Utah Department of Health
Bureau of Medicaid Operations
August 2001
Have You Heard About HIPAA?
If you seek reimbursement for services you render as a healthcare
provider, or you use electronic methods in conducting your business,
HIPAA will affect you.
What is HIPAA?
Congress enacted HIPAA (Health Insurance Portability and Accountability
Act of 1996) as a major step toward healthcare reform, mandating
that standards be adopted for all health information that is electronically
exchanged. The results are intended to streamline the processing
of healthcare claims, reduce the volume of paper work, lower operating
costs, and improve overall data quality.
HIPAA will have far-reaching impact on the procedures and standards
healthcare providers use when seeking reimbursement from healthcare
plans for their services.
Who is Covered by HIPAA?
If you conduct any portion of your business as (1) a health plan,
(2) a health care clearinghouse, or (3) a health care provider who
transmits any health information in electronic form in connection
with a transaction covered by the rule, you are considered a covered
entity.
Providers who do not use any form of electronic data interchange
are not considered covered entities; however, these providers may
also be affected by process changes imposed by Medicaid and other
insurance plans when HIPAA standards are implemented.
Health Insurance Standards for Electronic Transactions
The Health Insurance Standards for Electronic Transactions was published
on August 17, 2000. By establishing a national standard for electronic
claims and other transactions, the rule lets healthcare providers
use consistent procedures and codes when submitting transactions
to a health plan anywhere in the United States.
The rule adopts standards for eight electronic transactions and
for code sets to be used in those transactions. These include:
· Claims or Encounter Information
· Eligibility
· Payment and Remittance Advice
· Referral Certification and Authorization (Prior Auth)
· Claim Status
· Enrollment/Dis-enrollment in Plan
· Premium Payments
· Coordination of Benefits
The Standards will change the procedures and codes you use in communicating
with clients, healthcare plans, and other healthcare organizations.
HIPAA does not mandate the use of electronic data interchange (EDI),
but requires the use of specific standards if EDI is used. If you
file electronically, you must comply with the new HIPAA Standards
for Electronic Transactions by October 17, 2002.
The reason for national standards is to make these transactions
simpler and less costly, by establishing a single set of rules that
all healthcare plans, providers and organizations must follow. Although
this will ultimately simplify the administrative aspects of healthcare
reimbursement, the transition to HIPAA compliance may require extensive
modification to how you conduct transactions for healthcare reimbursement.
HIPAA Privacy Rule
Each time a patient sees a doctor, is admitted to a hospital, goes
to a pharmacist or sends a claim to a health plan, a record is made
of their confidential health information. The confidentiality of
this health information has been a source of concern and interest
to lawmakers, policymakers and the public at large. It is with this
in mind that the HIPAA Privacy Rule was released on April 14, 2001.
The Privacy Rule assures protection of individually identifiable
health information.
Consumer control over health information: Under the final rule,
patients have significant new rights regarding their health information.
· Providers and health plans must provide patients with a clear written
explanation of how they can use, keep and disclose their health information.
· Patients must be able to see and get copies of their records, and
request amendments. In addition, a history of most disclosures must
be made accessible to patients.
· Patient authorization to disclose information must meet specific
requirements. Patients have the right to request restrictions on
the uses and disclosures of their information.
· Providers and health plans generally cannot condition treatment on
a patient’s agreement to disclose health information for non-routine
uses.
· People have a right to complain to a provider or health plan, or
to the Secretary of Health and Human Services, about violations of
the provisions of this rule or the policies and procedures of the
covered entity.
Restrictions for medical record use and release: With few exceptions,
an individual’s health information can be used for health purposes
only.
· Patient information can be used or disclosed only for the purposes
of health care treatment, payment and operations. Health information
cannot be used for purposes not related to health care.
· Disclosure of information must be limited to the minimum necessary
for the purpose of the disclosure. However, this provision does not
apply to the transfer of medical records for purposes of treatment,
since physicians, specialists, and other providers need access to
the full record to provide quality care.
· Non-routine disclosures, with patient authorization, must meet standards
that ensure the authorization is truly informed and voluntary.
Security of personal health information: The regulation establishes
privacy safeguards that covered entities must meet, such as:
· Adopt written privacy procedures which include who has access to
protected information, how it will be used, and when the information
would or would not be disclosed to others.
· Sufficient training must be provided to employees allowing for an
understanding of the new privacy protection procedures. An individual
must be designated as the privacy officer. This individual would
be responsible for ensuring privacy procedures are followed.
· Establish a grievance process for patients to make inquiries or complaints
regarding the privacy of their records.
Providers and health plans are required to comply with the Privacy
Rule by April 2003.
What is Medicaid Doing to Become HIPAA Compliant?
An analysis of HIPAA and its impact on Utah Medicaid has been performed.
Modifications to computer systems have begun with implementation
of the electronic transactions as follows:
Claims/Remittance Advice – Jan 2002
Eligibility Inquiry/Response – Mar 2002
Enrollment/Dis-enrollment – Apr 2002
Claims Status/Response – May 2002
Premium Payments – June 2002
Prior Authorization – Aug 2002
Many Medicaid policies and procedures will be affected with implementation
of HIPAA, i.e., discontinuation of local codes (Y-codes) and proprietary
EDI formats (bulletin board). As changes occur, Medicaid will strive
to provide notification to all affected parties.
Medicaid continues to have representation on national standard setting
organizations, giving input to modifications to the current standards
and development of new standards.
How to Get Started
Now is the time to begin by reading the final rules and assessing
the impact on your organization. Develop an action plan. Perform
a gap analysis or risk assessment. Document affected processes or
procedures. Get started.
Available Resources and Committees
One of the best resources for information regarding HIPAA is the
web site for the U.S. Department of Health and Human Services at:
http://aspc.hhs.gov/.admnsimp
The final rule and links to other HIPAA related sites are available
from this web site.
Utah Health Information Network (UHIN) is a coalition of providers
and payers within the State of Utah. A provider solution to all HIPAA
transactions is being developed, including a dental solution to EDI.
Visit the UHIN web site:
Publications of the implementation guides are available through
Washington Publishing site:
Participation in national workgroups and committees is strongly
encouraged. They include:
· ASC X12N
· Health Level 7
· National Council for Prescription Drug Programs
· Workgroup for Electronic Data Interchange
· National Committee on Vital and Health Statistics
· National Uniform Claim Committee
· National Uniform Billing Committee