HIPAA Is Not Done: How HIPAA & New Healthcare Initiatives
Intersect
by Randa Upham, Consulting Editor, Phoenix Health
Systems
Updated March 2006
Now that the April 2005 HIPAA Security
Rule compliance deadline has passed, many covered entities seem to believe
they have conquered the final frontier. Comments like the following
are often heard in provider, payer, and clearinghouse environments:
- "Thank goodness we are through all that HIPAA stuff."
- "Yes, we are all set with HIPAA - did everything."
- "Our organization did that HIPAA training last year, we
are compliant now!"
Indeed, covered entities have overcome enormous budgetary and operational
challenges in the HIPAA implementation process. But the comments
above share an underlying fallacy: HIPAA is not done! HIPAA
is not an event or a target date, but rather, a process. The intent
of HIPAA was that its requirements and underlying principles become
an integral part of our healthcare culture - similar to other accepted
values (or buzzwords) such as: confidentiality, patient safety,
infection control, quality assurance, etc. There are at least two
aspects of this "HIPAA process" to consider:
First, HIPAA compliance itself will continue to require ongoing
implementation, updating, and monitoring. For example, HIPAA anticipated
expansion of its applicability, particularly in the area of transactions
and code sets (TCS), with the promise of a succession of new standards
to further simplify healthcare business processes. In addition,
as technology marches on, challenges related to information security
will be a critical topic, and remain within the scope of the Security
Rule. Further, we have yet to see the overall impact of privacy
violations and threats on consumers - but thousands of formal complaints
have been filed and there is no indication that
filings will decrease. Just as significant are a number of over-arching
factors: a political climate that is highly sensitive to security
issues, and compliance with accrediting bodies, such as the Joint
Commission on the Accreditation of Healthcare Organizations (JCAHO)
and the National Committee for Quality Assurance (NCQA), that have
begun to focus on HIPAA. All of these factors signify that healthcare
organizations must continually reevaluate and refine their HIPAA
practices.
Second, a variety of significant healthcare industry initiatives
that are currently underway will require integration of HIPAA precepts
in order to succeed. There may have been "final rules"
established for HIPAA, but the delivery and business of healthcare
is ever changing. How will current innovative movements function
within our existing "HIPAAtized" healthcare environment?
How will the current HIPAA culture be changed?
Electronic Medical Record
In June of 2004, the President's Information Technology Advisory
Committee issued its report, "Revolutionizing Health Care through
Technology" (http://www.itrd.gov/pitac/reports/20040721_hit_report.pdf),
providing recommendations for creating an information infrastructure
that it claims will revolutionize medical records systems. The report
cites the Department of Health and Human Services (HHS) Secretary
Tommy Thompson's remark that "...the most remarkable feature
of this twenty-first century health system is that we hold it together
with nineteenth-century paperwork." The advisory committee's
core recommendations included a universal electronic health record
for all Americans with standardized data, computer-assisted clinical
decision support, and computerized provider order entry (CPOE).
The report clearly acknowledged HIPAA and specified its importance
within the overall process of actually achieving the recommended
objectives. The journey to realization of a true electronic medical
record must navigate the entire set of HIPAA regulations.
National Health Information Initiative
The National Committee on Vital and Health Statistics (NCVHS)
has urged Congress and the White House to prioritize the development
of a comprehensive National Health Information Infrastructure (NHII)
for the public and private sectors. As part of their appeal to the
government, the NCVHS also urged that HIPAA be amended to address
standards issues related to the NHII, including: "the portability
of health information across information systems, plans, and providers
to ensure continuity of care; promote the adoption of clinical data
standards; and promote consumer/patient control of personal health
information" (http://aspe.hhs.gov/sp/nhii/Documents/NHIIReport2001/report11.htm).
