HIPAA action
HIPAA dvisory
HIPAAdvisory > HIPAAction > Compliance Phoenix Health Systems
news
regs
action
tech
wares
alert
live
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

Capitalizing on HIPAA Compliance

by Ellen G. Lanser

Ask a group of healthcare professionals--from executives to medical staff--for opinions about the Health Insurance Portability and Accountability Act of 1996, and a lively discussion will likely ensue. From a cost and operations perspective, some are leery of the impact HIPAA will have on their already strained organizations. But perhaps others would find an apt analogy in an observation made by the French political philosopher Montesquieu, who wryly remarked that the reason the Romans paved their roadways was because they had such inconvenient footwear. What Montesquieu suggests is that the Romans had vision--they looked beyond the obvious answer and opted instead for an arduous, long-term solution that consequently simplified life as we know it.

Will HIPAA be to future generations what the Roman system of roadways is to us today? Maybe--maybe not. The truth is probably somewhere in between. Although HIPAA may have the potential to propel the administration, delivery, and culture of healthcare into the future, for this generation it does offer tangible benefits for healthcare organizations and patients alike.

Counting Down to Compliance Deadlines

When HIPAA was passed in 1996, the portability portion of the law, which protects workers' insurance coverage when they change or lose jobs, was put into immediate effect. Lawmakers hoped to lessen the administrative burden of healthcare through the second portion (Title II) of HIPAA, called Administrative Simplification. The rules contained in this part of the law address the standardization of electronic data interchange as well as the protection of health information and confidentiality. Only some of the Title II rules, however, are official; others are still being developed. The process begins when the Department of Health and Human Services proposes a rule. The public is then given the opportunity to comment on the proposal, and those comments must be considered in development of the final rules. Coupled with the precedence of other critical issues that have diverted HHS time and resources, the lengthy approval process has contributed to the lag between the proposed and final versions of the rules.

When the final rules are published on the Federal Register, healthcare organizations must comply within 24 months of the "effective date" or risk punishment; the effective date is normally 60 days after the final rule is published. At the time of this publication, only two rules had been finalized--the Transaction and Code Set Standards Regulation on August 17, 2000, and Standards for Privacy of Individually Identifiable Health Information on December 28, 2000. Thus, by Fall 2002--approximately 16 months from now--the Transaction and Code Set Standards Regulation will be enforced.

Benefiting from Electronic Data Interchange

Not only is the Transaction and Code Set Standards Regulation the first to become law, but of all the HIPAA regulations passed and pending, it will yield the most actual dollar savings by reducing administrative costs and processes. Currently, providers and payors use many different formats with varying data requirements to submit electronic claims or perform other transactions. Some healthcare providers may process as many as 140 different formats. Under the Transaction and Code Set Standards Regulation, all providers and payors who collect and submit electronic health information must do so using a common format.

The potential benefits to healthcare providers are enormous because standardization will:

  • allow providers to check the status of claims electronically and verify eligibility in real time
  • reduce or eliminate manual or paper-based activities
  • accelerate the receipt of payment for claims and hence, shorten payment cycle
  • reduce claim errors and write-offs

On average, paper claims take 60 days until receipt of payment at a cost of about $5 per claim; payment for a clean electronic claim only takes 14 days at about $.25 to $.30 per claim. HHS predicts that the savings gained through transaction standardization could be as high as $29.9 billion over 10 years.

To achieve these savings, providers will make significant payouts during the first five years of implementation. Investing time and resources now, however, will save money later. "Waiting to meet the 24-month deadline in the last 6 months could increase costs by as much as 100 percent because healthcare providers that begin working on HIPAA immediately can actually comply with much of HIPAA using their own resources," says Joseph Pokorney, principal, Phoenix Health Systems, Inc. While a few healthcare organizations are well on their way to implementing the transaction regulation, the vast majority have underestimated the amount of time they will need to comply. To capitalize on the benefits that transaction standardization offers, providers must think strategically at the highest levels of their organization, perform rigorous assessments of their current environment, and collect new data elements--beginning now.

