA law - or, if need be, a qualified HIPAA consultant. It's time to get moving! For more information, see http://www.hipaadvisory.com/regs/asca/index.htm. Ken Schulkin, No. 22 HIPAA Detail: How is Your Organization's Patient Directory Impacted by the HIPAA Privacy Regulation?If you are a healthcare provider, under the Privacy regulation your organization's directory may include certain patient information. However the following items should be communicated to your patients prior to or at registration time:
Your organization may disclose the following information to persons who inquire about the patient by name.
Note that disclosure of directory information to clergy is a little different: in addition to patient name, general condition and facility location, you may disclose a patient's religious affiliation to a member of the clergy. The Privacy regulation does not require that you ask patients for their religious affiliation nor does it require patients to provide that information to your organization. In fact patients can opt out of disclosing their religious affiliation to clergy in the patient directory. However, when a patient is incapacitated or in emergency situations where asking for a patient's consent to place information in a directory would delay treatment, your organization can make decisions about inclusion of patient information in your patient directory. In summary, the HIPAA Privacy regulation requires the provider to communicate to its patients their options prior to having their names placed on the directory. These options provide patients the opportunity to opt-out entirely from being listed in the directory or to restrict the use and disclosure of information in the directory. Ken Schulkin, No. 23 HIPAA Detail: To Identify or to De-IdentifyInformation that is unique to a person can identify that person. The concept is simple -- but the implications are far-reaching. The HIPAA Privacy Rule invokes the term "PHI," or "protected health information," to prevent inappropriate communication of individually identifiable health information, either electronically or via any other form or medium. This includes information relating to patients' past, present or future health and healthcare. Not all health information falls under the PHI umbrella. Use of de-identified patient information, generally for research, analysis, or trending of data in the aggregate, has HIPAA's blessing. Registries, research hospitals and regulatory agencies are examples of entities who utlilize de-identified health information for such purposes. What information qualifies as de-identified data? You're in safe territory if your organization, as a covered entity, has reason to believe that any anticipated recipient of the information could NOT identify an individual, AND if all of the following identifiers have been REMOVED:
Additionally, covered entities can help ensure de-identification by by utilizing staff qualified to apply "generally acceptable statistical and scientific principles" to render information de-identifiable.. A word of warning — code assignments "that are not derived from or related to information about the subject of the information" can be used to re-identify de-identified data. Before permitting anyone to use your organization's de-identified data, take appropriate precautions against letting re-identification occur. Under the March 2002 privacy NPRM, use of de-identified data would apply for research, public health or health care operations. Recipients of the de-identified information could use it only for the purposes intended and could not re-identify it. To fine-tune the de-identification process, HHS requested public suggestions for alternatives in removing directly identifiable information while retaining certain identifiers - e.g. admission, discharge, service dates, date of death, age, and five-digit zip code. (See "Research" at http://www.hipaadvisory.com/alert/vol3/news032802.htm). Ken Schulkin, No. 24 HIPAA Term: Local Codes -- What Are They and What Do They Mean To You?In preparing for your organization's HIPAA compliance, you may have heard the term "local codes." No, they are neither zip codes nor area codes…. Under HIPAA, local codes are code values that different payer organizations have devised for their own special purposes, to handle unique circumstances. Some of these local codes were requested by providers and employers to simplify their internal accounting procedures, such as differentiating health care claims from current and retired employees. In other cases, local codes have been used to bundle services to create a separate reimbursement structure - for example, to package certain treatments and lower reimbursement rates. Generally, these pre-negotiated rates are the result of a contract between the payer and the provider. The new HIPAA Transactions and Code Sets rules do not permit local codes - logical, considering the purpose of the rules is standardization and simplification. While many payers are appealing to the designated standard maintenance organizations (DMSOs) to incorporate local codes into the standard code sets, it is unlikely that many of these requests will be accepted. What does this mean for your organization as a covered entity? As you plan to implement HIPAA, your organization needs to inventory local codes that are currently being used by its payers. You then need to work with your payers to ascertain how these local codes will be replaced to comply with HIPAA. The CMS HCPCS (Centers for Medicare and Medicaid Services Healthcare Common Procedure Coding System) National Panel is in the process of issuing national "Level-II codes" that replace most of the local codes. Providers and payers must go over the HCPCS codes they use and determine how to best replace their "local" HCPCS codes with the new national codes. The NMEH (National Medicaid EDI HIPAA Workgroup) is publishing crosswalks to help you with the migration. But you will need to do your own conversion. For more information about local codes and related implementation issues, see Kepa Zubeldia, M.D.'s excellent article, first published in our April 23, 2002 HIPAAlert: http://www.hipaadvisory.com/action/ediqa/edi02.htm. Ken Schulkin,
|