Although the government was asked to take a leadership role in this
initiative, it is assumed that all stakeholders will play an active
role in establishing an NHII. To begin to envision the extensiveness
of what the next phase of HIPAA might be if the NHII comes to be
reality, just consider some of the recommendations that have been
made relative to this enormous initiative:
- "The specific NHII-related roles and responsibilities of
HHS agencies should be enhanced, with appropriately increased
budgets, under the strategic oversight of the central NHII office."
- "Congress should supplement HIPAA to address standards
issues related to the NHII. A 'Health Information Portability
and Continuity Act' should provide for the portability of health
information across information systems, plans, and providers to
ensure continuity of care; promote the adoption of clinical data
standards; and promote consumer/patient control of personal health
information."
- "Federal health data agencies should collaborate with State
and local government agencies and standards organizations to develop
common data reporting formats and standardized methods of transmission
of all pertinent health data."
These are just a few of the recommendations that NCVHS urges the
government to address.
Expansion of Required Transactions & Code Sets
ASC X12N 275
The HIPAA standard transaction for "electronic healthcare
claims attachment" presents huge ramifications for the capture
and protection of clinical documentation in accordance with the
three major HIPAA rules. Seen as the next HIPAA "opportunity,"
the electronic claims attachment transaction offers a bridge between
administrative and clinical records; and is viewed as a major milestone
toward a true electronic record. As the most complex of the transactions
to date, it will require extensive collaboration between all covered
entities and vendors. Significant format considerations and technical
requirements are involved in the implementation of the 275 - not
to mention adherence to the privacy and security standards for all
components of protected health information (PHI). The 275 may create
our greatest HIPAA challenge to date. In June of 2004, the
Association for Electronic Health Care Transactions (AFEHCT) hosted
an audio conference (co-sponsored by CMS, HL7, X12, HIMSS and WEDI)
for a joint Claims Attachment Educational Effort. The sponsors voiced
the opinion that vendors are the key to the implementation of the
standards (http://www.afehct.org/pdfs/claimattachmay04.pdf).
It is this type of cooperation among HIPAA stakeholders that will
encourage realization of the HIPAA benefits.
Unique Patient Identifier
Although it has been mandated by HIPAA Administrative Simplification
legislation since 1996, the national patient identifier was placed
on hold by Congress because of the complexity
of its implementation. In November of 2003, a committee of the Institute
of Medicine urged legislators to revisit the issue. The committee
maintained that the lack of universal patient IDs could hamper realization
of administrative simplification and adversely affect patient safety
(http://www.hipaadvisory.com/news/NewsArchives/dec03.htm#1202hdm).
Indeed, the concept of a universal electronic health record for
all Americans includes some manner of uniquely identifying individual
patients. In spite of the fact that HHS has no current plans to
pursue development of this HIPAA-mandated data element, the issue
of a unique patient identifier will likely continue to elicit controversy.
ICD-10
From the very beginning of the development of the HIPAA TCS regulations,
the recommended code set for use in the standard transactions was
ICD-10. Although the requirement for using ICD-10 was delayed, NCVHS
has urged HHS to quickly transition from ICD-9 to ICD-10. No definitive
requirement has yet been agreed upon, but this transition is expected
to occur and will need to be integrated into operational processes.
New Transactions
When the TCS final rule identified the required HIPAA standard
transactions, it was only the beginning of Administrative Simplification.
Although the industry has a distance to go in implementing the standard
transactions currently required, it should be remembered that the
intent behind TCS was to adopt many more standard transactions than
the initial ones identified in the final rule in order to streamline
business processes. For information on the standards development
schedule, reference the website of the X12N/TG2 Healthcare task
group (http://www.disa.org/x12org/).
Patient Safety
A primary and ubiquitous healthcare initiative is patient safety.