Step 1: Committing from the Top

Because many providers assume that their vendors or payors will handle the bulk of the transaction standardization, they believe that they do not have to address HIPAA as anything more than a technology issue. "Unlike Y2K, HIPAA is an organizationwide issue requiring a cultural as well as technological change," Phoenix's Pokorney says. "Compliance is 80 percent policy- and planning-related and about 20 percent technology."

To create a thorough initiative, providers should establish a high-level working group to examine how HIPAA will affect every segment of the organization and how each department can best position itself to respond. Phoenix Health advises its clients to explore the following questions from specific vantage points:

  • CEO perspective: How does HIPAA fit with my strategic plan and initiatives?
  • CFO perspective: What cost constraints and revenue opportunities exist within HIPAA?
  • CMO perspective: How will quality of care be affected by HIPAA?
  • CIO perspective: What technology changes will HIPAA require or create?
  • COO perspective: How can HIPAA improve current processes in our daily operations?
  • CKO perspective: What educational opportunities exist?

Regular task force meetings that address these perspectives should also include other key staff such as the directors of medical records, patient accounting, and patient registration, as well as security officers. Adventist Health in Roseville, Calif., created a HIPAA Implementation and Compliance department in November 2000 and appointed Larry Mitchel, Ph.D., as its director. Cross-functional teams from across the organization have been created to help Mitchel direct Adventist's compliance efforts. "At this point, we have identified a steering committee composed of corporate executives and facility presidents. Under this rubric, we have two working subcommittees in place, one for technical matters and the other for operational matters," Mitchel says. "We selected members for these working subcommittees based on functional expertise, regional representation, and ability to work well with the team. Before the subcommittees were in place, the steering committee had been meeting weekly to make initial decisions and get the process going."

Like Adventist, Allina Health System in Minneapolis saw the need for centralized HIPAA management. Recognized as one of the leaders in the race for HIPAA compliance, Allina believed that HIPAA was significant enough that it required strategy, education, internal coaching, analysis, and representation in industrywide HIPAA efforts. Consequently, the organization developed a HIPAA Program Management Office in the first half of 1999. Led by Jeremy Pierotti, the office pulled together teams from across the organization and brought in a consulting firm to facilitate its work. "To examine our scheduling and registration process, we used an existing revenue cycle improvement work team composed of registration staff and managers," Pierotti says. "In our hospital billing office, we pulled in billing department managers, the compliance director, and a business analyst. In the Allina Medical Clinic business unit, we included clinic billing officer managers, as well as business and systems analysts. We engaged similar levels of staff from each of our other business units: hospital-based clinics, medical transportation, home care, home medical equipment, and retail pharmacy."

Regardless of the scope of a provider's HIPAA efforts, a formal mechanism for planning, implementing, and monitoring compliance should be in place. "If providers try to address HIPAA without a full-time dedicated person, they will probably struggle," Adventist's Mitchel says. Furthermore, by formalizing their efforts, providers will not only ease the implementation process, but they will also demonstrate their commitment to HIPAA compliance from the top down.

Step 2: Assessing the Environment

With a strategy, key players, and commitment in place, providers should next conduct a readiness/risk assessment. As part of an assessment, Phoenix Health recommends that organizations take inventory of all information systems that contain or process health information and designate a staff member to report on each area. Next, with copies of the rules obtained from HHS's Web site (http://aspe.os.dhhs.gov/admnsimp/), leaders should identify gaps between their organizations' current processes, policies, and practices and those mandated in the rules. "Your assessment will turn up more than you can probably deal with," Adventist's Mitchel says. "If you've done your assessment right by going through a very disciplined process, you'll be able to decide what to work on first and have a better sense of the budget impact." Based on three to four wide-scope assessments, Adventist was able to put dollar numbers in its budget at the corporate, regional, and facility levels. "These are more or less generic placeholders," Mitchel says. "We'll be able to create more accurate budgets as our assessment becomes more specific and we decide how much risk we can live with, what we cannot live with, and what it will take to mitigate those risks."

