The trusted source for
healthcare information and
Many won’t be ready, industry groups say
The Centers for Medicare & Medicaid Services (CMS) will use a complaint-driven process to enforce the transactions and code sets provisions of the Health Insurance Portability and Accountability Act (HIPAA) after the Oct. 16 implementation deadline and will focus on using voluntary compliance.
The agency has said it will not impose penalties on covered entities that deploy contingencies to ensure the smooth flow of payments if they have made "reasonable and diligent efforts to become compliant and, in the case of health plans, to facilitate the compliance of their trading partners."
CMS made that announcement a few days after a number of industry groups — including the American Hospital Association (AHA), the American Medical Association, and others — delivered a letter to Health and Human Services (HHS) Secretary Tommy Thompson urging his department to act promptly to prevent an impending train wreck from an uncoordinated implementation of HIPAA standardized transactions.
"Despite the best efforts of all parties, many covered entities will not be able to achieve full compliance by that date due to circumstances beyond their control," the health care organizations wrote.
They warned that without action by HHS, rejection of nonstandard electronic transactions and resulting reversion to paper transactions by significant numbers of providers would lead to a major disruption of payments to providers under Medicare, Medicaid, and private-sector health plans.
The organizations urged HHS to clarify that during a reasonable migration period, transactions standards compliance requires only that claims be in the HIPAA-standard format, use the standard codes, and contain only the data content necessary for adjudication. They also urged the agency to develop a process to ensure an adequate level of cash flow to providers during the transition.
Pete Kraus, CHAM, business analyst for patient accounts services at Emory University Hospital in Atlanta, says that although "a bit melodramatic," AHA and the other industry groups probably are correct in their assessment of payer and provider readiness. However, Kraus said it would be hard to fault HHS if it chose to be adamant in sticking to the implementation schedule. "It isn’t as though the players haven’t had plenty of notice that this was coming," he notes. "Had everyone treated the deadline as they did Y2K, most participants would be ready."
His hospital’s clearinghouse has been sending 837-formatted claims to any payer that will take them for months, Kraus says. "The clearinghouse tells us the list of payers accepting 837 claims is growing, albeit slowly," he says. "We’ve experienced significant delays attempting to test 835-formatted electronic remittances with our Medicare and Medicaid intermediaries."
Hospitals were to have begun testing their electronic data interchange (EDI) processes on April 16. Most of what has been holding up progress in the move toward transactions and code set implementation is that Medicare and most state Medicaid programs were not ready to proceed with EDI, says Gillian Cappiello, CHAM, senior director for access services and chief privacy officer at Chicago’s Swedish Covenant Hospital. By the end of July, Kraus said, there had been no sign of either Medicare or Medicaid being ready to test. The comments by CMS on its enforcement process "could mean anything," he adds, "although it sounds as though they intend not to be draconian in their initial enforcement. Whether that helps or hinders the process remains to be seen."
Next up is HIPAA security
Cappiello says her organization has begun meetings to strategize its approach to the next HIPAA hurdle — the April 21, 2005, effective date of the HIPAA security regulations. She notes that there is significant overlap between the final security rule and the HIPAA privacy standard, which became effective in April. A number of offerings on the CMS web site have been helpful in her own preparation for the security rule, Cappiello says, including information found at www.cms.gov/hipaa/hipaa2/regulations/security/default.asp. A good place to start, she adds, is the transcript for the Feb. 28, 2003, HIPAA implementation roundtable. Also helpful, she adds, is Phoenix Health Systems’ "Key Security Questions for Healthcare Executives," available at www.hipaadvisory.com/action/security/0603keyques.htm.
In an article found at that site, Clyde Hewitt and Bill Miaoulis, principals with Phoenix Health Systems of Montgomery Village, MD, suggested three questions that health care organizations should ask in regard to the security rule:
Important security risks to be considered, they say, likely will include many, if not all, of the following:
In assessing risk, Hewitt and Miaoulis pointed out, it is important to determine potential events that could result from an organization’s vulnerabilities, which could include the following:
CHC Healthcare Solutions has a document with a grid comparing the privacy rule and the security rule, Cappiello points out, that can be found at www.computerhorizons.com/mediastore/otherfiles/SecurityEssentialsforPrivacy.pdf.