Improvement of patient safety has been a major topic on organizational
agendas for years. Many facets of patient safety involve the capture
of patient data to both monitor and research key indicators related
to patient care. Since much of this data includes PHI, its use will
need to address HIPAA privacy and security compliance, along with
issues related to standardized coding and reporting formats. It
is realistic to expect that HIPAA-related assessment and implementation
tasks will be necessary for years to come as we evolve more extensive
and aggressive patient safety measures across the industry:
- In an article for HealthLeaders Magazine, medical errors
expert Richard Wachter, MD, called for the establishment of information
technology that provides universal access to standardized patient
information so that all practitioners providing care to a patient
are on the same page (http://www.healthleaders.com/news/feature57663.html).
- Stating that the "aggregation of data from many healthcare
organizations about their medical/healthcare errors and the root
causes of these errors is necessary in order to set priorities
for error reduction activities," the JCAHO encouraged the
creation of "an effective medical/healthcare error reporting
system." (http://www.jcaho.org/accredited+organizations/patient+safety/medical+errors+disclosure/).
- In its set of Informational Standards for
Patient Safety, URAC, the American Accreditation HealthCare Commission,
recommended using "patient safety features in automated tracking
and decision support tools" to identify and analyze actual
(or potential) medical errors (http://www.urac.org/documents/modelpatientsafetystandards060704drft_001.pdf).
- Many healthcare leaders, including the Institute of Medicine
(IOM) (http://www.iom.edu/report.asp?id=16663),
NCQA (http://www.ncqa.org/sohc2003/sohc_2003_executivesummary.htm),
and HIMSS (http://www.himss.org/content/files/IOMreportv411-20.pdf),
offered recommendations for remedying our medical error crisis
through technological means of capturing data related to medical
errors.
- The National Coordinating Council for Medication Error Reporting
and Prevention (NCC MERP), which includes many of the industry
leaders noted in this article, mounted a nationwide campaign
for medication error reporting and prevention. Although not focused
specifically on technology-based solutions, the Council recognizes
that "for error reporting systems to be effective, they must
be non-punitive, provide appropriate confidentiality and legal
protections, and facilitate learning about errors and their solutions"
(http://www.nccmerp.org/press/press2003-11-25.html).
E-Prescribing
Although e-prescribing is often identified within patient safety
initiatives, it stands on its own as both a valuable clinical tool
and a work-flow enhancement methodology. The industry has been moving
towards e-prescribing and CPOE for years and, in spite of the many
barriers to overcome, they will eventually be included in normal
healthcare processes.
- When asked what types of healthcare IT investment are most
likely to improve health in America, David Brailer, MD, (appointed
as the first National Health IT Coordinator by HHS) first identified
"e-prescribing technologies" (http://www.healthcare-informatics.com/newsclips/newsclips06_3_04.htm).
- On July 21, 2004, the Centers for Medicare & Medicaid Services
(CMS) took a strong stand on the industry's need to give top priority
to e-prescribing when it was identified by CMS as an important
initiative to "improve the quality and reduce the costs of
healthcare, and to provide more personalized services for beneficiaries"
(http://www.cms.hhs.gov/media/press/release.asp?Counter=1117).
- A common myth is the notion that doctors are opposed to provider
order entry. Many physicians disagree, including Patricia Hale,
MD, an internist who testified to NCVHS on behalf of
the American College of Physicians that, "Physicians are
not opposed to e-prescribing. We absolutely want these things"
(http://www.ncvhs.hhs.gov/040527p1.htm).
- In contrast, according to online eWEEK Enterprise News and
Reviews, physicians are taking a time-will-tell approach to the
new CafeRx consortium dedicated to accelerating electronic prescribing
(http://www.eweek.com/article2/0,1759,1635866,00.asp).
CafeRx was formed as a consortium of nine well-recognized entities,
including high-tech and e-prescribing companies, to promote common
standards and government support of e-prescribing.
Whether or not it takes until 2009 (the date when the Medicare
Modernization Act of 2003 mandates that HHS have standards for electronic
prescribing ready for voluntary nationwide adoption) for it to become
mainstream, e-prescribing is on the way. We hardly need to mention
that, because of the focus on patient information, e-prescribing
implementations must adhere to HIPAA privacy and security regulations.