Because Allina Health System was able to embark on its HIPAA efforts almost two years ago, it has been able to assess HIPAA's impact on a detailed level at a very early stage. Based on a rigorous four-month process and application analysis conducted by its HIPAA Program Management Office, Allina determined that the organization could garner $68 million in net positive cash flow over a five-year period by implementing HIPAA transaction standards. "We have identified a real opportunity, and we know where in our organization to focus our efforts," Pierotti says. Currently, 70 percent of Allina's claims are electronic. Complying with HIPAA transaction standards will allow the organization to move the remaining 30 percent to a common electronic format, giving Allina the opportunity to shorten the payment cycle for all of its claims.

"Most assessments or impact analyses take anywhere from 30 40 to 120 160 days, depending on the size of the organization and the complexity of its existing technology and processes," Phoenix's Pokorney says. Providers should be aware that actual implementation, based on the results of their assessments, will take months longer. With enforcement of the Transaction and Code Set Standards Regulation looming, providers who have not yet begun may easily fall behind.

Step 3: Collecting New Data for New Formats

One gap that will likely turn up in many assessments centers around the data requirements for the new electronic formats. "While eliminating the disparate formats used by payors and providers will eventually simplify things, the process burden will still be there for awhile because there are new data elements in the mandated format that many providers don't collect at all right now," Allina's Pierotti says. In fact, more than 300 data elements are contained in the new claim format mandated by HIPAA, and most healthcare organizations are collecting only 50 percent of those elements, according to Helene Guilfoy, principal, Phoenix Health Systems, Inc. "Even if this information is already collected by your organization, chances are good that it is not available in an electronic form," Guilfoy says. "To send the information, even to a clearinghouse, it must be made available electronically."

Phoenix Health suggests that to be ready to transmit the new data in the required format, providers should:

  • Compare the information available electronically in their organizations with the information required in HIPAA transaction standards.
  • Contact vendors to determine if they plan to include the required HIPAA data content within their software.
  • If vendors' plans do not include updates--or if they are unlikely to move fast enough to meet compliance deadlines--make the decision to keep current vendors or look elsewhere. If providers do not start this process early enough, their ability to investigate and negotiate with existing vendors or potential ones may be severely hampered.
  • Evaluate internal business processes to determine where and how best to collect the missing data.
  • Select someone who understands health transactions to study the Implementation Guides for the transaction standards regulations.
  • Determine where the required information is likely to be available or likely to be used. Examples include the preadmissions area (where eligibility inquiry is likely to occur), admitting and registration areas (where the bulk of the demographic information that will be submitted under the new transaction standards is collected), and business or billing office (where the claims are prepared and approved for transmission to payors).
  • Eliminate any processes that are no longer necessary.
  • Determine where new processes are required to ensure that all required data elements are collected and available electronically.
  • Work closely with vendors to establish new processes and/or update the old.
  • Coordinate the proper sequence for "changing over" with vendors.

Finally, providers should remember that before HIPAA can simplify electronic transaction processes, providers will be faced with transitioning new steps into current processes. To leverage the efficiencies HIPAA offers, staff will need to know when to collect the new information, what information to collect, and how to document it.

Timing is Everything

In the very near future, benefits can accrue to providers through compliance with HIPAA's Transaction and Code Set Standards Regulation. In addition to direct dollar savings, electronic data interchange can improve productivity, which can lead to savings. Market share may also increase as customer satisfaction rises because of the ways electronic data interchange will affect patients (standard explanation-of-benefits forms or real-time approval for treatments and procedures). Eventually, HIPAA security and privacy regulations could change the culture of healthcare even further by nudging providers into the e-health arena, helping reduce medical errors through a true electronic exchange of patient information, and building consumer confidence in the security and privacy of individual health information.

No one will deny that meeting HIPAA requirements will require vast resources, time, and patience. But if HIPAA is viewed only as a compliance project and nothing more, providers may not maximize the opportunities to improve operations and the delivery of care. HIPAA is here--and it is law. "My sense is that the providers that will be able to take advantage of the opportunities HIPAA offers will be those that started early," Allina's Pierotti says. "By and large, providers will get out of it what they put into it."

Ellen G. Lanser is a senior editor for Healthcare Executive. This article was co-authored by Joe Pokorney.

Go to TOP