H I P A A L E R T Volume 2 No. 3
December 19, 2000
> > From Phoenix Health Systems...HIPAA Knowledge...HIPAA
Solutions <<
> Healthcare IT Consulting & Outsourcing <
HIPAAlert is published monthly in support of the healthcare industry's
efforts to work together towards HIPAA security and privacy. Direct
subscribers total nearly 10,000.
Do you have interested associates? They can subscribe free at:
http://www.hipaadvisory.com/alert/
IF YOU LIKE HIPAALERT, YOU'LL LOVE HIPAAdvisory.com! -- Phoenix'
comprehensive "HIPAA hub of the Internet," per Modern
Healthcare magazine. Visit: http://www.HIPAAdvisory.com
T H I S I S S U E
1. From the Editors: Towards the HIPAANewYear
2. The New Transactions Standards: A Wakeup Call for Providers
3. HIPAAnews: Final Rules, Hospital Hacked, E-Health Seal
4. HIPAAlert: Help Us Help You!
5. HIPAAdvisor: Access Controls: Who Sees What Info?
1 / F R O M T H E E D I T O R S:
The start of a new year is a natural time to reexamine the "old"
and plan the "new." With your help, we'll be taking a
new editorial look at HIPAAlert this month. Our goal is simple:
make sure HIPAAlert meets your needs and expectations! Please help
by answering our super-quick Reader Survey questions in Part 4,
below.
Phoenix' Helene Guilfoy highlights HIPAAlert this month by reporting
on the often underestimated role of healthcare providers in implementing
HIPAA's Transactions Standards. Helene's thought-provoking article
is a summary of her recent testimony before the National Committee
on Vital and Health Statistics (NCVHS), the public advisory body
to the Secretary of Health and Human Services. It also includes
a great summary of recommended Transactions Standards compliance
steps.
Between our action recommendations on Transactions, some "hot"
news on next-to-be-published regulations, and HIPAAdvisor's clarification
of Access Control implementation options, this issue offers plenty
of HIPAAwork to plan for this coming year. Happy Holidays and we'll
see you then!
Diane Boettcher, Editor
dboettcher@phoenixhealth.com
D'Arcy Guerin Gue, Publisher
daggue@phoenixhealth.com
2 / The New Transactions Standards: A Wakeup Call for Providers
By Helene Guilfoy, Principal, Phoenix Health Systems, Inc.
You've heard it. So have we. But theorizing that the new
Transactions Standards are the "payers' problem" -- not
the providers' -- doesn't make it so. Here's why, in a nutshell.
Let's look at just one of the nine transactions standards that
are mandated as of October 2002 - the Institutional 837 Claim format.
My research shows that fifty percent of the data that will be required
is not being collected electronically by providers! There are over
300 data elements in this format...apply the 50% missing data factor...and
!!!
Since the early 90's, healthcare claims have been "standardized"
on the UB-92 claim form. "Standardized" is shown in quotes
because there currently are about 400 different ways to fill out
this form! Existing payer electronic systems were designed around
payers' specific needs and information requirements in order to
adjudicate claims.
When HIPAA mandated that claim submissions be standardized, the
Department of Health and Human Services (DHHS) looked to the electronic
format developed by X-12, a standards development organization.
X-12's standard claim transaction format had existed for many years,
but had not been generally accepted by the healthcare industry.
To gain that acceptance X-12 built consensus around the requirements
of the receivers - the payers -- of healthcare claims.
Several new functions were built into the X-12 standard. For instance,
coordination of benefits information was incorporated into the format
so that payers could send the claim to the secondary payer and onward
until all following payers had received the claim. Several new data
elements were included to allow for unquestionable identification
of individuals. Underlying all of this was the intent that text-based
attachments be discouraged.
The final rule for transactions has stipulated that whether the
provider elects to send the information to the payer through the
internet, through direct data entry, or through a clearinghouse
the data element CONTENT of the transaction standard must be maintained.
With this in mind, let's look at a few of the data elements that
are contained in the new claim format that may not be in your institution's
existing requirements:
- Pregnancy Indicator - this information may be in your clinical
systems but not in your billing module.
- Provider Taxonomy Code - this is a new classification system
that will be required for all practitioner information included
in the claim. It is used to codify provider type and area of
specialization for all medically related providers.
- Related Causes Code - this is required when the claim is for
an accident or is employment related.
- Country Codes - these are required whenever an address is outside
the US. If your institution is a referral center for other countries
you will need to report this code.
Even if this information is already collected by your provider
organization, chances are good that it is not available in an electronic
form. In order to send the information, even to a clearinghouse,
it must be made available electronically. Here's a high-level view
of the process that your organization must undertake to make that
happen:
GAP ANALYSIS and COMPLIANCE PLANNING
- First, you will have to compare the information that you have
available electronically with the information that is required
in HIPAA transactions.
- Once you have identified the gaps, it's time to contact your
vendors to determine if they plan to include the required HIPAA
data content within their software.
- If your vendors' plans don't include updates, or if they're
unlikely to move fast enough to allow you to meet compliance deadlines,
you will have to make some hard decisions. Will you stay with
your current vendor, or must you look elsewhere?
- A word of warning - if you don't begin the above process early
enough, your ability to investigate and negotiate with either
existing vendors or potential new vendors may be severely hampered.
IMPLEMENTATION
- At the same time, you will also need to evaluate your internal
business processes to determine where and how best to collect
the missing data.
- Select someone who understands health transactions to study
the Implementation Guides for the Transactions Standards.
- Then determine where the required information is likely to be
available or likely to be used within your organization. Examples
are your pre-admissions area (where eligibility inquiry is likely
to occur), admitting and registration areas (where you will collect
the bulk of the demographic information that will be submitted
under the new Transactions Standards), and your business or billing
office (where the claims are readied and approved for transmission
to the payers).
- Then, eliminate any processes that are no longer necessary.
- Determine where new processes are required to ensure that all
required data elements are collected and available electronically.
- At this point you should be working closely with the vendors
you've selected (or kept on) to establish your new processes and/or
update the old.
- Coordination and proper sequencing are important at this juncture;
your vendors must be ready to "change over" before you
are, and payers must be ready at the same time!
- Finally, remember, being "ready" within your organization
will require training applicable staff and documenting your new
processes.
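The gap analysis described above, together with the situational data elements listed earlier (pregnancy indicator, provider taxonomy code, related causes code, country code), can be checked mechanically. The Python below is an added example written for this issue; it is not Phoenix's code and not part of any X-12 implementation guide. The field names, the source-system inventory, the placeholder taxonomy value and the sample claim records are constructed assumptions. The rules for the related causes code and the country code follow the article; the rule that the pregnancy indicator applies only to female patients is an assumption, since the article states no condition for it.

```python
"""Gap check for data elements of the HIPAA institutional (837) claim.

Added example for this article. Field names, the source-system
inventory, the placeholder codes and the sample claims are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class DataElement:
    name: str
    required_when: Callable[[dict], bool]  # situational rule for one claim
    note: str


# Elements discussed in the article. The rules for related_causes_code
# and country_code follow the article; the rule for pregnancy_indicator
# (female patients only) is an assumption made for this example.
REQUIRED_ELEMENTS: List[DataElement] = [
    DataElement("pregnancy_indicator",
                lambda c: c.get("patient_sex") == "F",
                "often in clinical systems but not the billing module"),
    DataElement("provider_taxonomy_code",
                lambda c: True,
                "required for every practitioner on the claim"),
    DataElement("related_causes_code",
                lambda c: bool(c.get("accident") or c.get("employment_related")),
                "required when the claim is for an accident or is employment related"),
    DataElement("country_code",
                lambda c: c.get("country", "US") != "US",
                "required when an address is outside the US"),
]

# Constructed inventory: which fields each source system can already
# export electronically. Systems and fields are assumptions.
SYSTEM_INVENTORY: Dict[str, Set[str]] = {
    "registration": {"patient_name", "patient_sex", "address", "country_code"},
    "clinical": {"pregnancy_indicator", "diagnosis_codes"},
    "billing": {"patient_name", "charges", "diagnosis_codes"},
}


def gap_analysis(elements: List[DataElement],
                 inventory: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """For each required element, list the systems that hold it electronically."""
    return {
        e.name: sorted(sys for sys, fields in inventory.items() if e.name in fields)
        for e in elements
    }


def uncovered(gaps: Dict[str, List[str]]) -> List[str]:
    """Elements no current system exports: the input to the vendor discussion."""
    return [name for name, systems in gaps.items() if not systems]


def missing_elements(claim: dict,
                     elements: List[DataElement] = REQUIRED_ELEMENTS) -> List[str]:
    """Names of elements this particular claim needs but does not carry."""
    return [e.name for e in elements
            if e.required_when(claim) and not claim.get(e.name)]


# Constructed sample claims; "TAX-PLACEHOLDER" stands in for a real taxonomy code.
SAMPLE_CLAIMS: Dict[str, dict] = {
    "routine": {"patient_sex": "M", "country": "US",
                "provider_taxonomy_code": "TAX-PLACEHOLDER"},
    "work_injury": {"patient_sex": "M", "country": "US",
                    "employment_related": True},
    "foreign_referral": {"patient_sex": "F", "country": "CA",
                         "provider_taxonomy_code": "TAX-PLACEHOLDER"},
}


if __name__ == "__main__":
    gaps = gap_analysis(REQUIRED_ELEMENTS, SYSTEM_INVENTORY)
    for name, systems in gaps.items():
        print(f"{name:24s} sources: {systems or 'NONE (gap)'}")
    for label, claim in SAMPLE_CLAIMS.items():
        print(f"claim {label!r}: missing {missing_elements(claim)}")
```

The uncovered list is what you take to the vendor conversation: elements no current system exports need either a software update or a new collection process. The per-claim check in missing_elements() belongs in the billing office before a claim is released, whether it goes directly to the payer or through a clearinghouse, because the data content requirement applies either way.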
3 / H I P A A n e w s
*** News Bytes on Upcoming Final Rules ***
Seems like everyone has the "latest word" on when the
Administration expects to publish the Privacy and Security rules.
Earlier this week, government sources close to the publication process
informed us that the Privacy rule is likely to be announced before
the end of the year, perhaps even within the next several days.
The same sources have indicated that DHHS expects to publish the Security
rule within the first quarter, perhaps as early as January.
Department of Health and Human Services (HHS) officials have
confirmed in conversations this week that the final privacy rule
will be about twice as long as the proposed rule - over 1000 pages
long. Many of the 150,000 comments received are included in the
rule along with DHHS replies.
The New York Times has reported that the privacy rule is unlikely
to include an individual's right to sue, according to a November
20th article. The proposal that was removed would have allowed patients
to sue in state court for violation of contract if their medical
records were improperly disclosed.
As reported in a HIPAAlert NewsBrief earlier this month, DHHS
has formally scheduled release of the National Standard Employer
Identifier and the Standard Unique Health Care Provider Identifier
for this month. However, the inside-the-beltway word is that HHS
is focusing first on the Privacy rule -- with the likelihood that
the ID rules will be delayed.
*** Washington Hospital Records Accessed by Hacker ***
A sophisticated hacker took command of large portions of the University
of Washington Medical Center's internal network earlier this year,
and downloaded computerized admissions records for four thousand
heart patients, according to reports earlier this month by the Washington
Post and SecurityFocus.com.
The hacker, a 25-year-old Dutch man who calls himself "Kane,"
said he did not tamper with any hospital data. He described his
forays into the hospital's network as a renegade public service
aimed at exposing the poor security surrounding medical information.
University officials in Seattle said they first determined that
the center's computers had been invaded in late June. However, they
weren't sure any electronic records had been taken until late Thursday,
after a reporter sent them a copy of one record, the Washington
Post reported.
*** Another Study Shows Payers Ahead of Providers in Compliance ***
Payer organizations are significantly ahead of providers in reaching
several key early milestones in HIPAA compliance, according to a
new study conducted by the Gartner Group.
The Gartner HIPAA report revealed that the majority of payers
have appointed executive sponsors, staffed compliance committees,
completed organizational awareness programs and assessed their status
regarding standardized transactions. On the other hand, provider
organizations that have completed those early tasks are in the minority.
About 75 percent of healthcare organizations -- both payers and providers --
expect to require assistance from consulting or systems integration
firms to help them complete HIPAA assessment projects.
However, only 15 percent of those indicated that they have developed
preliminary overall budgets for achieving compliance. Of those organizations,
total spending is expected to average almost $9 million. Slightly
more payers and providers (24 percent) have identified their 2001
HIPAA budgets, and the average for next year's HIPAA spending is
$5 million.
A total of 225 organizations participated in the survey, including
104 payers and 121 providers. Payer participants include both HMO
and PPO organizations and private health insurers. Provider participants
include representation from integrated delivery systems, hospital
networks, stand-alone hospitals and physician groups.
*** Hi-Ethics Announces New E-Health Seal ***
Hi-Ethics will develop a rigorous E-Health Seal for health Web
sites jointly with TRUSTe, an online privacy seal program. The coalition
of 18 health Internet sites and content providers announced the
agreement on December 12th.
The new E-Health Seal will certify that a Web site is in compliance
with all 14 of the Hi-Ethics principles. The principles include
ethical guidelines on privacy and confidentiality, quality of health
information, advertising and commercial relationships, consumer
relations, and best practices for professionals on the Internet.
Under the terms of the agreement, TRUSTe will create a framework,
with advice from Hi-Ethics, for verifying compliance and applying
accountability measures to Web sites that adopt the Hi-Ethics principles.
The proposed E-Health Seal will reflect the TRUSTe Privacy Seal's
format, including:
- A branded trustmark on a Web site's home page that links directly
to a statement of practices.
- A "click to verify" seal that will enable consumers
to verify that a Web site is a bona-fide participant in the E-Health
Seal program.
- An independent consumer dispute resolution process.
- Consumer education activities to increase awareness of the Hi-
Ethics principles and the E-Health Seal.
*** HHS Issues Minor Corrections to Transactions Final Rule ***
The Department of Health and Human Services (HHS) issued six corrections
to the Transactions and Code Sets Final Rule on November 26, 2000.
They are technical and typographical corrections and include no
substantial changes to the rule.
*** AHIMA Releases Tenets for Patient Health Records ***
The American Health Information Management Association (AHIMA)
has published a set of fundamental principles and operational tenets
for individual health records on the Web. Directed toward consumers,
providers, and e-health site developers, this document is intended
as a blueprint for protecting the privacy and ensuring the quality
of personal health information on the Web.
The tenets are available at:
http://www.ahima.org/infocenter/guidelines/tenets.html
4 / H I P A A l e r t : Reader Survey
Help us make HIPAAlert even better!
Just take a few minutes to answer our questions, and we'll use
your responses to help direct the future of HIPAAlert.
1. TO COMPLETE & RETURN BY E-MAIL -- With this HIPAAlert message
open, click on "Reply" in your email program. Complete
the questions in the questionnaire. If time allows, delete the remainder
of the newsletter from your reply. Then, send in your response.
2. TO COMPLETE & RETURN BY FAX -- Print the questionnaire, and
complete it by hand. FAX it to 301 869-0788.
General. Please rate:
1: The length of HIPAAlert (Too short) 1__ 2__ 3__ 4__ 5__ (Too long)
2: Technical tone (Too basic) 1__ 2__ 3__ 4__ 5__ (Too technical)
3: Frequency (Fewer issues) 1__ 2__ 3__ 4__ 5__ (More issues)
HIPAAnews. Please rate:
4: Number of items (Too few) 1__ 2__ 3__ 4__ 5__ (Too many)
5: Detail of items (Too general) 1__ 2__ 3__ 4__ 5__ (Too detailed)
6: Would you like more news items about (check all that apply):
Privacy ____
Security ____
Technologies ____
Industry Initiatives ____
Security Breaches ____
Other topics ______________________________________
HIPAAdvisory. Please rate:
7: Usefulness (Seldom) 1__ 2__ 3__ 4__ 5__ (Always)
8: Technical tone (Too basic) 1__ 2__ 3__ 4__ 5__ (Too technical)
9: Would you like more legal opinions on (check all that apply):
Privacy ___
Security ___
Transactions and Code Sets ____
National Identifiers ____
Other topics _______________________________________
Articles. Please rate:
10: Technical tone (Too basic) 1__ 2__ 3__ 4__ 5__ (Too technical)
11: Would you like more articles on (check all that apply):
Privacy ____
Security ____
Legislative/Regulatory Development ____
Technologies ____
Industry Initiatives ____
Case Studies ____
Other topics ______________________________________
Overall.
12: Any other suggestions for improvements, changes:
__________________________________________________
__________________________________________________
__________________________________________________
Thanks for your input!
5 / H I P A A d v i s o r : Legal Q/A with Steve Fox, Esq.
*** Access Controls: Who Sees What Info? ***
---------------------------
QUESTION: What obligations does HIPAA's proposed Security rule
impose upon covered entities concerning access controls like user
IDs? Doesn't HIPAA allow somewhat broad latitude on the specific
implementation of this rule?
ANSWER: The proposed Security rule is intended to allow covered
entities some latitude in determining how best to comply with the
security requirements.
In contrast to the Transactions Standards, which are only applicable
to the electronic transmission of health information in connection
with certain specified transactions, the proposed Security rule
applies to any health information relating to an individual that
is electronically maintained or transmitted by health plans, health
care clearinghouses, and health care providers. The proposed rule
does not distinguish between internal communication and communication
that is external to the covered corporate entity.
The proposed Security rule consists of the requirements that a
covered entity must address in order to safeguard the integrity,
confidentiality, and availability of its electronic data. It also
describes the implementation features that must be present in order
to satisfy each requirement.
However, one of the principles that guided the formulation of
the proposed Security rule was recognition that appropriate security
practices are highly dependent upon individual circumstance. Instead
of mandating or prescribing specific practices, the rule defines
a general set of requirements and implementation features for them.
These can be adopted in any one of several ways.
For example, one security requirement is that covered entities
have a contingency plan in effect for responding to system emergencies.
The plan must include certain features, including a disaster recovery
plan. However, the proposed rule does not set forth any required
elements for such a disaster recovery plan. Covered entities are
left to determine exactly how to formulate a disaster recovery plan
that best meets their needs and unique requirements.
With respect to access controls, the general set of requirements
is:
- establish and maintain formal, documented policies and procedures
for granting different levels of access to health care information,
- establish and maintain formal, documented policies and procedures
for limiting physical access to an entity while ensuring that
properly authorized access is allowed,
- limit access to health information (by implementing a procedure
for emergency access as well as enforcing either context-based
access, role-based access, or user-based access) so that only
those employees who have a business need may access such information,
- execute entity authentication to prevent the improper identification
of an entity who is accessing secure data,
- protect communications containing health information that are
transmitted electronically over open networks so that they cannot
be easily intercepted and interpreted by parties other than the
intended recipient, and
- protect their information systems from intruders trying to
access such systems through external communication points.
This article was co-authored by Rachel H. Wilson, an associate
at Pepper Hamilton.
Steve Fox, Esq. is a partner in the Washington, D.C. office of
Pepper Hamilton LLP. Pepper Hamilton LLP is a multi-practice law
firm with more than 400 lawyers in ten offices. A specialist in
healthcare, Steve is a frequent writer and speaker on healthcare
information management and technology issues.
http://www.pepperlaw.com/
Disclaimer: Steve's responses offer information that is general
in nature and should not be relied upon as legal advice. Only your
attorney is qualified to evaluate your specific situation and provide
you with customized advice.
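The access-control requirements listed in HIPAAdvisor above (user-, role- or context-based access, a procedure for emergency access, and entity authentication) map onto a small decision function. The Python below is an added example, not code from Pepper Hamilton, Phoenix Health Systems or the proposed rule; the roles, units, sensitivity levels, sample principals and patient records are constructed for illustration. It layers the three access models rather than choosing one, refuses to evaluate access for an unauthenticated identity, and records every decision so that emergency ("break glass") access is granted but flagged for later review.

```python
"""Access decision for electronically maintained health information.

Added example for the HIPAAdvisor column. Roles, units, sensitivity
levels, principals and records below are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: FrozenSet[str]
    unit: str              # context: the care unit the user is working on
    authenticated: bool    # entity authentication has already succeeded


@dataclass(frozen=True)
class Record:
    patient_id: str
    unit: str                   # unit currently treating the patient
    sensitivity: str            # "normal" or "restricted"
    care_team: FrozenSet[str]   # user ids with a direct treating relationship


@dataclass(frozen=True)
class Decision:
    allowed: bool
    basis: str   # "user", "role+context", "emergency", or the reason for denial


# Role-based policy (assumed): which sensitivity levels each role may read.
ROLE_READ: Dict[str, Set[str]] = {
    "attending": {"normal", "restricted"},
    "nurse": {"normal"},
    "billing_clerk": set(),     # reads claims, not the chart
}
CLINICAL_ROLES: Set[str] = {"attending", "nurse"}

AUDIT_LOG: List[dict] = []   # every decision, allowed or denied, is recorded


def _readable_by(roles: FrozenSet[str]) -> Set[str]:
    """Union of the sensitivity levels the principal's roles may read."""
    levels: Set[str] = set()
    for role in roles:
        levels |= ROLE_READ.get(role, set())
    return levels


def authorize_read(p: Principal, r: Record,
                   emergency_reason: Optional[str] = None) -> Decision:
    """Decide whether p may read r, trying the narrowest basis first."""
    if not p.authenticated:
        d = Decision(False, "entity not authenticated")
    elif p.user_id in r.care_team:
        d = Decision(True, "user")                  # user-based access
    elif r.sensitivity in _readable_by(p.roles) and p.unit == r.unit:
        d = Decision(True, "role+context")          # role permits it AND same unit
    elif emergency_reason and p.roles & CLINICAL_ROLES:
        d = Decision(True, "emergency")             # break glass: allowed but flagged
    else:
        d = Decision(False, "no documented business need")
    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "user": p.user_id, "patient": r.patient_id,
        "allowed": d.allowed, "basis": d.basis, "reason": emergency_reason,
    })
    return d


def emergency_accesses() -> List[dict]:
    """Audit entries a privacy or security officer should review after the fact."""
    return [e for e in AUDIT_LOG if e["basis"] == "emergency"]


# Constructed sample principals and records (not real people or patients).
DR_LEE = Principal("dr_lee", frozenset({"attending"}), "cardiology", True)
NURSE_KIM = Principal("nurse_kim", frozenset({"nurse"}), "icu", True)
CLERK = Principal("clerk_01", frozenset({"billing_clerk"}), "billing", True)
UNAUTH = Principal("dr_lee", frozenset({"attending"}), "cardiology", False)
P1 = Record("P1", "cardiology", "normal", frozenset())
P2 = Record("P2", "cardiology", "restricted", frozenset({"nurse_kim"}))


if __name__ == "__main__":
    print(authorize_read(DR_LEE, P1))                       # role+context
    print(authorize_read(NURSE_KIM, P1))                    # denied: wrong unit
    print(authorize_read(NURSE_KIM, P1, "transferred to ICU"))  # emergency, logged
    print(authorize_read(UNAUTH, P1))                       # denied: not authenticated
    print(emergency_accesses())
```

The ordering matters: authentication is checked before any authorization rule, and the emergency path is the last grant considered, so it only fires when no ordinary business need exists. That is what makes the emergency_accesses() report meaningful as a review queue.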
Copyright 2000, Phoenix Health Systems, Inc. All Rights Reserved.
Reprint by permission only.
http://www.phoenixhealth.com