National Security Issues
Since 9/11, terrorism, biological warfare, emergency preparedness,
and homeland security have climbed to the top of the country's "hot
topics" list. These concerns are bringing healthcare-related
issues - and new initiatives - to the forefront. How we integrate
the HIPAA regulations (both current and new) presents overwhelming
challenges for the healthcare industry.
The Centers for Disease Control (CDC) sponsored an initiative
to establish a Health Alert Network whose mission is to "ensure
that each community has rapid and timely access to emergent health
information; a cadre of highly-trained professional personnel; and
evidence-based practices and procedures for effective public health
preparedness, response, and service on a 24/7 basis" (http://www.phppo.cdc.gov/han/Index.asp).
This huge endeavor has some very interesting ramifications relative
to HIPAA. The current regulations cite a number of specific circumstances
when covered entities are required to submit/report PHI for "national
security" purposes. It is assumed that the establishment of
a Health Alert Network would fall under the HIPAA privacy standard
for "uses and disclosures for specialized government functions"
(164.512(k)), but covered entities will likely need to expand their
policies and their practices in order to address the mandates for
reporting information to the network.
It is noteworthy that the basic tenets of HIPAA, namely standardization
and security of health information, are also essential criteria
for homeland security. In order for homeland security processes
to function smoothly, appropriate access to personal information
is necessary and, in certain circumstances, will involve PHI covered
by HIPAA. Covered entities must ensure that HIPAA practices already
in place will be responsive to any homeland security initiatives.
During times of crisis, it is essential that medical practitioners
have access to health information in order to treat patients effectively
and safely. It is also essential that the security of that same
health information is maintained to protect it from access by terrorist
forces.
Personal Health Record Technologies
According to the Informatics Review, personal health records (PHRs)
include "any internet-accessible application that enables a
patient (or care provider for a patient, e.g., the 'mom') to create,
review, annotate, or maintain a record of any aspect(s) of their
health condition, medications, medical problems, allergies, vaccination
history, visit history, or communications with their healthcare
providers" (http://www.informatics-review.com/records.html).
There are numerous commercial ventures offering the consumer options
for maintaining a personal health record on the internet. This current
trend in healthcare opens the door for both innovative technologies
in healthcare record-keeping, as well as potential risks for the
confidentiality of patient information.
One example of a PHR is the AHIMA-sponsored website for personal
health tracking (http://www.myphr.com),
which provides a clear statement on PHR and definitions about HIPAA,
confidentiality, and the patient's rights with respect to his health
information. It also provides links to many of the agencies that
govern or support electronic health information.
Medical Banking
Proponents of medical banking are relatively new players in the healthcare
market. As described by John Casillas, Founder of the Medical Banking
Project, medical banking is "the latent integration of banking
infrastructure and credit resources within healthcare operations."
In a presentation to the Workgroup for Electronic Data Interchange
(WEDI), Casillas indicated that the banking stakeholder is essential
to establishing a digital healthcare environment and projected that
healthcare can save $35 billion annually if banks become engaged
in its administrative operations (http://www.wedi.org/cmsUploads/pdfUpload/eventsPresentationInformation/pub/MedicalBankingProject.pdf).
Should any of the medical banking components be identified as covered
under the HIPAA umbrella, it creates a new area of healthcare administrative
functions to consider on the HIPAA implementation checklist. However,
the issue of whether financial institutions have any HIPAA-related
responsibilities is currently a controversial one.
- The Medical Banking Project (http://www.mbproject.org/wizard.php)
states that banks using external parties to provide the HIPAA-defined
clearinghouse function are most typically considered business
associates and NOT HIPAA clearinghouses. It is when a bank actually
converts HIPAA-defined health data elements into HIPAA-defined
transactions, and vice versa, that HIPAA regulations (45 CFR Section
160.103) do apply.
- In its letter to HHS on June 17, 2004, NCVHS posited that
some banks are clearinghouses under HIPAA when they perform certain
functions related to the standard transactions defined under the
HIPAA statutes and subsequent regulations and recommends HHS clarify
whether the exception HIPAA makes in Section 1179 of the Privacy
Rule applies to consumer-initiated healthcare transactions (e.g.,
credit card or check payments), covered entity-initiated payment
transactions, or both.
- The Electronic Privacy Information Center (EPIC) feels that
financial institutions handling PHI contained in premium payment
and remittance advice transactions need to be considered healthcare
clearinghouses under HIPAA and that PHI should be encrypted so
it cannot be accessed by those with access to the automated clearinghouse
network (ACH) (http://www.epic.org/privacy/medical/medical_test.html).
- The "Great American Interoperability Tour" (http://www.mbproject.org/tour.php)
identifies 10 major stakeholders (including payers, clearinghouses,
and providers). However, physicians have been slow to adopt the
process. According to Lee Barrett, President, Medical Banking
Exchange (MBEXX), this is because 1) few insurers offer electronic
funds transfers to physicians, 2) most health plans are not capable
yet of transmitting HIPAA-compliant EOBs, and 3) most of the billing
systems that physicians use cannot accept the transactions
(http://www.ama-assn.org/amednews/2004/04/12/bisa0412.htm).
Consumer Driven Health Plans
Consumer Driven Health Plans (CDHPs) are health benefits plans
that offer their members a role in choosing their own healthcare
providers and managing their own health expenses. All over the nation,
benefits companies are offering consumers the opportunity to be
in charge of their own healthcare delivery (http://www.consumerdrivenhealthplans.us/).
Many view CDHPs as positive healthcare innovation, offering reduced
costs and improvements in patient care, but others are concerned
about the IT challenges related to their implementation and information
privacy and security threats. Since CDHPs would be considered covered
entities under HIPAA, it might be assumed that privacy and security
practices would already exist within the payer organizations offering
CDHPs - but, we must ask whether these organizations have implemented
appropriate practices for allowing consumer access to CDHP-maintained
health information.
Regardless of current controversies, URAC believes CDHPs are here
to stay and is currently establishing an Advisory Committee to develop
meaningful quality benchmarks for them. URAC feels that consumers
should consider standards as part of the selection process in determining
which CDHP is best for them and compliance with HIPAA should be
a primary consideration (http://www.urac.org/documents/PrintVolume2Issue1_000.pdf).
Our HIPAA Perspective: Universal Healthcare Value or Government
Regulation?
What is being done as an industry to view HIPAA as a universally-accepted
standard for healthcare, rather than simply "another governmental
regulation?" As we move forward during this fast changing -
if not tumultuous - period, we must expand the "HIPAA culture"
concept beyond organizational focus on compliance deadlines.
Many industry collaborations and strategic partnerships addressing
this question, some of which have been named above, already exist.
Their numbers are growing. A search of the internet readily yields
hundreds, if not thousands, of websites that detail how industry
organizations are addressing the ongoing challenge of maintaining
HIPAA-compliant cultures as they respond to new initiatives and
opportunities. HIPAA re-assessments, privacy and security program
updates, new training, and new opportunities for return on investment
(ROI) are being recognized as a necessary part of any plan for new
capabilities and operational enhancements. So, the next time you
hear your colleagues lament about "how hard HIPAA was to put
into place" or sigh with relief that "HIPAA is over,"
you might want to educate them on what else is looming on the horizon
for HIPAA.
Randa Upham, Phoenix Health Systems' consulting editor, has nearly
25 years' experience in the Healthcare and Information Services
industries with an extensive background in knowledge services, product
development, clinical services, organizational management, software
design, and educational planning. (This article was originally written in 2004.)